From 2aea5d935b1b76ca8988b8e1c32128748fca18ca Mon Sep 17 00:00:00 2001 From: Scott Piper Date: Sun, 4 Sep 2022 18:16:55 -0600 Subject: [PATCH 1/6] Fixed tests and formatting --- .coveragerc | 6 + README.md | 6 +- parliament/__init__.py | 44 ++-- parliament/cli.py | 23 +- .../single_value_condition_too_permissive.py | 10 +- .../tests/test_advanced_policy_elements.py | 6 +- .../tests/test_credentials_exposure.py | 7 +- .../tests/test_permissions_management.py | 7 +- .../tests/test_privilege_escalation.py | 7 +- .../tests/test_sensitive_access.py | 6 +- ...t_single_value_condition_too_permissive.py | 7 +- parliament/finding.py | 4 +- parliament/policy.py | 12 +- parliament/statement.py | 46 ++-- requirements.txt | 44 ++-- tests/__init__.py | 0 tests/scripts/unit_tests.sh | 8 +- tests/unit/__init__.py | 0 tests/unit/test_action_expansion.py | 52 ++-- tests/unit/test_authorization_file.py | 8 +- tests/unit/test_community_auditors.py | 12 +- tests/unit/test_formatting.py | 149 ++++------- .../unit/test_get_resources_for_privilege.py | 29 +-- tests/unit/test_patterns.py | 69 ++--- tests/unit/test_principals.py | 43 +--- tests/unit/test_privilege_data.py | 52 ++-- tests/unit/test_resource_formatting.py | 241 +++++++----------- tests/unit/test_resources.py | 7 +- utils/update_iam_data.py | 25 +- 29 files changed, 396 insertions(+), 534 deletions(-) create mode 100644 .coveragerc create mode 100644 tests/__init__.py create mode 100644 tests/unit/__init__.py diff --git a/.coveragerc b/.coveragerc new file mode 100644 index 0000000..32ac7e3 --- /dev/null +++ b/.coveragerc @@ -0,0 +1,6 @@ +[run] +source = parliament +omit = parliament/cli.py + +[report] +fail_under = 65 \ No newline at end of file diff --git a/README.md b/README.md index 7b2051b..4656f18 100644 --- a/README.md +++ b/README.md @@ -217,13 +217,9 @@ ignore_locations: To create unit tests for our new private auditor, create the directory `./parliament/private_auditors/tests/` and create the file `test_sensitive_bucket_access.py` there with the contents: ``` -import unittest -from nose.tools import raises, assert_equal - -# import parliament from parliament import analyze_policy_string -class TestCustom(unittest.TestCase): +class TestCustom(): """Test class for custom auditor""" def test_my_auditor(self): diff --git a/parliament/__init__.py b/parliament/__init__.py index 7b48bb3..95361bb 100644 --- a/parliament/__init__.py +++ b/parliament/__init__.py @@ -62,7 +62,11 @@ def analyze_policy_string( policy_json = jsoncfg.loads_config(policy_str) except jsoncfg.parser.JSONConfigParserException as e: policy = Policy(None) - policy.add_finding("MALFORMED_JSON", detail="json parsing error: {}".format(e), location={'line': e.line, 'column': e.column}) + policy.add_finding( + "MALFORMED_JSON", + detail="json parsing error: {}".format(e), + location={"line": e.line, "column": e.column}, + ) return policy policy = Policy(policy_json, filepath, config) @@ -97,7 +101,7 @@ def is_arn_match(resource_type, arn_format, resource): - arn_format: ARN regex from the docs - resource: ARN regex from IAM policy - + We can cheat some because after the first sections of the arn match, meaning until the 5th colon (with some rules there to allow empty or asterisk sections), we only need to match the ID part. So the above is simplified to "*/*" and "*personalize*". @@ -147,6 +151,7 @@ def is_arn_match(resource_type, arn_format, resource): resource_id = re.sub(r"\[.+?\]", "*", resource_id) return is_glob_match(arn_id, resource_id) + def is_arn_strictly_valid(resource_type, arn_format, resource): """ Strictly validate the arn_format specified in the docs, with the resource @@ -179,7 +184,7 @@ def is_arn_strictly_valid(resource_type, arn_format, resource): arn_id_resource_type = re.match(r"(^[^\*][\w-]+)[\/\:].+", arn_id) if arn_id_resource_type != None and resource_id != "*": - + # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namesspaces # The following is not allowed: arn:aws:iam::123456789012:u* if not (resource_id.startswith(arn_id_resource_type[1])): @@ -193,9 +198,11 @@ def is_arn_strictly_valid(resource_type, arn_format, resource): return True return False + def strip_var_from_arn(arn, replace_with=""): return re.sub(r"\$\{aws.[\w\/]+\}", replace_with, arn) + def is_glob_match(s1, s2): # This comes from https://github.com/duo-labs/parliament/issues/36#issuecomment-574001764 @@ -275,20 +282,20 @@ def expand_action(action, raise_exceptions=True): def get_resource_type_matches_from_arn(arn): - """ Given an ARN such as "arn:aws:s3:::mybucket", find resource types that match it. - This would return: - [ - "resource": { - "arn": "arn:${Partition}:s3:::${BucketName}", - "condition_keys": [], - "resource": "bucket" - }, - "service": { - "service_name": "Amazon S3", - "privileges": [...] - ... - } - ] + """Given an ARN such as "arn:aws:s3:::mybucket", find resource types that match it. + This would return: + [ + "resource": { + "arn": "arn:${Partition}:s3:::${BucketName}", + "condition_keys": [], + "resource": "bucket" + }, + "service": { + "service_name": "Amazon S3", + "privileges": [...] + ... + } + ] """ matches = [] for service in iam_definition: @@ -300,8 +307,7 @@ def get_resource_type_matches_from_arn(arn): def get_privilege_matches_for_resource_type(resource_type_matches): - """ Given the response from get_resource_type_matches_from_arn(...), this will identify the relevant privileges. - """ + """Given the response from get_resource_type_matches_from_arn(...), this will identify the relevant privileges.""" privilege_matches = [] for match in resource_type_matches: for privilege in match["service"]["privileges"]: diff --git a/parliament/cli.py b/parliament/cli.py index 9cf7213..e5f6001 100755 --- a/parliament/cli.py +++ b/parliament/cli.py @@ -137,10 +137,12 @@ def main(): help='Provide a string such as \'{"Version": "2012-10-17","Statement": {"Effect": "Allow","Action": ["s3:GetObject", "s3:PutBucketPolicy"],"Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2/*"]}}\'', type=str, ) - parser.add_argument('--file', - help="Provide a policy via stdin (e.g. through piping) or --file", - type=argparse.FileType('r'), - default=sys.stdin) + parser.add_argument( + "--file", + help="Provide a policy via stdin (e.g. through piping) or --file", + type=argparse.FileType("r"), + default=sys.stdin, + ) parser.add_argument( "--directory", help="Provide a path to directory with policy files", type=str ) @@ -236,9 +238,7 @@ def main(): with open(file_path) as f: contents = f.read() policy_file_json = jsoncfg.loads_config(contents) - policy_string = json.dumps( - policy_file_json.PolicyVersion.Document() - ) + policy_string = json.dumps(policy_file_json.PolicyVersion.Document()) policy = analyze_policy_string( policy_string, file_path, @@ -271,7 +271,8 @@ def main(): if not version.IsDefaultVersion(): continue policy = analyze_policy_string( - json.dumps(version.Document()), policy.Arn(), + json.dumps(version.Document()), + policy.Arn(), ) findings.extend(policy.findings) @@ -279,7 +280,7 @@ def main(): for user in auth_details_json.UserDetailList: for policy in user.UserPolicyList([]): policy = analyze_policy_string( - json.dumps(policy['PolicyDocument']), + json.dumps(policy["PolicyDocument"]), user.Arn(), private_auditors_custom_path=args.private_auditors, include_community_auditors=args.include_community_auditors, @@ -289,7 +290,7 @@ def main(): for role in auth_details_json.RoleDetailList: for policy in role.RolePolicyList([]): policy = analyze_policy_string( - json.dumps(policy['PolicyDocument']), + json.dumps(policy["PolicyDocument"]), role.Arn(), private_auditors_custom_path=args.private_auditors, include_community_auditors=args.include_community_auditors, @@ -299,7 +300,7 @@ def main(): for group in auth_details_json.GroupDetailList: for policy in group.GroupPolicyList([]): policy = analyze_policy_string( - json.dumps(policy['PolicyDocument']), + json.dumps(policy["PolicyDocument"]), group.Arn(), private_auditors_custom_path=args.private_auditors, include_community_auditors=args.include_community_auditors, diff --git a/parliament/community_auditors/single_value_condition_too_permissive.py b/parliament/community_auditors/single_value_condition_too_permissive.py index fdc9274..5288ae3 100644 --- a/parliament/community_auditors/single_value_condition_too_permissive.py +++ b/parliament/community_auditors/single_value_condition_too_permissive.py @@ -7,6 +7,7 @@ from parliament import Policy from parliament.misc import make_list + def audit(policy: Policy) -> None: global_single_valued_condition_keys = [ "aws:CalledViaFirst", @@ -52,9 +53,12 @@ def audit(policy: Policy) -> None: operator = condition[0] condition_block = condition[1] if re.match(r"^For(All|Any)Values:", operator): - keys = list(k for k,_v in condition_block) - if any(any(re.match(k, key) for k in global_single_valued_condition_keys) for key in keys): + keys = list(k for k, _v in condition_block) + if any( + any(re.match(k, key) for k in global_single_valued_condition_keys) + for key in keys + ): policy.add_finding( "SINGLE_VALUE_CONDITION_TOO_PERMISSIVE", - detail='Checking a single value conditional key against a set of values results in overly permissive policies.', + detail="Checking a single value conditional key against a set of values results in overly permissive policies.", ) diff --git a/parliament/community_auditors/tests/test_advanced_policy_elements.py b/parliament/community_auditors/tests/test_advanced_policy_elements.py index 1fefc35..5072f18 100644 --- a/parliament/community_auditors/tests/test_advanced_policy_elements.py +++ b/parliament/community_auditors/tests/test_advanced_policy_elements.py @@ -1,13 +1,9 @@ -import unittest - -from nose.tools import assert_equal - from parliament import analyze_policy_string S3_STAR_FINDINGS = {"PERMISSIONS_MANAGEMENT_ACTIONS", "RESOURCE_MISMATCH"} -class TestAdvancedPolicyElements(unittest.TestCase): +class TestAdvancedPolicyElements: def test_notresource_allow(self): # NotResource is OK with Effect: Deny. This denies access to # all S3 buckets except Payroll buckets. This example is taken from diff --git a/parliament/community_auditors/tests/test_credentials_exposure.py b/parliament/community_auditors/tests/test_credentials_exposure.py index 1078f69..80a84e8 100644 --- a/parliament/community_auditors/tests/test_credentials_exposure.py +++ b/parliament/community_auditors/tests/test_credentials_exposure.py @@ -1,12 +1,7 @@ -import unittest - -from nose.tools import assert_equal - -# import parliament from parliament import analyze_policy_string -class TestCredentialsManagement(unittest.TestCase): +class TestCredentialsManagement: """Test class for Credentials Management auditor""" def test_credentials_management(self): diff --git a/parliament/community_auditors/tests/test_permissions_management.py b/parliament/community_auditors/tests/test_permissions_management.py index 3908024..7d34132 100644 --- a/parliament/community_auditors/tests/test_permissions_management.py +++ b/parliament/community_auditors/tests/test_permissions_management.py @@ -1,12 +1,7 @@ -import unittest - -from nose.tools import assert_equal - -# import parliament from parliament import analyze_policy_string -class TestPermissionsManagement(unittest.TestCase): +class TestPermissionsManagement: """Test class for Permissions Management auditor""" def test_permissions_management(self): diff --git a/parliament/community_auditors/tests/test_privilege_escalation.py b/parliament/community_auditors/tests/test_privilege_escalation.py index 7447dda..cb57ac7 100644 --- a/parliament/community_auditors/tests/test_privilege_escalation.py +++ b/parliament/community_auditors/tests/test_privilege_escalation.py @@ -1,12 +1,7 @@ -import unittest - -from nose.tools import assert_equal - -# import parliament from parliament import analyze_policy_string -class TestPrivilegeEscalation(unittest.TestCase): +class TestPrivilegeEscalation: """Test class for Privilege Escalation auditor""" def test_privilege_escalation(self): diff --git a/parliament/community_auditors/tests/test_sensitive_access.py b/parliament/community_auditors/tests/test_sensitive_access.py index 58275cf..163f53b 100644 --- a/parliament/community_auditors/tests/test_sensitive_access.py +++ b/parliament/community_auditors/tests/test_sensitive_access.py @@ -1,11 +1,7 @@ -import unittest - -from nose.tools import assert_equal - from parliament import analyze_policy_string -class TestSensitiveAccess(unittest.TestCase): +class TestSensitiveAccess: """Test class for Sensitive access auditor""" def test_sensitive_access(self): diff --git a/parliament/community_auditors/tests/test_single_value_condition_too_permissive.py b/parliament/community_auditors/tests/test_single_value_condition_too_permissive.py index ac62e6a..c71d67a 100644 --- a/parliament/community_auditors/tests/test_single_value_condition_too_permissive.py +++ b/parliament/community_auditors/tests/test_single_value_condition_too_permissive.py @@ -1,12 +1,9 @@ -import unittest - -from nose.tools import assert_equal - from parliament import analyze_policy_string -class TestSensitiveAccess(unittest.TestCase): +class TestSensitiveAccess: """Test class for single value condition too permissive auditor""" + example_policy_string = """ { "Version": "2012-10-17", diff --git a/parliament/finding.py b/parliament/finding.py index 1045a5e..5920e4f 100644 --- a/parliament/finding.py +++ b/parliament/finding.py @@ -1,5 +1,5 @@ class Finding: - """ Class for storing findings """ + """Class for storing findings""" issue = "" detail = "" @@ -15,5 +15,5 @@ def __init__(self, issue, detail, location): self.location = location def __repr__(self): - """ Return a string for printing """ + """Return a string for printing""" return "{} - {} - {}".format(self.issue, self.detail, self.location) diff --git a/parliament/policy.py b/parliament/policy.py index b8fa833..b638586 100644 --- a/parliament/policy.py +++ b/parliament/policy.py @@ -130,7 +130,7 @@ def get_allowed_resources(self, privilege_prefix, privilege_name): def __is_allowed(stmts): """ Given statements that are all relevant to the same resource and privilege, - (meaning each statement must have an explicit allow or deny on the privilege) + (meaning each statement must have an explicit allow or deny on the privilege) determine if it is allowed, which means no Deny effects. """ has_allow = False @@ -303,14 +303,16 @@ def analyze( private_auditors = {} - for path in glob(f'{private_auditors_directory_path}/*.py'): - if path.endswith('__init__.py'): + for path in glob(f"{private_auditors_directory_path}/*.py"): + if path.endswith("__init__.py"): continue - package_name = 'private_auditors' + package_name = "private_auditors" module_name = Path(path).stem - module_spec = importlib.util.spec_from_file_location(f'{package_name}.{module_name}', path) + module_spec = importlib.util.spec_from_file_location( + f"{package_name}.{module_name}", path + ) module = importlib.util.module_from_spec(module_spec) module_spec.loader.exec_module(module) diff --git a/parliament/statement.py b/parliament/statement.py index 3f95e62..560cfd3 100644 --- a/parliament/statement.py +++ b/parliament/statement.py @@ -14,7 +14,7 @@ def is_condition_key_match(document_key, str): - """ Given a documented condition key and one from a policy, determine if they match + """Given a documented condition key and one from a policy, determine if they match Examples: - s3:prefix and s3:prefix obviously match - s3:ExistingObjectTag/ and s3:ExistingObjectTag/backup match @@ -201,7 +201,7 @@ def is_value_in_correct_format_for_type(type_needed, values): Given a documented type needed such as "Arn", return True if all values match. For example, if you have a condition of: - "Condition": {"DateGreaterThan" :{"aws:CurrentTime" : "2019-07-16T12:00:00Z"}} + "Condition": {"DateGreaterThan" :{"aws:CurrentTime" : "2019-07-16T12:00:00Z"}} Then this function would end up being called with: - type_needed: Date @@ -339,7 +339,7 @@ def get_resources_for_privilege(self, privilege_prefix, privilege_name): ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"] and the privilege given is 's3:PutBucketPolicy' this should return ["arn:aws:s3:::bucket"], as the other resource is only applicable to object related privileges. - + If the privilege given is 's3:ListAllMyBuckets' this should return None, as that privilege does not apply to these resources. """ @@ -440,7 +440,9 @@ def _check_principal(self, principal_element): for aws_principal in make_list(json_object[1]): text = aws_principal.value account_id_regex = re.compile("^\d{12}$") - arn_regex = re.compile("^arn:[-a-z\*]*:iam::(\d{12}|cloudfront|):.*$") + arn_regex = re.compile( + "^arn:[-a-z\*]*:iam::(\d{12}|cloudfront|):.*$" + ) if text == "*": pass @@ -526,14 +528,20 @@ def _check_condition(self, operator, condition_block, expanded_actions): # Check for known bad pattern if operator.lower() == "bool": - if key.lower() == "aws:MultiFactorAuthPresent".lower() and "false" in values: + if ( + key.lower() == "aws:MultiFactorAuthPresent".lower() + and "false" in values + ): self.add_finding( "BAD_PATTERN_FOR_MFA", detail='The condition {"Bool": {"aws:MultiFactorAuthPresent":"false"}} is bad because aws:MultiFactorAuthPresent may not exist so it does not enforce MFA. You likely want to use a Deny with BoolIfExists.', location=condition_block, ) elif operator.lower() == "null": - if key.lower == "aws:MultiFactorAuthPresent".lower() and "false" in values: + if ( + key.lower == "aws:MultiFactorAuthPresent".lower() + and "false" in values + ): self.add_finding( "BAD_PATTERN_FOR_MFA", detail='The condition {"Null": {"aws:MultiFactorAuthPresent":"false"}} is bad because aws:MultiFactorAuthPresent it does not enforce MFA, and only checks if the value exists. You likely want to use an Allow with {"Bool": {"aws:MultiFactorAuthPresent":"true"}}.', @@ -552,9 +560,7 @@ def _check_condition(self, operator, condition_block, expanded_actions): if condition_type: # This is a global key, like aws:CurrentTime # Check if the values match the type (ex. must all be Date values) - if not is_value_in_correct_format_for_type( - condition_type, values - ): + if not is_value_in_correct_format_for_type(condition_type, values): self.add_finding( "MISMATCHED_TYPE", detail="Type mismatch: {} requires a value of type {} but given {}".format( @@ -598,9 +604,7 @@ def _check_condition(self, operator, condition_block, expanded_actions): ) ) - if not is_value_in_correct_format_for_type( - condition_type, values - ): + if not is_value_in_correct_format_for_type(condition_type, values): self.add_finding( "MISMATCHED_TYPE", detail="Type mismatch: {} requires a value of type {} but given {}".format( @@ -831,19 +835,25 @@ def analyze_statement(self): if len(parts) < 6: has_malformed_resource = True self.add_finding( - "INVALID_ARN", detail="Does not have 6 parts", location=resource, + "INVALID_ARN", + detail="Does not have 6 parts", + location=resource, ) continue elif parts[0] != "arn": has_malformed_resource = True self.add_finding( - "INVALID_ARN", detail="Does not start with arn:", location=resource, + "INVALID_ARN", + detail="Does not start with arn:", + location=resource, ) continue elif parts[1] not in ["aws", "aws-cn", "aws-us-gov", "aws-iso", "*", ""]: has_malformed_resource = True self.add_finding( - "INVALID_ARN", detail="Unexpected partition", location=resource, + "INVALID_ARN", + detail="Unexpected partition", + location=resource, ) continue @@ -933,7 +943,9 @@ def analyze_statement(self): self.resource_star[action_key] += 1 match_found = True continue - if is_arn_strictly_valid(resource_type, arn_format, resource.value): + if is_arn_strictly_valid( + resource_type, arn_format, resource.value + ): match_found = True continue @@ -953,7 +965,7 @@ def analyze_statement(self): self.add_finding( "RESOURCE_MISMATCH", detail=actions_without_matching_resources, - location=self.stmt + location=self.stmt, ) # If the Statement is applied to specific wildcarded Resources, diff --git a/requirements.txt b/requirements.txt index 87aa49a..07bc0eb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,18 +1,28 @@ -beautifulsoup4==4.8.2 -boto3==1.11.9 -botocore==1.14.9 -certifi==2019.11.28 -chardet==3.0.4 -coverage==5.0.3 -docutils==0.15.2 -idna==2.8 -jmespath==0.9.4 -nose==1.3.7 -python-dateutil==2.8.1 -PyYAML==5.4 -requests==2.22.0 -s3transfer==0.3.2 -six==1.14.0 -soupsieve==1.9.5 -urllib3==1.26.5 +attrs==22.1.0 +beautifulsoup4==4.11.1 +boto3==1.24.66 +botocore==1.27.66 +certifi==2022.6.15 +chardet==5.0.0 +charset-normalizer==2.1.1 +coverage==6.4.4 +docutils==0.19 +idna==3.3 +iniconfig==1.1.1 +jmespath==1.0.1 json-cfg==0.4.2 +kwonly-args==1.0.10 +packaging==21.3 +pluggy==1.0.0 +py==1.11.0 +pyparsing==3.0.9 +pytest==7.1.3 +pytest-cov==3.0.0 +python-dateutil==2.8.2 +PyYAML==6.0 +requests==2.28.1 +s3transfer==0.6.0 +six==1.16.0 +soupsieve==2.3.2.post1 +tomli==2.0.1 +urllib3==1.26.12 diff --git a/tests/__init__.py b/tests/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tests/scripts/unit_tests.sh b/tests/scripts/unit_tests.sh index 5b99153..75eea5c 100755 --- a/tests/scripts/unit_tests.sh +++ b/tests/scripts/unit_tests.sh @@ -13,10 +13,4 @@ if [ -d parliament/community_auditors/tests/ ]; then export COMMUNITY_TESTS="parliament/community_auditors/tests/" fi -python3 -m "nose" tests/unit $PRIVATE_TESTS $COMMUNITY_TESTS \ ---with-coverage \ ---cover-package=parliament \ ---cover-html \ ---cover-min-percentage=75 \ ---cover-html-dir=htmlcov - +pytest tests/unit --cov-report html --cov --cov-config=.coveragerc diff --git a/tests/unit/__init__.py b/tests/unit/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tests/unit/test_action_expansion.py b/tests/unit/test_action_expansion.py index 5bf4720..c5cb0c3 100644 --- a/tests/unit/test_action_expansion.py +++ b/tests/unit/test_action_expansion.py @@ -1,54 +1,50 @@ -import unittest -from nose.tools import ( - raises, - assert_equal, - assert_true, - assert_false, - assert_count_equal, -) +import parliament from parliament import UnknownPrefixException, UnknownActionException from parliament.statement import expand_action -class TestActionExpansion(unittest.TestCase): +class TestActionExpansion: """Test class for expand_action function""" def test_expand_action_no_expansion(self): expanded_actions = expand_action("s3:listallmybuckets") - assert_count_equal( - expanded_actions, [{"service": "s3", "action": "ListAllMyBuckets"}] + assert ( + len(expanded_actions), + len([{"service": "s3", "action": "ListAllMyBuckets"}]), ) def test_expand_action_with_expansion(self): expanded_actions = expand_action("s3:listallmybucke*") - assert_count_equal( - expanded_actions, [{"service": "s3", "action": "ListAllMyBuckets"}] + assert ( + len(expanded_actions), + len([{"service": "s3", "action": "ListAllMyBuckets"}]), ) def test_expand_action_with_casing(self): expanded_actions = expand_action("iAm:li*sTuS*rs") - assert_count_equal( - expanded_actions, [{"service": "iam", "action": "ListUsers"}] - ) + assert (len(expanded_actions), len([{"service": "iam", "action": "ListUsers"}])) def test_expand_action_with_expansion_for_prefix_used_multiple_times(self): expanded_actions = expand_action("ses:Describe*") - assert_count_equal( - expanded_actions, - [ - {"service": "ses", "action": "DescribeActiveReceiptRuleSet"}, - {"service": "ses", "action": "DescribeConfigurationSet"}, - {"service": "ses", "action": "DescribeReceiptRule"}, - {"service": "ses", "action": "DescribeReceiptRuleSet"}, - ], + assert ( + len(expanded_actions), + len( + [ + {"service": "ses", "action": "DescribeActiveReceiptRuleSet"}, + {"service": "ses", "action": "DescribeConfigurationSet"}, + {"service": "ses", "action": "DescribeReceiptRule"}, + {"service": "ses", "action": "DescribeReceiptRuleSet"}, + ] + ), ) def test_expand_action_with_permission_only_action(self): # There are 17 privileges list as "logs.CreateLogDelivery [permission only]" expanded_actions = expand_action("logs:GetLogDelivery") - assert_count_equal( - expanded_actions, [{"service": "logs", "action": "GetLogDelivery"}] + assert ( + len(expanded_actions), + len([{"service": "logs", "action": "GetLogDelivery"}]), ) def test_exception_malformed(self): @@ -80,8 +76,8 @@ def test_exception_bad_expansion(self): assert True def test_expand_all(self): - assert_true(len(expand_action("*")) > 5000) - assert_true(len(expand_action("*:*")) > 5000) + assert len(expand_action("*")) > 5000 + assert len(expand_action("*:*")) > 5000 def test_expand_iq(self): expand_action("iq:*") diff --git a/tests/unit/test_authorization_file.py b/tests/unit/test_authorization_file.py index 49b559c..149fb38 100644 --- a/tests/unit/test_authorization_file.py +++ b/tests/unit/test_authorization_file.py @@ -1,10 +1,9 @@ -import unittest import jsoncfg import json from parliament import analyze_policy_string -class TestAuthDetailsFile(unittest.TestCase): +class TestAuthDetailsFile: def test_auth_details_example(self): auth_details_json = { "UserDetailList": [ @@ -184,7 +183,8 @@ def test_auth_details_example(self): continue print(version["Document"]) policy = analyze_policy_string( - json.dumps(version["Document"]), policy["Arn"], + json.dumps(version["Document"]), + policy["Arn"], ) findings.extend(policy.findings) @@ -215,4 +215,4 @@ def test_auth_details_example(self): findings.extend(policy.findings) self.maxDiff = None - self.assertTrue("RESOURCE_POLICY_PRIVILEGE_ESCALATION" in str(findings)) + assert "RESOURCE_POLICY_PRIVILEGE_ESCALATION" in str(findings) diff --git a/tests/unit/test_community_auditors.py b/tests/unit/test_community_auditors.py index 5718f18..3f081ea 100644 --- a/tests/unit/test_community_auditors.py +++ b/tests/unit/test_community_auditors.py @@ -1,9 +1,7 @@ -import unittest -from nose.tools import raises, assert_equal, assert_true, assert_false from parliament import analyze_policy_string -class TestCommunityAuditors(unittest.TestCase): +class TestCommunityAuditors: """Test class for importing/enabling/disabling community auditors properly""" def test_analyze_policy_string_enable_community(self): @@ -32,9 +30,9 @@ def test_analyze_policy_string_enable_community(self): We are just not including the full results here because the Permissions management actions might expand as AWS expands their API. We don't want to have to update the unit tests every time that happens. """ - assert_equal( - policy.finding_ids, - set( + assert ( + policy.finding_ids + == set( [ "RESOURCE_STAR", "CREDENTIALS_EXPOSURE", @@ -63,4 +61,4 @@ def test_analyze_policy_string_disable_community(self): example_policy_with_wildcards, include_community_auditors=False ) - assert_equal(policy.finding_ids, set(["RESOURCE_STAR"])) + assert policy.finding_ids == set(["RESOURCE_STAR"]) diff --git a/tests/unit/test_formatting.py b/tests/unit/test_formatting.py index 4360ad9..7f508ba 100644 --- a/tests/unit/test_formatting.py +++ b/tests/unit/test_formatting.py @@ -1,17 +1,12 @@ -import unittest -from nose.tools import raises, assert_equal, assert_true, assert_false - from parliament import analyze_policy_string -class TestFormatting(unittest.TestCase): +class TestFormatting: """Test class for formatting""" def test_analyze_policy_string_not_json(self): policy = analyze_policy_string("not json") - assert_equal( - policy.finding_ids, set(["MALFORMED_JSON"]), "Policy is not valid json" - ) + assert policy.finding_ids == set(["MALFORMED_JSON"]), "Policy is not valid json" def test_analyze_policy_string_opposites(self): # Policy contains Action and NotAction @@ -25,11 +20,9 @@ def test_analyze_policy_string_opposites(self): "Resource": "*"}}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["MALFORMED"]), - "Policy contains Action and NotAction", - ) + assert policy.finding_ids == set( + ["MALFORMED"] + ), "Policy contains Action and NotAction" def test_analyze_policy_string_no_action(self): policy = analyze_policy_string( @@ -40,16 +33,14 @@ def test_analyze_policy_string_no_action(self): "Resource": "*"}}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["MALFORMED"]), "Policy does not have an Action" - ) + assert policy.finding_ids == set(["MALFORMED"]) def test_analyze_policy_string_no_statement(self): policy = analyze_policy_string( """{ "Version": "2012-10-17" }""" ) - assert_equal(policy.finding_ids, set(["MALFORMED"]), "Policy has no Statement") + assert policy.finding_ids == set(["MALFORMED"]), "Policy has no Statement" def test_analyze_policy_string_invalid_sid(self): policy = analyze_policy_string( @@ -62,9 +53,9 @@ def test_analyze_policy_string_invalid_sid(self): "Resource": "*"}}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["INVALID_SID"]), "Policy statement has invalid Sid" - ) + assert policy.finding_ids == set( + ["INVALID_SID"] + ), "Policy statement has invalid Sid" def test_analyze_policy_string_correct_simple(self): policy = analyze_policy_string( @@ -76,9 +67,7 @@ def test_analyze_policy_string_correct_simple(self): "Resource": "*"}}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), - ) + assert policy.finding_ids == set() def test_analyze_policy_string_correct_multiple_statements_and_actions(self): policy = analyze_policy_string( @@ -94,9 +83,7 @@ def test_analyze_policy_string_correct_multiple_statements_and_actions(self): "Resource": "*"}]}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), - ) + assert policy.finding_ids == set() def test_analyze_policy_string_multiple_statements_one_bad(self): policy = analyze_policy_string( @@ -112,11 +99,9 @@ def test_analyze_policy_string_multiple_statements_one_bad(self): "Resource": "*"}]}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["UNKNOWN_ACTION"]), - "Policy with multiple statements has one bad", - ) + assert policy.finding_ids == set( + ["UNKNOWN_ACTION"] + ), "Policy with multiple statements has one bad" def test_condition(self): policy = analyze_policy_string( @@ -129,7 +114,7 @@ def test_condition(self): "Condition": {"DateGreaterThan" :{"aws:CurrentTime" : "2019-07-16T12:00:00Z"}} }}""", ignore_private_auditors=True, ) - assert_equal(policy.finding_ids, set()) + assert policy.finding_ids == set() def test_condition_bad_key(self): policy = analyze_policy_string( @@ -142,11 +127,9 @@ def test_condition_bad_key(self): "Condition": {"DateGreaterThan" :{"bad" : "2019-07-16T12:00:00Z"}} }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["UNKNOWN_CONDITION_FOR_ACTION"]), - "Policy has bad key in Condition", - ) + assert policy.finding_ids == set( + ["UNKNOWN_CONDITION_FOR_ACTION"] + ), "Policy has bad key in Condition" def test_condition_action_specific(self): policy = analyze_policy_string( @@ -159,7 +142,7 @@ def test_condition_action_specific(self): "Condition": {"StringEquals": {"s3:prefix":["home/${aws:username}/*"]}} }}""", ignore_private_auditors=True, ) - assert_equal(policy.finding_ids, set()) + assert policy.finding_ids == set() # The key s3:x-amz-storage-class is not allowed for ListBucket, # but is for other S3 actions @@ -173,11 +156,9 @@ def test_condition_action_specific(self): "Condition": {"StringEquals": {"s3:x-amz-storage-class":"bad"}} }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["UNKNOWN_CONDITION_FOR_ACTION"]), - "Policy uses key that cannot be used for the action", - ) + assert policy.finding_ids == set( + ["UNKNOWN_CONDITION_FOR_ACTION"] + ), "Policy uses key that cannot be used for the action" def test_condition_action_specific_bad_type(self): # s3:signatureage requires a number @@ -191,11 +172,9 @@ def test_condition_action_specific_bad_type(self): "Condition": {"StringEquals": {"s3:signatureage":"bad"}} }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["MISMATCHED_TYPE"]), - 'Wrong type, "bad" should be a number', - ) + assert policy.finding_ids == set( + ["MISMATCHED_TYPE"] + ), 'Wrong type, "bad" should be a number' def test_condition_multiple(self): # Both good @@ -212,7 +191,7 @@ def test_condition_multiple(self): } }}""", ignore_private_auditors=True, ) - assert_equal(policy.finding_ids, set()) + assert policy.finding_ids == set() # First bad policy = analyze_policy_string( @@ -228,9 +207,7 @@ def test_condition_multiple(self): } }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["MISMATCHED_TYPE"]), "First condition is bad" - ) + assert policy.finding_ids == set(["MISMATCHED_TYPE"]), "First condition is bad" # Second bad policy = analyze_policy_string( @@ -246,11 +223,9 @@ def test_condition_multiple(self): } }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["UNKNOWN_CONDITION_FOR_ACTION"]), - "Second condition is bad", - ) + assert policy.finding_ids == set( + ["UNKNOWN_CONDITION_FOR_ACTION"] + ), "Second condition is bad" def test_condition_mismatch(self): policy = analyze_policy_string( @@ -263,11 +238,9 @@ def test_condition_mismatch(self): "Condition": {"StringNotEquals": {"iam:ResourceTag/status":"prod"}} }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["UNKNOWN_CONDITION_FOR_ACTION", "RESOURCE_STAR"]), - "Condition mismatch", - ) + assert policy.finding_ids == set( + ["UNKNOWN_CONDITION_FOR_ACTION", "RESOURCE_STAR"] + ), "Condition mismatch" def test_condition_operator(self): policy = analyze_policy_string( @@ -280,7 +253,7 @@ def test_condition_operator(self): "Condition": {"StringEqualsIfExists": {"s3:prefix":["home/${aws:username}/*"]}} }}""", ignore_private_auditors=True, ) - assert_equal(policy.finding_ids, set()) + assert policy.finding_ids == set() policy = analyze_policy_string( """{ @@ -292,11 +265,9 @@ def test_condition_operator(self): "Condition": {"bad": {"s3:prefix":["home/${aws:username}/*"]}} }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["UNKNOWN_OPERATOR", "MISMATCHED_TYPE"]), - "Unknown operator", - ) + assert policy.finding_ids == set( + ["UNKNOWN_OPERATOR", "MISMATCHED_TYPE"] + ), "Unknown operator" policy = analyze_policy_string( """{ @@ -308,9 +279,7 @@ def test_condition_operator(self): "Condition": {"NumericEquals": {"s3:prefix":["home/${aws:username}/*"]}} }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["MISMATCHED_TYPE"]), "Operator type mismatch" - ) + assert policy.finding_ids == set(["MISMATCHED_TYPE"]), "Operator type mismatch" def test_condition_type_unqoted_bool(self): policy = analyze_policy_string( @@ -323,9 +292,7 @@ def test_condition_type_unqoted_bool(self): "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}} }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["RESOURCE_STAR"]), - ) + assert policy.finding_ids == set(["RESOURCE_STAR"]) def test_condition_with_null(self): policy = analyze_policy_string( @@ -345,9 +312,7 @@ def test_condition_with_null(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), - ) + assert policy.finding_ids == set() def test_condition_with_MultiFactorAuthAge(self): policy = analyze_policy_string( @@ -366,9 +331,7 @@ def test_condition_with_MultiFactorAuthAge(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), - ) + assert policy.finding_ids == set() def test_redshift_GetClusterCredentials(self): policy = analyze_policy_string( @@ -387,9 +350,7 @@ def test_redshift_GetClusterCredentials(self): ) # This privilege has a required format of arn:*:redshift:*:*:dbuser:*/* - assert_equal( - policy.finding_ids, set(), - ) + assert policy.finding_ids == set() def test_lambda_AddLayerVersionPermission(self): policy = analyze_policy_string( @@ -409,9 +370,7 @@ def test_lambda_AddLayerVersionPermission(self): ) # This privilege has a required format of arn:*:redshift:*:*:dbuser:*/* - assert_equal( - policy.finding_ids, set(), - ) + assert policy.finding_ids == set() def test_lambda_TerminateInstances(self): policy = analyze_policy_string( @@ -436,9 +395,7 @@ def test_lambda_TerminateInstances(self): ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["RESOURCE_STAR"]), - ) + assert policy.finding_ids == set(["RESOURCE_STAR"]) def test_priv_that_requires_star_resource(self): policy = analyze_policy_string( @@ -461,9 +418,7 @@ def test_priv_that_requires_star_resource(self): # guardduty:ListDetectors has no required resources, so it can have "*". # This should not create a RESOURCE_STAR finding - assert_equal( - policy.finding_ids, set(), - ) + assert policy.finding_ids == set() def test_condition_operator_values(self): policy = analyze_policy_string( @@ -487,10 +442,10 @@ def test_condition_operator_values(self): ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["RESOURCE_STAR", "MISMATCHED_TYPE_BUT_USABLE"]), + assert policy.finding_ids == set( + ["RESOURCE_STAR", "MISMATCHED_TYPE_BUT_USABLE"] ) - + def test_duplicate_sids(self): policy = analyze_policy_string( """{ @@ -518,9 +473,7 @@ def test_duplicate_sids(self): ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(["DUPLICATE_SID"]), - ) + assert policy.finding_ids == set(["DUPLICATE_SID"]) def test_analyze_policy_string_MFA_formatting(self): policy = analyze_policy_string( @@ -537,4 +490,4 @@ def test_analyze_policy_string_MFA_formatting(self): } }""" ) - assert_equal(policy.finding_ids, set([]), "Policy is valid") + assert policy.finding_ids == set([]), "Policy is valid" diff --git a/tests/unit/test_get_resources_for_privilege.py b/tests/unit/test_get_resources_for_privilege.py index cc02b35..543b118 100644 --- a/tests/unit/test_get_resources_for_privilege.py +++ b/tests/unit/test_get_resources_for_privilege.py @@ -1,10 +1,7 @@ -import unittest -from nose.tools import raises, assert_equal, assert_not_equal, assert_true, assert_false - from parliament import analyze_policy_string -class TestGetResourcesForPrivilege(unittest.TestCase): +class TestGetResourcesForPrivilege: """Test class for get_resources_for_privilege""" def test_policy_simple(self): @@ -21,15 +18,15 @@ def test_policy_simple(self): }""" ) - assert_equal( - set(policy.statements[0].get_resources_for_privilege("s3", "GetObject")), - set(["arn:aws:s3:::examplebucket/*"]), + assert ( + set(policy.statements[0].get_resources_for_privilege("s3", "GetObject")) + == set(["arn:aws:s3:::examplebucket/*"]), "s3:GetObject matches the object resource", ) - assert_equal( - set(policy.statements[0].get_resources_for_privilege("s3", "PutObject")), - set([]), + assert ( + set(policy.statements[0].get_resources_for_privilege("s3", "PutObject")) + == set([]), "s3:PutObject not in policy", ) @@ -47,9 +44,9 @@ def test_policy_multiple_resources(self): }""" ) - assert_equal( - set(policy.statements[0].get_resources_for_privilege("s3", "GetObject")), - set(["arn:aws:s3:::examplebucket/*"]), + assert ( + set(policy.statements[0].get_resources_for_privilege("s3", "GetObject")) + == set(["arn:aws:s3:::examplebucket/*"]), "s3:GetObject matches the object resource", ) @@ -57,12 +54,12 @@ def test_policy_multiple_resources(self): # "arn:*:s3:::*" so it doesn't care whether or not there is a slash # assert_equal(set(policy.statements[0].get_resources_for_privilege("s3", "PutBucketPolicy")), set(["arn:aws:s3:::examplebucket"]), "s3:PutBucketPolicy matches the bucket resource") - assert_equal( + assert ( set( policy.statements[0].get_resources_for_privilege( "s3", "ListAllMyBuckets" ) - ), - set([]), + ) + == set([]), "s3:ListAllMyBuckets matches none of the resources", ) diff --git a/tests/unit/test_patterns.py b/tests/unit/test_patterns.py index c3ec071..83f65da 100644 --- a/tests/unit/test_patterns.py +++ b/tests/unit/test_patterns.py @@ -1,10 +1,7 @@ -import unittest -from nose.tools import raises, assert_equal, assert_true, assert_false - from parliament import analyze_policy_string -class TestPatterns(unittest.TestCase): +class TestPatterns: """Test class for bad patterns""" def test_bad_mfa_condition(self): @@ -19,11 +16,9 @@ def test_bad_mfa_condition(self): }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["BAD_PATTERN_FOR_MFA"]), - "Policy contains bad MFA check", - ) + assert policy.finding_ids == set( + ["BAD_PATTERN_FOR_MFA"] + ), "Policy contains bad MFA check" def test_resource_policy_privilege_escalation(self): # This policy is actually granting essentially s3:* due to the ability to put a policy on a bucket @@ -37,11 +32,9 @@ def test_resource_policy_privilege_escalation(self): }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["RESOURCE_POLICY_PRIVILEGE_ESCALATION", "RESOURCE_STAR"]), - "Resource policy privilege escalation", - ) + assert policy.finding_ids == set( + ["RESOURCE_POLICY_PRIVILEGE_ESCALATION", "RESOURCE_STAR"] + ), "Resource policy privilege escalation" policy = analyze_policy_string( """{ @@ -76,11 +69,9 @@ def test_resource_policy_privilege_escalation(self): ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["RESOURCE_POLICY_PRIVILEGE_ESCALATION", "RESOURCE_STAR"]), - "Resource policy privilege escalation across two statement", - ) + assert policy.finding_ids == set( + ["RESOURCE_POLICY_PRIVILEGE_ESCALATION", "RESOURCE_STAR"] + ), "Resource policy privilege escalation across two statement" def test_resource_effectively_star(self): policy = analyze_policy_string( @@ -102,11 +93,9 @@ def test_resource_effectively_star(self): }""" ) - assert_equal( - policy.finding_ids, - set(["RESOURCE_EFFECTIVELY_STAR"]), - "Resource policy spans all Cloudtrails even without an asterisk.", - ) + assert policy.finding_ids == set( + ["RESOURCE_EFFECTIVELY_STAR"] + ), "Resource policy spans all Cloudtrails even without an asterisk." policy = analyze_policy_string( """{ @@ -127,11 +116,9 @@ def test_resource_effectively_star(self): }""" ) - assert_equal( - policy.finding_ids, - set(), - "Resource policy is scoped by AWS partition, account and region and is therefore not 'STAR'.", - ) + assert ( + policy.finding_ids == set() + ), "Resource policy is scoped by AWS partition, account and region and is therefore not 'STAR'." def test_resource_policy_privilege_escalation_with_deny(self): # This test ensures if we have an allow on a specific resource, but a Deny on *, @@ -153,11 +140,9 @@ def test_resource_policy_privilege_escalation_with_deny(self): ]}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(), - "Resource policy privilege escalation does not exist because all our denied", - ) + assert ( + policy.finding_ids == set() + ), "Resource policy privilege escalation does not exist because all our denied" def test_resource_policy_privilege_escalation_at_bucket_level(self): policy = analyze_policy_string( @@ -170,11 +155,9 @@ def test_resource_policy_privilege_escalation_at_bucket_level(self): }}""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(["RESOURCE_POLICY_PRIVILEGE_ESCALATION"]), - "Resource policy privilege escalation", - ) + assert policy.finding_ids == set( + ["RESOURCE_POLICY_PRIVILEGE_ESCALATION"] + ), "Resource policy privilege escalation" policy = analyze_policy_string( """{ @@ -192,11 +175,9 @@ def test_resource_policy_privilege_escalation_at_bucket_level(self): ignore_private_auditors=True, ) # There is one finding for "No resources match for s3:ListAllMyBuckets which requires a resource format of *" - assert_equal( - policy.finding_ids, - set(["RESOURCE_MISMATCH"]), - "Buckets do not match so no escalation possible", - ) + assert policy.finding_ids == set( + ["RESOURCE_MISMATCH"] + ), "Buckets do not match so no escalation possible" # # # The following test for detections of various bad patterns, but unfortunately diff --git a/tests/unit/test_principals.py b/tests/unit/test_principals.py index 9a6fda1..c897f67 100644 --- a/tests/unit/test_principals.py +++ b/tests/unit/test_principals.py @@ -1,10 +1,7 @@ -import unittest -from nose.tools import raises, assert_equal, assert_true, assert_false - from parliament import analyze_policy_string -class TestPrincipals(unittest.TestCase): +class TestPrincipals: """Test class for principals""" def test_policy_with_principal(self): @@ -24,9 +21,7 @@ def test_policy_with_principal(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), "Basic S3 bucket policy", - ) + assert policy.finding_ids == set(), "Basic S3 bucket policy" policy = analyze_policy_string( """{ @@ -42,11 +37,9 @@ def test_policy_with_principal(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(), - "S3 bucket policy with two accounts granted access via account ARN", - ) + assert ( + policy.finding_ids == set() + ), "S3 bucket policy with two accounts granted access via account ARN" policy = analyze_policy_string( """{ @@ -62,11 +55,9 @@ def test_policy_with_principal(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, - set(), - "S3 bucket policy with one account granted access via ID", - ) + assert ( + policy.finding_ids == set() + ), "S3 bucket policy with one account granted access via ID" policy = analyze_policy_string( """{ @@ -82,9 +73,7 @@ def test_policy_with_principal(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), "S3 bucket policy with ARN of user", - ) + assert policy.finding_ids == set(), "S3 bucket policy with ARN of user" policy = analyze_policy_string( """{ @@ -100,9 +89,7 @@ def test_policy_with_principal(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), "Federated access", - ) + assert policy.finding_ids == set(), "Federated access" policy = analyze_policy_string( """{ @@ -118,9 +105,9 @@ def test_policy_with_principal(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), "S3 bucket policy with CloudFront OAI access", - ) + assert ( + policy.finding_ids == set() + ), "S3 bucket policy with CloudFront OAI access" def test_bad_principals(self): # Good principal @@ -139,6 +126,4 @@ def test_bad_principals(self): }""", ignore_private_auditors=True, ) - assert_equal( - policy.finding_ids, set(), "Basic S3 bucket policy", - ) + assert policy.finding_ids == set(), "Basic S3 bucket policy" diff --git a/tests/unit/test_privilege_data.py b/tests/unit/test_privilege_data.py index 25863a7..d1cfaab 100644 --- a/tests/unit/test_privilege_data.py +++ b/tests/unit/test_privilege_data.py @@ -1,17 +1,13 @@ -import unittest -from nose.tools import raises, assert_equal, assert_true, assert_false - import parliament -class TestPrivilegData(unittest.TestCase): +class TestPrivilegData: """Test class for the parliament/iam_definition.json file""" def test_minimum_number_of_services(self): - assert_true( - len(parliament.iam_definition) > 220, - "There should be over 220 services in the definition file", - ) + assert ( + len(parliament.iam_definition) > 220 + ), "There should be over 220 services in the definition file" def test_contains_all_elements(self): # Find the ec2 service @@ -20,39 +16,35 @@ def test_contains_all_elements(self): if service["prefix"] == "ec2": ec2_service = service break - assert_true(ec2_service is not None) + assert ec2_service is not None - assert_equal(ec2_service["service_name"], "Amazon EC2") - assert_true( - len(ec2_service["resources"]) > 30, - "There should be over 30 resources in the EC2 service", - ) + assert ec2_service["service_name"] == "Amazon EC2" + assert ( + len(ec2_service["resources"]) > 30 + ), "There should be over 30 resources in the EC2 service" vpc_resource = None for resource in ec2_service["resources"]: if resource["resource"] == "vpc": vpc_resource = resource break - assert_true(vpc_resource is not None) - - assert_true( - "vpc" in vpc_resource["arn"], - "The arn for the vpc resource should contain the string 'vpc'", - ) - assert_true( - len(vpc_resource["condition_keys"]) >= 5, - "There should be at least 5 condition_keys in the vpc resource", - ) - assert_true(len(ec2_service["resources"]) >= 32) + assert vpc_resource is not None + + assert ( + "vpc" in vpc_resource["arn"] + ), "The arn for the vpc resource should contain the string 'vpc'" + assert ( + len(vpc_resource["condition_keys"]) >= 5 + ), "There should be at least 5 condition_keys in the vpc resource" + assert len(ec2_service["resources"]) >= 32 vpc_condition = None for condition in ec2_service["conditions"]: if condition["condition"] == "ec2:Vpc": vpc_condition = condition break - assert_true(vpc_condition is not None) - - assert_true(vpc_condition["type"] == "ARN") - assert_true(len(ec2_service["conditions"]) >= 59) + assert vpc_condition is not None - assert_true(len(ec2_service["privileges"]) >= 363) + assert vpc_condition["type"] == "ARN" + assert len(ec2_service["conditions"]) >= 59 + assert len(ec2_service["privileges"]) >= 363 diff --git a/tests/unit/test_resource_formatting.py b/tests/unit/test_resource_formatting.py index 0b9e7a6..8a4a6f0 100644 --- a/tests/unit/test_resource_formatting.py +++ b/tests/unit/test_resource_formatting.py @@ -1,12 +1,13 @@ -import unittest -from nose.tools import raises, assert_equal, assert_true, assert_false - -# import parliament -from parliament import analyze_policy_string, is_arn_match, is_arn_strictly_valid, is_glob_match +from parliament import ( + analyze_policy_string, + is_arn_match, + is_arn_strictly_valid, + is_glob_match, +) from parliament.statement import is_valid_region, is_valid_account_id -class TestResourceFormatting(unittest.TestCase): +class TestResourceFormatting: """Test class for resource formatting""" def test_resource_bad(self): @@ -19,7 +20,7 @@ def test_resource_bad(self): "Resource": "s3"}}""", ignore_private_auditors=True, ) - assert_equal(len(policy.findings), 1) + assert len(policy.findings) == 1 def test_resource_good(self): policy = analyze_policy_string( @@ -32,188 +33,137 @@ def test_resource_good(self): ignore_private_auditors=True, ) print(policy.findings) - assert_equal(len(policy.findings), 0) + assert len(policy.findings) == 0 def test_is_valid_region(self): - assert_true(is_valid_region(""), "Empty regions are allowed") - assert_true(is_valid_region("us-east-1"), "This region is allowed") - assert_false(is_valid_region("us-east-1f"), "This is an AZ, not a region") - assert_false(is_valid_region("us-east-*"), "No regexes in regions") - assert_false(is_valid_region("us"), "Not a valid region") - assert_false(is_valid_region("us-east-1-f"), "Not a valid region") - assert_true(is_valid_region("us-gov-east-1"), "This is a valid govcloud region") + assert is_valid_region(""), "Empty regions are allowed" + assert is_valid_region("us-east-1"), "This region is allowed" + assert not is_valid_region("us-east-1f"), "This is an AZ, not a region" + assert not is_valid_region("us-east-*"), "No regexes in regions" + assert not is_valid_region("us"), "Not a valid region" + assert not is_valid_region("us-east-1-f"), "Not a valid region" + assert is_valid_region("us-gov-east-1"), "This is a valid govcloud region" def test_is_valid_account_id(self): - assert_true(is_valid_account_id(""), "Empty account id is allowed") - assert_true(is_valid_account_id("000000001234"), "This account id is allowed") - assert_false(is_valid_account_id("abc"), "Account id must have 12 digits") - assert_false( - is_valid_account_id("00000000123?"), "Regex not allowed in account id" - ) + assert is_valid_account_id(""), "Empty account id is allowed" + assert is_valid_account_id("000000001234"), "This account id is allowed" + assert not is_valid_account_id("abc"), "Account id must have 12 digits" + assert not is_valid_account_id( + "00000000123?" + ), "Regex not allowed in account id" def test_arn_match(self): - assert_true(is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*")) - assert_true(is_arn_match("object", "*", "arn:*:s3:::*/*")) - assert_true(is_arn_match("object", "arn:*:s3:::*/*", "*")) - assert_true( - is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*") - ) - assert_true( - is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket") - ) - assert_false( - is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*"), - "Bucket and object types should not match", - ) - assert_false( - is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket"), - "Object and bucket types should not match", - ) - assert_true( - is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2") - ) - assert_true(is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2")) - assert_false( - is_arn_match( - "object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*" - ) - ) - assert_false( - is_arn_match( - "object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*" - ) - ) - assert_true( - is_arn_match( - "cloudfront", - "arn:aws:logs:*:*:/aws/cloudfront/*", - "arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test" - ) - ) - assert_true( - is_arn_match( - "bucket", "arn:*:s3:::*", "arn:aws:s3:::bucket-for-client-${aws:PrincipalTag/Namespace}-*" - ) + assert is_arn_match("object", "arn:*:s3:::*/*", "arn:*:s3:::*/*") + assert is_arn_match("object", "*", "arn:*:s3:::*/*") + assert is_arn_match("object", "arn:*:s3:::*/*", "*") + assert is_arn_match("object", "arn:*:s3:::*/*", "arn:aws:s3:::*personalize*") + assert is_arn_match("bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket") + assert not is_arn_match( + "bucket", "arn:*:s3:::mybucket", "arn:*:s3:::mybucket/*" + ), "Bucket and object types should not match" + assert not is_arn_match( + "object", "arn:*:s3:::*/*", "arn:aws:s3:::examplebucket" + ), "Object and bucket types should not match" + assert is_arn_match("bucket", "arn:*:s3:::mybucket*", "arn:*:s3:::mybucket2") + assert is_arn_match("bucket", "arn:*:s3:::*", "arn:*:s3:::mybucket2") + assert not is_arn_match( + "object", "arn:*:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*" + ) + assert not is_arn_match( + "object", "arn:aws:s3:::*/*", "arn:aws:logs:*:*:/aws/cloudfront/*" + ) + assert is_arn_match( + "cloudfront", + "arn:aws:logs:*:*:/aws/cloudfront/*", + "arn:aws:logs:us-east-1:000000000000:/aws/cloudfront/test", + ) + assert is_arn_match( + "bucket", + "arn:*:s3:::*", + "arn:aws:s3:::bucket-for-client-${aws:PrincipalTag/Namespace}-*", ) def test_is_arn_strictly_valid(self): - assert_true( - is_arn_strictly_valid( - "user", "arn:*:iam::*:user/*", "arn:aws:iam::123456789012:user/Development/product_1234/*" - ) + assert is_arn_strictly_valid( + "user", + "arn:*:iam::*:user/*", + "arn:aws:iam::123456789012:user/Development/product_1234/*", ) - assert_true( - is_arn_strictly_valid( - "user", "arn:*:iam::*:user/*", "arn:aws:iam::123456789012:*" - ) + assert is_arn_strictly_valid( + "user", "arn:*:iam::*:user/*", "arn:aws:iam::123456789012:*" ) - assert_true( - is_arn_strictly_valid( - "ssm", "arn:*:ssm::*:resource-data-sync/*", "arn:aws:ssm::123456789012:resource-data-sync/*" - ) + assert is_arn_strictly_valid( + "ssm", + "arn:*:ssm::*:resource-data-sync/*", + "arn:aws:ssm::123456789012:resource-data-sync/*", ) - assert_false( - is_arn_strictly_valid( - "ssm", "arn:*:ssm::*:resource-data-sync/*", "arn:aws:ssm::123456789012:resource-data-*/*" - ) + assert not is_arn_strictly_valid( + "ssm", + "arn:*:ssm::*:resource-data-sync/*", + "arn:aws:ssm::123456789012:resource-data-*/*", ) - assert_false( - is_arn_strictly_valid( - "user", "arn:*:iam::*:user/*", "arn:aws:iam::123456789012:*/*" - ) + assert not is_arn_strictly_valid( + "user", "arn:*:iam::*:user/*", "arn:aws:iam::123456789012:*/*" ) - assert_false( - is_arn_strictly_valid( - "user", "arn:*:iam::*:user/*", "arn:aws:iam::123456789012:u*" - ) + assert not is_arn_strictly_valid( + "user", "arn:*:iam::*:user/*", "arn:aws:iam::123456789012:u*" ) - assert_false( - is_arn_strictly_valid( - "dbuser", "arn:*:redshift:*:*:dbuser:*/*", "arn:aws:redshift:us-west-2:123456789012:db*:the_cluster/the_user" - ) + assert not is_arn_strictly_valid( + "dbuser", + "arn:*:redshift:*:*:dbuser:*/*", + "arn:aws:redshift:us-west-2:123456789012:db*:the_cluster/the_user", ) - - def test_arn_match_cloudtrail_emptysegments(self): - assert_false( - is_arn_match( - "cloudtrail", - "arn:*:cloudtrail:*:*:trail/*", - "arn:::::trail/my-trail" - ) + assert not is_arn_match( + "cloudtrail", "arn:*:cloudtrail:*:*:trail/*", "arn:::::trail/my-trail" ) def test_arn_match_s3_withregion(self): - assert_false( - is_arn_match( - "object", - "arn:*:s3:::*/*", - "arn:aws:s3:us-east-1::bucket1/*" - ) + assert not is_arn_match( + "object", "arn:*:s3:::*/*", "arn:aws:s3:us-east-1::bucket1/*" ) def test_arn_match_s3_withaccount(self): - assert_false( - is_arn_match( - "object", - "arn:*:s3:::*/*", - "arn:aws:s3::123412341234:bucket1/*" - ) + assert not is_arn_match( + "object", "arn:*:s3:::*/*", "arn:aws:s3::123412341234:bucket1/*" ) def test_arn_match_s3_withregion_account(self): - assert_false( - is_arn_match( - "object", - "arn:*:s3:::*/*", - "arn:aws:s3:us-east-1:123412341234:bucket1/*" - ) + assert not is_arn_match( + "object", "arn:*:s3:::*/*", "arn:aws:s3:us-east-1:123412341234:bucket1/*" ) def test_arn_match_iam_emptysegments(self): - assert_false( - is_arn_match( - "role", - "arn:*:iam::*:role/*", - "arn:aws:iam:::role/my-role" - ) + assert not is_arn_match( + "role", "arn:*:iam::*:role/*", "arn:aws:iam:::role/my-role" ) def test_arn_match_iam_withregion(self): - assert_false( - is_arn_match( - "role", - "arn:*:iam::*:role/*", - "arn:aws:iam:us-east-1::role/my-role" - ) + assert not is_arn_match( + "role", "arn:*:iam::*:role/*", "arn:aws:iam:us-east-1::role/my-role" ) def test_arn_match_apigw_emptysegments(self): - assert_false( - is_arn_match( - "apigateway", - "arn:*:apigateway:*::*", - "arn:aws:apigateway:::/restapis/a123456789/*" - ) + assert not is_arn_match( + "apigateway", + "arn:*:apigateway:*::*", + "arn:aws:apigateway:::/restapis/a123456789/*", ) def test_arn_match_apigw_withaccount(self): - assert_false( - is_arn_match( - "apigateway", - "arn:*:apigateway:*::*", - "arn:aws:apigateway:us-east-1:123412341234:/restapis/a123456789/*" - ) + assert not is_arn_match( + "apigateway", + "arn:*:apigateway:*::*", + "arn:aws:apigateway:us-east-1:123412341234:/restapis/a123456789/*", ) - def test_is_glob_match(self): tests = [ # string1, string2, whether they match @@ -236,7 +186,6 @@ def test_is_glob_match(self): ] for s1, s2, expected in tests: - assert_true( - is_glob_match(s1, s2) == expected, - "Matching {} with {} should return {}".format(s1, s2, expected), - ) + assert ( + is_glob_match(s1, s2) == expected + ), "Matching {} with {} should return {}".format(s1, s2, expected) diff --git a/tests/unit/test_resources.py b/tests/unit/test_resources.py index ce84cca..09d1334 100644 --- a/tests/unit/test_resources.py +++ b/tests/unit/test_resources.py @@ -1,10 +1,7 @@ -import unittest -from nose.tools import assert_equal - from parliament import analyze_policy_string -class TestResources(unittest.TestCase): +class TestResources: """Test class for principals""" def test_resource_with_sub(self): @@ -22,4 +19,4 @@ def test_resource_with_sub(self): ] }""" ) - assert_equal(policy.finding_ids, {"INVALID_ARN"}) + assert policy.finding_ids == {"INVALID_ARN"} diff --git a/utils/update_iam_data.py b/utils/update_iam_data.py index 782cc8b..ce80714 100644 --- a/utils/update_iam_data.py +++ b/utils/update_iam_data.py @@ -29,13 +29,14 @@ def update_html_docs_directory(html_docs_destination): (i.e., this repository, or (2) the config directory :return: """ - link_url_prefix = "https://docs.aws.amazon.com/service-authorization/latest/reference/" + link_url_prefix = ( + "https://docs.aws.amazon.com/service-authorization/latest/reference/" + ) initial_html_filenames_list = ( get_links_from_base_actions_resources_conditions_page() ) # Remove the relative path so we can download it html_filenames = [sub.replace("./", "") for sub in initial_html_filenames_list] - for page in html_filenames: response = requests.get(link_url_prefix + page, allow_redirects=False) @@ -56,7 +57,7 @@ def update_html_docs_directory(html_docs_destination): link.attrs["href"] = link.attrs["href"].replace( temp, f"https://docs.aws.amazon.com{temp}" ) - + for script in soup.find_all("script"): try: if "src" in script.attrs: @@ -107,6 +108,7 @@ def header_matches(string, table): return False return True + # Create the docs directory Path("docs").mkdir(parents=True, exist_ok=True) @@ -115,7 +117,7 @@ def header_matches(string, table): mypath = "./docs/" schema = [] -#for filename in ['list_amazons3.html']: +# for filename in ['list_amazons3.html']: for filename in [f for f in listdir(mypath) if isfile(join(mypath, f))]: if not filename.startswith("list_"): continue @@ -153,7 +155,9 @@ def header_matches(string, table): for table in tables: # There can be 3 tables, the actions table, an ARN table, and a condition key table # Example: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssecuritytokenservice.html - if not header_matches("actions", table) or not header_matches("description", table): + if not header_matches("actions", table) or not header_matches( + "description", table + ): continue rows = table.find_all("tr") @@ -170,7 +174,7 @@ def header_matches(string, table): if len(cells) != 6: # Sometimes the privilege contains Scenarios, and I don't know how to handle this break - #raise Exception("Unexpected format in {}: {}".format(prefix, row)) + # raise Exception("Unexpected format in {}: {}".format(prefix, row)) # See if this cell spans multiple rows rowspan = 1 @@ -244,7 +248,9 @@ def header_matches(string, table): # Get resource table for table in tables: - if not header_matches("resource types", table) or not header_matches("arn", table): + if not header_matches("resource types", table) or not header_matches( + "arn", table + ): continue rows = table.find_all("tr") @@ -274,7 +280,10 @@ def header_matches(string, table): # Get condition keys table for table in tables: - if not (header_matches(" condition keys ", table) and header_matches(" type ", table)): + if not ( + header_matches(" condition keys ", table) + and header_matches(" type ", table) + ): continue rows = table.find_all("tr") From fba751ff5d38c7c33491d10910d9c0536893994c Mon Sep 17 00:00:00 2001 From: Scott Piper Date: Sun, 4 Sep 2022 19:05:25 -0600 Subject: [PATCH 2/6] Updated IAM definition --- parliament/iam_definition.json | 84476 +++++++++++++++++++++---------- 1 file changed, 56869 insertions(+), 27607 deletions(-) diff --git a/parliament/iam_definition.json b/parliament/iam_definition.json index 648880e..2ed623f 100644 --- a/parliament/iam_definition.json +++ b/parliament/iam_definition.json @@ -1327,7 +1327,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "access-analyzer", @@ -1609,7 +1609,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:PassRole" + ], "resource_type": "" } ] @@ -1722,51 +1724,46 @@ { "conditions": [ { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" + "condition": "account:AccountResourceOrgPaths", + "description": "Filters access by the resource path for an account in an organization", + "type": "ArrayOfString" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" + "condition": "account:AccountResourceOrgTags/${TagKey}", + "description": "Filters access by resource tags for an account in an organization", + "type": "ArrayOfString" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "condition": "account:AlternateContactTypes", + "description": "Filters access by alternate contact types", + "type": "ArrayOfString" + }, + { + "condition": "account:TargetRegion", + "description": "Filters access by a list of Regions. Enables or disables all the Regions specified here", "type": "String" } ], - "prefix": "access-analyzer", + "prefix": "account", "privileges": [ { "access_level": "Write", - "description": "Grants permission to apply an archive rule.", - "privilege": "ApplyArchiveRule", + "description": "Grants permission to delete the alternate contacts for an account", + "privilege": "DeleteAlternateContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an analyzer.", - "privilege": "CreateAnalyzer", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "Analyzer*" + "dependent_actions": [], + "resource_type": "accountInOrganization" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "account:AlternateContactTypes" ], "dependent_actions": [], "resource_type": "" @@ -1775,66 +1772,12 @@ }, { "access_level": "Write", - "description": "Grants permission to create an archive rule for the specified analyzer.", - "privilege": "CreateArchiveRule", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ArchiveRule*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified analyzer.", - "privilege": "DeleteAnalyzer", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete archive rules for the specified analyzer.", - "privilege": "DeleteArchiveRule", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ArchiveRule*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about an analyzed resource.", - "privilege": "GetAnalyzedResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about analyzers.", - "privilege": "GetAnalyzer", + "description": "Grants permission to disable use of a Region", + "privilege": "DisableRegion", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "account:TargetRegion" ], "dependent_actions": [], "resource_type": "" @@ -1842,135 +1785,37 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about archive rules for the specified analyzer.", - "privilege": "GetArchiveRule", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ArchiveRule*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve findings.", - "privilege": "GetFinding", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve a list of resources that have been analyzed.", - "privilege": "ListAnalyzedResources", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieves a list of analyzers.", - "privilege": "ListAnalyzers", + "access_level": "Write", + "description": "Grants permission to enable use of a Region", + "privilege": "EnableRegion", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "account:TargetRegion" + ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "List", - "description": "Grants permission to retrieve a list of archive rules from an analyzer.", - "privilege": "ListArchiveRules", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve a list of findings from an analyzer.", - "privilege": "ListFindings", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of tags applied to a resource.", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start a scan of the policies applied to a resource.", - "privilege": "StartResourceScan", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to add a tag to a resource.", - "privilege": "TagResource", + "description": "Grants permission to retrieve the alternate contacts for an account", + "privilege": "GetAlternateContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Analyzer" + "resource_type": "account" }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove a tag from a resource.", - "privilege": "UntagResource", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Analyzer" + "resource_type": "accountInOrganization" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "account:AlternateContactTypes" ], "dependent_actions": [], "resource_type": "" @@ -1978,87 +1823,25 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to modify an archive rule.", - "privilege": "UpdateArchiveRule", + "access_level": "Read", + "description": "Grants permission to retrieve the primary contact information for an account", + "privilege": "GetContactInformation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ArchiveRule*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify findings.", - "privilege": "UpdateFindings", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Analyzer*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${analyzerName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Analyzer" - }, - { - "arn": "arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${analyzerName}/archive-rule/${ruleName}", - "condition_keys": [], - "resource": "ArchiveRule" - } - ], - "service_name": "IAM Access Analyzer" - }, - { - "conditions": [ - { - "condition": "account:TargetRegion", - "description": "Filters access by a list of regions", - "type": "String" - } - ], - "prefix": "account", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to disable a region", - "privilege": "DisableRegion", - "resource_types": [ - { - "condition_keys": [ - "account:TargetRegion" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to enable a region", - "privilege": "EnableRegion", - "resource_types": [ - { - "condition_keys": [ - "account:TargetRegion" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "accountInOrganization" } ] }, { "access_level": "List", - "description": "Grants permission to list regions", + "description": "Grants permission to list the available Regions", "privilege": "ListRegions", "resource_types": [ { @@ -2067,40 +1850,11 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS Accounts" - }, - { - "conditions": [ - { - "condition": "account:AccountResourceOrgPaths", - "description": "Filters access by the resource path for an account in an organization", - "type": "ArrayOfString" }, - { - "condition": "account:AccountResourceOrgTags/${TagKey}", - "description": "Filters access by resource tags for an account in an organization", - "type": "ArrayOfString" - }, - { - "condition": "account:AlternateContactTypes", - "description": "Filters access by alternate contact types", - "type": "ArrayOfString" - }, - { - "condition": "account:TargetRegion", - "description": "Filters access by a list of Regions. Enables or disables all the Regions specified here", - "type": "String" - } - ], - "prefix": "account", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete the alternate contacts for an account", - "privilege": "DeleteAlternateContact", + "description": "Grants permission to modify the alternate contacts for an account", + "privilege": "PutAlternateContact", "resource_types": [ { "condition_keys": [], @@ -2111,70 +1865,20 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "accountInOrganization" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disable use of a Region", - "privilege": "DisableRegion", - "resource_types": [ - { - "condition_keys": [ - "account:TargetRegion" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to enable use of a Region", - "privilege": "EnableRegion", - "resource_types": [ + }, { "condition_keys": [ - "account:TargetRegion" + "account:AlternateContactTypes" ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the alternate contacts for an account", - "privilege": "GetAlternateContact", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "accountInOrganization" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the available Regions", - "privilege": "ListRegions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Write", - "description": "Grants permission to modify the alternate contacts for an account", - "privilege": "PutAlternateContact", + "description": "Grants permission to update the primary contact information for an account", + "privilege": "PutContactInformation", "resource_types": [ { "condition_keys": [], @@ -2217,8 +1921,8 @@ }, { "condition": "aws:TagKeys", - "description": "Filter access by the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "acm", @@ -2446,30 +2150,30 @@ "conditions": [ { "condition": "acm-pca:TemplateArn", - "description": "Filters issue certificate requests based on the presence of TemplateArn in the request.", + "description": "Filters issue certificate requests based on the presence of TemplateArn in the request", "type": "String" }, { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the tags.", + "description": "Filters create requests based on the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", + "description": "Filters actions based on tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", - "type": "String" + "description": "Filters create requests based on the presence of mandatory tags in the request", + "type": "ArrayOfString" } ], "prefix": "acm-pca", "privileges": [ { "access_level": "Write", - "description": "Creates an ACM Private CA and its associated private key and configuration.", + "description": "Grants permission to create an ACM Private CA and its associated private key and configuration", "privilege": "CreateCertificateAuthority", "resource_types": [ { @@ -2484,7 +2188,7 @@ }, { "access_level": "Write", - "description": "Creates an audit report for an ACM Private CA.", + "description": "Grants permission to create an audit report for an ACM Private CA", "privilege": "CreateCertificateAuthorityAuditReport", "resource_types": [ { @@ -2496,7 +2200,7 @@ }, { "access_level": "Permissions management", - "description": "Creates a permission for an ACM Private CA.", + "description": "Grants permission to create a permission for an ACM Private CA", "privilege": "CreatePermission", "resource_types": [ { @@ -2508,7 +2212,7 @@ }, { "access_level": "Write", - "description": "Deletes an ACM Private CA and its associated private key and configuration.", + "description": "Grants permission to delete an ACM Private CA and its associated private key and configuration", "privilege": "DeleteCertificateAuthority", "resource_types": [ { @@ -2520,7 +2224,7 @@ }, { "access_level": "Permissions management", - "description": "Deletes a permission for an ACM Private CA.", + "description": "Grants permission to delete a permission for an ACM Private CA", "privilege": "DeletePermission", "resource_types": [ { @@ -2532,7 +2236,7 @@ }, { "access_level": "Permissions management", - "description": "Deletes the policy for an ACM Private CA.", + "description": "Grants permission to delete the policy for an ACM Private CA", "privilege": "DeletePolicy", "resource_types": [ { @@ -2544,7 +2248,7 @@ }, { "access_level": "Read", - "description": "Returns a list of the configuration and status fields contained in the specified ACM Private CA.", + "description": "Grants permission to return a list of the configuration and status fields contained in the specified ACM Private CA", "privilege": "DescribeCertificateAuthority", "resource_types": [ { @@ -2556,7 +2260,7 @@ }, { "access_level": "Read", - "description": "Returns the status and information about an ACM Private CA audit report.", + "description": "Grants permission to return the status and information about an ACM Private CA audit report", "privilege": "DescribeCertificateAuthorityAuditReport", "resource_types": [ { @@ -2568,7 +2272,7 @@ }, { "access_level": "Read", - "description": "Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN.", + "description": "Grants permission to retrieve an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN", "privilege": "GetCertificate", "resource_types": [ { @@ -2580,7 +2284,7 @@ }, { "access_level": "Read", - "description": "Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN.", + "description": "Grants permission to retrieve an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN", "privilege": "GetCertificateAuthorityCertificate", "resource_types": [ { @@ -2592,7 +2296,7 @@ }, { "access_level": "Read", - "description": "Retrieves an ACM Private CA certificate signing request (CSR) for the certificate-authority specified by an ARN.", + "description": "Grants permission to retrieve an ACM Private CA certificate signing request (CSR) for the certificate-authority specified by an ARN", "privilege": "GetCertificateAuthorityCsr", "resource_types": [ { @@ -2604,7 +2308,7 @@ }, { "access_level": "Read", - "description": "Retrieves the policy on an ACM Private CA.", + "description": "Grants permission to retrieve the policy on an ACM Private CA", "privilege": "GetPolicy", "resource_types": [ { @@ -2616,7 +2320,7 @@ }, { "access_level": "Write", - "description": "Imports an SSL/TLS certificate into ACM Private CA for use as the CA certificate of an ACM Private CA.", + "description": "Grants permission to import an SSL/TLS certificate into ACM Private CA for use as the CA certificate of an ACM Private CA", "privilege": "ImportCertificateAuthorityCertificate", "resource_types": [ { @@ -2628,7 +2332,7 @@ }, { "access_level": "Write", - "description": "Issues an ACM Private CA certificate.", + "description": "Grants permission to issue an ACM Private CA certificate", "privilege": "IssueCertificate", "resource_types": [ { @@ -2647,7 +2351,7 @@ }, { "access_level": "List", - "description": "Retrieves a list of the ACM Private CA certificate authority ARNs, and a summary of the status of each CA in the calling account.", + "description": "Grants permission to retrieve a list of the ACM Private CA certificate authority ARNs, and a summary of the status of each CA in the calling account", "privilege": "ListCertificateAuthorities", "resource_types": [ { @@ -2659,7 +2363,7 @@ }, { "access_level": "Read", - "description": "Lists the permissions that have been applied to the ACM Private CA certificate authority.", + "description": "Grants permission to list the permissions that have been applied to the ACM Private CA certificate authority", "privilege": "ListPermissions", "resource_types": [ { @@ -2671,7 +2375,7 @@ }, { "access_level": "Read", - "description": "Lists the tags that have been applied to the ACM Private CA certificate authority.", + "description": "Grants permission to list the tags that have been applied to the ACM Private CA certificate authority", "privilege": "ListTags", "resource_types": [ { @@ -2683,7 +2387,7 @@ }, { "access_level": "Permissions management", - "description": "Puts a policy on an ACM Private CA.", + "description": "Grants permission to put a policy on an ACM Private CA", "privilege": "PutPolicy", "resource_types": [ { @@ -2695,7 +2399,7 @@ }, { "access_level": "Write", - "description": "Restores an ACM Private CA from the deleted state to the state it was in when deleted.", + "description": "Grants permission to restore an ACM Private CA from the deleted state to the state it was in when deleted", "privilege": "RestoreCertificateAuthority", "resource_types": [ { @@ -2707,7 +2411,7 @@ }, { "access_level": "Write", - "description": "Revokes a certificate issued by an ACM Private CA.", + "description": "Grants permission to revoke a certificate issued by an ACM Private CA", "privilege": "RevokeCertificate", "resource_types": [ { @@ -2719,7 +2423,7 @@ }, { "access_level": "Tagging", - "description": "Adds one or more tags to an ACM Private CA.", + "description": "Grants permission to add one or more tags to an ACM Private CA", "privilege": "TagCertificateAuthority", "resource_types": [ { @@ -2739,7 +2443,7 @@ }, { "access_level": "Tagging", - "description": "Remove one or more tags from an ACM Private CA.", + "description": "Grants permission to remove one or more tags from an ACM Private CA", "privilege": "UntagCertificateAuthority", "resource_types": [ { @@ -2758,7 +2462,7 @@ }, { "access_level": "Write", - "description": "Updates the configuration of an ACM Private CA.", + "description": "Grants permission to update the configuration of an ACM Private CA", "privilege": "UpdateCertificateAuthority", "resource_types": [ { @@ -2888,18 +2592,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "airflow", @@ -3109,25 +2813,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "", + "description": "Filters access by a tag's key and value in a request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:TagKeys", - "description": "", - "type": "String" + "description": "Filters access by the tag keys in a request", + "type": "ArrayOfString" } ], "prefix": "amplify", "privileges": [ { "access_level": "Write", - "description": "Creates a new Amplify App.", + "description": "Creates a new Amplify App", "privilege": "CreateApp", "resource_types": [ { @@ -3147,7 +2851,7 @@ }, { "access_level": "Write", - "description": "Creates a new backend environment for an Amplify App.", + "description": "Creates a new backend environment for an Amplify App", "privilege": "CreateBackendEnvironment", "resource_types": [ { @@ -3159,7 +2863,7 @@ }, { "access_level": "Write", - "description": "Creates a new Branch for an Amplify App.", + "description": "Creates a new Branch for an Amplify App", "privilege": "CreateBranch", "resource_types": [ { @@ -3211,7 +2915,7 @@ }, { "access_level": "Write", - "description": "Create a new webhook on an App.", + "description": "Create a new webhook on an App", "privilege": "CreateWebHook", "resource_types": [ { @@ -3223,7 +2927,7 @@ }, { "access_level": "Write", - "description": "Delete an existing Amplify App by appId.", + "description": "Delete an existing Amplify App by appId", "privilege": "DeleteApp", "resource_types": [ { @@ -3235,7 +2939,7 @@ }, { "access_level": "Write", - "description": "Deletes a branch for an Amplify App.", + "description": "Deletes a branch for an Amplify App", "privilege": "DeleteBackendEnvironment", "resource_types": [ { @@ -3247,7 +2951,7 @@ }, { "access_level": "Write", - "description": "Deletes a branch for an Amplify App.", + "description": "Deletes a branch for an Amplify App", "privilege": "DeleteBranch", "resource_types": [ { @@ -3259,7 +2963,7 @@ }, { "access_level": "Write", - "description": "Deletes a DomainAssociation.", + "description": "Deletes a DomainAssociation", "privilege": "DeleteDomainAssociation", "resource_types": [ { @@ -3271,7 +2975,7 @@ }, { "access_level": "Write", - "description": "Delete a job, for an Amplify branch, part of Amplify App.", + "description": "Delete a job, for an Amplify branch, part of Amplify App", "privilege": "DeleteJob", "resource_types": [ { @@ -3283,7 +2987,7 @@ }, { "access_level": "Write", - "description": "Delete a webhook by id.", + "description": "Delete a webhook by id", "privilege": "DeleteWebHook", "resource_types": [ { @@ -3295,7 +2999,7 @@ }, { "access_level": "Write", - "description": "Generate website access logs for a specific time range via a pre-signed URL.", + "description": "Generate website access logs for a specific time range via a pre-signed URL", "privilege": "GenerateAccessLogs", "resource_types": [ { @@ -3307,7 +3011,7 @@ }, { "access_level": "Read", - "description": "Retrieves an existing Amplify App by appId.", + "description": "Retrieves an existing Amplify App by appId", "privilege": "GetApp", "resource_types": [ { @@ -3319,7 +3023,7 @@ }, { "access_level": "Read", - "description": "Retrieves artifact info that corresponds to a artifactId.", + "description": "Retrieves artifact info that corresponds to a artifactId", "privilege": "GetArtifactUrl", "resource_types": [ { @@ -3331,7 +3035,7 @@ }, { "access_level": "Read", - "description": "Retrieves a backend environment for an Amplify App.", + "description": "Retrieves a backend environment for an Amplify App", "privilege": "GetBackendEnvironment", "resource_types": [ { @@ -3343,7 +3047,7 @@ }, { "access_level": "Read", - "description": "Retrieves a branch for an Amplify App.", + "description": "Retrieves a branch for an Amplify App", "privilege": "GetBranch", "resource_types": [ { @@ -3355,7 +3059,7 @@ }, { "access_level": "Read", - "description": "Retrieves domain info that corresponds to an appId and domainName.", + "description": "Retrieves domain info that corresponds to an appId and domainName", "privilege": "GetDomainAssociation", "resource_types": [ { @@ -3367,7 +3071,7 @@ }, { "access_level": "Read", - "description": "Get a job for a branch, part of an Amplify App.", + "description": "Get a job for a branch, part of an Amplify App", "privilege": "GetJob", "resource_types": [ { @@ -3379,7 +3083,7 @@ }, { "access_level": "Read", - "description": "Retrieves webhook info that corresponds to a webhookId.", + "description": "Retrieves webhook info that corresponds to a webhookId", "privilege": "GetWebHook", "resource_types": [ { @@ -3391,7 +3095,7 @@ }, { "access_level": "List", - "description": "Lists existing Amplify Apps.", + "description": "Lists existing Amplify Apps", "privilege": "ListApps", "resource_types": [ { @@ -3403,7 +3107,7 @@ }, { "access_level": "List", - "description": "List artifacts with an app, a branch, a job and an artifact type.", + "description": "List artifacts with an app, a branch, a job and an artifact type", "privilege": "ListArtifacts", "resource_types": [ { @@ -3415,7 +3119,7 @@ }, { "access_level": "List", - "description": "Lists backend environments for an Amplify App.", + "description": "Lists backend environments for an Amplify App", "privilege": "ListBackendEnvironments", "resource_types": [ { @@ -3427,7 +3131,7 @@ }, { "access_level": "List", - "description": "Lists branches for an Amplify App.", + "description": "Lists branches for an Amplify App", "privilege": "ListBranches", "resource_types": [ { @@ -3451,7 +3155,7 @@ }, { "access_level": "List", - "description": "List Jobs for a branch, part of an Amplify App.", + "description": "List Jobs for a branch, part of an Amplify App", "privilege": "ListJobs", "resource_types": [ { @@ -3463,7 +3167,7 @@ }, { "access_level": "Read", - "description": "List tags for an AWS Amplify Console resource.", + "description": "List tags for an AWS Amplify Console resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -3485,7 +3189,7 @@ }, { "access_level": "List", - "description": "List webhooks on an App.", + "description": "List webhooks on an App", "privilege": "ListWebHooks", "resource_types": [ { @@ -3509,7 +3213,7 @@ }, { "access_level": "Write", - "description": "Starts a new job for a branch, part of an Amplify App.", + "description": "Starts a new job for a branch, part of an Amplify App", "privilege": "StartJob", "resource_types": [ { @@ -3521,7 +3225,7 @@ }, { "access_level": "Write", - "description": "Stop a job that is in progress, for an Amplify branch, part of Amplify App.", + "description": "Stop a job that is in progress, for an Amplify branch, part of Amplify App", "privilege": "StopJob", "resource_types": [ { @@ -3533,7 +3237,7 @@ }, { "access_level": "Tagging", - "description": "This action tags an AWS Amplify Console resource.", + "description": "This action tags an AWS Amplify Console resource", "privilege": "TagResource", "resource_types": [ { @@ -3563,7 +3267,7 @@ }, { "access_level": "Tagging", - "description": "This action removes a tag from an AWS Amplify Console resource.", + "description": "This action removes a tag from an AWS Amplify Console resource", "privilege": "UntagResource", "resource_types": [ { @@ -3592,7 +3296,7 @@ }, { "access_level": "Write", - "description": "Updates an existing Amplify App.", + "description": "Updates an existing Amplify App", "privilege": "UpdateApp", "resource_types": [ { @@ -3604,7 +3308,7 @@ }, { "access_level": "Write", - "description": "Updates a branch for an Amplify App.", + "description": "Updates a branch for an Amplify App", "privilege": "UpdateBranch", "resource_types": [ { @@ -3616,7 +3320,7 @@ }, { "access_level": "Write", - "description": "Update a DomainAssociation on an App.", + "description": "Update a DomainAssociation on an App", "privilege": "UpdateDomainAssociation", "resource_types": [ { @@ -3628,7 +3332,7 @@ }, { "access_level": "Write", - "description": "Update a webhook.", + "description": "Update a webhook", "privilege": "UpdateWebHook", "resource_types": [ { @@ -3753,6 +3457,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a backend storage resource", + "privilege": "CreateBackendStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backend*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create an Amplify Admin challenge token by appId", @@ -3826,6 +3547,28 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a backend storage resource", + "privilege": "DeleteBackendStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backend*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storage*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete an Amplify Admin challenge token by appId", @@ -3960,6 +3703,23 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve an existing backend storage resource", + "privilege": "GetBackendStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backend*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve an Amplify Admin challenge token by appId", @@ -3994,6 +3754,28 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to import an existing backend storage resource", + "privilege": "ImportBackendStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backend*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storage*" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve the jobs of an existing Amplify Admin backend environment by appId and backendEnvironmentName", @@ -4011,6 +3793,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve s3 buckets", + "privilege": "ListS3Buckets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete all existing Amplify Admin backend environments by appId", @@ -4112,6 +3906,28 @@ "resource_type": "job*" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a backend storage resource", + "privilege": "UpdateBackendStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backend*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storage*" + } + ] } ], "resources": [ @@ -4149,10 +3965,320 @@ "arn": "arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/token", "condition_keys": [], "resource": "token" + }, + { + "arn": "arn:${Partition}:amplifybackend:${Region}:${Account}:backend/${AppId}/storage", + "condition_keys": [], + "resource": "storage" } ], "service_name": "AWS Amplify Admin" }, + { + "conditions": [ + { + "condition": "amplifyuibuilder:AppId", + "description": "Filters access by the app ID", + "type": "String" + }, + { + "condition": "amplifyuibuilder:ComponentsId", + "description": "Filters access by the component ID", + "type": "String" + }, + { + "condition": "amplifyuibuilder:EnvironmentName", + "description": "Filters access by the backend environment name", + "type": "String" + }, + { + "condition": "amplifyuibuilder:ThemesId", + "description": "Filters access by the theme ID", + "type": "String" + }, + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "amplifyuibuilder", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a component", + "privilege": "CreateComponent", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a theme", + "privilege": "CreateTheme", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a component", + "privilege": "DeleteComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ComponentResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a theme", + "privilege": "DeleteTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ThemeResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to exchange a code for a token", + "privilege": "ExchangeCodeForToken", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to export components", + "privilege": "ExportComponents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to export themes", + "privilege": "ExportThemes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an existing component", + "privilege": "GetComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ComponentResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an existing theme", + "privilege": "GetTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ThemeResource*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the components for an app", + "privilege": "ListComponents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ComponentResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ThemeResource" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the themes for an app", + "privilege": "ListThemes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to refresh an access token", + "privilege": "RefreshToken", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ComponentResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ThemeResource" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ComponentResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ThemeResource" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a component", + "privilege": "UpdateComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ComponentResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a theme", + "privilege": "UpdateTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ThemeResource*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:amplifyuibuilder:${Region}:${Account}:app/${AppId}/environment/${EnvironmentName}/components/${Id}", + "condition_keys": [ + "amplifyuibuilder:AppId", + "amplifyuibuilder:ComponentsId", + "amplifyuibuilder:EnvironmentName", + "aws:ResourceTag/${TagKey}" + ], + "resource": "ComponentResource" + }, + { + "arn": "arn:${Partition}:amplifyuibuilder:${Region}:${Account}:app/${AppId}/environment/${EnvironmentName}/themes/${Id}", + "condition_keys": [ + "amplifyuibuilder:AppId", + "amplifyuibuilder:EnvironmentName", + "amplifyuibuilder:ThemesId", + "aws:ResourceTag/${TagKey}" + ], + "resource": "ThemeResource" + } + ], + "service_name": "AWS Amplify UI Builder" + }, { "conditions": [ { @@ -4293,7 +4419,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "apigateway", @@ -4897,154 +5023,6 @@ ], "service_name": "Amazon API Gateway Management V2" }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "", - "type": "String" - } - ], - "prefix": "apigateway", - "privileges": [ - { - "access_level": "Write", - "description": "Used to delete resources", - "privilege": "DELETE", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apigateway-general*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Used to get information about resources", - "privilege": "GET", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apigateway-general*" - } - ] - }, - { - "access_level": "Write", - "description": "Used to update resources", - "privilege": "PATCH", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apigateway-general*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Used to create child resources", - "privilege": "POST", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apigateway-general*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Used to update resources (and, although not recommended, can be used to create child resources)", - "privilege": "PUT", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apigateway-general*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Gives WebAcl permissions to WAF", - "privilege": "SetWebACL", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apigateway-general*" - } - ] - }, - { - "access_level": "Write", - "description": "Used to update the Resource Policy for a given API", - "privilege": "UpdateRestApiPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apigateway-general*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:apigateway:${Region}::${ApiGatewayResourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "apigateway-general" - } - ], - "service_name": "Manage Amazon API Gateway" - }, { "conditions": [ { @@ -6193,25 +6171,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "app-integrations", "privileges": [ { "access_level": "Write", - "description": "Grants permissions to create a new DataIntegration", + "description": "Grants permission to create a new DataIntegration", "privilege": "CreateDataIntegration", "resource_types": [ { @@ -6231,7 +6209,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a DataIntegrationAssociation", + "description": "Grants permission to create a DataIntegrationAssociation", "privilege": "CreateDataIntegrationAssociation", "resource_types": [ { @@ -6243,7 +6221,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a new EventIntegration", + "description": "Grants permission to create a new EventIntegration", "privilege": "CreateEventIntegration", "resource_types": [ { @@ -6263,7 +6241,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create an EventIntegrationAssociation", + "description": "Grants permission to create an EventIntegrationAssociation", "privilege": "CreateEventIntegrationAssociation", "resource_types": [ { @@ -6278,7 +6256,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a DataIntegration", + "description": "Grants permission to delete a DataIntegration", "privilege": "DeleteDataIntegration", "resource_types": [ { @@ -6297,7 +6275,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a DataIntegrationAssociation", + "description": "Grants permission to delete a DataIntegrationAssociation", "privilege": "DeleteDataIntegrationAssociation", "resource_types": [ { @@ -6309,7 +6287,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete an EventIntegration", + "description": "Grants permission to delete an EventIntegration", "privilege": "DeleteEventIntegration", "resource_types": [ { @@ -6328,7 +6306,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete an EventIntegrationAssociation", + "description": "Grants permission to delete an EventIntegrationAssociation", "privilege": "DeleteEventIntegrationAssociation", "resource_types": [ { @@ -6344,7 +6322,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to view details about DataIntegrations", + "description": "Grants permission to view details about DataIntegrations", "privilege": "GetDataIntegration", "resource_types": [ { @@ -6363,7 +6341,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to view details about EventIntegrations", + "description": "Grants permission to view details about EventIntegrations", "privilege": "GetEventIntegration", "resource_types": [ { @@ -6382,7 +6360,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list DataIntegrationAssociations", + "description": "Grants permission to list DataIntegrationAssociations", "privilege": "ListDataIntegrationAssociations", "resource_types": [ { @@ -6394,7 +6372,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list DataIntegrations", + "description": "Grants permission to list DataIntegrations", "privilege": "ListDataIntegrations", "resource_types": [ { @@ -6406,7 +6384,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to list EventIntegrationAssociations", + "description": "Grants permission to list EventIntegrationAssociations", "privilege": "ListEventIntegrationAssociations", "resource_types": [ { @@ -6418,7 +6396,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list EventIntegrations", + "description": "Grants permission to list EventIntegrations", "privilege": "ListEventIntegrations", "resource_types": [ { @@ -6500,7 +6478,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to untag an Amazon AppIntegration resource", + "description": "Grants permission to untag an Amazon AppIntegration resource", "privilege": "UntagResource", "resource_types": [ { @@ -6535,7 +6513,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to modify a DataIntegration", + "description": "Grants permission to modify a DataIntegration", "privilege": "UpdateDataIntegration", "resource_types": [ { @@ -6554,7 +6532,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to modify an EventIntegration", + "description": "Grants permission to modify an EventIntegration", "privilege": "UpdateEventIntegration", "resource_types": [ { @@ -6608,18 +6586,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the allowed set of values for a specified tag", + "description": "Filters access by the allowed set of values for a specified tag", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on a tag key-value pair assigned to the AWS resource", + "description": "Filters access by a tag key-value pair assigned to the AWS resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on whether mandatory tags are included in the request", - "type": "String" + "description": "Filters access by a list of tag keys that are allowed in the request", + "type": "ArrayOfString" } ], "prefix": "appconfig", @@ -6629,11 +6607,6 @@ "description": "Grants permission to create an application", "privilege": "CreateApplication", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -6654,11 +6627,6 @@ "dependent_actions": [], "resource_type": "application*" }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "configurationprofile*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -6674,11 +6642,6 @@ "description": "Grants permission to create a deployment strategy", "privilege": "CreateDeploymentStrategy", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deploymentstrategy*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -6700,10 +6663,35 @@ "resource_type": "application*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "environment*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an extension", + "privilege": "CreateExtension", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an extension association", + "privilege": "CreateExtensionAssociation", + "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -6728,11 +6716,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "configurationprofile*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hostedconfigurationversion*" } ] }, @@ -6794,6 +6777,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an extension", + "privilege": "DeleteExtension", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extension*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an extension association", + "privilege": "DeleteExtensionAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extensionassociation*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a hosted configuration version", @@ -6960,6 +6967,44 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view details about an extension", + "privilege": "GetExtension", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extension*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about an extension association", + "privilege": "GetExtensionAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extensionassociation*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view details about a hosted configuration version", @@ -6982,6 +7027,25 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a deployed configuration", + "privilege": "GetLatestConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the applications in your account", @@ -7047,6 +7111,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the extension associations in your account", + "privilege": "ListExtensionAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the extensions in your account", + "privilege": "ListExtensions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the hosted configuration versions for a configuration profile", @@ -7103,6 +7191,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start a configuration session", + "privilege": "StartConfigurationSession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to initiate a deployment", @@ -7121,17 +7228,20 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment*" + "resource_type": "deploymentstrategy*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy*" + "resource_type": "environment*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "" } ] }, @@ -7159,7 +7269,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to tag an appconfig resource.", + "description": "Grants permission to tag an appconfig resource", "privilege": "TagResource", "resource_types": [ { @@ -7167,6 +7277,11 @@ "dependent_actions": [], "resource_type": "application" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration" + }, { "condition_keys": [], "dependent_actions": [], @@ -7187,6 +7302,16 @@ "dependent_actions": [], "resource_type": "environment" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extension" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extensionassociation" + }, { "condition_keys": [ "aws:TagKeys", @@ -7200,7 +7325,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag an appconfig resource.", + "description": "Grants permission to untag an appconfig resource", "privilege": "UntagResource", "resource_types": [ { @@ -7208,6 +7333,11 @@ "dependent_actions": [], "resource_type": "application" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration" + }, { "condition_keys": [], "dependent_actions": [], @@ -7228,6 +7358,16 @@ "dependent_actions": [], "resource_type": "environment" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extension" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extensionassociation" + }, { "condition_keys": [ "aws:TagKeys" @@ -7323,6 +7463,44 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to modify an extension", + "privilege": "UpdateExtension", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extension*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an extension association", + "privilege": "UpdateExtensionAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "extensionassociation*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to validate a configuration", @@ -7381,6 +7559,27 @@ "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId}/hostedconfigurationversion/${VersionNumber}", "condition_keys": [], "resource": "hostedconfigurationversion" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}/configuration/${ConfigurationProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "configuration" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:extension/${ExtensionId}/${ExtensionVersionNumber}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "extension" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:extensionassociation/${ExtensionAssociationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "extensionassociation" } ], "service_name": "AWS AppConfig" @@ -7389,18 +7588,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access by allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by presence of mandatory tags in the request", + "type": "ArrayOfString" } ], "prefix": "appflow", @@ -7464,6 +7663,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe a connector registered in Amazon AppFlow", + "privilege": "DescribeConnector", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connector*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe all fields for an object in a login profile configured in Amazon AppFlow", @@ -7584,6 +7795,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list all connectors supported in Amazon AppFlow", + "privilege": "ListConnectors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connector*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all flows configured in Amazon AppFlow", @@ -7608,6 +7831,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to register an Amazon AppFlow connector", + "privilege": "RegisterConnector", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to run a flow configured in Amazon AppFlow (Console Only)", @@ -7664,6 +7902,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to un-register a connector in Amazon AppFlow", + "privilege": "UnRegisterConnector", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connector*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to untag a flow", @@ -7722,16 +7980,23 @@ ], "resources": [ { - "arn": "arn:${Partition}:appflow:${Region}:${Account}:connectorprofile/${profileName}", + "arn": "arn:${Partition}:appflow:${Region}:${Account}:connectorprofile/${ProfileName}", "condition_keys": [], "resource": "connectorprofile" }, { - "arn": "arn:${Partition}:appflow:${Region}:${Account}:flow/${flowName}", + "arn": "arn:${Partition}:appflow:${Region}:${Account}:flow/${FlowName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "flow" + }, + { + "arn": "arn:${Partition}:appflow:${Region}:${Account}:connector/${ConnectorLabel}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connector" } ], "service_name": "Amazon AppFlow" @@ -7742,7 +8007,7 @@ "privileges": [ { "access_level": "Write", - "description": "Deletes an Application Auto Scaling scaling policy that was previously created.", + "description": "Grants permission to delete a scaling policy", "privilege": "DeleteScalingPolicy", "resource_types": [ { @@ -7754,7 +8019,7 @@ }, { "access_level": "Write", - "description": "Deletes an Application Auto Scaling scheduled action that was previously created.", + "description": "Grants permission to delete a scheduled action", "privilege": "DeleteScheduledAction", "resource_types": [ { @@ -7766,7 +8031,7 @@ }, { "access_level": "Write", - "description": "Deregisters a scalable target that was previously registered.", + "description": "Grants permission to deregister a scalable target", "privilege": "DeregisterScalableTarget", "resource_types": [ { @@ -7778,7 +8043,7 @@ }, { "access_level": "Read", - "description": "Provides descriptive information for scalable targets with a specified service namespace.", + "description": "Grants permission to describe one or more scalable targets in the specified namespace", "privilege": "DescribeScalableTargets", "resource_types": [ { @@ -7790,7 +8055,7 @@ }, { "access_level": "Read", - "description": "Provides descriptive information for scaling activities with a specified service namespace for the previous six weeks.", + "description": "Grants permission to describe a set of scaling activities or all scaling activities in the specified namespace", "privilege": "DescribeScalingActivities", "resource_types": [ { @@ -7802,7 +8067,7 @@ }, { "access_level": "Read", - "description": "Provides descriptive information for scaling policies with a specified service namespace.", + "description": "Grants permission to describe a set of scaling policies or all scaling policies in the specified namespace", "privilege": "DescribeScalingPolicies", "resource_types": [ { @@ -7814,7 +8079,7 @@ }, { "access_level": "Read", - "description": "Provides descriptive information for scheduled actions with a specified service namespace.", + "description": "Grants permission to describe a set of scheduled actions or all scheduled actions in the specified namespace", "privilege": "DescribeScheduledActions", "resource_types": [ { @@ -7826,7 +8091,7 @@ }, { "access_level": "Write", - "description": "Creates or updates a policy for an existing Application Auto Scaling scalable target.", + "description": "Grants permission to create and update a scaling policy for a scalable target", "privilege": "PutScalingPolicy", "resource_types": [ { @@ -7838,7 +8103,7 @@ }, { "access_level": "Write", - "description": "Creates or updates a scheduled action for an existing Application Auto Scaling scalable target.", + "description": "Grants permission to create and update a scheduled action for a scalable target", "privilege": "PutScheduledAction", "resource_types": [ { @@ -7850,7 +8115,7 @@ }, { "access_level": "Write", - "description": "Registers or updates a scalable target. A scalable target is a resource that can be scaled out or in with Application Auto Scaling.", + "description": "Grants permission to register AWS or custom resources as scalable targets with Application Auto Scaling and to update configuration parameters used to manage a scalable target", "privilege": "RegisterScalableTarget", "resource_types": [ { @@ -7862,7 +8127,7 @@ } ], "resources": [], - "service_name": "Application Auto Scaling" + "service_name": "AWS Application Auto Scaling" }, { "conditions": [], @@ -7945,7 +8210,23 @@ "service_name": "AWS Application Cost Profiler Service" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag key and value pair that is allowed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair of a resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by a list of tag keys that are allowed in the request", + "type": "ArrayOfString" + } + ], "prefix": "applicationinsights", "privileges": [ { @@ -8206,7 +8487,10 @@ "privilege": "TagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -8218,7 +8502,9 @@ "privilege": "UntagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -8274,7 +8560,7 @@ } ], "resources": [], - "service_name": "CloudWatch Application Insights" + "service_name": "Amazon CloudWatch Application Insights" }, { "conditions": [ @@ -8291,7 +8577,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions by the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "appmesh", @@ -9559,28 +9845,38 @@ "conditions": [ { "condition": "apprunner:AutoScalingConfigurationArn", - "description": "Filters access to the CreateService and UpdateService actions based on the ARN of an associated AutoScalingConfiguration resource", + "description": "Filters access by the CreateService and UpdateService actions based on the ARN of an associated AutoScalingConfiguration resource", "type": "ARN" }, { "condition": "apprunner:ConnectionArn", - "description": "Filters access to the CreateService and UpdateService actions based on the ARN of an associated Connection resource", + "description": "Filters access by the CreateService and UpdateService actions based on the ARN of an associated Connection resource", + "type": "ARN" + }, + { + "condition": "apprunner:ObservabilityConfigurationArn", + "description": "Filters access by the CreateService and UpdateService actions based on the ARN of an associated ObservabilityConfiguration resource", + "type": "ARN" + }, + { + "condition": "apprunner:VpcConnectorArn", + "description": "Filters access by the CreateService and UpdateService actions based on the ARN of an associated VpcConnector resource", "type": "ARN" }, { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by actions based on the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "apprunner", @@ -9639,7 +9935,27 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS App Runner service", + "description": "Grants permission to create an AWS App Runner observability configuration resource", + "privilege": "CreateObservabilityConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS App Runner service resource", "privilege": "CreateService", "resource_types": [ { @@ -9657,12 +9973,44 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "apprunner:ConnectionArn", - "apprunner:AutoScalingConfigurationArn" + "apprunner:AutoScalingConfigurationArn", + "apprunner:ObservabilityConfigurationArn", + "apprunner:VpcConnectorArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS App Runner VPC connector resource", + "privilege": "CreateVpcConnector", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -9683,7 +10031,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an AWS App Runner connection", + "description": "Grants permission to delete an AWS App Runner connection resource", "privilege": "DeleteConnection", "resource_types": [ { @@ -9695,7 +10043,19 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an AWS App Runner service", + "description": "Grants permission to delete an AWS App Runner observability configuration resource", + "privilege": "DeleteObservabilityConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS App Runner service resource", "privilege": "DeleteService", "resource_types": [ { @@ -9705,9 +10065,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS App Runner VPC connector resource", + "privilege": "DeleteVpcConnector", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector*" + } + ] + }, { "access_level": "Read", - "description": "Grants permission to retrieve descriptions of an AWS App Runner automatic scaling configuration resource", + "description": "Grants permission to retrieve the description of an AWS App Runner automatic scaling configuration resource", "privilege": "DescribeAutoScalingConfiguration", "resource_types": [ { @@ -9731,7 +10103,19 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve description of an operation that occurred on an AWS App Runner service", + "description": "Grants permission to retrieve the description of an AWS App Runner observability configuration resource", + "privilege": "DescribeObservabilityConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the description of an operation that occurred on an AWS App Runner service", "privilege": "DescribeOperation", "resource_types": [ { @@ -9743,7 +10127,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve description of an AWS App Runner service", + "description": "Grants permission to retrieve the description of an AWS App Runner service resource", "privilege": "DescribeService", "resource_types": [ { @@ -9753,6 +10137,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the description of an AWS App Runner VPC connector resource", + "privilege": "DescribeVpcConnector", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to disassociate a custom domain name from an AWS App Runner service", @@ -9779,7 +10175,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of AWS App Runner connections associated with your AWS account", + "description": "Grants permission to retrieve a list of AWS App Runner connections in your AWS account", "privilege": "ListConnections", "resource_types": [ { @@ -9791,7 +10187,19 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of operations that occurred on an AWS App Runner service", + "description": "Grants permission to retrieve a list of AWS App Runner observability configurations in your AWS account", + "privilege": "ListObservabilityConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of operations that occurred on an AWS App Runner service resource", "privilege": "ListOperations", "resource_types": [ { @@ -9828,10 +10236,32 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS App Runner VPC connectors in your AWS account", + "privilege": "ListVpcConnectors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -9873,7 +10303,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to add tags to, or update tag values of, an App Runner resource", + "description": "Grants permission to add tags to, or update tag values of, an AWS App Runner resource", "privilege": "TagResource", "resource_types": [ { @@ -9886,11 +10316,21 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "service" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector" + }, { "condition_keys": [ "aws:TagKeys", @@ -9903,7 +10343,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from an App Runner resource", + "description": "Grants permission to remove tags from an AWS App Runner resource", "privilege": "UntagResource", "resource_types": [ { @@ -9916,11 +10356,21 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "service" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector" + }, { "condition_keys": [ "aws:TagKeys" @@ -9932,7 +10382,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an AWS App Runner service", + "description": "Grants permission to update an AWS App Runner service resource", "privilege": "UpdateService", "resource_types": [ { @@ -9950,10 +10400,22 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "observabilityconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpcconnector" + }, { "condition_keys": [ "apprunner:ConnectionArn", - "apprunner:AutoScalingConfigurationArn" + "apprunner:AutoScalingConfigurationArn", + "apprunner:ObservabilityConfigurationArn", + "apprunner:VpcConnectorArn" ], "dependent_actions": [], "resource_type": "" @@ -9982,6 +10444,20 @@ "aws:ResourceTag/${TagKey}" ], "resource": "autoscalingconfiguration" + }, + { + "arn": "arn:${Partition}:apprunner:${Region}:${Account}:observabilityconfiguration/${ObservabilityConfigurationName}/${ObservabilityConfigurationVersion}/${ObservabilityConfigurationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "observabilityconfiguration" + }, + { + "arn": "arn:${Partition}:apprunner:${Region}:${Account}:vpcconnector/${VpcConnectorName}/${VpcConnectorVersion}/${VpcConnectorId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "vpcconnector" } ], "service_name": "AWS App Runner" @@ -9995,22 +10471,58 @@ }, { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "appstream", "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate the specified application with the fleet", + "privilege": "AssociateApplicationFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate the specified application to the specified entitlement", + "privilege": "AssociateApplicationToEntitlement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to associate the specified fleet with the specified stack", @@ -10092,6 +10604,43 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an app block. App blocks store details about the virtual hard disk that contains the files for the application in an S3 bucket. It also stores the setup script with details about how to mount the virtual hard disk. App blocks are only supported for Elastic fleets", + "privilege": "CreateAppBlock", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an application within customer account. Applications store the details about how to launch applications on streaming instances. This is only supported for Elastic fleets", + "privilege": "CreateApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-block*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", @@ -10104,6 +10653,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an entitlement to control access to applications based on user attributes", + "privilege": "CreateEntitlement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a fleet. A fleet is a group of streaming instances from which applications are launched and streamed to users", @@ -10117,7 +10678,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "image" }, { "condition_keys": [ @@ -10229,6 +10790,7 @@ }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys" ], @@ -10261,6 +10823,44 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified app block", + "privilege": "DeleteAppBlock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-block*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified application", + "privilege": "DeleteApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete the specified Directory Config object from AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", @@ -10273,6 +10873,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified entitlement", + "privilege": "DeleteEntitlement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete the specified fleet", @@ -10392,6 +11004,47 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes one or more specified app blocks, if the app block arns are provided. Otherwise, all app blocks in the account are described", + "privilege": "DescribeAppBlocks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-block" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the associations that are associated with the specified application or fleet", + "privilege": "DescribeApplicationFleetAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleet" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes one or more specified applications, if the application arns are provided. Otherwise, all applications in the account are described", + "privilege": "DescribeApplications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0, if the names for these objects are provided. Otherwise, all Directory Config objects in the account are described. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", @@ -10404,6 +11057,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve one or all entitlements for the specified stack", + "privilege": "DescribeEntitlements", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a list that describes one or more specified fleets, if the fleet names are provided. Otherwise, all fleets in the account are described", @@ -10529,6 +11194,42 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate the specified application from the specified fleet", + "privilege": "DisassociateApplicationFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate the specified application from the specified entitlement", + "privilege": "DisassociateApplicationFromEntitlement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to disassociate the specified fleet from the specified stack", @@ -10601,6 +11302,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve the applications that are associated with the specified entitlement", + "privilege": "ListEntitledApplications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a list of all tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks", @@ -10710,9 +11423,19 @@ }, { "access_level": "Tagging", - "description": "Grants permission to add or overwrite one or more tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks", + "description": "Grants permission to add or overwrite one or more tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, stacks, app blocks and applications", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-block" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], @@ -10749,6 +11472,16 @@ "description": "Grants permission to disassociate one or more tags from the specified AppStream 2.0 resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-block" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], @@ -10778,6 +11511,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the specified fields for the specified application", + "privilege": "UpdateApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-block" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the specified Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", @@ -10790,6 +11547,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the specified fields for the specified entitlement", + "privilege": "UpdateEntitlement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the specified fleet. All attributes except the fleet name can be updated when the fleet is in the STOPPED state", @@ -10881,6 +11650,20 @@ "aws:ResourceTag/${TagKey}" ], "resource": "stack" + }, + { + "arn": "arn:${Partition}:appstream:${Region}:${Account}:app-block/${AppBlockName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "app-block" + }, + { + "arn": "arn:${Partition}:appstream:${Region}:${Account}:application/${ApplicationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" } ], "service_name": "Amazon AppStream 2.0" @@ -10889,22 +11672,34 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "appsync", "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to attach a GraphQL API to a custom domain name in AppSync", + "privilege": "AssociateApi", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create an API cache in AppSync", @@ -10941,6 +11736,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a custom domain name in AppSync", + "privilege": "CreateDomainName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new function", @@ -11030,6 +11837,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a custom domain name in AppSync", + "privilege": "DeleteDomainName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a function", @@ -11085,6 +11904,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to dettach a GraphQL API to a custom domain name in AppSync", + "privilege": "DisassociateApi", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to evaluate template mapping", + "privilege": "EvaluateMappingTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to flush an API cache in AppSync", @@ -11097,6 +11940,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to read custom domain name - GraphQL API association details in AppSync", + "privilege": "GetApiAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to read information about an API cache in AppSync", @@ -11121,6 +11976,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to read information about a custom domain name in AppSync", + "privilege": "GetDomainName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a function", @@ -11241,6 +12108,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to enumerate custom domain names in AppSync", + "privilege": "ListDomainNames", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the functions for a given API", @@ -11349,6 +12228,11 @@ "description": "Grants permission to tag a resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "graphqlapi*" + }, { "condition_keys": [], "dependent_actions": [], @@ -11370,6 +12254,11 @@ "description": "Grants permission to untag a resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "graphqlapi*" + }, { "condition_keys": [], "dependent_actions": [], @@ -11420,6 +12309,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a custom domain name in AppSync", + "privilege": "UpdateDomainName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update an existing function", @@ -11484,6 +12385,11 @@ "condition_keys": [], "resource": "datasource" }, + { + "arn": "arn:${Partition}:appsync:${Region}:${Account}:domainnames/${DomainName}", + "condition_keys": [], + "resource": "domain" + }, { "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}", "condition_keys": [ @@ -11524,7 +12430,7 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "aps", @@ -11567,6 +12473,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a logging configuration", + "privilege": "CreateLoggingConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a rule groups namespace", @@ -11640,6 +12565,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a logging configuration", + "privilege": "DeleteLoggingConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a rule groups namespace", @@ -11697,6 +12641,25 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe a logging configuration", + "privilege": "DescribeLoggingConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a rule groups namespace", @@ -12145,6 +13108,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a logging configuration", + "privilege": "UpdateLoggingConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to modify the alias of existing AMP workspace", @@ -12288,25 +13270,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "athena", "privileges": [ { "access_level": "Read", - "description": "Grants permissions to get information about one or more named queries", + "description": "Grants permission to get information about one or more named queries", "privilege": "BatchGetNamedQuery", "resource_types": [ { @@ -12318,7 +13300,19 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about one or more query executions", + "description": "Grants permission to get information about one or more prepared statements", + "privilege": "BatchGetPreparedStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about one or more query executions", "privilege": "BatchGetQueryExecution", "resource_types": [ { @@ -12330,7 +13324,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a datacatalog", + "description": "Grants permission to create a datacatalog", "privilege": "CreateDataCatalog", "resource_types": [ { @@ -12350,7 +13344,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a named query", + "description": "Grants permission to create a named query", "privilege": "CreateNamedQuery", "resource_types": [ { @@ -12362,7 +13356,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a prepared statement.", + "description": "Grants permission to create a prepared statement", "privilege": "CreatePreparedStatement", "resource_types": [ { @@ -12374,7 +13368,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a workgroup", + "description": "Grants permission to create a workgroup", "privilege": "CreateWorkGroup", "resource_types": [ { @@ -12394,7 +13388,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a datacatalog", + "description": "Grants permission to delete a datacatalog", "privilege": "DeleteDataCatalog", "resource_types": [ { @@ -12406,7 +13400,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a named query specified", + "description": "Grants permission to delete a named query specified", "privilege": "DeleteNamedQuery", "resource_types": [ { @@ -12418,7 +13412,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a prepared statement specified.", + "description": "Grants permission to delete a prepared statement specified", "privilege": "DeletePreparedStatement", "resource_types": [ { @@ -12430,7 +13424,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a workgroup", + "description": "Grants permission to delete a workgroup", "privilege": "DeleteWorkGroup", "resource_types": [ { @@ -12442,7 +13436,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get a datacatalog", + "description": "Grants permission to get a datacatalog", "privilege": "GetDataCatalog", "resource_types": [ { @@ -12454,7 +13448,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get a database for a given datacatalog", + "description": "Grants permission to get a database for a given datacatalog", "privilege": "GetDatabase", "resource_types": [ { @@ -12466,7 +13460,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about the specified named query", + "description": "Grants permission to get information about the specified named query", "privilege": "GetNamedQuery", "resource_types": [ { @@ -12478,7 +13472,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about the specified prepared statement.", + "description": "Grants permission to get information about the specified prepared statement", "privilege": "GetPreparedStatement", "resource_types": [ { @@ -12490,7 +13484,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about the specified query execution", + "description": "Grants permission to get information about the specified query execution", "privilege": "GetQueryExecution", "resource_types": [ { @@ -12502,7 +13496,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get the query results", + "description": "Grants permission to get the query results", "privilege": "GetQueryResults", "resource_types": [ { @@ -12514,7 +13508,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get the query results stream", + "description": "Grants permission to get the query results stream", "privilege": "GetQueryResultsStream", "resource_types": [ { @@ -12526,7 +13520,19 @@ }, { "access_level": "Read", - "description": "Grants permissions to get a metadata about a table for a given datacatalog", + "description": "Grants permission to get runtime statistics for the specified query execution", + "privilege": "GetQueryRuntimeStatistics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a metadata about a table for a given datacatalog", "privilege": "GetTableMetadata", "resource_types": [ { @@ -12538,7 +13544,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get a workgroup", + "description": "Grants permission to get a workgroup", "privilege": "GetWorkGroup", "resource_types": [ { @@ -12550,7 +13556,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of datacatalogs for the specified AWS account", + "description": "Grants permission to return a list of datacatalogs for the specified AWS account", "privilege": "ListDataCatalogs", "resource_types": [ { @@ -12562,7 +13568,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of databases for a given datacatalog", + "description": "Grants permission to return a list of databases for a given datacatalog", "privilege": "ListDatabases", "resource_types": [ { @@ -12574,7 +13580,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return a list of athena engine versions for the specified AWS account", + "description": "Grants permission to return a list of athena engine versions for the specified AWS account", "privilege": "ListEngineVersions", "resource_types": [ { @@ -12586,7 +13592,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of named queries in Amazon Athena for the specified AWS account", + "description": "Grants permission to return a list of named queries in Amazon Athena for the specified AWS account", "privilege": "ListNamedQueries", "resource_types": [ { @@ -12598,7 +13604,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of prepared statements for the specified workgroup.", + "description": "Grants permission to return a list of prepared statements for the specified workgroup", "privilege": "ListPreparedStatements", "resource_types": [ { @@ -12610,7 +13616,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return a list of query executions for the specified AWS account", + "description": "Grants permission to return a list of query executions for the specified AWS account", "privilege": "ListQueryExecutions", "resource_types": [ { @@ -12622,7 +13628,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return a list of table metadata in a database for a given datacatalog", + "description": "Grants permission to return a list of table metadata in a database for a given datacatalog", "privilege": "ListTableMetadata", "resource_types": [ { @@ -12634,7 +13640,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return a list of tags for a resource", + "description": "Grants permission to return a list of tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -12651,7 +13657,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of workgroups for the specified AWS account", + "description": "Grants permission to return a list of workgroups for the specified AWS account", "privilege": "ListWorkGroups", "resource_types": [ { @@ -12663,7 +13669,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to start a query execution using an SQL query provided as a string", + "description": "Grants permission to start a query execution using an SQL query provided as a string", "privilege": "StartQueryExecution", "resource_types": [ { @@ -12675,7 +13681,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to stop the specified query execution", + "description": "Grants permission to stop the specified query execution", "privilege": "StopQueryExecution", "resource_types": [ { @@ -12687,7 +13693,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to add a tag to a resource", + "description": "Grants permission to add a tag to a resource", "privilege": "TagResource", "resource_types": [ { @@ -12712,7 +13718,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to remove a tag from a resource", + "description": "Grants permission to remove a tag from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -12736,7 +13742,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a datacatalog", + "description": "Grants permission to update a datacatalog", "privilege": "UpdateDataCatalog", "resource_types": [ { @@ -12748,7 +13754,19 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a prepared statement.", + "description": "Grants permission to update a named query specified", + "privilege": "UpdateNamedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a prepared statement", "privilege": "UpdatePreparedStatement", "resource_types": [ { @@ -12760,7 +13778,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a workgroup", + "description": "Grants permission to update a workgroup", "privilege": "UpdateWorkGroup", "resource_types": [ { @@ -12793,18 +13811,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "auditmanager", @@ -12902,7 +13920,10 @@ "privilege": "CreateAssessmentFramework", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -13199,6 +14220,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get analytics data for all active assessments", + "privilege": "GetInsights", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get analytics data for a specific active assessment", + "privilege": "GetInsightsByAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the delegated administrator account in AWS Audit Manager", @@ -13235,6 +14280,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list analytics data for controls in a specific control domain and active assessment", + "privilege": "ListAssessmentControlInsightsByControlDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all sent or received share requests for custom frameworks in AWS Audit Manager", @@ -13283,6 +14340,42 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list analytics data for control domains across all active assessments", + "privilege": "ListControlDomainInsights", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list analytics data for control domains in a specific active assessment", + "privilege": "ListControlDomainInsightsByAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list analytics data for controls in a specific control domain across all active assessments", + "privilege": "ListControlInsightsByControlDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all controls in AWS Audit Manager", @@ -14693,7 +15786,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to add new approved products to the Private Marketplace. Also allows to approve a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "description": "Grants permission to approve a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it", "privilege": "AssociateProductsWithPrivateMarketplace", "resource_types": [ { @@ -14705,7 +15798,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new request for a product or products to be associated with the Private Marketplace. This action can be performed by any account in an in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "description": "Grants permission to create a new request for a product or products to be associated with the Private Marketplace. This action can be performed by any account in an in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it", "privilege": "CreatePrivateMarketplaceRequests", "resource_types": [ { @@ -14717,7 +15810,7 @@ }, { "access_level": "List", - "description": "Grants permission to describe requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "description": "Grants permission to describe requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it", "privilege": "DescribePrivateMarketplaceRequests", "resource_types": [ { @@ -14729,7 +15822,7 @@ }, { "access_level": "Write", - "description": "Grants permission to remove approved products from the Private Marketplace. Also allows to decline a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "description": "Grants permission to decline a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it", "privilege": "DisassociateProductsFromPrivateMarketplace", "resource_types": [ { @@ -14741,7 +15834,7 @@ }, { "access_level": "List", - "description": "Grants permission to get a queryable list for requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "description": "Grants permission to get a queryable list for requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it", "privilege": "ListPrivateMarketplaceRequests", "resource_types": [ { @@ -14759,18 +15852,18 @@ "conditions": [ { "condition": "aws-marketplace:AgreementType", - "description": "Filters access by the type of the agreement.", - "type": "String" + "description": "Filters access by the type of the agreement", + "type": "ArrayOfString" }, { "condition": "aws-marketplace:PartyType", - "description": "Filters access by the party type of the agreement.", + "description": "Filters access by the party type of the agreement", "type": "String" }, { "condition": "aws-marketplace:ProductId", - "description": "Filters access to AWS Marketplace RedHat OpenShift products in the RedHat console, based on the ProductID of the product. Note: This condition key only applies to the RedHat console, and using it will not allow access to products in AWS Marketplace.", - "type": "String" + "description": "Filters access by product id for AWS Marketplace RedHat OpenShift products in the RedHat console. Note: This condition key only applies to the RedHat console, and using it will not restrict access to products in AWS Marketplace", + "type": "ArrayOfString" } ], "prefix": "aws-marketplace", @@ -14787,6 +15880,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to users to accept their agreement requests. Note that this action is not applicable to Marketplace purchases", + "privilege": "AcceptAgreementRequest", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to users to cancel their agreements. Note that this action is not applicable to Marketplace purchases", + "privilege": "CancelAgreement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to users to cancel pending subscription requests for products that require subscription verification", @@ -14799,6 +15916,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to users to create an agreement request. Note that this action is not applicable to Marketplace purchases", + "privilege": "CreateAgreementRequest", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to users to describe the metadata about the agreement", @@ -14951,7 +16080,7 @@ "conditions": [ { "condition": "catalog:ChangeType", - "description": "Enables you to verify change type in the StartChangeSet request.", + "description": "Filters access by the change type in the StartChangeSet request", "type": "String" } ], @@ -14959,19 +16088,19 @@ "privileges": [ { "access_level": "Write", - "description": "Cancels a running change set.", + "description": "Grants permission to cancel a running change set", "privilege": "CancelChangeSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ChangeSet*" } ] }, { "access_level": "Write", - "description": "Complete an existing task and submit the content to the associated change.", + "description": "Grants permission to complete an existing task and submit the content to the associated change", "privilege": "CompleteTask", "resource_types": [ { @@ -14983,31 +16112,31 @@ }, { "access_level": "Read", - "description": "Returns the details of an existing change set.", + "description": "Grants permission to return the details of an existing change set", "privilege": "DescribeChangeSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ChangeSet*" } ] }, { "access_level": "Read", - "description": "Returns the details of an existing entity.", + "description": "Grants permission to return the details of an existing entity", "privilege": "DescribeEntity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Entity*" } ] }, { "access_level": "Read", - "description": "Returns the details of an existing task.", + "description": "Grants permission to return the details of an existing task", "privilege": "DescribeTask", "resource_types": [ { @@ -15018,8 +16147,8 @@ ] }, { - "access_level": "Read", - "description": "Lists existing change sets.", + "access_level": "List", + "description": "Grants permission to list existing change sets", "privilege": "ListChangeSets", "resource_types": [ { @@ -15030,8 +16159,8 @@ ] }, { - "access_level": "Read", - "description": "Lists existing entities.", + "access_level": "List", + "description": "Grants permission to list existing entities", "privilege": "ListEntities", "resource_types": [ { @@ -15043,7 +16172,7 @@ }, { "access_level": "List", - "description": "Lists existing tasks.", + "description": "Grants permission to list existing tasks", "privilege": "ListTasks", "resource_types": [ { @@ -15055,9 +16184,14 @@ }, { "access_level": "Write", - "description": "Requests a new change set.", + "description": "Grants permission to request a new change set. (Note: resource-level permissions for this action and condition context keys for this action are only supported when used with Catalog API and are not supported when used with AWS Marketplace Management Portal)", "privilege": "StartChangeSet", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Entity*" + }, { "condition_keys": [ "catalog:ChangeType" @@ -15069,7 +16203,7 @@ }, { "access_level": "Write", - "description": "Update the content of an existing task.", + "description": "Grants permission to update the contents of an existing task", "privilege": "UpdateTask", "resource_types": [ { @@ -15094,206 +16228,6 @@ ], "service_name": "AWS Marketplace Catalog" }, - { - "conditions": [], - "prefix": "aws-marketplace", - "privileges": [ - { - "access_level": "Write", - "description": "Adds new approved products to the Private Marketplace. Also allows to approve a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "AssociateProductsWithPrivateMarketplace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a Private Marketplace for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization.", - "privilege": "CreatePrivateMarketplace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a Private Marketplace Profile that customizes the white label experience on the AWS Marketplace website for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization.", - "privilege": "CreatePrivateMarketplaceProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a new request for a product or products to be associated with the Private Marketplace. This action can be performed by any account in an in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "CreatePrivateMarketplaceRequests", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Describes the status of requested products in the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "DescribePrivateMarketplaceProducts", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Describes details about the Private Marketplace Profile for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "DescribePrivateMarketplaceProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Describes requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "DescribePrivateMarketplaceRequests", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Describes the Private Marketplace settings. This includes setting for enabling requests from end users and preferences for notifications. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "DescribePrivateMarketplaceSettings", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Describes the status of the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "DescribePrivateMarketplaceStatus", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Removes approved products from the Private Marketplace. Also allows to decline a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "DisassociateProductsFromPrivateMarketplace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Queryable list for the products and status of products in the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "ListPrivateMarketplaceProducts", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Queryable list for requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "ListPrivateMarketplaceRequests", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Starts the Private Marketplace, enabling the customized AWS Marketplace experience, and enabling restrictions on the procurement of products based on what is available in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "StartPrivateMarketplace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Stops the Private Marketplace, disabling the customized AWS Marketplace experience and removing the Private Marketplace procurement restrictions on products. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "StopPrivateMarketplace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Updates the Private Marketplace Profile that customizes the white label experience on the AWS Marketplace website for the individual account, or for the entire AWS Organization if one exists. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "UpdatePrivateMarketplaceProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Updates the Private Marketplace settings. This includes setting for enabling requests from end users and preferences for notifications. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", - "privilege": "UpdatePrivateMarketplaceSettings", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "AWS Private Marketplace" - }, { "conditions": [], "prefix": "aws-marketplace", @@ -15520,7 +16454,7 @@ "privileges": [ { "access_level": "Write", - "description": "Allow or deny IAM users permission to modify Account Settings.", + "description": "Allow or deny IAM users permission to modify Account Settings", "privilege": "ModifyAccount", "resource_types": [ { @@ -15532,7 +16466,7 @@ }, { "access_level": "Write", - "description": "Allow or deny IAM users permission to modify billing settings.", + "description": "Allow or deny IAM users permission to modify billing settings", "privilege": "ModifyBilling", "resource_types": [ { @@ -15544,7 +16478,7 @@ }, { "access_level": "Write", - "description": "Allow or deny IAM users permission to modify payment methods.", + "description": "Allow or deny IAM users permission to modify payment methods", "privilege": "ModifyPaymentMethods", "resource_types": [ { @@ -15556,7 +16490,7 @@ }, { "access_level": "Read", - "description": "Allow or deny IAM users permission to view account settings.", + "description": "Allow or deny IAM users permission to view account settings", "privilege": "ViewAccount", "resource_types": [ { @@ -15568,7 +16502,7 @@ }, { "access_level": "Read", - "description": "Allow or deny IAM users permission to view billing pages in the console.", + "description": "Allow or deny IAM users permission to view billing pages in the console", "privilege": "ViewBilling", "resource_types": [ { @@ -15580,7 +16514,7 @@ }, { "access_level": "Read", - "description": "Allow or deny IAM users permission to view payment methods.", + "description": "Allow or deny IAM users permission to view payment methods", "privilege": "ViewPaymentMethods", "resource_types": [ { @@ -15592,7 +16526,7 @@ }, { "access_level": "Read", - "description": "Allow or deny IAM users permission to view AWS usage reports.", + "description": "Allow or deny IAM users permission to view AWS usage reports", "privilege": "ViewUsage", "resource_types": [ { @@ -15665,22 +16599,22 @@ { "condition": "aws:TagKeys", "description": "Filters access by the presence of mandatory tags in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "backup:CopyTargetOrgPaths", "description": "Filters access by the organization unit", - "type": "String" + "type": "ArrayOfString" }, { "condition": "backup:CopyTargets", "description": "Filters access by the ARN of an backup vault", - "type": "String" + "type": "ArrayOfARN" }, { "condition": "backup:FrameworkArns", "description": "Filters access by the Framework ARNs", - "type": "ArrayOfString" + "type": "ArrayOfARN" } ], "prefix": "backup", @@ -16416,6 +17350,14 @@ "iam:PassRole" ], "resource_type": "backupVault*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -16559,6 +17501,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "backupPlan*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -16571,6 +17521,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "framework*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -16669,6 +17627,373 @@ ], "service_name": "AWS Backup" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag-value associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the presence of mandatory tags in the request", + "type": "ArrayOfString" + } + ], + "prefix": "backup-gateway", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to AssociateGatewayToServer", + "privilege": "AssociateGatewayToServer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hypervisor*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Backup", + "privilege": "Backup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualmachine*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to to CreateGateway", + "privilege": "CreateGateway", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to DeleteGateway", + "privilege": "DeleteGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to DeleteHypervisor", + "privilege": "DeleteHypervisor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hypervisor*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to DisassociateGatewayFromServer", + "privilege": "DisassociateGatewayFromServer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to GetGateway", + "privilege": "GetGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to ImportHypervisorConfiguration", + "privilege": "ImportHypervisorConfiguration", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to ListGateways", + "privilege": "ListGateways", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to ListHypervisors", + "privilege": "ListHypervisors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to ListTagsForResource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hypervisor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualmachine" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to ListVirtualMachines", + "privilege": "ListVirtualMachines", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to PutMaintenanceStartTime", + "privilege": "PutMaintenanceStartTime", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Restore", + "privilege": "Restore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hypervisor*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to TagResource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hypervisor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualmachine" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to TestHypervisorConfiguration", + "privilege": "TestHypervisorConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to UntagResource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hypervisor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualmachine" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to UpdateGatewayInformation", + "privilege": "UpdateGatewayInformation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to UpdateGatewaySoftwareNow", + "privilege": "UpdateGatewaySoftwareNow", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to UpdateHypervisor", + "privilege": "UpdateHypervisor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:backup-gateway::${Account}:gateway/${GatewayId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "gateway" + }, + { + "arn": "arn:${Partition}:backup-gateway::${Account}:hypervisor/${HypervisorId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "hypervisor" + }, + { + "arn": "arn:${Partition}:backup-gateway::${Account}:vm/${VirtualmachineId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "virtualmachine" + } + ], + "service_name": "AWS Backup Gateway" + }, { "conditions": [], "prefix": "backup-storage", @@ -16693,57 +18018,62 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" }, { "condition": "batch:AWSLogsCreateGroup", - "description": "Filters access based on the specified logging driver to determine whether awslogs group will be created for the logs", - "type": "Boolean" + "description": "Filters access by the specified logging driver to determine whether awslogs group will be created for the logs", + "type": "Bool" }, { "condition": "batch:AWSLogsGroup", - "description": "Filters access based on the awslogs group where the logs are located", + "description": "Filters access by the awslogs group where the logs are located", "type": "String" }, { "condition": "batch:AWSLogsRegion", - "description": "Filters access based on the region where the logs are sent to", + "description": "Filters access by the region where the logs are sent to", "type": "String" }, { "condition": "batch:AWSLogsStreamPrefix", - "description": "Filters access based on the awslogs log stream prefix", + "description": "Filters access by the awslogs log stream prefix", "type": "String" }, { "condition": "batch:Image", - "description": "Filters access based on the image used to start a container", + "description": "Filters access by on the image used to start a container", "type": "String" }, { "condition": "batch:LogDriver", - "description": "Filters access based on the log driver used for the container", + "description": "Filters access by the log driver used for the container", "type": "String" }, { "condition": "batch:Privileged", - "description": "Filter access based on the specified privileged parameter value that determines whether the container is given elevated privileges on the host container instance (similar to the root user)", - "type": "Boolean" + "description": "Filters access by the specified privileged parameter value that determines whether the container is given elevated privileges on the host container instance (similar to the root user)", + "type": "Bool" + }, + { + "condition": "batch:ShareIdentifier", + "description": "Filters access by the shareIdentifier used inside submit job", + "type": "String" }, { "condition": "batch:User", - "description": "Filters access based on the user name or numeric uid used inside the container", + "description": "Filters access by user name or numeric uid used inside the container", "type": "String" } ], @@ -16796,6 +18126,31 @@ "dependent_actions": [], "resource_type": "job-queue*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS Batch scheduling policy in your account", + "privilege": "CreateSchedulingPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -16830,6 +18185,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS Batch scheduling policy in your account", + "privilege": "DeleteSchedulingPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to deregister an AWS Batch job definition in your account", @@ -16890,6 +18257,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe one or more AWS Batch scheduling policies in your account", + "privilege": "DescribeSchedulingPolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list jobs for a specified AWS Batch job queue in your account", @@ -16902,6 +18281,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list AWS Batch scheduling policies in your account", + "privilege": "ListSchedulingPolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list tags for an AWS Batch resource in your account", @@ -16926,6 +18317,11 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "job-queue" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy" } ] }, @@ -16975,7 +18371,8 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "batch:ShareIdentifier" ], "dependent_actions": [], "resource_type": "" @@ -17007,6 +18404,11 @@ "dependent_actions": [], "resource_type": "job-queue" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -17054,6 +18456,11 @@ "dependent_actions": [], "resource_type": "job-queue" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy" + }, { "condition_keys": [ "aws:TagKeys" @@ -17089,6 +18496,23 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "compute-environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an AWS Batch scheduling policy in your account", + "privilege": "UpdateSchedulingPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduling-policy*" } ] } @@ -17116,11 +18540,18 @@ "resource": "job-definition" }, { - "arn": "arn:${Partition}:batch:${Region}:${Account}:job/${jobId}", + "arn": "arn:${Partition}:batch:${Region}:${Account}:job/${JobId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "job" + }, + { + "arn": "arn:${Partition}:batch:${Region}:${Account}:scheduling-policy/${SchedulingPolicyName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "scheduling-policy" } ], "service_name": "AWS Batch" @@ -17129,44 +18560,525 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "billingconductor", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate between one and 30 accounts to a billing group", + "privilege": "AssociateAccounts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "billinggroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate pricing rules", + "privilege": "AssociatePricingRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingplan*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingrule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to batch associate resources to a percentage custom line item", + "privilege": "BatchAssociateResourcesToCustomLineItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customlineitem*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to batch disassociate resources from a percentage custom line item", + "privilege": "BatchDisassociateResourcesFromCustomLineItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customlineitem*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a billing group", + "privilege": "CreateBillingGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingplan*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a custom line item", + "privilege": "CreateCustomLineItem", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a pricing plan", + "privilege": "CreatePricingPlan", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a pricing rule", + "privilege": "CreatePricingRule", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a billing group", + "privilege": "DeleteBillingGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "billinggroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a custom line item", + "privilege": "DeleteCustomLineItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customlineitem*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a pricing plan", + "privilege": "DeletePricingPlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingplan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a pricing rule", + "privilege": "DeletePricingRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingrule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to detach between one and 30 accounts from a billing group", + "privilege": "DisassociateAccounts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "billinggroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate pricing rules", + "privilege": "DisassociatePricingRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingplan*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingrule*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the linked accounts of the payer account for the given billing period while also providing the billing group the linked accounts belong to", + "privilege": "ListAccountAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the billing group cost report", + "privilege": "ListBillingGroupCostReports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the details of billing groups", + "privilege": "ListBillingGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view custom line item details", + "privilege": "ListCustomLineItems", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the pricing plans details", + "privilege": "ListPricingPlans", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list pricing plans associated with a pricing rule", + "privilege": "ListPricingPlansAssociatedWithPricingRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingplan*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingrule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view pricing rules details", + "privilege": "ListPricingRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list pricing rules associated to a pricing plan", + "privilege": "ListPricingRulesAssociatedToPricingPlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingplan*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingrule*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list resources associated to a percentage custom line item", + "privilege": "ListResourcesAssociatedToCustomLineItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customlineitem*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags of a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a billing group", + "privilege": "UpdateBillingGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "billinggroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a custom line item", + "privilege": "UpdateCustomLineItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customlineitem*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a pricing plan", + "privilege": "UpdatePricingPlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingplan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a pricing rule", + "privilege": "UpdatePricingRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pricingrule*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:billingconductor::${Account}:billinggroup/${BillingGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "billinggroup" + }, + { + "arn": "arn:${Partition}:billingconductor::${Account}:pricingplan/${PricingPlanId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "pricingplan" + }, + { + "arn": "arn:${Partition}:billingconductor::${Account}:pricingrule/${PricingRuleId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "pricingrule" + }, + { + "arn": "arn:${Partition}:billingconductor::${Account}:customlineitem/${CustomLineItemId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "customlineitem" + } + ], + "service_name": "AWS Billing Conductor" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "braket", "privileges": [ { "access_level": "Write", - "description": "Grants permission to cancel a quantum task.", - "privilege": "CancelQuantumTask", + "description": "Grants permission to cancel a job", + "privilege": "CancelJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "quantum-task*" + "resource_type": "job*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a quantum task.", - "privilege": "CreateQuantumTask", + "description": "Grants permission to cancel a quantum task", + "privilege": "CancelQuantumTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "quantum-task*" - }, + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a job", + "privilege": "CreateJob", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a quantum task", + "privilege": "CreateQuantumTask", + "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -17179,7 +19091,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the devices available in Amazon Braket.", + "description": "Grants permission to retrieve information about the devices available in Amazon Braket", "privilege": "GetDevice", "resource_types": [ { @@ -17191,7 +19103,19 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve quantum tasks.", + "description": "Grants permission to retrieve jobs", + "privilege": "GetJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve quantum tasks", "privilege": "GetQuantumTask", "resource_types": [ { @@ -17203,9 +19127,14 @@ }, { "access_level": "Read", - "description": "Lists the tags that have been applied to the quantum task resource.", + "description": "Grants permission to listing the tags that have been applied to the quantum task resource or the job", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job" + }, { "condition_keys": [], "dependent_actions": [], @@ -17215,7 +19144,7 @@ }, { "access_level": "Read", - "description": "Grants permission to search for devices available in Amazon Braket.", + "description": "Grants permission to search for devices available in Amazon Braket", "privilege": "SearchDevices", "resource_types": [ { @@ -17227,7 +19156,19 @@ }, { "access_level": "Read", - "description": "Grants permission to search for quantum tasks.", + "description": "Grants permission to search for jobs", + "privilege": "SearchJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search for quantum tasks", "privilege": "SearchQuantumTasks", "resource_types": [ { @@ -17239,7 +19180,7 @@ }, { "access_level": "Tagging", - "description": "Adds one or more tags to a quantum task.", + "description": "Grants permission to add one or more tags to a quantum task", "privilege": "TagResource", "resource_types": [ { @@ -17259,9 +19200,14 @@ }, { "access_level": "Tagging", - "description": "Remove one or more tags from a quantum task resource. A tag consists of a key-value pair", + "description": "Grants permission to remove one or more tags from a quantum task resource or a job. A tag consists of a key-value pair", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job" + }, { "condition_keys": [], "dependent_actions": [], @@ -17284,6 +19230,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "quantum-task" + }, + { + "arn": "arn:${Partition}:braket:${Region}:${Account}:job/${JobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "job" } ], "service_name": "Amazon Braket" @@ -17446,7 +19399,7 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "bugbust", @@ -17557,11 +19510,6 @@ ], "resource_type": "Event*" }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "codereview*" - }, { "condition_keys": [ "aws:ResourceTag/${TagKey}" @@ -17738,16 +19686,6 @@ ], "resource_type": "Event*" }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ProfilingGroup*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "codereview*" - }, { "condition_keys": [ "aws:ResourceTag/${TagKey}" @@ -17764,7 +19702,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "codeguru-reviewer:ListRecommendations" + ], "resource_type": "Event*" }, { @@ -17783,7 +19723,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "codeguru-reviewer:ListRecommendations" + ], "resource_type": "Event*" }, { @@ -17797,20 +19739,6 @@ } ], "resources": [ - { - "arn": "arn:${Partition}:codeguru-reviewer:${Region}:${Account}:association:${ResourceId}:codereview:${CodeReviewId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "codereview" - }, - { - "arn": "arn:${Partition}:codeguru-profiler:${Region}:${Account}:profilingGroup/${profilingGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ProfilingGroup" - }, { "arn": "arn:${Partition}:bugbust:${Region}:${Account}:events/${EventId}", "condition_keys": [ @@ -17825,366 +19753,273 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by tag keys that are passed in the request", + "type": "ArrayOfString" } ], - "prefix": "cassandra", + "prefix": "cases", "privileges": [ { - "access_level": "Write", - "description": "Grants permission to alter a keyspace or table", - "privilege": "Alter", + "access_level": "Read", + "description": "Grants permission to retrieve information about the fields in the case domain", + "privilege": "BatchGetField", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "keyspace" + "resource_type": "Domain*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Field*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a keyspace or table", - "privilege": "Create", + "description": "Grants permission to update the field options in the case domain", + "privilege": "BatchPutFieldOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "keyspace" + "resource_type": "Domain*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Field*" } ] }, { "access_level": "Write", - "description": "Grants permission to drop a keyspace or table", - "privilege": "Drop", + "description": "Grants permission to create a case in the case domain", + "privilege": "CreateCase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "keyspace" + "resource_type": "Domain*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table" + "resource_type": "Field*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Template*" } ] }, { "access_level": "Write", - "description": "Grants permission to INSERT, UPDATE or DELETE data in a table", - "privilege": "Modify", + "description": "Grants permission to create a new case domain", + "privilege": "CreateDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to restore table from a backup", - "privilege": "Restore", + "description": "Grants permission to create a field in the case domain", + "privilege": "CreateField", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to SELECT data from a table", - "privilege": "Select", + "access_level": "Write", + "description": "Grants permission to create a layout in the case domain", + "privilege": "CreateLayout", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "Domain*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a keyspace or table", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to create a related item associated to a case in the case domain", + "privilege": "CreateRelatedItem", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "keyspace" + "resource_type": "Case*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a keyspace or table", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a template in the case domain", + "privilege": "CreateTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "keyspace" + "resource_type": "Domain*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Layout*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "keyspace" }, { - "arn": "arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/table/${tableName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "table" - } - ], - "service_name": "Amazon Keyspaces (for Apache Cassandra)" - }, - { - "conditions": [], - "prefix": "ce", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a new Anomaly Monitor", - "privilege": "CreateAnomalyMonitor", + "access_level": "Read", + "description": "Grants permission to retrieve information about a case in the case domain", + "privilege": "GetCase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new Anomaly Subscription", - "privilege": "CreateAnomalySubscription", - "resource_types": [ + "resource_type": "Case*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new Cost Category with the requested name and rules", - "privilege": "CreateCostCategoryDefinition", - "resource_types": [ + "resource_type": "Domain*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Field*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create Reservation expiration alerts", - "privilege": "CreateNotificationSubscription", + "access_level": "Read", + "description": "Grants permission to retrieve information about the case event configuraton in the case domain", + "privilege": "GetCaseEventConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create Cost Explorer Reports", - "privilege": "CreateReport", + "access_level": "Read", + "description": "Grants permission to retrieve information about the case domain", + "privilege": "GetDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Anomaly Monitor", - "privilege": "DeleteAnomalyMonitor", + "access_level": "Read", + "description": "Grants permission to retrieve information about the layout in the case domain", + "privilege": "GetLayout", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an Anomaly Subscription", - "privilege": "DeleteAnomalySubscription", - "resource_types": [ + "resource_type": "Domain*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Layout*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a Cost Category", - "privilege": "DeleteCostCategoryDefinition", + "access_level": "Read", + "description": "Grants permission to retrieve information about the template in the case domain", + "privilege": "GetTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete Reservation expiration alerts", - "privilege": "DeleteNotificationSubscription", - "resource_types": [ + "resource_type": "Domain*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Template*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete Cost Explorer Reports", - "privilege": "DeleteReport", + "access_level": "List", + "description": "Grants permission to list cases for a specific contact in the case domain", + "privilege": "ListCasesForContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve descriptions such as the name, ARN, rules, definition, and effective dates of a Cost Category", - "privilege": "DescribeCostCategoryDefinition", + "access_level": "List", + "description": "Grants permission to list field options for a single select field in the case domain", + "privilege": "ListFieldOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view Reservation expiration alerts", - "privilege": "DescribeNotificationSubscription", - "resource_types": [ + "resource_type": "Domain*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Field*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view Cost Explorer Reports page", - "privilege": "DescribeReport", + "access_level": "List", + "description": "Grants permission to list fields in the case domain", + "privilege": "ListFields", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve anomalies", - "privilege": "GetAnomalies", + "description": "Grants permission to list the tags for the specified resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], @@ -18194,282 +20029,1137 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to query Anomaly Monitors", - "privilege": "GetAnomalyMonitors", + "access_level": "List", + "description": "Grants permission to list templates in the case domain", + "privilege": "ListTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to query Anomaly Subscriptions", - "privilege": "GetAnomalySubscriptions", + "access_level": "Write", + "description": "Grants permission to insert or update the case event configuration in the case domain", + "privilege": "PutCaseEventConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the cost and usage metrics for your account", - "privilege": "GetCostAndUsage", + "description": "Grants permission to search for cases in the case domain", + "privilege": "SearchCases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the cost and usage metrics with resources for your account", - "privilege": "GetCostAndUsageWithResources", + "description": "Grants permission to search for related items associated to the case in the case domain", + "privilege": "SearchRelatedItems", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to query Cost Catagory names and values for a specified time period", - "privilege": "GetCostCategories", - "resource_types": [ + "resource_type": "Case*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a cost forecast for a forecast time period", - "privilege": "GetCostForecast", + "access_level": "Tagging", + "description": "Grants permission to add the specified tags to the specified resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve all available filter values for a filter for a period of time", - "privilege": "GetDimensionValues", - "resource_types": [ + "resource_type": "Case" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view Cost Explorer Preferences page", - "privilege": "GetPreferences", - "resource_types": [ + "resource_type": "Domain" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the reservation coverage for your account", - "privilege": "GetReservationCoverage", - "resource_types": [ + "resource_type": "Field" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the reservation recommendations for your account", - "privilege": "GetReservationPurchaseRecommendation", - "resource_types": [ + "resource_type": "Layout" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the reservation utilization for your account", - "privilege": "GetReservationUtilization", - "resource_types": [ + "resource_type": "RelatedItem" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "Template" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the rightsizing recommendations for your account", - "privilege": "GetRightsizingRecommendation", + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the specified resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the Savings Plans coverage for your account", - "privilege": "GetSavingsPlansCoverage", - "resource_types": [ + "resource_type": "Case" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the Savings Plans recommendations for your account", - "privilege": "GetSavingsPlansPurchaseRecommendation", - "resource_types": [ + "resource_type": "Domain" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the Savings Plans utilization for your account", - "privilege": "GetSavingsPlansUtilization", - "resource_types": [ + "resource_type": "Field" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the Savings Plans utilization details for your account", - "privilege": "GetSavingsPlansUtilizationDetails", - "resource_types": [ + "resource_type": "Layout" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to query tags for a specified time period", - "privilege": "GetTags", - "resource_types": [ + "resource_type": "RelatedItem" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "Template" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a usage forecast for a forecast time period", - "privilege": "GetUsageForecast", + "access_level": "Write", + "description": "Grants permission to update the field values on the case in the case domain", + "privilege": "UpdateCase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve names, ARN, and effective dates for all Cost Categories", - "privilege": "ListCostCategoryDefinitions", - "resource_types": [ + "resource_type": "Case*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to provide feedback on detected anomalies", - "privilege": "ProvideAnomalyFeedback", - "resource_types": [ + "resource_type": "Domain*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Field*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing Anomaly Monitor", - "privilege": "UpdateAnomalyMonitor", + "description": "Grants permission to update the field in the case domain", + "privilege": "UpdateField", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Field*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing Anomaly Subscription", - "privilege": "UpdateAnomalySubscription", + "description": "Grants permission to update the layout in the case domain", + "privilege": "UpdateLayout", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Layout*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing Cost Category", - "privilege": "UpdateCostCategoryDefinition", + "description": "Grants permission to update the template in the case domain", + "privilege": "UpdateTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { + "resource_type": "Domain*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Template*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:cases:${Region}:${Account}:domain/${DomainId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Domain" + }, + { + "arn": "arn:${Partition}:cases:${Region}:${Account}:domain/${DomainId}/field/${FieldId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Field" + }, + { + "arn": "arn:${Partition}:cases:${Region}:${Account}:domain/${DomainId}/layout/${LayoutId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Layout" + }, + { + "arn": "arn:${Partition}:cases:${Region}:${Account}:domain/${DomainId}/template/${TemplateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Template" + }, + { + "arn": "arn:${Partition}:cases:${Region}:${Account}:domain/${DomainId}/case/${CaseId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Case" + }, + { + "arn": "arn:${Partition}:cases:${Region}:${Account}:domain/${DomainId}/case/${CaseId}/related-item/${RelatedItemId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "RelatedItem" + } + ], + "service_name": "Amazon Connect Cases" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "cassandra", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to alter a keyspace or table", + "privilege": "Alter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "keyspace" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a keyspace or table", + "privilege": "Create", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "keyspace" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to drop a keyspace or table", + "privilege": "Drop", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "keyspace" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to INSERT, UPDATE or DELETE data in a table", + "privilege": "Modify", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore table from a backup", + "privilege": "Restore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to SELECT data from a table", + "privilege": "Select", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a keyspace or table", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "keyspace" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a keyspace or table", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "keyspace" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to UPDATE the partitioner in a system table", + "privilege": "UpdatePartitioner", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "keyspace" + }, + { + "arn": "arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/table/${TableName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "table" + } + ], + "service_name": "Amazon Keyspaces (for Apache Cassandra)" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "ce", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a new Anomaly Monitor", + "privilege": "CreateAnomalyMonitor", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new Anomaly Subscription", + "privilege": "CreateAnomalySubscription", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new Cost Category with the requested name and rules", + "privilege": "CreateCostCategoryDefinition", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create Reservation expiration alerts", + "privilege": "CreateNotificationSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create Cost Explorer Reports", + "privilege": "CreateReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Anomaly Monitor", + "privilege": "DeleteAnomalyMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalymonitor*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Anomaly Subscription", + "privilege": "DeleteAnomalySubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalysubscription*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Cost Category", + "privilege": "DeleteCostCategoryDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "costcategory*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete Reservation expiration alerts", + "privilege": "DeleteNotificationSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete Cost Explorer Reports", + "privilege": "DeleteReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptions such as the name, ARN, rules, definition, and effective dates of a Cost Category", + "privilege": "DescribeCostCategoryDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "costcategory*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view Reservation expiration alerts", + "privilege": "DescribeNotificationSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view Cost Explorer Reports page", + "privilege": "DescribeReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve anomalies", + "privilege": "GetAnomalies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalymonitor*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to query Anomaly Monitors", + "privilege": "GetAnomalyMonitors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalymonitor*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to query Anomaly Subscriptions", + "privilege": "GetAnomalySubscriptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalysubscription*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the cost and usage metrics for your account", + "privilege": "GetCostAndUsage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the cost and usage metrics with resources for your account", + "privilege": "GetCostAndUsageWithResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to query Cost Catagory names and values for a specified time period", + "privilege": "GetCostCategories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a cost forecast for a forecast time period", + "privilege": "GetCostForecast", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve all available filter values for a filter for a period of time", + "privilege": "GetDimensionValues", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view Cost Explorer Preferences page", + "privilege": "GetPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the reservation coverage for your account", + "privilege": "GetReservationCoverage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the reservation recommendations for your account", + "privilege": "GetReservationPurchaseRecommendation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the reservation utilization for your account", + "privilege": "GetReservationUtilization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the rightsizing recommendations for your account", + "privilege": "GetRightsizingRecommendation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the Savings Plans coverage for your account", + "privilege": "GetSavingsPlansCoverage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the Savings Plans recommendations for your account", + "privilege": "GetSavingsPlansPurchaseRecommendation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the Savings Plans utilization for your account", + "privilege": "GetSavingsPlansUtilization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the Savings Plans utilization details for your account", + "privilege": "GetSavingsPlansUtilizationDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to query tags for a specified time period", + "privilege": "GetTags", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a usage forecast for a forecast time period", + "privilege": "GetUsageForecast", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list Cost Allocation Tags", + "privilege": "ListCostAllocationTags", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve names, ARN, and effective dates for all Cost Categories", + "privilege": "ListCostCategoryDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a Cost Explorer resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalymonitor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalysubscription" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "costcategory" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provide feedback on detected anomalies", + "privilege": "ProvideAnomalyFeedback", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a Cost Explorer resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalymonitor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalysubscription" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "costcategory" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a Cost Explorer resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalymonitor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalysubscription" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "costcategory" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing Anomaly Monitor", + "privilege": "UpdateAnomalyMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalymonitor*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing Anomaly Subscription", + "privilege": "UpdateAnomalySubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "anomalysubscription*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update existing Cost Allocation Tags status", + "privilege": "UpdateCostAllocationTagsStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing Cost Category", + "privilege": "UpdateCostCategoryDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "costcategory*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { "access_level": "Write", "description": "Grants permission to update Reservation expiration alerts", "privilege": "UpdateNotificationSubscription", @@ -18506,17 +21196,33 @@ ] } ], - "resources": [], - "service_name": "AWS Cost Explorer Service" - }, - { - "conditions": [ + "resources": [ { - "condition": "aws:CalledVia", - "description": "Filters access by the services that make the request on behalf of the IAM principal", - "type": "String" + "arn": "arn:${Partition}:ce::${Account}:anomalysubscription/${Identifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "anomalysubscription" + }, + { + "arn": "arn:${Partition}:ce::${Account}:anomalymonitor/${Identifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "anomalymonitor" + }, + { + "arn": "arn:${Partition}:ce::${Account}:costcategory/${Identifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "costcategory" } ], + "service_name": "AWS Cost Explorer Service" + }, + { + "conditions": [], "prefix": "chatbot", "privileges": [ { @@ -18567,6 +21273,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS Chatbot Slack User Identity", + "privilege": "DeleteSlackUserIdentity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete the Slack workspace authorization with AWS Chatbot, associated with an AWS account", @@ -18615,6 +21333,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe AWS Chatbot Slack User Identities", + "privilege": "DescribeSlackUserIdentities", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list all authorized Slack workspaces connected to the AWS Account onboarded with AWS Chatbot service", @@ -18627,6 +21357,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve AWS Chatbot account preferences", + "privilege": "GetAccountPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to generate OAuth parameters to request Slack OAuth code to be used by the AWS Chatbot service", @@ -18651,6 +21393,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update AWS Chatbot account preferences", + "privilege": "UpdateAccountPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update an AWS Chatbot Chime Webhook Configuration", @@ -18678,7 +21432,7 @@ ], "resources": [ { - "arn": "arn:${Partition}:chatbot::${Account}:chat-configuration/${ChatbotConfigurationName}", + "arn": "arn:${Partition}:chatbot::${Account}:chat-configuration/${ConfigurationType}/${ChatbotConfigurationName}", "condition_keys": [], "resource": "ChatbotConfiguration" } @@ -18700,7 +21454,7 @@ { "condition": "aws:TagKeys", "description": "Filters access by the tag keys in a request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "chime", @@ -18912,6 +21666,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update AttendeeCapabilities except the capabilities listed in an ExcludedAttendeeIds table", + "privilege": "BatchUpdateAttendeeCapabilitiesExcept", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "meeting*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update phone number details within the UpdatePhoneNumberRequestItem object for up to 50 phone numbers", @@ -19069,18 +21835,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to add a bot to a chat room in your Amazon Chime Enterprise account", - "privilege": "CreateBotMembership", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Write", "description": "Grants permission to create a new Call Detail Record S3 bucket", @@ -19193,8 +21947,13 @@ "privilege": "CreateMediaCapturePipeline", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "s3:GetBucketPolicy" + ], "resource_type": "" } ] @@ -19629,7 +22388,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "media-pipeline*" } ] }, @@ -19724,7 +22483,12 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "logs:CreateLogDelivery", + "logs:DeleteLogDelivery", + "logs:GetLogDelivery", + "logs:ListLogDeliveries" + ], "resource_type": "" } ] @@ -19813,6 +22577,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to deregister an endpoint for an app instance user", + "privilege": "DeregisterAppInstanceUserEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the full details of an AppInstance", @@ -19854,6 +22630,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe an endpoint registered for an app instance user", + "privilege": "DescribeAppInstanceUserEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the full details of a channel", @@ -20164,6 +22952,23 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the preferences for a channel membership", + "privilege": "GetChannelMembershipPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the full details of a channel message", @@ -20242,7 +23047,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "media-pipeline*" } ] }, @@ -20647,6 +23452,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the endpoints registered for an app instance user", + "privilege": "ListAppInstanceUserEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all AppInstanceUsers created under a single app instance", @@ -20835,11 +23652,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "app-instance-user*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel*" } ] }, @@ -21167,6 +23979,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to put the preferences for a channel membership", + "privilege": "PutChannelMembershipPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update details for an events configuration for a bot to receive outgoing events", @@ -21347,6 +24176,20 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to register an endpoint for an app instance user", + "privilege": "RegisterAppInstanceUserEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "mobiletargeting:GetApp" + ], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to modify the account name for your Amazon Chime Enterprise or Team account", @@ -21431,6 +24274,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to search channels that an AppInstanceUser belongs to, or search channels across the AppInstance for an AppInstaceAdmin", + "privilege": "SearchChannels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to send a message to a particular channel that the member is a part of", @@ -21546,11 +24401,36 @@ "description": "Grants permission to apply the specified tags to the specified Amazon Chime resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "channel" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel-flow" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "media-pipeline" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "meeting" + }, { "condition_keys": [ "aws:TagKeys", @@ -21603,10 +24483,42 @@ "description": "Grants permission to untag the specified tags from the specified Amazon Chime resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel-flow" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "media-pipeline" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "meeting" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -21682,6 +24594,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an endpoint registered for an app instance user", + "privilege": "UpdateAppInstanceUserEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to the capabilties that you want to update", + "privilege": "UpdateAttendeeCapabilities", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "meeting*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the status of the specified bot", @@ -22001,6 +24937,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "channel-flow" + }, + { + "arn": "arn:${Partition}:chime:${Region}:${AccountId}:media-pipeline/${MediaPipelineId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "media-pipeline" } ], "service_name": "Amazon Chime" @@ -22009,18 +24952,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" }, { "condition": "cloud9:EnvironmentId", @@ -22037,6 +24980,11 @@ "description": "Filters access by the instance type of the AWS Cloud9 environment's Amazon EC2 instance", "type": "String" }, + { + "condition": "cloud9:OwnerArn", + "description": "Filters access by the owner ARN specified", + "type": "ARN" + }, { "condition": "cloud9:Permissions", "description": "Filters access by the type of AWS Cloud9 permissions", @@ -22078,6 +25026,7 @@ "cloud9:InstanceType", "cloud9:SubnetId", "cloud9:UserArn", + "cloud9:OwnerArn", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -22119,6 +25068,7 @@ { "condition_keys": [ "cloud9:EnvironmentName", + "cloud9:OwnerArn", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -22275,7 +25225,9 @@ "privilege": "GetUserPublicKey", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "cloud9:UserArn" + ], "dependent_actions": [], "resource_type": "" } @@ -22480,7 +25432,7 @@ "privileges": [ { "access_level": "Write", - "description": "Adds a new Facet to an object.", + "description": "Grants permission to add a new Facet to an object", "privilege": "AddFacetToObject", "resource_types": [ { @@ -22492,7 +25444,7 @@ }, { "access_level": "Write", - "description": "Copies input published schema into Directory with same name and version as that of published schema.", + "description": "Grants permission to copy input published schema into Directory with same name and version as that of published schema", "privilege": "ApplySchema", "resource_types": [ { @@ -22509,7 +25461,7 @@ }, { "access_level": "Write", - "description": "Attaches an existing object to another existing object.", + "description": "Grants permission to attach an existing object to another existing object", "privilege": "AttachObject", "resource_types": [ { @@ -22521,7 +25473,7 @@ }, { "access_level": "Write", - "description": "Attaches a policy object to any other object.", + "description": "Grants permission to attach a policy object to any other object", "privilege": "AttachPolicy", "resource_types": [ { @@ -22533,7 +25485,7 @@ }, { "access_level": "Write", - "description": "Attaches the specified object to the specified index.", + "description": "Grants permission to attach the specified object to the specified index", "privilege": "AttachToIndex", "resource_types": [ { @@ -22545,7 +25497,7 @@ }, { "access_level": "Write", - "description": "Attaches a typed link b/w a source & target object reference.", + "description": "Grants permission to attach a typed link b/w a source & target object reference", "privilege": "AttachTypedLink", "resource_types": [ { @@ -22557,7 +25509,7 @@ }, { "access_level": "Read", - "description": "Performs all the read operations in a batch. Each individual operation inside BatchRead needs to be granted permissions explicitly.", + "description": "Grants permission to perform all the read operations in a batch. Each individual operation inside BatchRead needs to be granted permissions explicitly", "privilege": "BatchRead", "resource_types": [ { @@ -22569,7 +25521,7 @@ }, { "access_level": "Write", - "description": "Performs all the write operations in a batch. Each individual operation inside BatchWrite needs to be granted permissions explicitly.", + "description": "Grants permission to perform all the write operations in a batch. Each individual operation inside BatchWrite needs to be granted permissions explicitly", "privilege": "BatchWrite", "resource_types": [ { @@ -22581,7 +25533,7 @@ }, { "access_level": "Write", - "description": "Creates a Directory by copying the published schema into the directory.", + "description": "Grants permission to create a Directory by copying the published schema into the directory", "privilege": "CreateDirectory", "resource_types": [ { @@ -22593,7 +25545,7 @@ }, { "access_level": "Write", - "description": "Creates a new Facet in a schema.", + "description": "Grants permission to create a new Facet in a schema", "privilege": "CreateFacet", "resource_types": [ { @@ -22610,7 +25562,7 @@ }, { "access_level": "Write", - "description": "Creates an index object.", + "description": "Grants permission to create an index object", "privilege": "CreateIndex", "resource_types": [ { @@ -22622,7 +25574,7 @@ }, { "access_level": "Write", - "description": "Creates an object in a Directory.", + "description": "Grants permission to create an object in a Directory", "privilege": "CreateObject", "resource_types": [ { @@ -22634,7 +25586,7 @@ }, { "access_level": "Write", - "description": "Creates a new schema in a development state.", + "description": "Grants permission to create a new schema in a development state", "privilege": "CreateSchema", "resource_types": [ { @@ -22646,7 +25598,7 @@ }, { "access_level": "Write", - "description": "Creates a new Typed Link facet in a schema.", + "description": "Grants permission to create a new Typed Link facet in a schema", "privilege": "CreateTypedLinkFacet", "resource_types": [ { @@ -22663,7 +25615,7 @@ }, { "access_level": "Write", - "description": "Deletes a directory. Only disabled directories can be deleted.", + "description": "Grants permission to delete a directory. Only disabled directories can be deleted", "privilege": "DeleteDirectory", "resource_types": [ { @@ -22675,7 +25627,7 @@ }, { "access_level": "Write", - "description": "Deletes a given Facet. All attributes and Rules associated with the facet will be deleted.", + "description": "Grants permission to delete a given Facet. All attributes and Rules associated with the facet will be deleted", "privilege": "DeleteFacet", "resource_types": [ { @@ -22687,7 +25639,7 @@ }, { "access_level": "Write", - "description": "Deletes an object and its associated attributes.", + "description": "Grants permission to delete an object and its associated attributes", "privilege": "DeleteObject", "resource_types": [ { @@ -22699,7 +25651,7 @@ }, { "access_level": "Write", - "description": "Deletes a given schema.", + "description": "Grants permission to delete a given schema", "privilege": "DeleteSchema", "resource_types": [ { @@ -22716,7 +25668,7 @@ }, { "access_level": "Write", - "description": "Deletes a given TypedLink Facet. All attributes and Rules associated with the facet will be deleted.", + "description": "Grants permission to delete a given TypedLink Facet. All attributes and Rules associated with the facet will be deleted", "privilege": "DeleteTypedLinkFacet", "resource_types": [ { @@ -22728,7 +25680,7 @@ }, { "access_level": "Write", - "description": "Detaches the specified object from the specified index.", + "description": "Grants permission to detach the specified object from the specified index", "privilege": "DetachFromIndex", "resource_types": [ { @@ -22740,7 +25692,7 @@ }, { "access_level": "Write", - "description": "Detaches a given object from the parent object.", + "description": "Grants permission to detach a given object from the parent object", "privilege": "DetachObject", "resource_types": [ { @@ -22752,7 +25704,7 @@ }, { "access_level": "Write", - "description": "Detaches a policy from an object.", + "description": "Grants permission to detach a policy from an object", "privilege": "DetachPolicy", "resource_types": [ { @@ -22764,7 +25716,7 @@ }, { "access_level": "Write", - "description": "Detaches a given typed link b/w given source and target object reference.", + "description": "Grants permission to detach a given typed link b/w given source and target object reference", "privilege": "DetachTypedLink", "resource_types": [ { @@ -22776,7 +25728,7 @@ }, { "access_level": "Write", - "description": "Disables the specified directory.", + "description": "Grants permission to disable the specified directory", "privilege": "DisableDirectory", "resource_types": [ { @@ -22788,7 +25740,7 @@ }, { "access_level": "Write", - "description": "Enables the specified directory.", + "description": "Grants permission to enable the specified directory", "privilege": "EnableDirectory", "resource_types": [ { @@ -22800,7 +25752,19 @@ }, { "access_level": "Read", - "description": "Retrieves metadata about a directory.", + "description": "Grants permission to return current applied schema version ARN, including the minor version in use", + "privilege": "GetAppliedSchemaVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "appliedSchema*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve metadata about a directory", "privilege": "GetDirectory", "resource_types": [ { @@ -22812,7 +25776,7 @@ }, { "access_level": "Read", - "description": "Gets details of the Facet, such as Facet Name, Attributes, Rules, or ObjectType.", + "description": "Grants permission to get details of the Facet, such as Facet Name, Attributes, Rules, or ObjectType", "privilege": "GetFacet", "resource_types": [ { @@ -22834,7 +25798,7 @@ }, { "access_level": "Read", - "description": "Retrieves attributes that are associated with a typed link.", + "description": "Grants permission to retrieve attributes that are associated with a typed link", "privilege": "GetLinkAttributes", "resource_types": [ { @@ -22846,7 +25810,7 @@ }, { "access_level": "Read", - "description": "Retrieves attributes within a facet that are associated with an object.", + "description": "Grants permission to retrieve attributes within a facet that are associated with an object", "privilege": "GetObjectAttributes", "resource_types": [ { @@ -22858,7 +25822,7 @@ }, { "access_level": "Read", - "description": "Retrieves metadata about an object.", + "description": "Grants permission to retrieve metadata about an object", "privilege": "GetObjectInformation", "resource_types": [ { @@ -22870,7 +25834,7 @@ }, { "access_level": "Read", - "description": "Retrieves a JSON representation of the schema.", + "description": "Grants permission to retrieve a JSON representation of the schema", "privilege": "GetSchemaAsJson", "resource_types": [ { @@ -22892,7 +25856,7 @@ }, { "access_level": "Read", - "description": "Returns identity attributes order information associated with a given typed link facet.", + "description": "Grants permission to return identity attributes order information associated with a given typed link facet", "privilege": "GetTypedLinkFacetInformation", "resource_types": [ { @@ -22914,7 +25878,7 @@ }, { "access_level": "List", - "description": "Lists schemas applied to a directory.", + "description": "Grants permission to list schemas applied to a directory", "privilege": "ListAppliedSchemaArns", "resource_types": [ { @@ -22926,7 +25890,7 @@ }, { "access_level": "Read", - "description": "Lists indices attached to an object.", + "description": "Grants permission to list indices attached to an object", "privilege": "ListAttachedIndices", "resource_types": [ { @@ -22938,7 +25902,7 @@ }, { "access_level": "List", - "description": "Retrieves the ARNs of schemas in the development state.", + "description": "Grants permission to retrieve the ARNs of schemas in the development state", "privilege": "ListDevelopmentSchemaArns", "resource_types": [ { @@ -22950,7 +25914,7 @@ }, { "access_level": "List", - "description": "Lists directories created within an account.", + "description": "Grants permission to list directories created within an account", "privilege": "ListDirectories", "resource_types": [ { @@ -22962,7 +25926,7 @@ }, { "access_level": "Read", - "description": "Retrieves attributes attached to the facet.", + "description": "Grants permission to retrieve attributes attached to the facet", "privilege": "ListFacetAttributes", "resource_types": [ { @@ -22984,7 +25948,7 @@ }, { "access_level": "Read", - "description": "Retrieves the names of facets that exist in a schema.", + "description": "Grants permission to retrieve the names of facets that exist in a schema", "privilege": "ListFacetNames", "resource_types": [ { @@ -23006,7 +25970,7 @@ }, { "access_level": "Read", - "description": "Returns a paginated list of all incoming TypedLinks for a given object.", + "description": "Grants permission to return a paginated list of all incoming TypedLinks for a given object", "privilege": "ListIncomingTypedLinks", "resource_types": [ { @@ -23018,7 +25982,7 @@ }, { "access_level": "Read", - "description": "Lists objects attached to the specified index.", + "description": "Grants permission to list objects attached to the specified index", "privilege": "ListIndex", "resource_types": [ { @@ -23030,7 +25994,7 @@ }, { "access_level": "List", - "description": "Lists the major version families of each managed schema. If a major version ARN is provided as SchemaArn, the minor version revisions in that family are listed instead.", + "description": "Grants permission to list the major version families of each managed schema. If a major version ARN is provided as SchemaArn, the minor version revisions in that family are listed instead", "privilege": "ListManagedSchemaArns", "resource_types": [ { @@ -23042,7 +26006,7 @@ }, { "access_level": "Read", - "description": "Lists all attributes associated with an object.", + "description": "Grants permission to list all attributes associated with an object", "privilege": "ListObjectAttributes", "resource_types": [ { @@ -23054,7 +26018,7 @@ }, { "access_level": "Read", - "description": "Returns a paginated list of child objects associated with a given object.", + "description": "Grants permission to return a paginated list of child objects associated with a given object", "privilege": "ListObjectChildren", "resource_types": [ { @@ -23066,7 +26030,7 @@ }, { "access_level": "Read", - "description": "Retrieves all available parent paths for any object type such as node, leaf node, policy node, and index node objects.", + "description": "Grants permission to retrieve all available parent paths for any object type such as node, leaf node, policy node, and index node objects", "privilege": "ListObjectParentPaths", "resource_types": [ { @@ -23078,7 +26042,7 @@ }, { "access_level": "Read", - "description": "Lists parent objects associated with a given object in pagination fashion.", + "description": "Grants permission to list parent objects associated with a given object in pagination fashion", "privilege": "ListObjectParents", "resource_types": [ { @@ -23090,7 +26054,7 @@ }, { "access_level": "Read", - "description": "Returns policies attached to an object in pagination fashion.", + "description": "Grants permission to return policies attached to an object in pagination fashion", "privilege": "ListObjectPolicies", "resource_types": [ { @@ -23102,7 +26066,7 @@ }, { "access_level": "Read", - "description": "Returns a paginated list of all outgoing TypedLinks for a given object.", + "description": "Grants permission to return a paginated list of all outgoing TypedLinks for a given object", "privilege": "ListOutgoingTypedLinks", "resource_types": [ { @@ -23114,7 +26078,7 @@ }, { "access_level": "Read", - "description": "Returns all of the ObjectIdentifiers to which a given policy is attached.", + "description": "Grants permission to return all of the ObjectIdentifiers to which a given policy is attached", "privilege": "ListPolicyAttachments", "resource_types": [ { @@ -23126,7 +26090,7 @@ }, { "access_level": "List", - "description": "Retrieves published schema ARNs.", + "description": "Grants permission to retrieve published schema ARNs", "privilege": "ListPublishedSchemaArns", "resource_types": [ { @@ -23138,7 +26102,7 @@ }, { "access_level": "Read", - "description": "Returns tags for a resource.", + "description": "Grants permission to return tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -23150,7 +26114,7 @@ }, { "access_level": "Read", - "description": "Returns a paginated list of attributes associated with typed link facet.", + "description": "Grants permission to return a paginated list of attributes associated with typed link facet", "privilege": "ListTypedLinkFacetAttributes", "resource_types": [ { @@ -23172,7 +26136,7 @@ }, { "access_level": "Read", - "description": "Returns a paginated list of typed link facet names that exist in a schema.", + "description": "Grants permission to return a paginated list of typed link facet names that exist in a schema", "privilege": "ListTypedLinkFacetNames", "resource_types": [ { @@ -23194,7 +26158,7 @@ }, { "access_level": "Read", - "description": "Lists all policies from the root of the Directory to the object specified.", + "description": "Grants permission to list all policies from the root of the Directory to the object specified", "privilege": "LookupPolicy", "resource_types": [ { @@ -23206,7 +26170,7 @@ }, { "access_level": "Write", - "description": "Publishes a development schema with a version.", + "description": "Grants permission to publish a development schema with a version", "privilege": "PublishSchema", "resource_types": [ { @@ -23218,7 +26182,7 @@ }, { "access_level": "Write", - "description": "Allows a schema to be updated using JSON upload. Only available for development schemas.", + "description": "Grants permission to update a schema using JSON upload. Only available for development schemas", "privilege": "PutSchemaFromJson", "resource_types": [ { @@ -23230,7 +26194,7 @@ }, { "access_level": "Write", - "description": "Removes the specified facet from the specified object.", + "description": "Grants permission to remove the specified facet from the specified object", "privilege": "RemoveFacetFromObject", "resource_types": [ { @@ -23242,7 +26206,7 @@ }, { "access_level": "Tagging", - "description": "Adds tags to a resource.", + "description": "Grants permission to add tags to a resource", "privilege": "TagResource", "resource_types": [ { @@ -23254,7 +26218,7 @@ }, { "access_level": "Tagging", - "description": "Removes tags from a resource.", + "description": "Grants permission to remove tags from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -23266,7 +26230,7 @@ }, { "access_level": "Write", - "description": "Adds/Updates/Deletes existing Attributes, Rules, or ObjectType of a Facet.", + "description": "Grants permission to add/update/delete existing Attributes, Rules, or ObjectType of a Facet", "privilege": "UpdateFacet", "resource_types": [ { @@ -23283,7 +26247,7 @@ }, { "access_level": "Write", - "description": "Updates a given typed link\u2019s attributes. Attributes to be updated must not contribute to the typed link\u2019s identity, as defined by its IdentityAttributeOrder.", + "description": "Grants permission to update a given typed link\u2019s attributes. Attributes to be updated must not contribute to the typed link\u2019s identity, as defined by its IdentityAttributeOrder", "privilege": "UpdateLinkAttributes", "resource_types": [ { @@ -23295,7 +26259,7 @@ }, { "access_level": "Write", - "description": "Updates a given object's attributes.", + "description": "Grants permission to update a given object's attributes", "privilege": "UpdateObjectAttributes", "resource_types": [ { @@ -23307,7 +26271,7 @@ }, { "access_level": "Write", - "description": "Updates the schema name with a new name.", + "description": "Grants permission to update the schema name with a new name", "privilege": "UpdateSchema", "resource_types": [ { @@ -23319,7 +26283,7 @@ }, { "access_level": "Write", - "description": "Adds/Updates/Deletes existing Attributes, Rules, identity attribute order of a TypedLink Facet.", + "description": "Grants permission to add/update/delete existing Attributes, Rules, identity attribute order of a TypedLink Facet", "privilege": "UpdateTypedLinkFacet", "resource_types": [ { @@ -23328,6 +26292,40 @@ "resource_type": "developmentSchema*" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to upgrade a single directory in-place using the PublishedSchemaArn with schema updates found in MinorVersion. Backwards-compatible minor version upgrades are instantaneously available for readers on all objects in the directory", + "privilege": "UpgradeAppliedSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "publishedSchema*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to upgrade a published schema under a new minor version revision using the current contents of DevelopmentSchemaArn", + "privilege": "UpgradePublishedSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "developmentSchema*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "publishedSchema*" + } + ] } ], "resources": [ @@ -23473,7 +26471,7 @@ { "condition": "aws:TagKeys", "description": "Filters access by the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "cloudformation:ChangeSetName", @@ -23488,7 +26486,7 @@ { "condition": "cloudformation:ResourceTypes", "description": "Filters access by the template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they create or update a stack", - "type": "String" + "type": "ArrayOfString" }, { "condition": "cloudformation:RoleArn", @@ -23640,6 +26638,7 @@ }, { "condition_keys": [ + "aws:TagKeys", "cloudformation:TargetRegion" ], "dependent_actions": [], @@ -23810,6 +26809,25 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return the Hook invocation information for the specified change set", + "privilege": "DescribeChangeSetHooks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + }, + { + "condition_keys": [ + "cloudformation:ChangeSetName" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return information about a CloudFormation extension publisher", @@ -24266,6 +27284,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to rollback the stack to the last stable state", + "privilege": "RollbackStack", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + }, + { + "condition_keys": [ + "cloudformation:RoleArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to set a stack policy for a specified stack", @@ -24338,6 +27375,11 @@ "description": "Grants permission to tag cloudformation resources", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "changeset" + }, { "condition_keys": [], "dependent_actions": [], @@ -24347,6 +27389,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "stackset" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -24367,6 +27417,11 @@ "description": "Grants permission to untag cloudformation resources", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "changeset" + }, { "condition_keys": [], "dependent_actions": [], @@ -24376,6 +27431,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "stackset" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -24493,7 +27555,9 @@ "resources": [ { "arn": "arn:${Partition}:cloudformation:${Region}:${Account}:changeSet/${ChangeSetName}/${Id}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "changeset" }, { @@ -24527,18 +27591,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "cloudfront", @@ -24563,7 +27627,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cache-policy*" } ] }, @@ -24591,26 +27655,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to create a new web distribution with tags", - "privilege": "CreateDistributionWithTags", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "distribution*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Write", "description": "Grants permission to create a new field-level encryption configuration", @@ -24619,7 +27663,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption*" } ] }, @@ -24631,7 +27675,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption-profile*" } ] }, @@ -24643,7 +27687,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, @@ -24691,7 +27735,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "origin-request-policy*" } ] }, @@ -24715,7 +27759,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "realtime-log-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a new response headers policy to CloudFront", + "privilege": "CreateResponseHeadersPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-headers-policy*" } ] }, @@ -24759,7 +27815,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cache-policy*" } ] }, @@ -24795,7 +27851,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption*" } ] }, @@ -24807,7 +27863,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption-profile*" } ] }, @@ -24819,7 +27875,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, @@ -24855,7 +27911,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "origin-request-policy*" } ] }, @@ -24879,7 +27935,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "realtime-log-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a response headers policy", + "privilege": "DeleteResponseHeadersPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-headers-policy*" } ] }, @@ -24903,7 +27971,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, @@ -24915,7 +27983,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cache-policy*" } ] }, @@ -24927,7 +27995,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cache-policy*" } ] }, @@ -24987,7 +28055,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption*" } ] }, @@ -24999,7 +28067,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption*" } ] }, @@ -25011,7 +28079,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption-profile*" } ] }, @@ -25023,7 +28091,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption-profile*" } ] }, @@ -25035,7 +28103,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, @@ -25095,7 +28163,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "origin-request-policy*" } ] }, @@ -25107,7 +28175,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "origin-request-policy*" } ] }, @@ -25143,7 +28211,31 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "realtime-log-config*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the response headers policy", + "privilege": "GetResponseHeadersPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-headers-policy*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the response headers policy configuration", + "privilege": "GetResponseHeadersPolicyConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-headers-policy*" } ] }, @@ -25279,6 +28371,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified response headers policy", + "privilege": "ListDistributionsByResponseHeadersPolicyId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the distributions associated with your AWS account with given AWS WAF web ACL", @@ -25387,6 +28491,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list all response headers policies that have been created in CloudFront for this account", + "privilege": "ListResponseHeadersPolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list your RTMP distributions", @@ -25424,7 +28540,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, @@ -25461,7 +28577,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, @@ -25497,7 +28613,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cache-policy*" } ] }, @@ -25533,7 +28649,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption*" } ] }, @@ -25545,7 +28661,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "field-level-encryption-profile*" } ] }, @@ -25557,7 +28673,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, @@ -25581,7 +28697,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "origin-request-policy*" } ] }, @@ -25605,7 +28721,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "realtime-log-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a response headers policy", + "privilege": "UpdateResponseHeadersPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-headers-policy*" } ] }, @@ -25671,6 +28799,11 @@ "arn": "arn:${Partition}:cloudfront::${Account}:function/${Name}", "condition_keys": [], "resource": "function" + }, + { + "arn": "arn:${Partition}:cloudfront::${Account}:response-headers-policy/${Id}", + "condition_keys": [], + "resource": "response-headers-policy" } ], "service_name": "Amazon CloudFront" @@ -26162,7 +29295,7 @@ "privileges": [ { "access_level": "Tagging", - "description": "Attaches resource tags to an Amazon CloudSearch domain.", + "description": "Attaches resource tags to an Amazon CloudSearch domain", "privilege": "AddTags", "resource_types": [ { @@ -26174,7 +29307,7 @@ }, { "access_level": "Write", - "description": "Indexes the search suggestions.", + "description": "Indexes the search suggestions", "privilege": "BuildSuggesters", "resource_types": [ { @@ -26186,7 +29319,7 @@ }, { "access_level": "Write", - "description": "Creates a new search domain.", + "description": "Creates a new search domain", "privilege": "CreateDomain", "resource_types": [ { @@ -26198,7 +29331,7 @@ }, { "access_level": "Write", - "description": "Configures an analysis scheme that can be applied to a text or text-array field to define language-specific text processing options.", + "description": "Configures an analysis scheme that can be applied to a text or text-array field to define language-specific text processing options", "privilege": "DefineAnalysisScheme", "resource_types": [ { @@ -26210,7 +29343,7 @@ }, { "access_level": "Write", - "description": "Configures an Expression for the search domain.", + "description": "Configures an Expression for the search domain", "privilege": "DefineExpression", "resource_types": [ { @@ -26222,7 +29355,7 @@ }, { "access_level": "Write", - "description": "Configures an IndexField for the search domain.", + "description": "Configures an IndexField for the search domain", "privilege": "DefineIndexField", "resource_types": [ { @@ -26234,7 +29367,7 @@ }, { "access_level": "Write", - "description": "Configures a suggester for a domain.", + "description": "Configures a suggester for a domain", "privilege": "DefineSuggester", "resource_types": [ { @@ -26246,7 +29379,7 @@ }, { "access_level": "Write", - "description": "Deletes an analysis scheme.", + "description": "Deletes an analysis scheme", "privilege": "DeleteAnalysisScheme", "resource_types": [ { @@ -26258,7 +29391,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a search domain and all of its data.", + "description": "Permanently deletes a search domain and all of its data", "privilege": "DeleteDomain", "resource_types": [ { @@ -26270,7 +29403,7 @@ }, { "access_level": "Write", - "description": "Removes an Expression from the search domain.", + "description": "Removes an Expression from the search domain", "privilege": "DeleteExpression", "resource_types": [ { @@ -26282,7 +29415,7 @@ }, { "access_level": "Write", - "description": "Removes an IndexField from the search domain.", + "description": "Removes an IndexField from the search domain", "privilege": "DeleteIndexField", "resource_types": [ { @@ -26294,7 +29427,7 @@ }, { "access_level": "Write", - "description": "Deletes a suggester.", + "description": "Deletes a suggester", "privilege": "DeleteSuggester", "resource_types": [ { @@ -26306,7 +29439,7 @@ }, { "access_level": "Read", - "description": "Gets the analysis schemes configured for a domain.", + "description": "Gets the analysis schemes configured for a domain", "privilege": "DescribeAnalysisSchemes", "resource_types": [ { @@ -26318,7 +29451,7 @@ }, { "access_level": "Read", - "description": "Gets the availability options configured for a domain.", + "description": "Gets the availability options configured for a domain", "privilege": "DescribeAvailabilityOptions", "resource_types": [ { @@ -26330,7 +29463,7 @@ }, { "access_level": "Read", - "description": "Gets the domain endpoint options configured for a domain.", + "description": "Gets the domain endpoint options configured for a domain", "privilege": "DescribeDomainEndpointOptions", "resource_types": [ { @@ -26342,7 +29475,7 @@ }, { "access_level": "List", - "description": "Gets information about the search domains owned by this account.", + "description": "Gets information about the search domains owned by this account", "privilege": "DescribeDomains", "resource_types": [ { @@ -26354,7 +29487,7 @@ }, { "access_level": "Read", - "description": "Gets the expressions configured for the search domain.", + "description": "Gets the expressions configured for the search domain", "privilege": "DescribeExpressions", "resource_types": [ { @@ -26366,7 +29499,7 @@ }, { "access_level": "Read", - "description": "Gets information about the index fields configured for the search domain.", + "description": "Gets information about the index fields configured for the search domain", "privilege": "DescribeIndexFields", "resource_types": [ { @@ -26378,7 +29511,7 @@ }, { "access_level": "Read", - "description": "Gets the scaling parameters configured for a domain.", + "description": "Gets the scaling parameters configured for a domain", "privilege": "DescribeScalingParameters", "resource_types": [ { @@ -26390,7 +29523,7 @@ }, { "access_level": "Read", - "description": "Gets information about the access policies that control access to the domain's document and search endpoints.", + "description": "Gets information about the access policies that control access to the domain's document and search endpoints", "privilege": "DescribeServiceAccessPolicies", "resource_types": [ { @@ -26402,7 +29535,7 @@ }, { "access_level": "Read", - "description": "Gets the suggesters configured for a domain.", + "description": "Gets the suggesters configured for a domain", "privilege": "DescribeSuggesters", "resource_types": [ { @@ -26414,7 +29547,7 @@ }, { "access_level": "Write", - "description": "Tells the search domain to start indexing its documents using the latest indexing options.", + "description": "Tells the search domain to start indexing its documents using the latest indexing options", "privilege": "IndexDocuments", "resource_types": [ { @@ -26426,7 +29559,7 @@ }, { "access_level": "List", - "description": "Lists all search domains owned by an account.", + "description": "Lists all search domains owned by an account", "privilege": "ListDomainNames", "resource_types": [ { @@ -26438,7 +29571,7 @@ }, { "access_level": "Read", - "description": "Displays all of the resource tags for an Amazon CloudSearch domain.", + "description": "Displays all of the resource tags for an Amazon CloudSearch domain", "privilege": "ListTags", "resource_types": [ { @@ -26450,7 +29583,7 @@ }, { "access_level": "Tagging", - "description": "Removes the specified resource tags from an Amazon ES domain.", + "description": "Removes the specified resource tags from an Amazon ES domain", "privilege": "RemoveTags", "resource_types": [ { @@ -26462,7 +29595,7 @@ }, { "access_level": "Write", - "description": "Configures the availability options for a domain.", + "description": "Configures the availability options for a domain", "privilege": "UpdateAvailabilityOptions", "resource_types": [ { @@ -26474,7 +29607,7 @@ }, { "access_level": "Write", - "description": "Configures the domain endpoint options for a domain.", + "description": "Configures the domain endpoint options for a domain", "privilege": "UpdateDomainEndpointOptions", "resource_types": [ { @@ -26486,7 +29619,7 @@ }, { "access_level": "Write", - "description": "Configures scaling parameters for a domain.", + "description": "Configures scaling parameters for a domain", "privilege": "UpdateScalingParameters", "resource_types": [ { @@ -26498,7 +29631,7 @@ }, { "access_level": "Permissions management", - "description": "Configures the access rules that control access to the domain's document and search endpoints.", + "description": "Configures the access rules that control access to the domain's document and search endpoints", "privilege": "UpdateServiceAccessPolicies", "resource_types": [ { @@ -26510,7 +29643,7 @@ }, { "access_level": "Write", - "description": "Allows access to the document service operations.", + "description": "Allows access to the document service operations", "privilege": "document", "resource_types": [ { @@ -26522,7 +29655,7 @@ }, { "access_level": "Read", - "description": "Allows access to the search operations.", + "description": "Allows access to the search operations", "privilege": "search", "resource_types": [ { @@ -26534,7 +29667,7 @@ }, { "access_level": "Read", - "description": "Allows access to the suggest operations.", + "description": "Allows access to the suggest operations", "privilege": "suggest", "resource_types": [ { @@ -26677,7 +29810,23 @@ "service_name": "AWS CloudShell" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by value associated with the resource", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by value associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by value associated with the resource", + "type": "ArrayOfString" + } + ], "prefix": "cloudtrail", "privileges": [ { @@ -26688,7 +29837,44 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trail*" + "resource_type": "eventdatastore" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trail" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a running query", + "privilege": "CancelQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an event data store", + "privilege": "CreateEventDataStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventdatastore*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -26706,6 +29892,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an event data store", + "privilege": "DeleteEventDataStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventdatastore*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a trail", @@ -26718,6 +29916,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list details for the query", + "privilege": "DescribeQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list settings for the trails associated with the current region for your account", @@ -26730,6 +29940,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list settings for the event data store", + "privilege": "GetEventDataStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list settings for event selectors configured for a trail", @@ -26754,6 +29976,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to fetch results of a complete query", + "privilege": "GetQueryResults", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list settings for the trail", @@ -26778,6 +30012,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list event data stores associated with the current region for your account", + "privilege": "ListEventDataStores", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list the public keys whose private keys were used to sign trail digest files within a specified time range", @@ -26790,15 +30036,32 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list queries associated with an event data store", + "privilege": "ListQueries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Grants permission to list the tags for trails in the current region", + "description": "Grants permission to list the tags for trails or event data stores in the current region", "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trail*" + "resource_type": "eventdatastore" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trail" } ] }, @@ -26858,7 +30121,24 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trail*" + "resource_type": "eventdatastore" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trail" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore an event data store", + "privilege": "RestoreEventDataStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventdatastore*" } ] }, @@ -26874,6 +30154,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start a new query on a specified event data store", + "privilege": "StartQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to stop the recording of AWS API calls and log file delivery for a trail", @@ -26886,6 +30178,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an event data store", + "privilege": "UpdateEventDataStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventdatastore*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the settings that specify delivery of log files", @@ -26904,6 +30208,13 @@ "arn": "arn:${Partition}:cloudtrail:${Region}:${Account}:trail/${TrailName}", "condition_keys": [], "resource": "trail" + }, + { + "arn": "arn:${Partition}:cloudtrail:${Region}:${Account}:eventdatastore/${EventDataStoreId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "eventdatastore" } ], "service_name": "AWS CloudTrail" @@ -26923,7 +30234,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "cloudwatch:AlarmActions", @@ -26937,7 +30248,12 @@ }, { "condition": "cloudwatch:requestInsightRuleLogGroups", - "description": "Filters actions based on the Log Groups specified in an Insight Rule.", + "description": "Filters actions based on the Log Groups specified in an Insight Rule", + "type": "ArrayOfString" + }, + { + "condition": "cloudwatch:requestManagedResourceARNs", + "description": "Filters access by the Resource ARNs specified in a managed Insight Rule", "type": "ArrayOfString" } ], @@ -27195,6 +30511,22 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list available managed Insight Rules for a given Resource ARN", + "privilege": "ListManagedInsightRules", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "cloudwatch:requestManagedResourceARNs" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to return a list of all CloudWatch metric streams in your account", @@ -27302,6 +30634,22 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create managed Insight Rules", + "privilege": "PutManagedInsightRules", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "cloudwatch:requestManagedResourceARNs" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create or update an alarm and associates it with the specified Amazon CloudWatch metric", @@ -27346,6 +30694,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "metric-stream*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -27469,18 +30825,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "codeartifact", @@ -27511,7 +30867,7 @@ }, { "access_level": "Write", - "description": "Grants permission to copy package versions from one repository to another repository in the same domain.", + "description": "Grants permission to copy package versions from one repository to another repository in the same domain", "privilege": "CopyPackageVersions", "resource_types": [ { @@ -27628,6 +30984,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about a package", + "privilege": "DescribePackage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "package*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return information about a package version", @@ -27885,6 +31253,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to set origin configuration for a package", + "privilege": "PutPackageOriginConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "package*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to attach a resource policy to a repository", @@ -28010,25 +31390,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by actions based on the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "codebuild", "privileges": [ { "access_level": "Write", - "description": "Deletes one or more builds.", + "description": "Grants permission to delete one or more builds", "privilege": "BatchDeleteBuilds", "resource_types": [ { @@ -28040,7 +31420,7 @@ }, { "access_level": "Read", - "description": "Gets information about one or more build batches.", + "description": "Grants permission to get information about one or more build batches", "privilege": "BatchGetBuildBatches", "resource_types": [ { @@ -28052,7 +31432,7 @@ }, { "access_level": "Read", - "description": "Gets information about one or more builds.", + "description": "Grants permission to get information about one or more builds", "privilege": "BatchGetBuilds", "resource_types": [ { @@ -28064,7 +31444,7 @@ }, { "access_level": "Read", - "description": "Gets information about one or more build projects.", + "description": "Grants permission to get information about one or more build projects", "privilege": "BatchGetProjects", "resource_types": [ { @@ -28076,7 +31456,7 @@ }, { "access_level": "Read", - "description": "Returns an array of ReportGroup objects that are specified by the input reportGroupArns parameter.", + "description": "Grants permission to return an array of ReportGroup objects that are specified by the input reportGroupArns parameter", "privilege": "BatchGetReportGroups", "resource_types": [ { @@ -28088,7 +31468,7 @@ }, { "access_level": "Read", - "description": "Returns an array of the Report objects specified by the input reportArns parameter.", + "description": "Grants permission to return an array of the Report objects specified by the input reportArns parameter", "privilege": "BatchGetReports", "resource_types": [ { @@ -28100,7 +31480,7 @@ }, { "access_level": "Write", - "description": "Adds or updates information about a report.", + "description": "Grants permission to add or update information about a report", "privilege": "BatchPutCodeCoverages", "resource_types": [ { @@ -28112,7 +31492,7 @@ }, { "access_level": "Write", - "description": "Adds or updates information about a report.", + "description": "Grants permission to add or update information about a report", "privilege": "BatchPutTestCases", "resource_types": [ { @@ -28124,7 +31504,7 @@ }, { "access_level": "Write", - "description": "Creates a build project.", + "description": "Grants permission to create a build project", "privilege": "CreateProject", "resource_types": [ { @@ -28144,7 +31524,7 @@ }, { "access_level": "Write", - "description": "Creates a report. A report is created when tests specified in the buildspec file for a report groups run during the build of a project.", + "description": "Grants permission to create a report. A report is created when tests specified in the buildspec file for a report groups run during the build of a project", "privilege": "CreateReport", "resource_types": [ { @@ -28156,7 +31536,7 @@ }, { "access_level": "Write", - "description": "Creates a report group.", + "description": "Grants permission to create a report group", "privilege": "CreateReportGroup", "resource_types": [ { @@ -28176,7 +31556,7 @@ }, { "access_level": "Write", - "description": "For an existing AWS CodeBuild build project that has its source code stored in a GitHub or Bitbucket repository, enables AWS CodeBuild to start rebuilding the source code every time a code change is pushed to the repository.", + "description": "Grants permission to create webhook. For an existing AWS CodeBuild build project that has its source code stored in a GitHub or Bitbucket repository, enables AWS CodeBuild to start rebuilding the source code every time a code change is pushed to the repository", "privilege": "CreateWebhook", "resource_types": [ { @@ -28188,7 +31568,7 @@ }, { "access_level": "Write", - "description": "Deletes a build batch.", + "description": "Grants permission to delete a build batch", "privilege": "DeleteBuildBatch", "resource_types": [ { @@ -28200,7 +31580,7 @@ }, { "access_level": "Write", - "description": "Deletes an OAuth token from a connected third-party OAuth provider. Only used in the AWS CodeBuild console.", + "description": "Grants permission to delete an OAuth token from a connected third-party OAuth provider. Only used in the AWS CodeBuild console", "privilege": "DeleteOAuthToken", "resource_types": [ { @@ -28212,7 +31592,7 @@ }, { "access_level": "Write", - "description": "Deletes a build project.", + "description": "Grants permission to delete a build project", "privilege": "DeleteProject", "resource_types": [ { @@ -28224,7 +31604,7 @@ }, { "access_level": "Write", - "description": "Deletes a report.", + "description": "Grants permission to delete a report", "privilege": "DeleteReport", "resource_types": [ { @@ -28236,7 +31616,7 @@ }, { "access_level": "Write", - "description": "Deletes a report group.", + "description": "Grants permission to delete a report group", "privilege": "DeleteReportGroup", "resource_types": [ { @@ -28248,7 +31628,7 @@ }, { "access_level": "Permissions management", - "description": "Deletes a resource policy for the associated project or report group.", + "description": "Grants permission to delete a resource policy for the associated project or report group", "privilege": "DeleteResourcePolicy", "resource_types": [ { @@ -28265,7 +31645,7 @@ }, { "access_level": "Write", - "description": "Deletes a set of GitHub, GitHub Enterprise, or Bitbucket source credentials.", + "description": "Grants permission to delete a set of GitHub, GitHub Enterprise, or Bitbucket source credentials", "privilege": "DeleteSourceCredentials", "resource_types": [ { @@ -28277,7 +31657,7 @@ }, { "access_level": "Write", - "description": "For an existing AWS CodeBuild build project that has its source code stored in a GitHub or Bitbucket repository, stops AWS CodeBuild from rebuilding the source code every time a code change is pushed to the repository.", + "description": "Grants permission to delete webhook. For an existing AWS CodeBuild build project that has its source code stored in a GitHub or Bitbucket repository, stops AWS CodeBuild from rebuilding the source code every time a code change is pushed to the repository", "privilege": "DeleteWebhook", "resource_types": [ { @@ -28289,7 +31669,7 @@ }, { "access_level": "Read", - "description": "Returns an array of CodeCoverage objects.", + "description": "Grants permission to return an array of CodeCoverage objects", "privilege": "DescribeCodeCoverages", "resource_types": [ { @@ -28301,7 +31681,7 @@ }, { "access_level": "Read", - "description": "Returns an array of TestCase objects.", + "description": "Grants permission to return an array of TestCase objects", "privilege": "DescribeTestCases", "resource_types": [ { @@ -28313,7 +31693,7 @@ }, { "access_level": "Read", - "description": "Analyzes and accumulates test report values for the test reports in the specified report group.", + "description": "Grants permission to analyze and accumulate test report values for the test reports in the specified report group", "privilege": "GetReportGroupTrend", "resource_types": [ { @@ -28325,7 +31705,7 @@ }, { "access_level": "Read", - "description": "Returns a resource policy for the specified project or report group.", + "description": "Grants permission to return a resource policy for the specified project or report group", "privilege": "GetResourcePolicy", "resource_types": [ { @@ -28342,7 +31722,7 @@ }, { "access_level": "Write", - "description": "Imports the source repository credentials for an AWS CodeBuild project that has its source code stored in a GitHub, GitHub Enterprise, or Bitbucket repository.", + "description": "Grants permission to import the source repository credentials for an AWS CodeBuild project that has its source code stored in a GitHub, GitHub Enterprise, or Bitbucket repository", "privilege": "ImportSourceCredentials", "resource_types": [ { @@ -28354,7 +31734,7 @@ }, { "access_level": "Write", - "description": "Resets the cache for a project.", + "description": "Grants permission to reset the cache for a project", "privilege": "InvalidateProjectCache", "resource_types": [ { @@ -28366,7 +31746,7 @@ }, { "access_level": "List", - "description": "Gets a list of build batch IDs, with each build batch ID representing a single build batch.", + "description": "Grants permission to get a list of build batch IDs, with each build batch ID representing a single build batch", "privilege": "ListBuildBatches", "resource_types": [ { @@ -28378,7 +31758,7 @@ }, { "access_level": "List", - "description": "Gets a list of build batch IDs for the specified build project, with each build batch ID representing a single build batch.", + "description": "Grants permission to get a list of build batch IDs for the specified build project, with each build batch ID representing a single build batch", "privilege": "ListBuildBatchesForProject", "resource_types": [ { @@ -28390,7 +31770,7 @@ }, { "access_level": "List", - "description": "Gets a list of build IDs, with each build ID representing a single build.", + "description": "Grants permission to get a list of build IDs, with each build ID representing a single build", "privilege": "ListBuilds", "resource_types": [ { @@ -28402,7 +31782,7 @@ }, { "access_level": "List", - "description": "Gets a list of build IDs for the specified build project, with each build ID representing a single build.", + "description": "Grants permission to get a list of build IDs for the specified build project, with each build ID representing a single build", "privilege": "ListBuildsForProject", "resource_types": [ { @@ -28414,7 +31794,7 @@ }, { "access_level": "List", - "description": "Lists connected third-party OAuth providers. Only used in the AWS CodeBuild console.", + "description": "Grants permission to list connected third-party OAuth providers. Only used in the AWS CodeBuild console", "privilege": "ListConnectedOAuthAccounts", "resource_types": [ { @@ -28426,7 +31806,7 @@ }, { "access_level": "List", - "description": "Gets information about Docker images that are managed by AWS CodeBuild.", + "description": "Grants permission to get information about Docker images that are managed by AWS CodeBuild", "privilege": "ListCuratedEnvironmentImages", "resource_types": [ { @@ -28438,7 +31818,7 @@ }, { "access_level": "List", - "description": "Gets a list of build project names, with each build project name representing a single build project.", + "description": "Grants permission to get a list of build project names, with each build project name representing a single build project", "privilege": "ListProjects", "resource_types": [ { @@ -28450,7 +31830,7 @@ }, { "access_level": "List", - "description": "Returns a list of report group ARNs. Each report group ARN represents one report group.", + "description": "Grants permission to return a list of report group ARNs. Each report group ARN represents one report group", "privilege": "ListReportGroups", "resource_types": [ { @@ -28462,7 +31842,7 @@ }, { "access_level": "List", - "description": "Returns a list of report ARNs. Each report ARN representing one report.", + "description": "Grants permission to return a list of report ARNs. Each report ARN representing one report", "privilege": "ListReports", "resource_types": [ { @@ -28474,7 +31854,7 @@ }, { "access_level": "List", - "description": "Returns a list of report ARNs that belong to the specified report group. Each report ARN represents one report.", + "description": "Grants permission to return a list of report ARNs that belong to the specified report group. Each report ARN represents one report", "privilege": "ListReportsForReportGroup", "resource_types": [ { @@ -28486,7 +31866,7 @@ }, { "access_level": "List", - "description": "Lists source code repositories from a connected third-party OAuth provider. Only used in the AWS CodeBuild console.", + "description": "Grants permission to list source code repositories from a connected third-party OAuth provider. Only used in the AWS CodeBuild console", "privilege": "ListRepositories", "resource_types": [ { @@ -28498,7 +31878,7 @@ }, { "access_level": "List", - "description": "Returns a list of project ARNs that have been shared with the requester. Each project ARN represents one project.", + "description": "Grants permission to return a list of project ARNs that have been shared with the requester. Each project ARN represents one project", "privilege": "ListSharedProjects", "resource_types": [ { @@ -28510,7 +31890,7 @@ }, { "access_level": "List", - "description": "Returns a list of report group ARNs that have been shared with the requester. Each report group ARN represents one report group.", + "description": "Grants permission to return a list of report group ARNs that have been shared with the requester. Each report group ARN represents one report group", "privilege": "ListSharedReportGroups", "resource_types": [ { @@ -28522,7 +31902,7 @@ }, { "access_level": "List", - "description": "Returns a list of SourceCredentialsInfo objects.", + "description": "Grants permission to return a list of SourceCredentialsInfo objects", "privilege": "ListSourceCredentials", "resource_types": [ { @@ -28534,7 +31914,7 @@ }, { "access_level": "Write", - "description": "Saves an OAuth token from a connected third-party OAuth provider. Only used in the AWS CodeBuild console.", + "description": "Grants permission to save an OAuth token from a connected third-party OAuth provider. Only used in the AWS CodeBuild console", "privilege": "PersistOAuthToken", "resource_types": [ { @@ -28546,7 +31926,7 @@ }, { "access_level": "Permissions management", - "description": "Creates a resource policy for the associated project or report group.", + "description": "Grants permission to create a resource policy for the associated project or report group", "privilege": "PutResourcePolicy", "resource_types": [ { @@ -28563,7 +31943,7 @@ }, { "access_level": "Write", - "description": "Retries a build.", + "description": "Grants permission to retry a build", "privilege": "RetryBuild", "resource_types": [ { @@ -28575,7 +31955,7 @@ }, { "access_level": "Write", - "description": "Retries a build batch.", + "description": "Grants permission to retry a build batch", "privilege": "RetryBuildBatch", "resource_types": [ { @@ -28587,7 +31967,7 @@ }, { "access_level": "Write", - "description": "Starts running a build.", + "description": "Grants permission to start running a build", "privilege": "StartBuild", "resource_types": [ { @@ -28599,7 +31979,7 @@ }, { "access_level": "Write", - "description": "Starts running a build batch.", + "description": "Grants permission to start running a build batch", "privilege": "StartBuildBatch", "resource_types": [ { @@ -28611,7 +31991,7 @@ }, { "access_level": "Write", - "description": "Attempts to stop running a build.", + "description": "Grants permission to attempt to stop running a build", "privilege": "StopBuild", "resource_types": [ { @@ -28623,7 +32003,7 @@ }, { "access_level": "Write", - "description": "Attempts to stop running a build batch.", + "description": "Grants permission to attempt to stop running a build batch", "privilege": "StopBuildBatch", "resource_types": [ { @@ -28635,7 +32015,7 @@ }, { "access_level": "Write", - "description": "Changes the settings of an existing build project.", + "description": "Grants permission to change the settings of an existing build project", "privilege": "UpdateProject", "resource_types": [ { @@ -28655,7 +32035,7 @@ }, { "access_level": "Write", - "description": "Changes the public visibility of a project and its builds.", + "description": "Grants permission to change the public visibility of a project and its builds", "privilege": "UpdateProjectVisibility", "resource_types": [ { @@ -28675,7 +32055,7 @@ }, { "access_level": "Write", - "description": "Updates information about a report.", + "description": "Grants permission to update information about a report", "privilege": "UpdateReport", "resource_types": [ { @@ -28687,7 +32067,7 @@ }, { "access_level": "Write", - "description": "Changes the settings of an existing report group.", + "description": "Grants permission to change the settings of an existing report group", "privilege": "UpdateReportGroup", "resource_types": [ { @@ -28707,7 +32087,7 @@ }, { "access_level": "Write", - "description": "Updates the webhook associated with an AWS CodeBuild build project.", + "description": "Grants permission to update the webhook associated with an AWS CodeBuild build project", "privilege": "UpdateWebhook", "resource_types": [ { @@ -28766,7 +32146,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "codecommit:References", @@ -28826,7 +32206,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get return information about one or more commits in an AWS CodeCommit repository.", + "description": "Grants permission to get return information about one or more commits in an AWS CodeCommit repository", "privilege": "BatchGetCommits", "resource_types": [ { @@ -28905,7 +32285,7 @@ }, { "access_level": "Write", - "description": "Grants permission to add, copy, move or update single or multiple files in a branch in an AWS CodeCommit repository, and generate a commit for the changes in the specified branch.", + "description": "Grants permission to add, copy, move or update single or multiple files in a branch in an AWS CodeCommit repository, and generate a commit for the changes in the specified branch", "privilege": "CreateCommit", "resource_types": [ { @@ -29981,14 +33361,14 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "codedeploy", "privileges": [ { "access_level": "Tagging", - "description": "Add tags to one or more on-premises instances.", + "description": "Grants permission to add tags to one or more on-premises instances", "privilege": "AddTagsToOnPremisesInstances", "resource_types": [ { @@ -30000,7 +33380,7 @@ }, { "access_level": "Read", - "description": "Gets information about one or more application revisions.", + "description": "Grants permission to get information about one or more application revisions", "privilege": "BatchGetApplicationRevisions", "resource_types": [ { @@ -30012,7 +33392,7 @@ }, { "access_level": "Read", - "description": "Get information about multiple applications associated with the IAM user.", + "description": "Grants permission to get information about multiple applications associated with the IAM user", "privilege": "BatchGetApplications", "resource_types": [ { @@ -30024,7 +33404,7 @@ }, { "access_level": "Read", - "description": "Get information about one or more deployment groups.", + "description": "Grants permission to get information about one or more deployment groups", "privilege": "BatchGetDeploymentGroups", "resource_types": [ { @@ -30036,7 +33416,7 @@ }, { "access_level": "Read", - "description": "Gets information about one or more instance that are part of a deployment group.", + "description": "Grants permission to get information about one or more instance that are part of a deployment group", "privilege": "BatchGetDeploymentInstances", "resource_types": [ { @@ -30048,7 +33428,7 @@ }, { "access_level": "Read", - "description": "Returns an array of one or more targets associated with a deployment. This method works with all compute types and should be used instead of the deprecated BatchGetDeploymentInstances. The maximum number of targets that can be returned is 25.", + "description": "Grants permission to return an array of one or more targets associated with a deployment. This method works with all compute types and should be used instead of the deprecated BatchGetDeploymentInstances. The maximum number of targets that can be returned is 25", "privilege": "BatchGetDeploymentTargets", "resource_types": [ { @@ -30060,7 +33440,7 @@ }, { "access_level": "Read", - "description": "Get information about multiple deployments associated with the IAM user.", + "description": "Grants permission to get information about multiple deployments associated with the IAM user", "privilege": "BatchGetDeployments", "resource_types": [ { @@ -30072,7 +33452,7 @@ }, { "access_level": "Read", - "description": "Get information about one or more on-premises instances.", + "description": "Grants permission to get information about one or more on-premises instances", "privilege": "BatchGetOnPremisesInstances", "resource_types": [ { @@ -30084,7 +33464,7 @@ }, { "access_level": "Write", - "description": "Starts the process of rerouting traffic from instances in the original environment to instances in thereplacement environment without waiting for a specified wait time to elapse.", + "description": "Grants permission to start the process of rerouting traffic from instances in the original environment to instances in thereplacement environment without waiting for a specified wait time to elapse", "privilege": "ContinueDeployment", "resource_types": [ { @@ -30096,7 +33476,7 @@ }, { "access_level": "Write", - "description": "Create an application associated with the IAM user.", + "description": "Grants permission to create an application associated with the IAM user", "privilege": "CreateApplication", "resource_types": [ { @@ -30116,7 +33496,7 @@ }, { "access_level": "Write", - "description": "Create CloudFormation deployment to cooperate ochestration for a CloudFormation stack update.", + "description": "Grants permission to create CloudFormation deployment to cooperate ochestration for a CloudFormation stack update", "privilege": "CreateCloudFormationDeployment", "resource_types": [ { @@ -30128,7 +33508,7 @@ }, { "access_level": "Write", - "description": "Create a deployment for an application associated with the IAM user.", + "description": "Grants permission to create a deployment for an application associated with the IAM user", "privilege": "CreateDeployment", "resource_types": [ { @@ -30140,7 +33520,7 @@ }, { "access_level": "Write", - "description": "Create a custom deployment configuration associated with the IAM user.", + "description": "Grants permission to create a custom deployment configuration associated with the IAM user", "privilege": "CreateDeploymentConfig", "resource_types": [ { @@ -30152,7 +33532,7 @@ }, { "access_level": "Write", - "description": "Create a deployment group for an application associated with the IAM user.", + "description": "Grants permission to create a deployment group for an application associated with the IAM user", "privilege": "CreateDeploymentGroup", "resource_types": [ { @@ -30172,7 +33552,7 @@ }, { "access_level": "Write", - "description": "Delete an application associated with the IAM user.", + "description": "Grants permission to delete an application associated with the IAM user", "privilege": "DeleteApplication", "resource_types": [ { @@ -30184,7 +33564,7 @@ }, { "access_level": "Write", - "description": "Delete a custom deployment configuration associated with the IAM user.", + "description": "Grants permission to delete a custom deployment configuration associated with the IAM user", "privilege": "DeleteDeploymentConfig", "resource_types": [ { @@ -30196,7 +33576,7 @@ }, { "access_level": "Write", - "description": "Delete a deployment group for an application associated with the IAM user.", + "description": "Grants permission to delete a deployment group for an application associated with the IAM user", "privilege": "DeleteDeploymentGroup", "resource_types": [ { @@ -30208,7 +33588,7 @@ }, { "access_level": "Write", - "description": "Deletes a GitHub account connection.", + "description": "Grants permission to delete a GitHub account connection", "privilege": "DeleteGitHubAccountToken", "resource_types": [ { @@ -30220,7 +33600,7 @@ }, { "access_level": "Write", - "description": "Delete resources associated with the given external Id.", + "description": "Grants permission to delete resources associated with the given external Id", "privilege": "DeleteResourcesByExternalId", "resource_types": [ { @@ -30232,7 +33612,7 @@ }, { "access_level": "Write", - "description": "Deregister an on-premises instance.", + "description": "Grants permission to deregister an on-premises instance", "privilege": "DeregisterOnPremisesInstance", "resource_types": [ { @@ -30244,7 +33624,7 @@ }, { "access_level": "List", - "description": "Get information about a single application associated with the IAM user.", + "description": "Grants permission to get information about a single application associated with the IAM user", "privilege": "GetApplication", "resource_types": [ { @@ -30256,7 +33636,7 @@ }, { "access_level": "List", - "description": "Get information about a single application revision for an application associated with the IAM user.", + "description": "Grants permission to get information about a single application revision for an application associated with the IAM user", "privilege": "GetApplicationRevision", "resource_types": [ { @@ -30268,7 +33648,7 @@ }, { "access_level": "List", - "description": "Get information about a single deployment to a deployment group for an application associated with the IAM user.", + "description": "Grants permission to get information about a single deployment to a deployment group for an application associated with the IAM user", "privilege": "GetDeployment", "resource_types": [ { @@ -30280,7 +33660,7 @@ }, { "access_level": "List", - "description": "Get information about a single deployment configuration associated with the IAM user.", + "description": "Grants permission to get information about a single deployment configuration associated with the IAM user", "privilege": "GetDeploymentConfig", "resource_types": [ { @@ -30292,7 +33672,7 @@ }, { "access_level": "List", - "description": "Get information about a single deployment group for an application associated with the IAM user.", + "description": "Grants permission to get information about a single deployment group for an application associated with the IAM user", "privilege": "GetDeploymentGroup", "resource_types": [ { @@ -30304,7 +33684,7 @@ }, { "access_level": "List", - "description": "Get information about a single instance in a deployment associated with the IAM user.", + "description": "Grants permission to get information about a single instance in a deployment associated with the IAM user", "privilege": "GetDeploymentInstance", "resource_types": [ { @@ -30316,7 +33696,7 @@ }, { "access_level": "Read", - "description": "Returns information about a deployment target.", + "description": "Grants permission to return information about a deployment target", "privilege": "GetDeploymentTarget", "resource_types": [ { @@ -30328,7 +33708,7 @@ }, { "access_level": "List", - "description": "Get information about a single on-premises instance.", + "description": "Grants permission to get information about a single on-premises instance", "privilege": "GetOnPremisesInstance", "resource_types": [ { @@ -30340,7 +33720,7 @@ }, { "access_level": "List", - "description": "Get information about all application revisions for an application associated with the IAM user.", + "description": "Grants permission to get information about all application revisions for an application associated with the IAM user", "privilege": "ListApplicationRevisions", "resource_types": [ { @@ -30352,7 +33732,7 @@ }, { "access_level": "List", - "description": "Get information about all applications associated with the IAM user.", + "description": "Grants permission to get information about all applications associated with the IAM user", "privilege": "ListApplications", "resource_types": [ { @@ -30364,7 +33744,7 @@ }, { "access_level": "List", - "description": "Get information about all deployment configurations associated with the IAM user.", + "description": "Grants permission to get information about all deployment configurations associated with the IAM user", "privilege": "ListDeploymentConfigs", "resource_types": [ { @@ -30376,7 +33756,7 @@ }, { "access_level": "List", - "description": "Get information about all deployment groups for an application associated with the IAM user.", + "description": "Grants permission to get information about all deployment groups for an application associated with the IAM user", "privilege": "ListDeploymentGroups", "resource_types": [ { @@ -30388,7 +33768,7 @@ }, { "access_level": "List", - "description": "Get information about all instances in a deployment associated with the IAM user.", + "description": "Grants permission to get information about all instances in a deployment associated with the IAM user", "privilege": "ListDeploymentInstances", "resource_types": [ { @@ -30400,7 +33780,7 @@ }, { "access_level": "List", - "description": "Returns an array of target IDs that are associated a deployment.", + "description": "Grants permission to return an array of target IDs that are associated a deployment", "privilege": "ListDeploymentTargets", "resource_types": [ { @@ -30412,7 +33792,7 @@ }, { "access_level": "List", - "description": "Get information about all deployments to a deployment group associated with the IAM user, or to get all deployments associated with the IAM user.", + "description": "Grants permission to get information about all deployments to a deployment group associated with the IAM user, or to get all deployments associated with the IAM user", "privilege": "ListDeployments", "resource_types": [ { @@ -30424,7 +33804,7 @@ }, { "access_level": "List", - "description": "Lists the names of stored connections to GitHub accounts.", + "description": "Grants permission to list the names of stored connections to GitHub accounts", "privilege": "ListGitHubAccountTokenNames", "resource_types": [ { @@ -30436,7 +33816,7 @@ }, { "access_level": "List", - "description": "Get a list of one or more on-premises instance names.", + "description": "Grants permission to get a list of one or more on-premises instance names", "privilege": "ListOnPremisesInstances", "resource_types": [ { @@ -30448,7 +33828,7 @@ }, { "access_level": "List", - "description": "Returns a list of tags for the resource identified by a specified ARN. Tags are used to organize and categorize your CodeDeploy resources.", + "description": "Grants permission to return a list of tags for the resource identified by a specified ARN. Tags are used to organize and categorize your CodeDeploy resources", "privilege": "ListTagsForResource", "resource_types": [ { @@ -30465,7 +33845,7 @@ }, { "access_level": "Write", - "description": "Notify a lifecycle event hook execution status for associated deployment with the IAM user.", + "description": "Grants permission to notify a lifecycle event hook execution status for associated deployment with the IAM user", "privilege": "PutLifecycleEventHookExecutionStatus", "resource_types": [ { @@ -30477,7 +33857,7 @@ }, { "access_level": "Write", - "description": "Register information about an application revision for an application associated with the IAM user.", + "description": "Grants permission to register information about an application revision for an application associated with the IAM user", "privilege": "RegisterApplicationRevision", "resource_types": [ { @@ -30489,7 +33869,7 @@ }, { "access_level": "Write", - "description": "Register an on-premises instance.", + "description": "Grants permission to register an on-premises instance", "privilege": "RegisterOnPremisesInstance", "resource_types": [ { @@ -30501,7 +33881,7 @@ }, { "access_level": "Tagging", - "description": "Remove tags from one or more on-premises instances.", + "description": "Grants permission to remove tags from one or more on-premises instances", "privilege": "RemoveTagsFromOnPremisesInstances", "resource_types": [ { @@ -30513,7 +33893,7 @@ }, { "access_level": "Write", - "description": "In a blue/green deployment, overrides any specified wait time and starts terminating instances immediately after the traffic routing is complete.", + "description": "Grants permission to override any specified wait time and starts terminating instances immediately after the traffic routing is complete. This action applies to blue-green deployments only", "privilege": "SkipWaitTimeForInstanceTermination", "resource_types": [ { @@ -30525,7 +33905,7 @@ }, { "access_level": "Write", - "description": "Description for StopDeployment", + "description": "Grants permission to stop a deployment", "privilege": "StopDeployment", "resource_types": [ { @@ -30537,7 +33917,7 @@ }, { "access_level": "Tagging", - "description": "Associates the list of tags in the input Tags parameter with the resource identified by the ResourceArn input parameter.", + "description": "Grants permission to associate the list of tags in the input Tags parameter with the resource identified by the ResourceArn input parameter", "privilege": "TagResource", "resource_types": [ { @@ -30562,7 +33942,7 @@ }, { "access_level": "Tagging", - "description": "Disassociates a resource from a list of tags. The resource is identified by the ResourceArn input parameter. The tags are identfied by the list of keys in the TagKeys input parameter.", + "description": "Grants permission to disassociate a resource from a list of tags. The resource is identified by the ResourceArn input parameter. The tags are identfied by the list of keys in the TagKeys input parameter", "privilege": "UntagResource", "resource_types": [ { @@ -30586,7 +33966,7 @@ }, { "access_level": "Write", - "description": "Description for UpdateApplication", + "description": "Grants permission to update an application", "privilege": "UpdateApplication", "resource_types": [ { @@ -30598,7 +33978,7 @@ }, { "access_level": "Write", - "description": "Change information about a single deployment group for an application associated with the IAM user.", + "description": "Grants permission to change information about a single deployment group for an application associated with the IAM user", "privilege": "UpdateDeploymentGroup", "resource_types": [ { @@ -30633,6 +34013,62 @@ ], "service_name": "AWS CodeDeploy" }, + { + "conditions": [], + "prefix": "codedeploy-commands-secure", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to get deployment specification", + "privilege": "GetDeploymentSpecification", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to request host agent commands", + "privilege": "PollHostCommand", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to mark host agent commands acknowledged", + "privilege": "PutHostCommandAcknowledgement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to mark host agent commands completed", + "privilege": "PutHostCommandComplete", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS CodeDeploy secure host commands service" + }, { "conditions": [], "prefix": "codeguru", @@ -30668,7 +34104,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "codeguru-profiler", @@ -30774,7 +34210,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get the resource policy associated with the specified Profiling Group.", + "description": "Grants permission to get the resource policy associated with the specified Profiling Group", "privilege": "GetPolicy", "resource_types": [ { @@ -30870,7 +34306,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to update the list of principals allowed for an action group in the resource policy associated with the specified Profiling Group.", + "description": "Grants permission to update the list of principals allowed for an action group in the resource policy associated with the specified Profiling Group", "privilege": "PutPermission", "resource_types": [ { @@ -30894,7 +34330,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to remove the permission of specified Action Group from the resource policy associated with the specified Profiling Group.", + "description": "Grants permission to remove the permission of specified Action Group from the resource policy associated with the specified Profiling Group", "privilege": "RemovePermission", "resource_types": [ { @@ -30971,7 +34407,7 @@ ], "resources": [ { - "arn": "arn:${Partition}:codeguru-profiler:${Region}:${Account}:profilingGroup/${profilingGroupName}", + "arn": "arn:${Partition}:codeguru-profiler:${Region}:${Account}:profilingGroup/${ProfilingGroupName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -30995,7 +34431,7 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "codeguru-reviewer", @@ -31289,7 +34725,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -31308,7 +34745,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -31357,7 +34795,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "codepipeline", @@ -31948,22 +35386,22 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the tags.", + "description": "Filters access by requests based on the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", + "description": "Filters access by actions based on tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", - "type": "String" + "description": "Filters access by requests based on the presence of mandatory tags in the request", + "type": "ArrayOfString" }, { "condition": "iam:ResourceTag/${TagKey}", - "description": "", + "description": "Filters access by actions based on tag-value associated with the resource", "type": "String" } ], @@ -31971,7 +35409,7 @@ "privileges": [ { "access_level": "Permissions management", - "description": "Adds a user to the team for an AWS CodeStar project.", + "description": "Grants permission to add a user to the team for an AWS CodeStar project", "privilege": "AssociateTeamMember", "resource_types": [ { @@ -31983,7 +35421,7 @@ }, { "access_level": "Permissions management", - "description": "Creates a project with minimal structure, customer policies, and no resources.", + "description": "Grants permission to create a project with minimal structure, customer policies, and no resources", "privilege": "CreateProject", "resource_types": [ { @@ -31998,7 +35436,7 @@ }, { "access_level": "Write", - "description": "Creates a profile for a user that includes user preferences, display name, and email.", + "description": "Grants permission to create a profile for a user that includes user preferences, display name, and email", "privilege": "CreateUserProfile", "resource_types": [ { @@ -32010,7 +35448,7 @@ }, { "access_level": "Write", - "description": "Grants access to extended delete APIs.", + "description": "Grants permission to extended delete APIs", "privilege": "DeleteExtendedAccess", "resource_types": [ { @@ -32022,7 +35460,7 @@ }, { "access_level": "Permissions management", - "description": "Deletes a project, including project resources. Does not delete users associated with the project, but does delete the IAM roles that allowed access to the project.", + "description": "Grants permission to delete a project, including project resources. Does not delete users associated with the project, but does delete the IAM roles that allowed access to the project", "privilege": "DeleteProject", "resource_types": [ { @@ -32034,7 +35472,7 @@ }, { "access_level": "Write", - "description": "Deletes a user profile in AWS CodeStar, including all personal preference data associated with that profile, such as display name and email address. It does not delete the history of that user, for example the history of commits made by that user.", + "description": "Grants permission to delete a user profile in AWS CodeStar, including all personal preference data associated with that profile, such as display name and email address. It does not delete the history of that user, for example the history of commits made by that user", "privilege": "DeleteUserProfile", "resource_types": [ { @@ -32046,7 +35484,7 @@ }, { "access_level": "Read", - "description": "Describes a project and its resources.", + "description": "Grants permission to describe a project and its resources", "privilege": "DescribeProject", "resource_types": [ { @@ -32058,7 +35496,7 @@ }, { "access_level": "Read", - "description": "Describes a user in AWS CodeStar and the user attributes across all projects.", + "description": "Grants permission to describe a user in AWS CodeStar and the user attributes across all projects", "privilege": "DescribeUserProfile", "resource_types": [ { @@ -32070,7 +35508,7 @@ }, { "access_level": "Permissions management", - "description": "Removes a user from a project. Removing a user from a project also removes the IAM policies from that user that allowed access to the project and its resources.", + "description": "Grants permission to remove a user from a project. Removing a user from a project also removes the IAM policies from that user that allowed access to the project and its resources", "privilege": "DisassociateTeamMember", "resource_types": [ { @@ -32082,7 +35520,7 @@ }, { "access_level": "Read", - "description": "Grants access to extended read APIs.", + "description": "Grants permission to extended read APIs", "privilege": "GetExtendedAccess", "resource_types": [ { @@ -32094,7 +35532,7 @@ }, { "access_level": "List", - "description": "Lists all projects in CodeStar associated with your AWS account.", + "description": "Grants permission to list all projects in CodeStar associated with your AWS account", "privilege": "ListProjects", "resource_types": [ { @@ -32106,7 +35544,7 @@ }, { "access_level": "List", - "description": "Lists all resources associated with a project in CodeStar.", + "description": "Grants permission to list all resources associated with a project in CodeStar", "privilege": "ListResources", "resource_types": [ { @@ -32118,7 +35556,7 @@ }, { "access_level": "List", - "description": "Lists the tags associated with a project in CodeStar.", + "description": "Grants permission to list the tags associated with a project in CodeStar", "privilege": "ListTagsForProject", "resource_types": [ { @@ -32130,7 +35568,7 @@ }, { "access_level": "List", - "description": "Lists all team members associated with a project.", + "description": "Grants permission to list all team members associated with a project", "privilege": "ListTeamMembers", "resource_types": [ { @@ -32142,7 +35580,7 @@ }, { "access_level": "List", - "description": "Lists user profiles in AWS CodeStar.", + "description": "Grants permission to list user profiles in AWS CodeStar", "privilege": "ListUserProfiles", "resource_types": [ { @@ -32154,7 +35592,7 @@ }, { "access_level": "Write", - "description": "Grants access to extended write APIs.", + "description": "Grants permission to extended write APIs", "privilege": "PutExtendedAccess", "resource_types": [ { @@ -32166,7 +35604,7 @@ }, { "access_level": "Tagging", - "description": "Adds tags to a project in CodeStar.", + "description": "Grants permission to add tags to a project in CodeStar", "privilege": "TagProject", "resource_types": [ { @@ -32186,7 +35624,7 @@ }, { "access_level": "Tagging", - "description": "Removes tags from a project in CodeStar.", + "description": "Grants permission to remove tags from a project in CodeStar", "privilege": "UntagProject", "resource_types": [ { @@ -32205,7 +35643,7 @@ }, { "access_level": "Write", - "description": "Updates a project in CodeStar.", + "description": "Grants permission to update a project in CodeStar", "privilege": "UpdateProject", "resource_types": [ { @@ -32217,7 +35655,7 @@ }, { "access_level": "Permissions management", - "description": "Updates team member attributes within a CodeStar project.", + "description": "Grants permission to update team member attributes within a CodeStar project", "privilege": "UpdateTeamMember", "resource_types": [ { @@ -32229,7 +35667,7 @@ }, { "access_level": "Write", - "description": "Updates a profile for a user that includes user preferences, display name, and email.", + "description": "Grants permission to update a profile for a user that includes user preferences, display name, and email", "privilege": "UpdateUserProfile", "resource_types": [ { @@ -32241,7 +35679,7 @@ }, { "access_level": "List", - "description": "Verifies whether the AWS CodeStar service role exists in the customer's account.", + "description": "Grants permission to verify whether the AWS CodeStar service role exists in the customer's account", "privilege": "VerifyServiceRole", "resource_types": [ { @@ -32261,7 +35699,7 @@ "resource": "project" }, { - "arn": "arn:${Partition}:iam::${Account}:user/${aws:username}", + "arn": "arn:${Partition}:iam::${Account}:user/${AwsUserName}", "condition_keys": [ "iam:ResourceTag/${TagKey}" ], @@ -32285,7 +35723,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "codestar-connections:BranchName", @@ -32368,6 +35806,8 @@ "resource_types": [ { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "codestar-connections:ProviderType" ], "dependent_actions": [], @@ -32696,7 +36136,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "codestar-notifications:NotificationsForResource", @@ -32979,7 +36419,7 @@ { "condition": "aws:TagKeys", "description": "Filters access by a key that is present in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "cognito-identity", @@ -33294,25 +36734,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request.", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource.", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access by a key that is present in the request.", - "type": "String" + "description": "Filters access by a key that is present in the request", + "type": "ArrayOfString" } ], "prefix": "cognito-idp", "privileges": [ { "access_level": "Write", - "description": "Adds additional user attributes to the user pool schema.", + "description": "Grants permission to add user attributes to the user pool schema", "privilege": "AddCustomAttributes", "resource_types": [ { @@ -33324,7 +36764,7 @@ }, { "access_level": "Write", - "description": "Adds the specified user to the specified group.", + "description": "Grants permission to add any user to any group", "privilege": "AdminAddUserToGroup", "resource_types": [ { @@ -33336,7 +36776,7 @@ }, { "access_level": "Write", - "description": "Confirms user registration as an admin without using a confirmation code. Works on any user.", + "description": "Grants permission to confirm any user's registration without a confirmation code", "privilege": "AdminConfirmSignUp", "resource_types": [ { @@ -33348,7 +36788,7 @@ }, { "access_level": "Write", - "description": "Creates a new user in the specified user pool and sends a welcome message via email or phone (SMS).", + "description": "Grants permission to create new users and send welcome messages via email or SMS", "privilege": "AdminCreateUser", "resource_types": [ { @@ -33360,7 +36800,7 @@ }, { "access_level": "Write", - "description": "Deletes a user as an administrator. Works on any user.", + "description": "Grants permission to delete any user", "privilege": "AdminDeleteUser", "resource_types": [ { @@ -33372,7 +36812,7 @@ }, { "access_level": "Write", - "description": "Deletes the user attributes in a user pool as an administrator. Works on any user.", + "description": "Grants permission to delete attributes from any user", "privilege": "AdminDeleteUserAttributes", "resource_types": [ { @@ -33384,7 +36824,7 @@ }, { "access_level": "Write", - "description": "Disables the user from signing in with the specified external (SAML or social) identity provider.", + "description": "Grants permission to unlink any user pool user from a third-party identity provider (IdP) user", "privilege": "AdminDisableProviderForUser", "resource_types": [ { @@ -33396,7 +36836,7 @@ }, { "access_level": "Write", - "description": "Disables the specified user as an administrator. Works on any user.", + "description": "Grants permission to deactivate any user", "privilege": "AdminDisableUser", "resource_types": [ { @@ -33408,7 +36848,7 @@ }, { "access_level": "Write", - "description": "Enables the specified user as an administrator. Works on any user.", + "description": "Grants permission to activate any user", "privilege": "AdminEnableUser", "resource_types": [ { @@ -33420,7 +36860,7 @@ }, { "access_level": "Write", - "description": "Forgets the device, as an administrator.", + "description": "Grants permission to deregister any user's devices", "privilege": "AdminForgetDevice", "resource_types": [ { @@ -33432,7 +36872,7 @@ }, { "access_level": "Read", - "description": "Gets the device, as an administrator.", + "description": "Grants permission to get information about any user's devices", "privilege": "AdminGetDevice", "resource_types": [ { @@ -33444,7 +36884,7 @@ }, { "access_level": "Read", - "description": "Gets the specified user by user name in a user pool as an administrator. Works on any user.", + "description": "Grants permission to look up any user by user name", "privilege": "AdminGetUser", "resource_types": [ { @@ -33456,7 +36896,7 @@ }, { "access_level": "Write", - "description": "Authenticates a user in a user pool as an administrator. Works on any user.", + "description": "Grants permission to authenticate any user", "privilege": "AdminInitiateAuth", "resource_types": [ { @@ -33468,7 +36908,7 @@ }, { "access_level": "Write", - "description": "Links an existing user account in a user pool (DestinationUser) to an identity from an external identity provider (SourceUser) based on a specified attribute name and value from the external identity provider.", + "description": "Grants permission to link any user pool user to a third-party IdP user", "privilege": "AdminLinkProviderForUser", "resource_types": [ { @@ -33480,7 +36920,7 @@ }, { "access_level": "List", - "description": "Lists devices, as an administrator.", + "description": "Grants permission to list any user's remembered devices", "privilege": "AdminListDevices", "resource_types": [ { @@ -33492,7 +36932,7 @@ }, { "access_level": "List", - "description": "Lists the groups that the user belongs to.", + "description": "Grants permission to list the groups that any user belongs to", "privilege": "AdminListGroupsForUser", "resource_types": [ { @@ -33504,7 +36944,7 @@ }, { "access_level": "Read", - "description": "Lists the authentication events for the user.", + "description": "Grants permission to lists sign-in events for any user", "privilege": "AdminListUserAuthEvents", "resource_types": [ { @@ -33516,7 +36956,7 @@ }, { "access_level": "Write", - "description": "Removes the specified user from the specified group.", + "description": "Grants permission to remove any user from any group", "privilege": "AdminRemoveUserFromGroup", "resource_types": [ { @@ -33528,7 +36968,7 @@ }, { "access_level": "Write", - "description": "Resets the specified user's password in a user pool as an administrator. Works on any user.", + "description": "Grants permission to reset any user's password", "privilege": "AdminResetUserPassword", "resource_types": [ { @@ -33540,7 +36980,7 @@ }, { "access_level": "Write", - "description": "Responds to an authentication challenge, as an administrator.", + "description": "Grants permission to respond to an authentication challenge during the authentication of any user", "privilege": "AdminRespondToAuthChallenge", "resource_types": [ { @@ -33552,7 +36992,7 @@ }, { "access_level": "Write", - "description": "Sets MFA preference for the user in the userpool", + "description": "Grants permission to set any user's preferred MFA method", "privilege": "AdminSetUserMFAPreference", "resource_types": [ { @@ -33564,7 +37004,7 @@ }, { "access_level": "Write", - "description": "Sets the specified user's password in a user pool as an administrator. Works on any user.", + "description": "Grants permission to set any user's password", "privilege": "AdminSetUserPassword", "resource_types": [ { @@ -33576,7 +37016,7 @@ }, { "access_level": "Write", - "description": "Sets all the user settings for a specified user name. Works on any user.", + "description": "Grants permission to set user settings for any user", "privilege": "AdminSetUserSettings", "resource_types": [ { @@ -33588,7 +37028,7 @@ }, { "access_level": "Write", - "description": "Updates the feedback for the user authentication event", + "description": "Grants permission to update advanced security feedback for any user's authentication event", "privilege": "AdminUpdateAuthEventFeedback", "resource_types": [ { @@ -33600,7 +37040,7 @@ }, { "access_level": "Write", - "description": "Updates the device status as an administrator.", + "description": "Grants permission to update the status of any user's remembered devices", "privilege": "AdminUpdateDeviceStatus", "resource_types": [ { @@ -33612,7 +37052,7 @@ }, { "access_level": "Write", - "description": "Updates the specified user's attributes, including developer attributes, as an administrator.", + "description": "Grants permission to updates any user's standard or custom attributes", "privilege": "AdminUpdateUserAttributes", "resource_types": [ { @@ -33624,7 +37064,7 @@ }, { "access_level": "Write", - "description": "Signs out users from all devices, as an administrator.", + "description": "Grants permission to sign out any user from all sessions", "privilege": "AdminUserGlobalSignOut", "resource_types": [ { @@ -33636,7 +37076,7 @@ }, { "access_level": "Write", - "description": "Returns a unique generated shared secret key code for the user account.", + "description": "Returns a unique generated shared secret key code for the user account", "privilege": "AssociateSoftwareToken", "resource_types": [ { @@ -33648,7 +37088,24 @@ }, { "access_level": "Write", - "description": "Changes the password for a specified user in a user pool.", + "description": "Grants permission to associate the user pool with an AWS WAF web ACL", + "privilege": "AssociateWebACL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userpool*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "webacl*" + } + ] + }, + { + "access_level": "Write", + "description": "Changes the password for a specified user in a user pool", "privilege": "ChangePassword", "resource_types": [ { @@ -33660,7 +37117,7 @@ }, { "access_level": "Write", - "description": "Confirms tracking of the device. This API call is the call that begins device tracking.", + "description": "Confirms tracking of the device. This API call is the call that begins device tracking", "privilege": "ConfirmDevice", "resource_types": [ { @@ -33672,7 +37129,7 @@ }, { "access_level": "Write", - "description": "Allows a user to enter a confirmation code to reset a forgotten password.", + "description": "Allows a user to enter a confirmation code to reset a forgotten password", "privilege": "ConfirmForgotPassword", "resource_types": [ { @@ -33684,7 +37141,7 @@ }, { "access_level": "Write", - "description": "Confirms registration of a user and handles the existing alias from a previous user.", + "description": "Confirms registration of a user and handles the existing alias from a previous user", "privilege": "ConfirmSignUp", "resource_types": [ { @@ -33696,7 +37153,7 @@ }, { "access_level": "Write", - "description": "Creates a new group in the specified user pool.", + "description": "Grants permission to create new user pool groups", "privilege": "CreateGroup", "resource_types": [ { @@ -33708,7 +37165,7 @@ }, { "access_level": "Write", - "description": "Creates an identity provider for a user pool.", + "description": "Grants permission to add identity providers to user pools", "privilege": "CreateIdentityProvider", "resource_types": [ { @@ -33720,7 +37177,7 @@ }, { "access_level": "Write", - "description": "Creates a new OAuth2.0 resource server and defines custom scopes in it.", + "description": "Grants permission to create and configure scopes for OAuth 2.0 resource servers", "privilege": "CreateResourceServer", "resource_types": [ { @@ -33732,7 +37189,7 @@ }, { "access_level": "Write", - "description": "Creates the user import job.", + "description": "Grants permission to create user CSV import jobs", "privilege": "CreateUserImportJob", "resource_types": [ { @@ -33744,7 +37201,7 @@ }, { "access_level": "Write", - "description": "Creates a new Amazon Cognito user pool and sets the password policy for the pool.", + "description": "Grants permission to create and set password policy for user pools", "privilege": "CreateUserPool", "resource_types": [ { @@ -33760,7 +37217,7 @@ }, { "access_level": "Write", - "description": "Creates the user pool client.", + "description": "Grants permission to create user pool app clients", "privilege": "CreateUserPoolClient", "resource_types": [ { @@ -33772,7 +37229,7 @@ }, { "access_level": "Write", - "description": "Creates a new domain for a user pool.", + "description": "Grants permission to add user pool domains", "privilege": "CreateUserPoolDomain", "resource_types": [ { @@ -33784,7 +37241,7 @@ }, { "access_level": "Write", - "description": "Deletes a group. Currently only groups with no members can be deleted.", + "description": "Grants permission to delete any empty user pool group", "privilege": "DeleteGroup", "resource_types": [ { @@ -33796,7 +37253,7 @@ }, { "access_level": "Write", - "description": "Deletes an identity provider for a user pool.", + "description": "Grants permission to delete any identity provider from user pools", "privilege": "DeleteIdentityProvider", "resource_types": [ { @@ -33808,7 +37265,7 @@ }, { "access_level": "Write", - "description": "Deletes a resource server.", + "description": "Grants permission to delete any OAuth 2.0 resource server from user pools", "privilege": "DeleteResourceServer", "resource_types": [ { @@ -33820,7 +37277,7 @@ }, { "access_level": "Write", - "description": "Allows a user to delete one's self.", + "description": "Allows a user to delete one's self", "privilege": "DeleteUser", "resource_types": [ { @@ -33832,7 +37289,7 @@ }, { "access_level": "Write", - "description": "Deletes the attributes for a user.", + "description": "Deletes the attributes for a user", "privilege": "DeleteUserAttributes", "resource_types": [ { @@ -33844,7 +37301,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified Amazon Cognito user pool.", + "description": "Grants permission to delete user pools", "privilege": "DeleteUserPool", "resource_types": [ { @@ -33856,7 +37313,7 @@ }, { "access_level": "Write", - "description": "Allows the developer to delete the user pool client.", + "description": "Grants permission to delete any user pool app client", "privilege": "DeleteUserPoolClient", "resource_types": [ { @@ -33868,7 +37325,7 @@ }, { "access_level": "Write", - "description": "Deletes a domain for a user pool.", + "description": "Grants permission to delete any user pool domain", "privilege": "DeleteUserPoolDomain", "resource_types": [ { @@ -33880,7 +37337,7 @@ }, { "access_level": "Read", - "description": "Gets information about a specific identity provider.", + "description": "Grants permission to describe any user pool identity provider", "privilege": "DescribeIdentityProvider", "resource_types": [ { @@ -33892,7 +37349,7 @@ }, { "access_level": "Read", - "description": "Describes a resource server.", + "description": "Grants permission to describe any OAuth 2.0 resource server", "privilege": "DescribeResourceServer", "resource_types": [ { @@ -33904,7 +37361,7 @@ }, { "access_level": "Read", - "description": "Describes the risk configuration setting for the userpool / userpool client", + "description": "Grants permission to describe the risk configuration settings of user pools and app clients", "privilege": "DescribeRiskConfiguration", "resource_types": [ { @@ -33916,7 +37373,7 @@ }, { "access_level": "Read", - "description": "Describes the user import job.", + "description": "Grants permission to describe any user import job", "privilege": "DescribeUserImportJob", "resource_types": [ { @@ -33928,7 +37385,7 @@ }, { "access_level": "Read", - "description": "Returns the configuration information and metadata of the specified user pool.", + "description": "Grants permission to describe user pools", "privilege": "DescribeUserPool", "resource_types": [ { @@ -33940,7 +37397,7 @@ }, { "access_level": "Read", - "description": "Client method for returning the configuration information and metadata of the specified user pool client.", + "description": "Grants permission to describe any user pool app client", "privilege": "DescribeUserPoolClient", "resource_types": [ { @@ -33952,7 +37409,7 @@ }, { "access_level": "Read", - "description": "Gets information about a domain.", + "description": "Grants permission to describe any user pool domain", "privilege": "DescribeUserPoolDomain", "resource_types": [ { @@ -33964,7 +37421,19 @@ }, { "access_level": "Write", - "description": "Forgets the specified device.", + "description": "Grants permission to disassociate the user pool with an AWS WAF web ACL", + "privilege": "DisassociateWebACL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userpool*" + } + ] + }, + { + "access_level": "Write", + "description": "Forgets the specified device", "privilege": "ForgetDevice", "resource_types": [ { @@ -33976,7 +37445,7 @@ }, { "access_level": "Write", - "description": "Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password.", + "description": "Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password", "privilege": "ForgotPassword", "resource_types": [ { @@ -33988,7 +37457,7 @@ }, { "access_level": "Read", - "description": "Gets the header information for the .csv file to be used as input for the user import job.", + "description": "Grants permission to generate headers for a user import .csv file", "privilege": "GetCSVHeader", "resource_types": [ { @@ -34000,7 +37469,7 @@ }, { "access_level": "Read", - "description": "Gets the device.", + "description": "Gets the device", "privilege": "GetDevice", "resource_types": [ { @@ -34012,7 +37481,7 @@ }, { "access_level": "Read", - "description": "Gets a group.", + "description": "Grants permission to describe a user pool group", "privilege": "GetGroup", "resource_types": [ { @@ -34024,7 +37493,7 @@ }, { "access_level": "Read", - "description": "Gets the specified identity provider.", + "description": "Grants permission to correlate a user pool IdP identifier to the IdP Name", "privilege": "GetIdentityProviderByIdentifier", "resource_types": [ { @@ -34036,7 +37505,7 @@ }, { "access_level": "Read", - "description": "Returns the signing certificate.", + "description": "Grants permission to look up signing certificates for user pools", "privilege": "GetSigningCertificate", "resource_types": [ { @@ -34048,7 +37517,7 @@ }, { "access_level": "Read", - "description": "Gets the UI Customization information for a particular app client's app UI, if there is something set.", + "description": "Grants permission to get UI customization information for the hosted UI of any app client", "privilege": "GetUICustomization", "resource_types": [ { @@ -34060,7 +37529,7 @@ }, { "access_level": "Read", - "description": "Gets the user attributes and metadata for a user.", + "description": "Gets the user attributes and metadata for a user", "privilege": "GetUser", "resource_types": [ { @@ -34072,7 +37541,7 @@ }, { "access_level": "Read", - "description": "Gets the user attribute verification code for the specified attribute name.", + "description": "Gets the user attribute verification code for the specified attribute name", "privilege": "GetUserAttributeVerificationCode", "resource_types": [ { @@ -34084,7 +37553,7 @@ }, { "access_level": "Read", - "description": "Gets the MFA configuration for the userpool", + "description": "Grants permission to look up the MFA configuration of user pools", "privilege": "GetUserPoolMfaConfig", "resource_types": [ { @@ -34094,9 +37563,21 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the AWS WAF web ACL that is associated with an Amazon Cognito user pool", + "privilege": "GetWebACLForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userpool*" + } + ] + }, { "access_level": "Write", - "description": "Signs out users from all devices.", + "description": "Signs out users from all devices", "privilege": "GlobalSignOut", "resource_types": [ { @@ -34108,7 +37589,7 @@ }, { "access_level": "Write", - "description": "Initiates the authentication flow.", + "description": "Initiates the authentication flow", "privilege": "InitiateAuth", "resource_types": [ { @@ -34120,7 +37601,7 @@ }, { "access_level": "List", - "description": "Lists the devices.", + "description": "Lists the devices", "privilege": "ListDevices", "resource_types": [ { @@ -34132,7 +37613,7 @@ }, { "access_level": "List", - "description": "Lists the groups associated with a user pool.", + "description": "Grants permission to list all groups in user pools", "privilege": "ListGroups", "resource_types": [ { @@ -34144,7 +37625,7 @@ }, { "access_level": "List", - "description": "Lists information about all identity providers for a user pool.", + "description": "Grants permission to list all identity providers in user pools", "privilege": "ListIdentityProviders", "resource_types": [ { @@ -34156,7 +37637,7 @@ }, { "access_level": "List", - "description": "Lists the resource servers for a user pool.", + "description": "Grants permission to list all resource servers in user pools", "privilege": "ListResourceServers", "resource_types": [ { @@ -34168,7 +37649,19 @@ }, { "access_level": "List", - "description": "Lists the tags that are assigned to an Amazon Cognito user pool.", + "description": "Grants permission to list the user pools that are associated with an AWS WAF web ACL", + "privilege": "ListResourcesForWebACL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "webacl*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the tags that are assigned to an Amazon Cognito user pool", "privilege": "ListTagsForResource", "resource_types": [ { @@ -34180,7 +37673,7 @@ }, { "access_level": "List", - "description": "Lists the user import jobs..", + "description": "Grants permission to list all user import jobs", "privilege": "ListUserImportJobs", "resource_types": [ { @@ -34192,7 +37685,7 @@ }, { "access_level": "List", - "description": "Lists the clients that have been created for the specified user pool.", + "description": "Grants permission to list all app clients in user pools", "privilege": "ListUserPoolClients", "resource_types": [ { @@ -34204,7 +37697,7 @@ }, { "access_level": "List", - "description": "Lists the user pools associated with an AWS account.", + "description": "Grants permission to list all user pools", "privilege": "ListUserPools", "resource_types": [ { @@ -34216,7 +37709,7 @@ }, { "access_level": "List", - "description": "Lists the users in the Amazon Cognito user pool.", + "description": "Grants permission to list all user pool users", "privilege": "ListUsers", "resource_types": [ { @@ -34228,7 +37721,7 @@ }, { "access_level": "List", - "description": "Lists the users in the specified group.", + "description": "Grants permission to list the users in any group", "privilege": "ListUsersInGroup", "resource_types": [ { @@ -34240,7 +37733,7 @@ }, { "access_level": "Write", - "description": "Resends the confirmation (for confirmation of registration) to a specific user in the user pool.", + "description": "Resends the confirmation (for confirmation of registration) to a specific user in the user pool", "privilege": "ResendConfirmationCode", "resource_types": [ { @@ -34252,7 +37745,7 @@ }, { "access_level": "Write", - "description": "Responds to the authentication challenge.", + "description": "Responds to the authentication challenge", "privilege": "RespondToAuthChallenge", "resource_types": [ { @@ -34264,7 +37757,19 @@ }, { "access_level": "Write", - "description": "sets the risk configuration setting for the userpool / userpool client", + "description": "Revokes all of the access tokens generated by the specified refresh token", + "privilege": "RevokeToken", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set risk configuration for user pools and app clients", "privilege": "SetRiskConfiguration", "resource_types": [ { @@ -34276,7 +37781,7 @@ }, { "access_level": "Write", - "description": "Sets the UI customization information for a user pool's built-in app UI.", + "description": "Grants permission to customize the hosted UI for any app client", "privilege": "SetUICustomization", "resource_types": [ { @@ -34300,7 +37805,7 @@ }, { "access_level": "Write", - "description": "Sets the MFA configuration for the userpool", + "description": "Grants permission to set user pool MFA configuration", "privilege": "SetUserPoolMfaConfig", "resource_types": [ { @@ -34312,7 +37817,7 @@ }, { "access_level": "Write", - "description": "Sets the user settings like multi-factor authentication (MFA).", + "description": "Sets the user settings like multi-factor authentication (MFA)", "privilege": "SetUserSettings", "resource_types": [ { @@ -34324,7 +37829,7 @@ }, { "access_level": "Write", - "description": "Registers the user in the specified user pool and creates a user name, password, and user attributes.", + "description": "Registers the user in the specified user pool and creates a user name, password, and user attributes", "privilege": "SignUp", "resource_types": [ { @@ -34336,7 +37841,7 @@ }, { "access_level": "Write", - "description": "Starts the user import.", + "description": "Grants permission to start any user import job", "privilege": "StartUserImportJob", "resource_types": [ { @@ -34348,7 +37853,7 @@ }, { "access_level": "Write", - "description": "Stops the user import job.", + "description": "Grants permission to stop any user import job", "privilege": "StopUserImportJob", "resource_types": [ { @@ -34360,7 +37865,7 @@ }, { "access_level": "Tagging", - "description": "Assigns a set of tags to an Amazon Cognito user pool.", + "description": "Grants permission to tag a user pool", "privilege": "TagResource", "resource_types": [ { @@ -34380,7 +37885,7 @@ }, { "access_level": "Tagging", - "description": "Removes the specified tags from an Amazon Cognito user pool.", + "description": "Grants permission to untag a user pool", "privilege": "UntagResource", "resource_types": [ { @@ -34411,7 +37916,7 @@ }, { "access_level": "Write", - "description": "Updates the device status.", + "description": "Updates the device status", "privilege": "UpdateDeviceStatus", "resource_types": [ { @@ -34423,7 +37928,7 @@ }, { "access_level": "Write", - "description": "Updates the specified group with the specified attributes.", + "description": "Grants permission to update the configuration of any group", "privilege": "UpdateGroup", "resource_types": [ { @@ -34435,7 +37940,7 @@ }, { "access_level": "Write", - "description": "Updates identity provider information for a user pool.", + "description": "Grants permission to update the configuration of any user pool IdP", "privilege": "UpdateIdentityProvider", "resource_types": [ { @@ -34447,7 +37952,7 @@ }, { "access_level": "Write", - "description": "Updates the name and scopes of resource server.", + "description": "Grants permission to update the configuration of any OAuth 2.0 resource server", "privilege": "UpdateResourceServer", "resource_types": [ { @@ -34459,7 +37964,7 @@ }, { "access_level": "Write", - "description": "Allows a user to update a specific attribute (one at a time).", + "description": "Allows a user to update a specific attribute (one at a time)", "privilege": "UpdateUserAttributes", "resource_types": [ { @@ -34471,7 +37976,7 @@ }, { "access_level": "Write", - "description": "Updates the specified user pool with the specified attributes.", + "description": "Grants permission to updates the configuration of user pools", "privilege": "UpdateUserPool", "resource_types": [ { @@ -34491,7 +37996,7 @@ }, { "access_level": "Write", - "description": "Allows the developer to update the specified user pool client and password policy.", + "description": "Grants permission to update any user pool client", "privilege": "UpdateUserPoolClient", "resource_types": [ { @@ -34503,7 +38008,7 @@ }, { "access_level": "Write", - "description": "Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.", + "description": "Grants permission to replace the certificate for any custom domain", "privilege": "UpdateUserPoolDomain", "resource_types": [ { @@ -34515,7 +38020,7 @@ }, { "access_level": "Write", - "description": "Registers a user's entered TOTP code and mark the user's software token MFA status as verified if successful.", + "description": "Registers a user's entered TOTP code and mark the user's software token MFA status as verified if successful", "privilege": "VerifySoftwareToken", "resource_types": [ { @@ -34527,7 +38032,7 @@ }, { "access_level": "Write", - "description": "Verifies a user attribute using a one time verification code.", + "description": "Verifies a user attribute using a one time verification code", "privilege": "VerifyUserAttribute", "resource_types": [ { @@ -34545,6 +38050,11 @@ "aws:ResourceTag/${TagKey}" ], "resource": "userpool" + }, + { + "arn": "arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/webacl/${Name}/${Id}", + "condition_keys": [], + "resource": "webacl" } ], "service_name": "Amazon Cognito User Pools" @@ -34555,7 +38065,7 @@ "privileges": [ { "access_level": "Write", - "description": "Initiates a bulk publish of all existing datasets for an Identity Pool to the configured stream.", + "description": "Grants permission to initiate a bulk publish of all existing datasets for an Identity Pool to the configured stream", "privilege": "BulkPublish", "resource_types": [ { @@ -34567,7 +38077,7 @@ }, { "access_level": "Write", - "description": "Deletes the specific dataset.", + "description": "Grants permission to delete a specific dataset", "privilege": "DeleteDataset", "resource_types": [ { @@ -34579,7 +38089,7 @@ }, { "access_level": "Read", - "description": "Gets meta data about a dataset by identity and dataset name.", + "description": "Grants permission to get metadata about a dataset by identity and dataset name", "privilege": "DescribeDataset", "resource_types": [ { @@ -34591,7 +38101,7 @@ }, { "access_level": "Read", - "description": "Gets usage details (for example, data storage) about a particular identity pool.", + "description": "Grants permission to get usage details (for example, data storage) about a particular identity pool", "privilege": "DescribeIdentityPoolUsage", "resource_types": [ { @@ -34603,7 +38113,7 @@ }, { "access_level": "Read", - "description": "Gets usage information for an identity, including number of datasets and data usage.", + "description": "Grants permission to get usage information for an identity, including number of datasets and data usage", "privilege": "DescribeIdentityUsage", "resource_types": [ { @@ -34615,7 +38125,7 @@ }, { "access_level": "Read", - "description": "Get the status of the last BulkPublish operation for an identity pool.", + "description": "Grants permission to get the status of the last BulkPublish operation for an identity pool", "privilege": "GetBulkPublishDetails", "resource_types": [ { @@ -34627,7 +38137,7 @@ }, { "access_level": "Read", - "description": "Gets the events and the corresponding Lambda functions associated with an identity pool.", + "description": "Grants permission to get the events and the corresponding Lambda functions associated with an identity pool", "privilege": "GetCognitoEvents", "resource_types": [ { @@ -34639,7 +38149,7 @@ }, { "access_level": "Read", - "description": "Gets the configuration settings of an identity pool.", + "description": "Grants permission to get the configuration settings of an identity pool", "privilege": "GetIdentityPoolConfiguration", "resource_types": [ { @@ -34651,7 +38161,7 @@ }, { "access_level": "List", - "description": "Lists datasets for an identity.", + "description": "Grants permission to list datasets for an identity", "privilege": "ListDatasets", "resource_types": [ { @@ -34663,7 +38173,7 @@ }, { "access_level": "Read", - "description": "Gets a list of identity pools registered with Cognito.", + "description": "Grants permission to get a list of identity pools registered with Cognito", "privilege": "ListIdentityPoolUsage", "resource_types": [ { @@ -34675,7 +38185,7 @@ }, { "access_level": "Read", - "description": "Gets paginated records, optionally changed after a particular sync count for a dataset and identity.", + "description": "Grants permission to get paginated records, optionally changed after a particular sync count for a dataset and identity", "privilege": "ListRecords", "resource_types": [ { @@ -34687,7 +38197,7 @@ }, { "access_level": "Read", - "description": "A permission that grants the ability to query records.", + "description": "Grants permission to query records", "privilege": "QueryRecords", "resource_types": [ { @@ -34699,7 +38209,7 @@ }, { "access_level": "Write", - "description": "Registers a device to receive push sync notifications.", + "description": "Grants permission to register a device to receive push sync notifications", "privilege": "RegisterDevice", "resource_types": [ { @@ -34711,7 +38221,7 @@ }, { "access_level": "Write", - "description": "Sets the AWS Lambda function for a given event type for an identity pool.", + "description": "Grants permission to set the AWS Lambda function for a given event type for an identity pool", "privilege": "SetCognitoEvents", "resource_types": [ { @@ -34723,7 +38233,7 @@ }, { "access_level": "Write", - "description": "A permission that grants ability to configure datasets.", + "description": "Grants permission to configure datasets", "privilege": "SetDatasetConfiguration", "resource_types": [ { @@ -34735,7 +38245,7 @@ }, { "access_level": "Write", - "description": "Sets the necessary configuration for push sync.", + "description": "Grants permission to set the necessary configuration for push sync", "privilege": "SetIdentityPoolConfiguration", "resource_types": [ { @@ -34747,7 +38257,7 @@ }, { "access_level": "Write", - "description": "Subscribes to receive notifications when a dataset is modified by another device.", + "description": "Grants permission to subscribe to receive notifications when a dataset is modified by another device", "privilege": "SubscribeToDataset", "resource_types": [ { @@ -34759,7 +38269,7 @@ }, { "access_level": "Write", - "description": "Unsubscribes from receiving notifications when a dataset is modified by another device.", + "description": "Grants permission to unsubscribe from receiving notifications when a dataset is modified by another device", "privilege": "UnsubscribeFromDataset", "resource_types": [ { @@ -34771,7 +38281,7 @@ }, { "access_level": "Write", - "description": "Posts updates to records and adds and deletes records for a dataset and user.", + "description": "Grants permission to post updates to records and add and delete records for a dataset and user", "privilege": "UpdateRecords", "resource_types": [ { @@ -34805,18 +38315,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access to create requests based on the allowed set of values for each of the mandatory tags", + "description": "Filters access by requiring tag values present in a resource creation request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access to actions based on the tag value associated with the resource", + "description": "Filters access by requiring tag value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access to create requests based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by requiring the presence of mandatory tags in the request", + "type": "ArrayOfString" }, { "condition": "comprehend:ModelKmsKey", @@ -34920,7 +38430,7 @@ }, { "access_level": "Read", - "description": "Grants permission to classify the personally identifiable information within given documents at realtime", + "description": "Grants permission to classify the personally identifiable information within given documents in real-time", "privilege": "ContainsPiiEntities", "resource_types": [ { @@ -35055,6 +38565,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove policy on resource", + "privilege": "DeleteResourcePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classifier*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-recognizer*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the properties associated with a document classification job", @@ -35168,6 +38695,23 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to read attached policy on resource", + "privilege": "DescribeResourcePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classifier*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-recognizer*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the properties associated with a sentiment detection job", @@ -35180,6 +38724,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the properties associated with a targeted sentiment detection job", + "privilege": "DescribeTargetedSentimentDetectionJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "targeted-sentiment-detection-job*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the properties associated with a topic detection job", @@ -35264,6 +38820,32 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to import a trained Comprehend model", + "privilege": "ImportModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classifier*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-recognizer*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "comprehend:ModelKmsKey" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get a list of the document classification jobs that you have submitted", @@ -35468,6 +39050,11 @@ "dependent_actions": [], "resource_type": "sentiment-detection-job" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "targeted-sentiment-detection-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -35475,6 +39062,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get a list of targeted sentiment detection jobs that you have submitted", + "privilege": "ListTargetedSentimentDetectionJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get a list of the topic detection jobs that you have submitted", @@ -35487,6 +39086,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to attach policy to resource", + "privilege": "PutResourcePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classifier*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-recognizer*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to start an asynchronous document classification job", @@ -35659,6 +39275,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start an asynchronous targeted sentiment detection job for a collection of documents", + "privilege": "StartTargetedSentimentDetectionJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "targeted-sentiment-detection-job*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "comprehend:VolumeKmsKey", + "comprehend:OutputKmsKey", + "comprehend:VpcSecurityGroupIds", + "comprehend:VpcSubnets" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to start an asynchronous job to detect the most common topics in the collection of documents and the phrases associated with each topic", @@ -35755,6 +39395,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to stop a targeted sentiment detection job", + "privilege": "StopTargetedSentimentDetectionJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "targeted-sentiment-detection-job*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to stop a previously created document classifier training job", @@ -35947,6 +39599,13 @@ } ], "resources": [ + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:targeted-sentiment-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "targeted-sentiment-detection-job" + }, { "arn": "arn:${Partition}:comprehend:${Region}:${Account}:document-classifier/${DocumentClassifierName}", "condition_keys": [ @@ -36034,53 +39693,21 @@ ], "service_name": "Amazon Comprehend" }, - { - "conditions": [], - "prefix": "comprehendmedical", - "privileges": [ - { - "access_level": "Read", - "description": "Inspects the specified text for the specified type of entities and returns information about them.", - "privilege": "DetectEntities", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Inspects the specified text for PHI entities and returns information about them.", - "privilege": "DetectPHI", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "Comprehend Medical" - }, { "conditions": [ { "condition": "aws:SourceArn", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by the presence of tag keys in the request", "type": "String" }, { "condition": "aws:SourceVpc", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by the presence of tag keys in the request", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by the presence of tag keys in the request", "type": "String" } ], @@ -36134,6 +39761,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe the properties of a SNOMED-CT linking job that you have submitted", + "privilege": "DescribeSNOMEDCTInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to detect the named medical entities, and their relationships and traits within the given text document", @@ -36182,6 +39821,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to detect the medical condition, anatomy, and test, treatment, and procedure entities within the given text document and link them to SNOMED-CT codes", + "privilege": "InferSNOMEDCT", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list the medical entity detection jobs that you have submitted", @@ -36230,6 +39881,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list the SNOMED-CT linking jobs that you have submitted", + "privilege": "ListSNOMEDCTInferenceJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to start an asynchronous medical entity detection job for a collection of documents", @@ -36278,6 +39941,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start an asynchronous SNOMED-CT linking job for a collection of documents", + "privilege": "StartSNOMEDCTInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to stop a medical entity detection job", @@ -36325,15 +40000,50 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a SNOMED-CT linking job", + "privilege": "StopSNOMEDCTInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [], "service_name": "Amazon Comprehend Medical" }, { - "conditions": [], + "conditions": [ + { + "condition": "compute-optimizer:ResourceType", + "description": "Filters access by the resource type", + "type": "String" + } + ], "prefix": "compute-optimizer", "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to delete recommendation preferences", + "privilege": "DeleteRecommendationPreferences", + "resource_types": [ + { + "condition_keys": [ + "compute-optimizer:ResourceType" + ], + "dependent_actions": [ + "autoscaling:DescribeAutoScalingGroups", + "ec2:DescribeInstances" + ], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to view the status of recommendation export jobs", @@ -36348,7 +40058,7 @@ }, { "access_level": "Write", - "description": "Grants permission to export autoscaling group recommendations to S3 for the provided accounts", + "description": "Grants permission to export AutoScaling group recommendations to S3 for the provided accounts", "privilege": "ExportAutoScalingGroupRecommendations", "resource_types": [ { @@ -36409,7 +40119,7 @@ }, { "access_level": "List", - "description": "Grants permission to get recommendations for the provided autoscaling groups", + "description": "Grants permission to get recommendations for the provided AutoScaling groups", "privilege": "GetAutoScalingGroupRecommendations", "resource_types": [ { @@ -36423,7 +40133,7 @@ }, { "access_level": "List", - "description": "Grants permission to get recommendations for the provided ebs volumes", + "description": "Grants permission to get recommendations for the provided EBS volumes", "privilege": "GetEBSVolumeRecommendations", "resource_types": [ { @@ -36463,6 +40173,24 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get recommendation preferences that are in effect", + "privilege": "GetEffectiveRecommendationPreferences", + "resource_types": [ + { + "condition_keys": [ + "compute-optimizer:ResourceType" + ], + "dependent_actions": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances" + ], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to get the enrollment status for the specified account", @@ -36489,7 +40217,7 @@ }, { "access_level": "List", - "description": "Grants permission to get recommendations for the provided lambda functions", + "description": "Grants permission to get recommendations for the provided Lambda functions", "privilege": "GetLambdaFunctionRecommendations", "resource_types": [ { @@ -36503,53 +40231,23 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get the recommendation summaries for the specified account(s)", - "privilege": "GetRecommendationSummaries", + "access_level": "Read", + "description": "Grants permission to get recommendation preferences", + "privilege": "GetRecommendationPreferences", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "compute-optimizer:ResourceType" + ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "Write", - "description": "Grants permission to update the enrollment status", - "privilege": "UpdateEnrollmentStatus", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "AWS Compute Optimizer" - }, - { - "conditions": [], - "prefix": "compute-optimizer", - "privileges": [ { "access_level": "List", - "description": "Grants permission to view the status of recommendation export jobs.", - "privilege": "DescribeRecommendationExportJobs", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to export autoscaling group recommendations to S3 for the provided accounts.", - "privilege": "ExportAutoScalingGroupRecommendations", + "description": "Grants permission to get the recommendation summaries for the specified account(s)", + "privilege": "GetRecommendationSummaries", "resource_types": [ { "condition_keys": [], @@ -36560,91 +40258,25 @@ }, { "access_level": "Write", - "description": "Grants permission to export EC2 instance recommendations to S3 for the provided accounts.", - "privilege": "ExportEC2InstanceRecommendations", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get recommendations for the provided autoscaling groups.", - "privilege": "GetAutoScalingGroupRecommendations", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get recommendations for the provided ebs volumes.", - "privilege": "GetEBSVolumeRecommendations", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get recommendations for the provided EC2 instances.", - "privilege": "GetEC2InstanceRecommendations", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get the recommendation projected metrics of the specified instance.", - "privilege": "GetEC2RecommendationProjectedMetrics", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get the enrollment status for the specified account.", - "privilege": "GetEnrollmentStatus", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get the recommendation summaries for the specified account(s).", - "privilege": "GetRecommendationSummaries", + "description": "Grants permission to put recommendation preferences", + "privilege": "PutRecommendationPreferences", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], + "condition_keys": [ + "compute-optimizer:ResourceType" + ], + "dependent_actions": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "ec2:DescribeInstances" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the enrollment status.", + "description": "Grants permission to update the enrollment status", "privilege": "UpdateEnrollmentStatus", "resource_types": [ { @@ -36656,7 +40288,7 @@ } ], "resources": [], - "service_name": "Compute Optimizer" + "service_name": "AWS Compute Optimizer" }, { "conditions": [ @@ -36673,7 +40305,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "config", @@ -37647,6 +41279,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "StoredQuery*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -37850,18 +41490,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by using tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by using tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by using tag keys in the request", + "type": "ArrayOfString" }, { "condition": "connect:AttributeType", @@ -37873,6 +41513,11 @@ "description": "Filters access by restricting federation into specified Amazon Connect instances", "type": "String" }, + { + "condition": "connect:SearchTag/${TagKey}", + "description": "Filters access by TagFilter condition passed in the search request", + "type": "String" + }, { "condition": "connect:StorageResourceType", "description": "Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration", @@ -37883,7 +41528,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permissions to associate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to associate approved origin for an existing Amazon Connect instance", "privilege": "AssociateApprovedOrigin", "resource_types": [ { @@ -37902,7 +41547,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to associate a Lex bot for an existing Amazon Connect instance", "privilege": "AssociateBot", "resource_types": [ { @@ -37929,7 +41574,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to associate a Customer Profiles domain for an existing Amazon Connect instance", "privilege": "AssociateCustomerProfilesDomain", "resource_types": [ { @@ -37946,7 +41591,26 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to default vocabulary for an existing Amazon Connect instance", + "privilege": "AssociateDefaultVocabulary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate instance storage for an existing Amazon Connect instance", "privilege": "AssociateInstanceStorageConfig", "resource_types": [ { @@ -37977,7 +41641,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to associate a Lambda function for an existing Amazon Connect instance", "privilege": "AssociateLambdaFunction", "resource_types": [ { @@ -37998,7 +41662,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to associate a Lex bot for an existing Amazon Connect instance", "privilege": "AssociateLexBot", "resource_types": [ { @@ -38022,7 +41686,32 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate quick connects with a queue in an Amazon Connect instance", + "description": "Grants permission to associate contact flow resources to phone number resources in an Amazon Connect instance", + "privilege": "AssociatePhoneNumberContactFlow", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate quick connects with a queue in an Amazon Connect instance", "privilege": "AssociateQueueQuickConnects", "resource_types": [ { @@ -38047,7 +41736,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate queues with a routing profile in an Amazon Connect instance", + "description": "Grants permission to associate queues with a routing profile in an Amazon Connect instance", "privilege": "AssociateRoutingProfileQueues", "resource_types": [ { @@ -38072,7 +41761,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to associate a security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to associate a security key for an existing Amazon Connect instance", "privilege": "AssociateSecurityKey", "resource_types": [ { @@ -38089,6 +41778,69 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to grant access and to associate the datasets with the specified AWS account", + "privilege": "BatchAssociateAnalyticsDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to revoke access and to disassociate the datasets with the specified AWS account", + "privilege": "BatchDisassociateAnalyticsDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to claim phone number resources in an Amazon Connect instance", + "privilege": "ClaimPhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "wildcard-phone-number*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create agent status in an Amazon Connect instance", @@ -38112,7 +41864,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a contact flow in an Amazon Connect instance", + "description": "Grants permission to create a contact flow in an Amazon Connect instance", "privilege": "CreateContactFlow", "resource_types": [ { @@ -38131,6 +41883,27 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a contact flow module in an Amazon Connect instance", + "privilege": "CreateContactFlowModule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create hours of operation in an Amazon Connect instance", @@ -38154,11 +41927,14 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a new Amazon Connect instance. The associated required actions grant permissions to configure instance settings.", + "description": "Grants permission to create a new Amazon Connect instance", "privilege": "CreateInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [ "ds:AuthorizeApplication", "ds:CheckAlias", @@ -38178,7 +41954,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create an AppIntegration association with an Amazon Connect instance", + "description": "Grants permission to create an integration association with an Amazon Connect instance", "privilege": "CreateIntegrationAssociation", "resource_types": [ { @@ -38188,7 +41964,14 @@ "connect:DescribeInstance", "ds:DescribeDirectories", "events:PutRule", - "events:PutTargets" + "events:PutTargets", + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy", + "mobiletargeting:GetApp", + "voiceid:DescribeDomain", + "wisdom:GetAssistant", + "wisdom:GetKnowledgeBase" ], "resource_type": "instance*" }, @@ -38210,7 +41993,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a queue in an Amazon Connect instance", + "description": "Grants permission to create a queue in an Amazon Connect instance", "privilege": "CreateQueue", "resource_types": [ { @@ -38313,7 +42096,40 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a use case for an AppIntegration association", + "description": "Grants permission to create a security profile for the specified Amazon Connect instance", + "privilege": "CreateSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a task template in an Amazon Connect instance", + "privilege": "CreateTaskTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a use case for an integration association", "privilege": "CreateUseCase", "resource_types": [ { @@ -38383,7 +42199,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a user hierarchy group in an Amazon Connect instance", + "description": "Grants permission to create a user hierarchy group in an Amazon Connect instance", "privilege": "CreateUserHierarchyGroup", "resource_types": [ { @@ -38393,6 +42209,69 @@ }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a vocabulary in an Amazon Connect instance", + "privilege": "CreateVocabulary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vocabulary*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a contact flow in an Amazon Connect instance", + "privilege": "DeleteContactFlow", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a contact flow module in an Amazon Connect instance", + "privilege": "DeleteContactFlowModule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "connect:InstanceId" ], "dependent_actions": [], @@ -38422,7 +42301,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed.", + "description": "Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed", "privilege": "DeleteInstance", "resource_types": [ { @@ -38436,7 +42315,8 @@ }, { "condition_keys": [ - "connect:InstanceId" + "connect:InstanceId", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -38445,7 +42325,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete an AppIntegration association from an Amazon Connect instance. The association must not have any use cases associated with it.", + "description": "Grants permission to delete an integration association from an Amazon Connect instance. The association must not have any use cases associated with it", "privilege": "DeleteIntegrationAssociation", "resource_types": [ { @@ -38476,7 +42356,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a quick connect in an Amazon Connect instance", + "description": "Grants permission to delete a quick connect in an Amazon Connect instance", "privilege": "DeleteQuickConnect", "resource_types": [ { @@ -38496,7 +42376,47 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a use case from an AppIntegration association", + "description": "Grants permission to delete a security profile in an Amazon Connect instance", + "privilege": "DeleteSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a task template in an Amazon Connect instance", + "privilege": "DeleteTaskTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task-template*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a use case from an integration association", "privilege": "DeleteUseCase", "resource_types": [ { @@ -38523,7 +42443,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a user in an Amazon Connect instance", + "description": "Grants permission to delete a user in an Amazon Connect instance", "privilege": "DeleteUser", "resource_types": [ { @@ -38543,7 +42463,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a user hierarchy group in an Amazon Connect instance", + "description": "Grants permission to delete a user hierarchy group in an Amazon Connect instance", "privilege": "DeleteUserHierarchyGroup", "resource_types": [ { @@ -38560,6 +42480,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a vocabulary in an Amazon Connect instance", + "privilege": "DeleteVocabulary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vocabulary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe agent status in an Amazon Connect instance", @@ -38582,7 +42522,26 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a contact flow in an Amazon Connect instance", + "description": "Grants permission to describe a contact in an Amazon Connect instance", + "privilege": "DescribeContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a contact flow in an Amazon Connect instance", "privilege": "DescribeContactFlow", "resource_types": [ { @@ -38602,7 +42561,27 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe hours of operation in an Amazon Connect instance", + "description": "Grants permission to describe a contact flow module in an Amazon Connect instance", + "privilege": "DescribeContactFlowModule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe hours of operation in an Amazon Connect instance", "privilege": "DescribeHoursOfOperation", "resource_types": [ { @@ -38622,7 +42601,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to view details of an Amazon Connect instance. This is required to create an instance.", + "description": "Grants permission to view details of an Amazon Connect instance and is also required to create an instance", "privilege": "DescribeInstance", "resource_types": [ { @@ -38634,7 +42613,8 @@ }, { "condition_keys": [ - "connect:InstanceId" + "connect:InstanceId", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -38643,7 +42623,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to view the attribute details of an existing Amazon Connect instance", + "description": "Grants permission to view the attribute details of an existing Amazon Connect instance", "privilege": "DescribeInstanceAttribute", "resource_types": [ { @@ -38663,7 +42643,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to view the instance storage configuration for an existing Amazon Connect instance", + "description": "Grants permission to view the instance storage configuration for an existing Amazon Connect instance", "privilege": "DescribeInstanceStorageConfig", "resource_types": [ { @@ -38681,9 +42661,28 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe phone number resources in an Amazon Connect instance", + "privilege": "DescribePhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Grants permissions to describe a queue in an Amazon Connect instance", + "description": "Grants permission to describe a queue in an Amazon Connect instance", "privilege": "DescribeQueue", "resource_types": [ { @@ -38703,7 +42702,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a quick connect in an Amazon Connect instance", + "description": "Grants permission to describe a quick connect in an Amazon Connect instance", "privilege": "DescribeQuickConnect", "resource_types": [ { @@ -38723,7 +42722,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a routing profile in an Amazon Connect instance", + "description": "Grants permission to describe a routing profile in an Amazon Connect instance", "privilege": "DescribeRoutingProfile", "resource_types": [ { @@ -38743,7 +42742,27 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a user in an Amazon Connect instance", + "description": "Grants permission to describe a security profile in an Amazon Connect instance", + "privilege": "DescribeSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a user in an Amazon Connect instance", "privilege": "DescribeUser", "resource_types": [ { @@ -38763,7 +42782,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a hierarchy group for an Amazon Connect instance", + "description": "Grants permission to describe a hierarchy group for an Amazon Connect instance", "privilege": "DescribeUserHierarchyGroup", "resource_types": [ { @@ -38782,7 +42801,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe the hierarchy structure for an Amazon Connect instance", + "description": "Grants permission to describe the hierarchy structure for an Amazon Connect instance", "privilege": "DescribeUserHierarchyStructure", "resource_types": [ { @@ -38799,9 +42818,29 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe a vocabulary in an Amazon Connect instance", + "privilege": "DescribeVocabulary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vocabulary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Grants permissions to disassociate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to disassociate approved origin for an existing Amazon Connect instance", "privilege": "DisassociateApprovedOrigin", "resource_types": [ { @@ -38820,7 +42859,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to disassociate a Lex bot for an existing Amazon Connect instance", "privilege": "DisassociateBot", "resource_types": [ { @@ -38845,7 +42884,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to disassociate a Customer Profiles domain for an existing Amazon Connect instance", "privilege": "DisassociateCustomerProfilesDomain", "resource_types": [ { @@ -38864,7 +42903,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to disassociate instance storage for an existing Amazon Connect instance", "privilege": "DisassociateInstanceStorageConfig", "resource_types": [ { @@ -38884,7 +42923,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to disassociate a Lambda function for an existing Amazon Connect instance", "privilege": "DisassociateLambdaFunction", "resource_types": [ { @@ -38905,7 +42944,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to disassociate a Lex bot for an existing Amazon Connect instance", "privilege": "DisassociateLexBot", "resource_types": [ { @@ -38928,7 +42967,27 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate quick connects from a queue in an Amazon Connect instance", + "description": "Grants permission to disassociate contact flow resources from phone number resources in an Amazon Connect instance", + "privilege": "DisassociatePhoneNumberContactFlow", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate quick connects from a queue in an Amazon Connect instance", "privilege": "DisassociateQueueQuickConnects", "resource_types": [ { @@ -38953,7 +43012,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance", + "description": "Grants permission to disassociate queues from a routing profile in an Amazon Connect instance", "privilege": "DisassociateRoutingProfileQueues", "resource_types": [ { @@ -38973,7 +43032,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disassociate the security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to disassociate the security key for an existing Amazon Connect instance", "privilege": "DisassociateSecurityKey", "resource_types": [ { @@ -38992,7 +43051,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to retrieve the contact attributes for the specified contact", + "description": "Grants permission to retrieve the contact attributes for the specified contact", "privilege": "GetContactAttributes", "resource_types": [ { @@ -39011,7 +43070,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance", + "description": "Grants permission to retrieve current metric data for the queues in an Amazon Connect instance", "privilege": "GetCurrentMetricData", "resource_types": [ { @@ -39030,7 +43089,26 @@ }, { "access_level": "Read", - "description": "Grants permissions to federate into an Amazon Connect instance when using SAML-based authentication for identity management", + "description": "Grants permission to retrieve current user data in an Amazon Connect instance", + "privilege": "GetCurrentUserData", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management", "privilege": "GetFederationToken", "resource_types": [ { @@ -39049,7 +43127,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console)", + "description": "Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console)", "privilege": "GetFederationTokens", "resource_types": [ { @@ -39065,7 +43143,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance", + "description": "Grants permission to retrieve historical metric data for queues in an Amazon Connect instance", "privilege": "GetMetricData", "resource_types": [ { @@ -39082,6 +43160,26 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get details about specified task template in an Amazon Connect instance", + "privilege": "GetTaskTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task-template*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list agent statuses in an Amazon Connect instance", @@ -39090,13 +43188,13 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance*" + "resource_type": "wildcard-agent-status*" } ] }, { "access_level": "List", - "description": "Grants permissions to view approved origins of an existing Amazon Connect instance", + "description": "Grants permission to view approved origins of an existing Amazon Connect instance", "privilege": "ListApprovedOrigins", "resource_types": [ { @@ -39115,7 +43213,7 @@ }, { "access_level": "List", - "description": "Grants permissions to view the Lex bots of an existing Amazon Connect instance", + "description": "Grants permission to view the Lex bots of an existing Amazon Connect instance", "privilege": "ListBots", "resource_types": [ { @@ -39134,19 +43232,69 @@ }, { "access_level": "List", - "description": "Grants permissions to list contact flow resources in an Amazon Connect instance", + "description": "Grants permission to list contact flow module resources in an Amazon Connect instance", + "privilege": "ListContactFlowModules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list contact flow resources in an Amazon Connect instance", "privilege": "ListContactFlows", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "wildcard-contact-flow*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list references associated with a contact in an Amazon Connect instance", + "privilege": "ListContactReferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list default vocabularies associated with a Amazon Connect instance", + "privilege": "ListDefaultVocabularies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to list hours of operation resources in an Amazon Connect instance", + "description": "Grants permission to list hours of operation resources in an Amazon Connect instance", "privilege": "ListHoursOfOperations", "resource_types": [ { @@ -39165,7 +43313,7 @@ }, { "access_level": "List", - "description": "Grants permissions to view the attributes of an existing Amazon Connect instance", + "description": "Grants permission to view the attributes of an existing Amazon Connect instance", "privilege": "ListInstanceAttributes", "resource_types": [ { @@ -39184,7 +43332,7 @@ }, { "access_level": "List", - "description": "Grants permissions to view storage configurations of an existing Amazon Connect instance", + "description": "Grants permission to view storage configurations of an existing Amazon Connect instance", "privilege": "ListInstanceStorageConfigs", "resource_types": [ { @@ -39203,7 +43351,7 @@ }, { "access_level": "List", - "description": "Grants permissions to view the Amazon Connect instances associated with an AWS account", + "description": "Grants permission to view the Amazon Connect instances associated with an AWS account", "privilege": "ListInstances", "resource_types": [ { @@ -39217,7 +43365,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list summary information about the AppIntegration associations for the specified Amazon Connect instance", + "description": "Grants permission to list summary information about the integration associations for the specified Amazon Connect instance", "privilege": "ListIntegrationAssociations", "resource_types": [ { @@ -39239,7 +43387,7 @@ }, { "access_level": "List", - "description": "Grants permissions to view the Lambda functions of an existing Amazon Connect instance", + "description": "Grants permission to view the Lambda functions of an existing Amazon Connect instance", "privilege": "ListLambdaFunctions", "resource_types": [ { @@ -39258,7 +43406,7 @@ }, { "access_level": "List", - "description": "Grants permissions to view the Lex bots of an existing Amazon Connect instance", + "description": "Grants permission to view the Lex bots of an existing Amazon Connect instance", "privilege": "ListLexBots", "resource_types": [ { @@ -39277,19 +43425,31 @@ }, { "access_level": "List", - "description": "Grants permissions to list phone number resources in an Amazon Connect instance", + "description": "Grants permission to list phone number resources in an Amazon Connect instance", "privilege": "ListPhoneNumbers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance*" + "resource_type": "wildcard-legacy-phone-number*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list phone number resources in an Amazon Connect instance", + "privilege": "ListPhoneNumbersV2", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "wildcard-phone-number*" } ] }, { "access_level": "List", - "description": "Grants permissions to list prompt resources in an Amazon Connect instance", + "description": "Grants permission to list prompt resources in an Amazon Connect instance", "privilege": "ListPrompts", "resource_types": [ { @@ -39308,7 +43468,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list quick connect resources in a queue in an Amazon Connect instance", + "description": "Grants permission to list quick connect resources in a queue in an Amazon Connect instance", "privilege": "ListQueueQuickConnects", "resource_types": [ { @@ -39328,25 +43488,25 @@ }, { "access_level": "List", - "description": "Grants permissions to list queue resources in an Amazon Connect instance", + "description": "Grants permission to list queue resources in an Amazon Connect instance", "privilege": "ListQueues", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance*" + "resource_type": "wildcard-queue*" } ] }, { "access_level": "List", - "description": "Grants permissions to list quick connect resources in an Amazon Connect instance", + "description": "Grants permission to list quick connect resources in an Amazon Connect instance", "privilege": "ListQuickConnects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance*" + "resource_type": "wildcard-quick-connect*" } ] }, @@ -39364,7 +43524,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list queue resources in a routing profile in an Amazon Connect instance", + "description": "Grants permission to list queue resources in a routing profile in an Amazon Connect instance", "privilege": "ListRoutingProfileQueues", "resource_types": [ { @@ -39384,7 +43544,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list routing profile resources in an Amazon Connect instance", + "description": "Grants permission to list routing profile resources in an Amazon Connect instance", "privilege": "ListRoutingProfiles", "resource_types": [ { @@ -39403,7 +43563,7 @@ }, { "access_level": "List", - "description": "Grants permissions to view the security keys of an existing Amazon Connect instance", + "description": "Grants permission to view the security keys of an existing Amazon Connect instance", "privilege": "ListSecurityKeys", "resource_types": [ { @@ -39422,7 +43582,27 @@ }, { "access_level": "List", - "description": "Grants permissions to list security profile resources in an Amazon Connect instance", + "description": "Grants permission to list permissions associated with security profile in an Amazon Connect instance", + "privilege": "ListSecurityProfilePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list security profile resources in an Amazon Connect instance", "privilege": "ListSecurityProfiles", "resource_types": [ { @@ -39441,19 +43621,44 @@ }, { "access_level": "Read", - "description": "Grants permissions to list tags for an Amazon Connect resource", + "description": "Grants permission to list tags for an Amazon Connect resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent-status" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hierarchy-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "integration-association" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number" + }, { "condition_keys": [], "dependent_actions": [], @@ -39469,6 +43674,11 @@ "dependent_actions": [], "resource_type": "routing-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile" + }, { "condition_keys": [], "dependent_actions": [], @@ -39479,6 +43689,11 @@ "dependent_actions": [], "resource_type": "user" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "wildcard-phone-number" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}" @@ -39490,7 +43705,19 @@ }, { "access_level": "List", - "description": "Grants permissions to list the use cases of an AppIntegration association", + "description": "Grants permission to list task template resources in an Amazon Connect instance", + "privilege": "ListTaskTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the use cases of an integration association", "privilege": "ListUseCases", "resource_types": [ { @@ -39512,7 +43739,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list the hierarchy group resources in an Amazon Connect instance", + "description": "Grants permission to list the hierarchy group resources in an Amazon Connect instance", "privilege": "ListUserHierarchyGroups", "resource_types": [ { @@ -39531,7 +43758,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list user resources in an Amazon Connect instance", + "description": "Grants permission to list user resources in an Amazon Connect instance", "privilege": "ListUsers", "resource_types": [ { @@ -39550,7 +43777,56 @@ }, { "access_level": "Write", - "description": "Grants permissions to resume recording for the specified contact", + "description": "Grants permission to switch User Status in an Amazon Connect instance", + "privilege": "PutUserStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent-status*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to release phone number resources in an Amazon Connect instance", + "privilege": "ReleasePhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to resume recording for the specified contact", "privilege": "ResumeContactRecording", "resource_types": [ { @@ -39560,9 +43836,84 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to search phone number resources in an Amazon Connect instance", + "privilege": "SearchAvailablePhoneNumbers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "wildcard-phone-number*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search security profile resources in an Amazon Connect instance", + "privilege": "SearchSecurityProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "connect:DescribeSecurityProfile" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId", + "connect:SearchTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search user resources in an Amazon Connect instance", + "privilege": "SearchUsers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "connect:DescribeUser" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId", + "connect:SearchTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search vocabularies in a Amazon Connect instance", + "privilege": "SearchVocabularies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vocabulary*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Grants permissions to initiate a chat using the Amazon Connect API", + "description": "Grants permission to initiate a chat using the Amazon Connect API", "privilege": "StartChatContact", "resource_types": [ { @@ -39574,7 +43925,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to start recording for the specified contact", + "description": "Grants permission to start recording for the specified contact", "privilege": "StartContactRecording", "resource_types": [ { @@ -39586,7 +43937,19 @@ }, { "access_level": "Write", - "description": "Grants permissions to initiate outbound calls using the Amazon Connect API", + "description": "Grants permission to start chat streaming using the Amazon Connect API", + "privilege": "StartContactStreaming", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to initiate outbound calls using the Amazon Connect API", "privilege": "StartOutboundVoiceContact", "resource_types": [ { @@ -39598,7 +43961,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to initiate a task using the Amazon Connect API", + "description": "Grants permission to initiate a task using the Amazon Connect API", "privilege": "StartTaskContact", "resource_types": [ { @@ -39617,7 +43980,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer.", + "description": "Grants permission to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer", "privilege": "StopContact", "resource_types": [ { @@ -39636,7 +43999,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to stop recording for the specified contact", + "description": "Grants permission to stop recording for the specified contact", "privilege": "StopContactRecording", "resource_types": [ { @@ -39648,7 +44011,19 @@ }, { "access_level": "Write", - "description": "Grants permissions to suspend recording for the specified contact", + "description": "Grants permission to stop chat streaming using the Amazon Connect API", + "privilege": "StopContactStreaming", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to suspend recording for the specified contact", "privilege": "SuspendContactRecording", "resource_types": [ { @@ -39660,19 +44035,49 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to tag an Amazon Connect resource", + "description": "Grants permission to tag an Amazon Connect resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent-status" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hierarchy-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "integration-association" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number" + }, { "condition_keys": [], "dependent_actions": [], @@ -39688,6 +44093,16 @@ "dependent_actions": [], "resource_type": "routing-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task-template" + }, { "condition_keys": [], "dependent_actions": [], @@ -39698,11 +44113,49 @@ "dependent_actions": [], "resource_type": "user" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vocabulary" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "wildcard-phone-number" + }, { "condition_keys": [ "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to transfer the contact to another queue or agent", + "privilege": "TransferContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -39711,19 +44164,49 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to untag an Amazon Connect resource", + "description": "Grants permission to untag an Amazon Connect resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent-status" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hierarchy-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "integration-association" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number" + }, { "condition_keys": [], "dependent_actions": [], @@ -39739,6 +44222,16 @@ "dependent_actions": [], "resource_type": "routing-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task-template" + }, { "condition_keys": [], "dependent_actions": [], @@ -39749,10 +44242,20 @@ "dependent_actions": [], "resource_type": "user" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vocabulary" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "wildcard-phone-number" + }, { "condition_keys": [ "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -39781,7 +44284,26 @@ }, { "access_level": "Write", - "description": "Grants permissions to create or update the contact attributes associated with the specified contact", + "description": "Grants permission to update a contact in an Amazon Connect instance", + "privilege": "UpdateContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create or update the contact attributes associated with the specified contact", "privilege": "UpdateContactAttributes", "resource_types": [ { @@ -39800,7 +44322,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update contact flow content in an Amazon Connect instance", + "description": "Grants permission to update contact flow content in an Amazon Connect instance", "privilege": "UpdateContactFlowContent", "resource_types": [ { @@ -39820,7 +44342,67 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the name and description of a contact flow in an Amazon Connect instance", + "description": "Grants permission to update the metadata of a contact flow in an Amazon Connect instance", + "privilege": "UpdateContactFlowMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update contact flow module content in an Amazon Connect instance", + "privilege": "UpdateContactFlowModuleContent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the metadata of a contact flow module in an Amazon Connect instance", + "privilege": "UpdateContactFlowModuleMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the name and description of a contact flow in an Amazon Connect instance", "privilege": "UpdateContactFlowName", "resource_types": [ { @@ -39838,6 +44420,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the schedule of a contact that is already scheduled in an Amazon Connect instance", + "privilege": "UpdateContactSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update hours of operation in an Amazon Connect instance", @@ -39860,7 +44461,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the attribute for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to update the attribute for an existing Amazon Connect instance", "privilege": "UpdateInstanceAttribute", "resource_types": [ { @@ -39886,7 +44487,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the storage configuration for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "description": "Grants permission to update the storage configuration for an existing Amazon Connect instance", "privilege": "UpdateInstanceStorageConfig", "resource_types": [ { @@ -39917,7 +44518,31 @@ }, { "access_level": "Write", - "description": "Grants permissions to update queue hours of operation in an Amazon Connect instance", + "description": "Grants permission to update phone number resources in an Amazon Connect instance", + "privilege": "UpdatePhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update queue hours of operation in an Amazon Connect instance", "privilege": "UpdateQueueHoursOfOperation", "resource_types": [ { @@ -39942,7 +44567,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update queue capacity in an Amazon Connect instance", + "description": "Grants permission to update queue capacity in an Amazon Connect instance", "privilege": "UpdateQueueMaxContacts", "resource_types": [ { @@ -39962,7 +44587,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a queue name and description in an Amazon Connect instance", + "description": "Grants permission to update a queue name and description in an Amazon Connect instance", "privilege": "UpdateQueueName", "resource_types": [ { @@ -39982,7 +44607,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update queue outbound caller config in an Amazon Connect instance", + "description": "Grants permission to update queue outbound caller config in an Amazon Connect instance", "privilege": "UpdateQueueOutboundCallerConfig", "resource_types": [ { @@ -40012,7 +44637,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update queue status in an Amazon Connect instance", + "description": "Grants permission to update queue status in an Amazon Connect instance", "privilege": "UpdateQueueStatus", "resource_types": [ { @@ -40032,7 +44657,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the configuration of a quick connect in an Amazon Connect instance", + "description": "Grants permission to update the configuration of a quick connect in an Amazon Connect instance", "privilege": "UpdateQuickConnectConfig", "resource_types": [ { @@ -40067,7 +44692,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a quick connect name and description in an Amazon Connect instance", + "description": "Grants permission to update a quick connect name and description in an Amazon Connect instance", "privilege": "UpdateQuickConnectName", "resource_types": [ { @@ -40087,7 +44712,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance", + "description": "Grants permission to update the concurrency in a routing profile in an Amazon Connect instance", "privilege": "UpdateRoutingProfileConcurrency", "resource_types": [ { @@ -40107,7 +44732,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance", + "description": "Grants permission to update the outbound queue in a routing profile in an Amazon Connect instance", "privilege": "UpdateRoutingProfileDefaultOutboundQueue", "resource_types": [ { @@ -40132,7 +44757,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a routing profile name and description in an Amazon Connect instance", + "description": "Grants permission to update a routing profile name and description in an Amazon Connect instance", "privilege": "UpdateRoutingProfileName", "resource_types": [ { @@ -40152,7 +44777,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the queues in routing profile in an Amazon Connect instance", + "description": "Grants permission to update the queues in routing profile in an Amazon Connect instance", "privilege": "UpdateRoutingProfileQueues", "resource_types": [ { @@ -40172,7 +44797,47 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a hierarchy group for a user in an Amazon Connect instance", + "description": "Grants permission to update a security profile group for a user in an Amazon Connect instance", + "privilege": "UpdateSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-profile*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update task template belonging to a Amazon Connect instance", + "privilege": "UpdateTaskTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task-template*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a hierarchy group for a user in an Amazon Connect instance", "privilege": "UpdateUserHierarchy", "resource_types": [ { @@ -40197,7 +44862,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a user hierarchy group name in an Amazon Connect instance", + "description": "Grants permission to update a user hierarchy group name in an Amazon Connect instance", "privilege": "UpdateUserHierarchyGroupName", "resource_types": [ { @@ -40216,7 +44881,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update user hierarchy structure in an Amazon Connect instance", + "description": "Grants permission to update user hierarchy structure in an Amazon Connect instance", "privilege": "UpdateUserHierarchyStructure", "resource_types": [ { @@ -40235,7 +44900,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update identity information for a user in an Amazon Connect instance", + "description": "Grants permission to update identity information for a user in an Amazon Connect instance", "privilege": "UpdateUserIdentityInfo", "resource_types": [ { @@ -40255,7 +44920,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update phone configuration settings for a user in an Amazon Connect instance", + "description": "Grants permission to update phone configuration settings for a user in an Amazon Connect instance", "privilege": "UpdateUserPhoneConfig", "resource_types": [ { @@ -40275,7 +44940,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a routing profile for a user in an Amazon Connect instance", + "description": "Grants permission to update a routing profile for a user in an Amazon Connect instance", "privilege": "UpdateUserRoutingProfile", "resource_types": [ { @@ -40300,7 +44965,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update security profiles for a user in an Amazon Connect instance", + "description": "Grants permission to update security profiles for a user in an Amazon Connect instance", "privilege": "UpdateUserSecurityProfiles", "resource_types": [ { @@ -40322,12 +44987,34 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update contact flow module content in an Amazon Connect instance", + "privilege": "UpdatedescribeContent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow-module*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "instance" }, { @@ -40351,12 +45038,16 @@ }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "security-profile" }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "hierarchy-group" }, { @@ -40366,6 +45057,11 @@ ], "resource": "queue" }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/*", + "condition_keys": [], + "resource": "wildcard-queue" + }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}", "condition_keys": [ @@ -40373,6 +45069,11 @@ ], "resource": "quick-connect" }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/*", + "condition_keys": [], + "resource": "wildcard-quick-connect" + }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}", "condition_keys": [ @@ -40380,6 +45081,25 @@ ], "resource": "contact-flow" }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/task-template/${TaskTemplateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "task-template" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/flow-module/${ContactFlowModuleId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "contact-flow-module" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/*", + "condition_keys": [], + "resource": "wildcard-contact-flow" + }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}", "condition_keys": [ @@ -40388,17 +45108,41 @@ "resource": "hours-of-operation" }, { - "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-status/${AgentStatusId}", + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/${AgentStatusId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "agent-status" }, { - "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId}", + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/*", + "condition_keys": [], + "resource": "wildcard-agent-status" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/${PhoneNumberId}", + "condition_keys": [], + "resource": "legacy-phone-number" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/*", "condition_keys": [], + "resource": "wildcard-legacy-phone-number" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:phone-number/${PhoneNumberId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "phone-number" }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:phone-number/*", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "wildcard-phone-number" + }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId}", "condition_keys": [ @@ -40412,6 +45156,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "use-case" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/vocabulary/${VocabularyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "vocabulary" } ], "service_name": "Amazon Connect" @@ -40431,7 +45182,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "connect-campaigns", @@ -40468,6 +45219,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove configuration information for an Amazon Connect instance", + "privilege": "DeleteConnectInstanceConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove onboarding job for an Amazon Connect instance", + "privilege": "DeleteInstanceOnboardingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a specific campaign", @@ -40525,6 +45300,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get configuration information for an Amazon Connect instance", + "privilege": "GetConnectInstanceConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get onboarding job status for an Amazon Connect instance", + "privilege": "GetInstanceOnboardingJobStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to provide summary of all campaigns", @@ -40570,18 +45369,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to add configuration information for an Amazon Connect instance", - "privilege": "PutConnectInstanceConfig", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Write", "description": "Grants permission to create dial requests for the specified campaign", @@ -40618,6 +45405,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start onboarding job for an Amazon Connect instance", + "privilege": "StartInstanceOnboardingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to stop a campaign", @@ -40724,7 +45523,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an account managed by AWS Control Tower.", + "description": "Grants permission to create an account managed by AWS Control Tower", "privilege": "CreateManagedAccount", "resource_types": [ { @@ -40736,7 +45535,7 @@ }, { "access_level": "Write", - "description": "Grants permission to deregister an account created through the account factory from AWS Control Tower.", + "description": "Grants permission to deregister an account created through the account factory from AWS Control Tower", "privilege": "DeregisterManagedAccount", "resource_types": [ { @@ -40748,7 +45547,7 @@ }, { "access_level": "Write", - "description": "Grants permission to deregister an organizational unit from AWS Control Tower management.", + "description": "Grants permission to deregister an organizational unit from AWS Control Tower management", "privilege": "DeregisterOrganizationalUnit", "resource_types": [ { @@ -40760,7 +45559,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the current account factory configuration.", + "description": "Grants permission to describe the current account factory configuration", "privilege": "DescribeAccountFactoryConfig", "resource_types": [ { @@ -40772,7 +45571,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe resources managed by core accounts in AWS Control Tower.", + "description": "Grants permission to describe resources managed by core accounts in AWS Control Tower", "privilege": "DescribeCoreService", "resource_types": [ { @@ -40784,7 +45583,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a guardrail.", + "description": "Grants permission to describe a guardrail", "privilege": "DescribeGuardrail", "resource_types": [ { @@ -40796,7 +45595,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a guardrail for a organizational unit.", + "description": "Grants permission to describe a guardrail for a organizational unit", "privilege": "DescribeGuardrailForTarget", "resource_types": [ { @@ -40808,7 +45607,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe an account created through account factory.", + "description": "Grants permission to describe an account created through account factory", "privilege": "DescribeManagedAccount", "resource_types": [ { @@ -40820,7 +45619,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower.", + "description": "Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower", "privilege": "DescribeManagedOrganizationalUnit", "resource_types": [ { @@ -40832,7 +45631,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the current AWS Control Tower SSO configuration.", + "description": "Grants permission to describe the current AWS Control Tower SSO configuration", "privilege": "DescribeSingleSignOn", "resource_types": [ { @@ -40844,7 +45643,19 @@ }, { "access_level": "Write", - "description": "Grants permission to disable a guardrail from an organizational unit.", + "description": "Grants permission to remove a control from an organizational unit", + "privilege": "DisableControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable a guardrail from an organizational unit", "privilege": "DisableGuardrail", "resource_types": [ { @@ -40856,7 +45667,19 @@ }, { "access_level": "Write", - "description": "Grants permission to enable a guardrail to an organizational unit.", + "description": "Grants permission to activate a control for an organizational unit", + "privilege": "EnableControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable a guardrail to an organizational unit", "privilege": "EnableGuardrail", "resource_types": [ { @@ -40868,7 +45691,7 @@ }, { "access_level": "Read", - "description": "Grants permission to list available updates for the current AWS Control Tower deployment.", + "description": "Grants permission to list available updates for the current AWS Control Tower deployment", "privilege": "GetAvailableUpdates", "resource_types": [ { @@ -40880,7 +45703,19 @@ }, { "access_level": "Read", - "description": "Grants permission to get the current compliance status of a guardrail.", + "description": "Grants permission to get the current status of a particular EnabledControl or DisableControl operation", + "privilege": "GetControlOperation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the current compliance status of a guardrail", "privilege": "GetGuardrailComplianceStatus", "resource_types": [ { @@ -40892,7 +45727,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get the home region of the AWS Control Tower setup.", + "description": "Grants permission to get the home region of the AWS Control Tower setup", "privilege": "GetHomeRegion", "resource_types": [ { @@ -40904,7 +45739,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get the current status of the landing zone setup.", + "description": "Grants permission to get the current status of the landing zone setup", "privilege": "GetLandingZoneStatus", "resource_types": [ { @@ -40916,7 +45751,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the current directory groups available through SSO.", + "description": "Grants permission to list the current directory groups available through SSO", "privilege": "ListDirectoryGroups", "resource_types": [ { @@ -40928,7 +45763,19 @@ }, { "access_level": "List", - "description": "Grants permission to list currently enabled guardrails.", + "description": "Grants permission to list all enabled controls in a specified organizational unit", + "privilege": "ListEnabledControls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list currently enabled guardrails", "privilege": "ListEnabledGuardrails", "resource_types": [ { @@ -40940,7 +45787,7 @@ }, { "access_level": "List", - "description": "Grants permission to list existing guardrail violations.", + "description": "Grants permission to list existing guardrail violations", "privilege": "ListGuardrailViolations", "resource_types": [ { @@ -40952,7 +45799,7 @@ }, { "access_level": "List", - "description": "Grants permission to list all available guardrails.", + "description": "Grants permission to list all available guardrails", "privilege": "ListGuardrails", "resource_types": [ { @@ -40964,7 +45811,7 @@ }, { "access_level": "List", - "description": "Grants permission to list guardrails and their current state for a organizational unit.", + "description": "Grants permission to list guardrails and their current state for a organizational unit", "privilege": "ListGuardrailsForTarget", "resource_types": [ { @@ -40976,7 +45823,7 @@ }, { "access_level": "List", - "description": "Grants permission to list accounts managed through AWS Control Tower.", + "description": "Grants permission to list accounts managed through AWS Control Tower", "privilege": "ListManagedAccounts", "resource_types": [ { @@ -40988,7 +45835,7 @@ }, { "access_level": "List", - "description": "Grants permission to list managed accounts with a specified guardrail applied.", + "description": "Grants permission to list managed accounts with a specified guardrail applied", "privilege": "ListManagedAccountsForGuardrail", "resource_types": [ { @@ -41000,7 +45847,7 @@ }, { "access_level": "List", - "description": "Grants permission to list managed accounts under an organizational unit.", + "description": "Grants permission to list managed accounts under an organizational unit", "privilege": "ListManagedAccountsForParent", "resource_types": [ { @@ -41012,7 +45859,7 @@ }, { "access_level": "List", - "description": "Grants permission to list organizational units managed by AWS Control Tower.", + "description": "Grants permission to list organizational units managed by AWS Control Tower", "privilege": "ListManagedOrganizationalUnits", "resource_types": [ { @@ -41024,7 +45871,7 @@ }, { "access_level": "List", - "description": "Grants permission to list managed organizational units that have a specified guardrail applied.", + "description": "Grants permission to list managed organizational units that have a specified guardrail applied", "privilege": "ListManagedOrganizationalUnitsForGuardrail", "resource_types": [ { @@ -41036,7 +45883,7 @@ }, { "access_level": "Write", - "description": "Grants permission to set up an organizational unit to be managed by AWS Control Tower.", + "description": "Grants permission to set up an organizational unit to be managed by AWS Control Tower", "privilege": "ManageOrganizationalUnit", "resource_types": [ { @@ -41048,7 +45895,7 @@ }, { "access_level": "Write", - "description": "Grants permission to set up or update AWS Control Tower landing zone.", + "description": "Grants permission to set up or update AWS Control Tower landing zone", "privilege": "SetupLandingZone", "resource_types": [ { @@ -41060,7 +45907,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update the account factory configuration.", + "description": "Grants permission to update the account factory configuration", "privilege": "UpdateAccountFactoryConfig", "resource_types": [ { @@ -41140,18 +45987,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "databrew", @@ -41243,6 +46090,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a ruleset", + "privilege": "CreateRuleset", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a schedule", @@ -41306,6 +46168,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a ruleset", + "privilege": "DeleteRuleset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Ruleset*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a schedule", @@ -41378,6 +46252,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view details about a ruleset", + "privilege": "DescribeRuleset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Ruleset*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view details about a schedule", @@ -41462,6 +46348,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list rulesets in your account", + "privilege": "ListRulesets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list schedules in your account", @@ -41470,7 +46368,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Schedule*" + "resource_type": "" } ] }, @@ -41499,6 +46397,11 @@ "dependent_actions": [], "resource_type": "Recipe" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Ruleset" + }, { "condition_keys": [], "dependent_actions": [], @@ -41591,6 +46494,11 @@ "dependent_actions": [], "resource_type": "Recipe" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Ruleset" + }, { "condition_keys": [], "dependent_actions": [], @@ -41631,6 +46539,11 @@ "dependent_actions": [], "resource_type": "Recipe" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Ruleset" + }, { "condition_keys": [], "dependent_actions": [], @@ -41705,6 +46618,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to modify a ruleset", + "privilege": "UpdateRuleset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Ruleset*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to modify a schedule", @@ -41733,6 +46658,13 @@ ], "resource": "Dataset" }, + { + "arn": "arn:${Partition}:databrew:${Region}:${Account}:ruleset/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Ruleset" + }, { "arn": "arn:${Partition}:databrew:${Region}:${Account}:recipe/${ResourceId}", "condition_keys": [ @@ -41772,7 +46704,7 @@ { "condition": "aws:TagKeys", "description": "Filters access by the presence of mandatory tags in the create request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "dataexchange:JobType", @@ -41784,7 +46716,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permissions to cancel a job", + "description": "Grants permission to cancel a job", "privilege": "CancelJob", "resource_types": [ { @@ -41800,11 +46732,7 @@ "privilege": "CreateAsset", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -41840,7 +46768,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a job to import or export assets", + "description": "Grants permission to create a job to import or export assets", "privilege": "CreateJob", "resource_types": [ { @@ -41868,7 +46796,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete an asset", + "description": "Grants permission to delete an asset", "privilege": "DeleteAsset", "resource_types": [ { @@ -41880,7 +46808,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a data set", + "description": "Grants permission to delete a data set", "privilege": "DeleteDataSet", "resource_types": [ { @@ -41904,7 +46832,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a revision", + "description": "Grants permission to delete a revision", "privilege": "DeleteRevision", "resource_types": [ { @@ -41916,7 +46844,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about an asset and to export it (for example, in a Job)", + "description": "Grants permission to get information about an asset and to export it (for example, in a Job)", "privilege": "GetAsset", "resource_types": [ { @@ -41952,7 +46880,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about a job", + "description": "Grants permission to get information about a job", "privilege": "GetJob", "resource_types": [ { @@ -41976,7 +46904,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to list the revisions of a data set", + "description": "Grants permission to list the revisions of a data set", "privilege": "ListDataSetRevisions", "resource_types": [ { @@ -42012,7 +46940,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to list jobs for the account", + "description": "Grants permission to list jobs for the account", "privilege": "ListJobs", "resource_types": [ { @@ -42024,7 +46952,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get list the assets of a revision", + "description": "Grants permission to get list the assets of a revision", "privilege": "ListRevisionAssets", "resource_types": [ { @@ -42036,7 +46964,7 @@ }, { "access_level": "Read", - "description": "Grants permission to list the tags that you associated with the specified resource.", + "description": "Grants permission to list the tags that you associated with the specified resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -42065,7 +46993,31 @@ }, { "access_level": "Write", - "description": "Grants permissions to start a job", + "description": "Grants permission to revoke subscriber access to a revision", + "privilege": "RevokeRevision", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "revisions*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send a request to an API asset", + "privilege": "SendApiAsset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assets*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a job", "privilege": "StartJob", "resource_types": [ { @@ -42126,7 +47078,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to get update information about an asset", + "description": "Grants permission to get update information about an asset", "privilege": "UpdateAsset", "resource_types": [ { @@ -42138,7 +47090,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update information about a data set", + "description": "Grants permission to update information about a data set", "privilege": "UpdateDataSet", "resource_types": [ { @@ -42162,7 +47114,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update information about a revision", + "description": "Grants permission to update information about a revision", "privilege": "UpdateRevision", "resource_types": [ { @@ -42183,12 +47135,16 @@ }, { "arn": "arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "data-sets" }, { "arn": "arn:${Partition}:dataexchange:${Region}:${Account}:data-sets/${DataSetId}/revisions/${RevisionId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "revisions" }, { @@ -42206,27 +47162,37 @@ }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" + }, { "condition": "datapipeline:PipelineCreator", - "description": "The IAM user that created the pipeline.", - "type": "ARN" + "description": "Filters access by the IAM user that created the pipeline", + "type": "ArrayOfString" }, { "condition": "datapipeline:Tag", - "description": "A customer-specified key/value pair that can be attached to a resource.", - "type": "ARN" + "description": "Filters access by customer-specified key/value pair that can be attached to a resource", + "type": "ArrayOfString" }, { "condition": "datapipeline:workerGroup", - "description": "The name of a worker group for which a Task Runner retrieves work.", - "type": "ARN" + "description": "Filters access by the name of a worker group for which a Task Runner retrieves work", + "type": "ArrayOfString" } ], "prefix": "datapipeline", "privileges": [ { "access_level": "Write", - "description": "Validates the specified pipeline and starts processing pipeline tasks. If the pipeline does not pass validation, activation fails.", + "description": "Grants permission to validate the specified pipeline and starts processing pipeline tasks. If the pipeline does not pass validation, activation fails", "privilege": "ActivatePipeline", "resource_types": [ { @@ -42242,7 +47208,7 @@ }, { "access_level": "Tagging", - "description": "Adds or modifies tags for the specified pipeline.", + "description": "Grants permission to add or modify tags for the specified pipeline", "privilege": "AddTags", "resource_types": [ { @@ -42257,11 +47223,13 @@ }, { "access_level": "Write", - "description": "Creates a new, empty pipeline.", + "description": "Grants permission to create a new, empty pipeline", "privilege": "CreatePipeline", "resource_types": [ { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "datapipeline:Tag" ], "dependent_actions": [], @@ -42271,7 +47239,7 @@ }, { "access_level": "Write", - "description": "Deactivates the specified running pipeline.", + "description": "Grants permission to Deactivate the specified running pipeline", "privilege": "DeactivatePipeline", "resource_types": [ { @@ -42287,7 +47255,7 @@ }, { "access_level": "Write", - "description": "Deletes a pipeline, its pipeline definition, and its run history.", + "description": "Grants permission to delete a pipeline, its pipeline definition, and its run history", "privilege": "DeletePipeline", "resource_types": [ { @@ -42302,7 +47270,7 @@ }, { "access_level": "Read", - "description": "Gets the object definitions for a set of objects associated with the pipeline.", + "description": "Grants permission to get the object definitions for a set of objects associated with the pipeline", "privilege": "DescribeObjects", "resource_types": [ { @@ -42317,7 +47285,7 @@ }, { "access_level": "List", - "description": "Retrieves metadata about one or more pipelines.", + "description": "Grants permission to retrieves metadata about one or more pipelines", "privilege": "DescribePipelines", "resource_types": [ { @@ -42332,7 +47300,7 @@ }, { "access_level": "Read", - "description": "Task runners call EvaluateExpression to evaluate a string in the context of the specified object.", + "description": "Grants permission to task runners to call EvaluateExpression, to evaluate a string in the context of the specified object", "privilege": "EvaluateExpression", "resource_types": [ { @@ -42347,7 +47315,7 @@ }, { "access_level": "List", - "description": "Description for GetAccountLimits", + "description": "Grants permission to call GetAccountLimits", "privilege": "GetAccountLimits", "resource_types": [ { @@ -42359,7 +47327,7 @@ }, { "access_level": "Read", - "description": "Gets the definition of the specified pipeline.", + "description": "Grants permission to gets the definition of the specified pipeline", "privilege": "GetPipelineDefinition", "resource_types": [ { @@ -42375,7 +47343,7 @@ }, { "access_level": "List", - "description": "Lists the pipeline identifiers for all active pipelines that you have permission to access.", + "description": "Grants permission to list the pipeline identifiers for all active pipelines that you have permission to access", "privilege": "ListPipelines", "resource_types": [ { @@ -42387,7 +47355,7 @@ }, { "access_level": "Write", - "description": "Task runners call PollForTask to receive a task to perform from AWS Data Pipeline.", + "description": "Grants permission to task runners to call PollForTask, to receive a task to perform from AWS Data Pipeline", "privilege": "PollForTask", "resource_types": [ { @@ -42401,7 +47369,7 @@ }, { "access_level": "Write", - "description": "Description for PutAccountLimits", + "description": "Grants permission to call PutAccountLimits", "privilege": "PutAccountLimits", "resource_types": [ { @@ -42413,7 +47381,7 @@ }, { "access_level": "Write", - "description": "Adds tasks, schedules, and preconditions to the specified pipeline.", + "description": "Grants permission to add tasks, schedules, and preconditions to the specified pipeline", "privilege": "PutPipelineDefinition", "resource_types": [ { @@ -42429,7 +47397,7 @@ }, { "access_level": "Read", - "description": "Queries the specified pipeline for the names of objects that match the specified set of conditions.", + "description": "Grants permission to query the specified pipeline for the names of objects that match the specified set of conditions", "privilege": "QueryObjects", "resource_types": [ { @@ -42444,7 +47412,7 @@ }, { "access_level": "Tagging", - "description": "Removes existing tags from the specified pipeline.", + "description": "Grants permission to remove existing tags from the specified pipeline", "privilege": "RemoveTags", "resource_types": [ { @@ -42459,7 +47427,7 @@ }, { "access_level": "Write", - "description": "Task runners call ReportTaskProgress when assigned a task to acknowledge that it has the task.", + "description": "Grants permission to task runners to call ReportTaskProgress, when they are assigned a task to acknowledge that it has the task", "privilege": "ReportTaskProgress", "resource_types": [ { @@ -42471,7 +47439,7 @@ }, { "access_level": "Write", - "description": "Task runners call ReportTaskRunnerHeartbeat every 15 minutes to indicate that they are operational.", + "description": "Grants permission to task runners to call ReportTaskRunnerHeartbeat every 15 minutes to indicate that they are operational", "privilege": "ReportTaskRunnerHeartbeat", "resource_types": [ { @@ -42483,7 +47451,7 @@ }, { "access_level": "Write", - "description": "Requests that the status of the specified physical or logical pipeline objects be updated in the specified pipeline.", + "description": "Grants permission to requests that the status of the specified physical or logical pipeline objects be updated in the specified pipeline", "privilege": "SetStatus", "resource_types": [ { @@ -42498,7 +47466,7 @@ }, { "access_level": "Write", - "description": "Task runners call SetTaskStatus to notify AWS Data Pipeline that a task is completed and provide information about the final status.", + "description": "Grants permission to task runners to call SetTaskStatus to notify AWS Data Pipeline that a task is completed and provide information about the final status", "privilege": "SetTaskStatus", "resource_types": [ { @@ -42510,7 +47478,7 @@ }, { "access_level": "Read", - "description": "Validates the specified pipeline definition to ensure that it is well formed and can be run without error.", + "description": "Grants permission to validate the specified pipeline definition to ensure that it is well formed and can be run without error", "privilege": "ValidatePipelineDefinition", "resource_types": [ { @@ -42526,31 +47494,31 @@ } ], "resources": [], - "service_name": "Data Pipeline" + "service_name": "AWS Data Pipeline" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the tags.", + "description": "Filters access by the tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", + "description": "Filters access by the tag key-value pairs associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", - "type": "String" + "description": "Filters access by the tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "datasync", "privileges": [ { "access_level": "Write", - "description": "Cancels execution of a sync task.", + "description": "Grants permission to cancel execution of a sync task", "privilege": "CancelTaskExecution", "resource_types": [ { @@ -42562,7 +47530,7 @@ }, { "access_level": "Write", - "description": "Activates an agent that you have deployed on your host.", + "description": "Grants permission to activate an agent that you have deployed on your host", "privilege": "CreateAgent", "resource_types": [ { @@ -42577,7 +47545,7 @@ }, { "access_level": "Write", - "description": "Creates an endpoint for an Amazon EFS file system.", + "description": "Grants permission to create an endpoint for an Amazon EFS file system", "privilege": "CreateLocationEfs", "resource_types": [ { @@ -42592,7 +47560,52 @@ }, { "access_level": "Write", - "description": "Creates an endpoint for an Amazon FSx Windows File Server file system.", + "description": "Grants permission to create an endpoint for an Amazon Fsx Lustre", + "privilege": "CreateLocationFsxLustre", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for Amazon FSx for ONTAP", + "privilege": "CreateLocationFsxOntap", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for Amazon FSx for OpenZFS", + "privilege": "CreateLocationFsxOpenZfs", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for an Amazon FSx Windows File Server file system", "privilege": "CreateLocationFsxWindows", "resource_types": [ { @@ -42607,7 +47620,22 @@ }, { "access_level": "Write", - "description": "Creates an endpoint for a NFS file system.", + "description": "Grants permission to create an endpoint for an Amazon Hdfs", + "privilege": "CreateLocationHdfs", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for a NFS file system", "privilege": "CreateLocationNfs", "resource_types": [ { @@ -42622,7 +47650,7 @@ }, { "access_level": "Write", - "description": "Creates an endpoint for a self-managed object storage bucket.", + "description": "Grants permission to create an endpoint for a self-managed object storage bucket", "privilege": "CreateLocationObjectStorage", "resource_types": [ { @@ -42637,7 +47665,7 @@ }, { "access_level": "Write", - "description": "Creates an endpoint for an Amazon S3 bucket.", + "description": "Grants permission to create an endpoint for an Amazon S3 bucket", "privilege": "CreateLocationS3", "resource_types": [ { @@ -42652,7 +47680,7 @@ }, { "access_level": "Write", - "description": "Creates an endpoint for an SMB file system.", + "description": "Grants permission to create an endpoint for an SMB file system", "privilege": "CreateLocationSmb", "resource_types": [ { @@ -42667,7 +47695,7 @@ }, { "access_level": "Write", - "description": "Creates a sync task.", + "description": "Grants permission to create a sync task", "privilege": "CreateTask", "resource_types": [ { @@ -42682,7 +47710,7 @@ }, { "access_level": "Write", - "description": "Deletes an agent.", + "description": "Grants permission to delete an agent", "privilege": "DeleteAgent", "resource_types": [ { @@ -42694,7 +47722,7 @@ }, { "access_level": "Write", - "description": "Deletes the configuration of a location used by AWS DataSync.", + "description": "Grants permission to delete a location used by AWS DataSync", "privilege": "DeleteLocation", "resource_types": [ { @@ -42706,7 +47734,7 @@ }, { "access_level": "Write", - "description": "Deletes a sync task.", + "description": "Grants permission to delete a sync task", "privilege": "DeleteTask", "resource_types": [ { @@ -42718,7 +47746,7 @@ }, { "access_level": "Read", - "description": "Returns metadata such as name, network interfaces, and the status (that is, whether the agent is running or not) about a sync agent.", + "description": "Grants permission to view metadata such as name, network interfaces, and the status (that is, whether the agent is running or not) about a sync agent", "privilege": "DescribeAgent", "resource_types": [ { @@ -42730,7 +47758,7 @@ }, { "access_level": "Read", - "description": "Returns metadata, such as the path information about an Amazon EFS sync location.", + "description": "Grants permission to view metadata, such as the path information about an Amazon EFS sync location", "privilege": "DescribeLocationEfs", "resource_types": [ { @@ -42742,7 +47770,43 @@ }, { "access_level": "Read", - "description": "Returns metadata, such as the path information about an Amazon FSx Windows sync location.", + "description": "Grants permission to view metadata, such as the path information about an Amazon FSx Lustre sync location", + "privilege": "DescribeLocationFsxLustre", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information about an Amazon FSx for ONTAP sync location", + "privilege": "DescribeLocationFsxOntap", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information about an Amazon FSx OpenZFS sync location", + "privilege": "DescribeLocationFsxOpenZfs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information about an Amazon FSx Windows sync location", "privilege": "DescribeLocationFsxWindows", "resource_types": [ { @@ -42754,7 +47818,19 @@ }, { "access_level": "Read", - "description": "Returns metadata, such as the path information, about a NFS sync location.", + "description": "Grants permission to view metadata, such as the path information about an Amazon HDFS sync location", + "privilege": "DescribeLocationHdfs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information, about a NFS sync location", "privilege": "DescribeLocationNfs", "resource_types": [ { @@ -42766,7 +47842,7 @@ }, { "access_level": "Read", - "description": "Returns metadata about a self-managed object storage server location.", + "description": "Grants permission to view metadata about a self-managed object storage server location", "privilege": "DescribeLocationObjectStorage", "resource_types": [ { @@ -42778,7 +47854,7 @@ }, { "access_level": "Read", - "description": "Returns metadata, such as bucket name, about an Amazon S3 bucket sync location.", + "description": "Grants permission to view metadata, such as bucket name, about an Amazon S3 bucket sync location", "privilege": "DescribeLocationS3", "resource_types": [ { @@ -42790,7 +47866,7 @@ }, { "access_level": "Read", - "description": "Returns metadata, such as the path information, about an SMB sync location.", + "description": "Grants permission to view metadata, such as the path information, about an SMB sync location", "privilege": "DescribeLocationSmb", "resource_types": [ { @@ -42802,7 +47878,7 @@ }, { "access_level": "Read", - "description": "Returns metadata about a sync task.", + "description": "Grants permission to view metadata about a sync task", "privilege": "DescribeTask", "resource_types": [ { @@ -42814,7 +47890,7 @@ }, { "access_level": "Read", - "description": "Returns detailed metadata about a sync task that is being executed.", + "description": "Grants permission to view metadata about a sync task that is being executed", "privilege": "DescribeTaskExecution", "resource_types": [ { @@ -42826,7 +47902,7 @@ }, { "access_level": "List", - "description": "Returns a list of agents owned by an AWS account in a region specified in the request.", + "description": "Grants permission to list agents owned by an AWS account in a region specified in the request", "privilege": "ListAgents", "resource_types": [ { @@ -42838,7 +47914,7 @@ }, { "access_level": "List", - "description": "Returns a lists of source and destination sync locations.", + "description": "Grants permission to list source and destination sync locations", "privilege": "ListLocations", "resource_types": [ { @@ -42850,7 +47926,7 @@ }, { "access_level": "Read", - "description": "This operation lists the tags that have been added to the specified resource.", + "description": "Grants permission to list tags that have been added to the specified resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -42872,7 +47948,7 @@ }, { "access_level": "List", - "description": "Returns a list of executed sync tasks.", + "description": "Grants permission to list executed sync tasks", "privilege": "ListTaskExecutions", "resource_types": [ { @@ -42884,7 +47960,7 @@ }, { "access_level": "List", - "description": "Returns a list of all the sync tasks.", + "description": "Grants permission to list of all the sync tasks", "privilege": "ListTasks", "resource_types": [ { @@ -42896,7 +47972,7 @@ }, { "access_level": "Write", - "description": "Starts a specific invocation of a sync task.", + "description": "Grants permission to start a specific invocation of a sync task", "privilege": "StartTaskExecution", "resource_types": [ { @@ -42907,8 +47983,8 @@ ] }, { - "access_level": "Write", - "description": "Applies a key-value pair to an AWS resource.", + "access_level": "Tagging", + "description": "Grants permission to apply a key-value pair to an AWS resource", "privilege": "TagResource", "resource_types": [ { @@ -42938,7 +48014,7 @@ }, { "access_level": "Tagging", - "description": "This operation removes one or more tags from the specified resource.", + "description": "Grants permission to remove one or more tags from the specified resource", "privilege": "UntagResource", "resource_types": [ { @@ -42967,7 +48043,7 @@ }, { "access_level": "Write", - "description": "Updates the name of an agent.", + "description": "Grants permission to update the name of an agent", "privilege": "UpdateAgent", "resource_types": [ { @@ -42979,287 +48055,8 @@ }, { "access_level": "Write", - "description": "Updates the metadata associated with a sync task.", - "privilege": "UpdateTask", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:datasync:${Region}:${AccountId}:agent/${AgentId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "agent" - }, - { - "arn": "arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "location" - }, - { - "arn": "arn:${Partition}:datasync:${Region}:${AccountId}:task/${TaskId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "task" - }, - { - "arn": "arn:${Partition}:datasync:${Region}:${AccountId}:task/${TaskId}/execution/${ExecutionId}", - "condition_keys": [], - "resource": "taskexecution" - } - ], - "service_name": "DataSync" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the tags.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", - "type": "String" - } - ], - "prefix": "datasync", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to cancel execution of a sync task", - "privilege": "CancelTaskExecution", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "taskexecution*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to activate an agent that you have deployed on your host", - "privilege": "CreateAgent", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an endpoint for an Amazon EFS file system", - "privilege": "CreateLocationEfs", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an endpoint for an Amazon FSx Windows File Server file system", - "privilege": "CreateLocationFsxWindows", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an endpoint for a NFS file system", - "privilege": "CreateLocationNfs", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an endpoint for a self-managed object storage bucket", - "privilege": "CreateLocationObjectStorage", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an endpoint for an Amazon S3 bucket", - "privilege": "CreateLocationS3", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an endpoint for an SMB file system", - "privilege": "CreateLocationSmb", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a sync task.", - "privilege": "CreateTask", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an agent", - "privilege": "DeleteAgent", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "agent*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a location used by AWS DataSync", - "privilege": "DeleteLocation", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a sync task", - "privilege": "DeleteTask", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata such as name, network interfaces, and the status (that is, whether the agent is running or not) about a sync agent", - "privilege": "DescribeAgent", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "agent*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata, such as the path information about an Amazon EFS sync location", - "privilege": "DescribeLocationEfs", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata, such as the path information about an Amazon FSx Windows sync location", - "privilege": "DescribeLocationFsxWindows", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata, such as the path information, about a NFS sync location", - "privilege": "DescribeLocationNfs", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata about a self-managed object storage server location", - "privilege": "DescribeLocationObjectStorage", + "description": "Grants permission to update an HDFS sync Location", + "privilege": "UpdateLocationHdfs", "resource_types": [ { "condition_keys": [], @@ -43268,207 +48065,6 @@ } ] }, - { - "access_level": "Read", - "description": "Grants permission to view metadata, such as bucket name, about an Amazon S3 bucket sync location", - "privilege": "DescribeLocationS3", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata, such as the path information, about an SMB sync location", - "privilege": "DescribeLocationSmb", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata about a sync task", - "privilege": "DescribeTask", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view metadata about a sync task that is being executed", - "privilege": "DescribeTaskExecution", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "taskexecution*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list agents owned by an AWS account in a region specified in the request", - "privilege": "ListAgents", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list source and destination sync locations", - "privilege": "ListLocations", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list tags that have been added to the specified resource", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "agent" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list executed sync tasks", - "privilege": "ListTaskExecutions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list of all the sync tasks", - "privilege": "ListTasks", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start a specific invocation of a sync task", - "privilege": "StartTaskExecution", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to apply a key-value pair to an AWS resource", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "agent" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from the specified resource", - "privilege": "UntagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "agent" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "location" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the name of an agent.", - "privilege": "UpdateAgent", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "agent*" - } - ] - }, { "access_level": "Write", "description": "Grants permission to update an NFS sync Location", @@ -43558,13 +48154,13 @@ "resource": "taskexecution" } ], - "service_name": "AWSDataSync" + "service_name": "AWS DataSync" }, { "conditions": [ { "condition": "dax:EnclosingOperation", - "description": "Used to block Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa.", + "description": "Used to block Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa", "type": "String" } ], @@ -43572,7 +48168,7 @@ "privileges": [ { "access_level": "Read", - "description": "The BatchGetItem action returns the attributes of one or more items from one or more tables.", + "description": "Grants permission to return the attributes of one or more items from one or more tables", "privilege": "BatchGetItem", "resource_types": [ { @@ -43584,7 +48180,7 @@ }, { "access_level": "Write", - "description": "The BatchWriteItem action operation puts or deletes multiple items in one or more tables.", + "description": "Grants permission to put or delete multiple items in one or more tables", "privilege": "BatchWriteItem", "resource_types": [ { @@ -43596,7 +48192,7 @@ }, { "access_level": "Read", - "description": "The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key", + "description": "Grants permission to the ConditionCheckItem operation that checks the existence of a set of attributes for the item with the given primary key", "privilege": "ConditionCheckItem", "resource_types": [ { @@ -43608,7 +48204,7 @@ }, { "access_level": "Write", - "description": "The CreateCluster action creates a DAX cluster.", + "description": "Grants permission to create a DAX cluster", "privilege": "CreateCluster", "resource_types": [ { @@ -43631,7 +48227,7 @@ }, { "access_level": "Write", - "description": "The CreateParameterGroup action creates collection of parameters that you apply to all of the nodes in a DAX cluster.", + "description": "Grants permission to create a parameter group", "privilege": "CreateParameterGroup", "resource_types": [ { @@ -43643,7 +48239,7 @@ }, { "access_level": "Write", - "description": "The CreateSubnetGroup action creates a new subnet group.", + "description": "Grants permission to create a subnet group", "privilege": "CreateSubnetGroup", "resource_types": [ { @@ -43655,7 +48251,7 @@ }, { "access_level": "Write", - "description": "The DecreaseReplicationFactor action removes one or more nodes from a DAX cluster.", + "description": "Grants permission to remove one or more nodes from a DAX cluster", "privilege": "DecreaseReplicationFactor", "resource_types": [ { @@ -43667,7 +48263,7 @@ }, { "access_level": "Write", - "description": "The DeleteCluster action deletes a previously provisioned DAX cluster.", + "description": "Grants permission to delete a previously provisioned DAX cluster", "privilege": "DeleteCluster", "resource_types": [ { @@ -43679,7 +48275,7 @@ }, { "access_level": "Write", - "description": "The DeleteItem action deletes a single item in a table by primary key.", + "description": "Grants permission to delete a single item in a table by primary key", "privilege": "DeleteItem", "resource_types": [ { @@ -43698,7 +48294,7 @@ }, { "access_level": "Write", - "description": "The DeleteParameterGroup action deletes the specified parameter group.", + "description": "Grants permission to delete the specified parameter group", "privilege": "DeleteParameterGroup", "resource_types": [ { @@ -43710,7 +48306,7 @@ }, { "access_level": "Write", - "description": "The DeleteSubnetGroup action deletes a subnet group.", + "description": "Grants permission to delete a subnet group", "privilege": "DeleteSubnetGroup", "resource_types": [ { @@ -43722,7 +48318,7 @@ }, { "access_level": "List", - "description": "The DescribeClusters action returns information about all provisioned DAX clusters.", + "description": "Grants permission to return information about all provisioned DAX clusters", "privilege": "DescribeClusters", "resource_types": [ { @@ -43734,7 +48330,7 @@ }, { "access_level": "List", - "description": "The DescribeDefaultParameters action returns the default system parameter information for DAX.", + "description": "Grants permission to return the default system parameter information for DAX", "privilege": "DescribeDefaultParameters", "resource_types": [ { @@ -43746,7 +48342,7 @@ }, { "access_level": "List", - "description": "The DescribeEvents action returns events related to DAX clusters and parameter groups.", + "description": "Grants permission to return events related to DAX clusters and parameter groups", "privilege": "DescribeEvents", "resource_types": [ { @@ -43758,7 +48354,7 @@ }, { "access_level": "List", - "description": "The DescribeParameterGroups action returns a list of parameter group descriptions.", + "description": "Grants permission to return a list of parameter group descriptions", "privilege": "DescribeParameterGroups", "resource_types": [ { @@ -43770,7 +48366,7 @@ }, { "access_level": "Read", - "description": "The DescribeParameters action returns the detailed parameter list for a particular parameter group.", + "description": "Grants permission to return the detailed parameter list for a particular parameter group", "privilege": "DescribeParameters", "resource_types": [ { @@ -43782,7 +48378,7 @@ }, { "access_level": "List", - "description": "The DescribeSubnetGroups action returns a list of subnet group descriptions.", + "description": "Grants permission to return a list of subnet group descriptions", "privilege": "DescribeSubnetGroups", "resource_types": [ { @@ -43794,7 +48390,7 @@ }, { "access_level": "Read", - "description": "The GetItem action returns a set of attributes for the item with the given primary key.", + "description": "Grants permission to the GetItem operation that returns a set of attributes for the item with the given primary key", "privilege": "GetItem", "resource_types": [ { @@ -43813,7 +48409,7 @@ }, { "access_level": "Write", - "description": "The IncreaseReplicationFactor action adds one or more nodes to a DAX cluster.", + "description": "Grants permission to add one or more nodes to a DAX cluster", "privilege": "IncreaseReplicationFactor", "resource_types": [ { @@ -43825,7 +48421,7 @@ }, { "access_level": "Read", - "description": "The ListTags action returns a list all of the tags for a DAX cluster.", + "description": "Grants permission to return a list all of the tags for a DAX cluster", "privilege": "ListTags", "resource_types": [ { @@ -43837,7 +48433,7 @@ }, { "access_level": "Write", - "description": "The PutItem action creates a new item, or replaces an old item with a new item.", + "description": "Grants permission to create a new item, or replace an old item with a new item", "privilege": "PutItem", "resource_types": [ { @@ -43856,7 +48452,7 @@ }, { "access_level": "Read", - "description": "The Query action finds items based on primary key values. You can query any table or secondary index that has a composite primary key (a partition key and a sort key).", + "description": "Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index", "privilege": "Query", "resource_types": [ { @@ -43868,7 +48464,7 @@ }, { "access_level": "Write", - "description": "The RebootNode action reboots a single node of a DAX cluster.", + "description": "Grants permission to reboot a single node of a DAX cluster", "privilege": "RebootNode", "resource_types": [ { @@ -43880,7 +48476,7 @@ }, { "access_level": "Read", - "description": "The Scan action returns one or more items and item attributes by accessing every item in a table or a secondary index.", + "description": "Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index", "privilege": "Scan", "resource_types": [ { @@ -43892,7 +48488,7 @@ }, { "access_level": "Tagging", - "description": "The TagResource action associates a set of tags with a DAX resource.", + "description": "Grants permission to associate a set of tags with a DAX resource", "privilege": "TagResource", "resource_types": [ { @@ -43904,7 +48500,7 @@ }, { "access_level": "Tagging", - "description": "The UntagResource action removes the association of tags from a DAX resource.", + "description": "Grants permission to remove the association of tags from a DAX resource", "privilege": "UntagResource", "resource_types": [ { @@ -43916,7 +48512,7 @@ }, { "access_level": "Write", - "description": "The UpdateCluster action modifies the settings for a DAX cluster.", + "description": "Grants permission to modify the settings for a DAX cluster", "privilege": "UpdateCluster", "resource_types": [ { @@ -43928,7 +48524,7 @@ }, { "access_level": "Write", - "description": "The UpdateItem action edits an existing item's attributes, or adds a new item to the table if it does not already exist.", + "description": "Grants permission to edit an existing item's attributes, or adds a new item to the table if it does not already exist", "privilege": "UpdateItem", "resource_types": [ { @@ -43947,7 +48543,7 @@ }, { "access_level": "Write", - "description": "The UpdateParameterGroup action modifies the parameters of a parameter group.", + "description": "Grants permission to modify the parameters of a parameter group", "privilege": "UpdateParameterGroup", "resource_types": [ { @@ -43959,7 +48555,7 @@ }, { "access_level": "Write", - "description": "The UpdateSubnetGroup action modifies an existing subnet group.", + "description": "Grants permission to modify an existing subnet group", "privilege": "UpdateSubnetGroup", "resource_types": [ { @@ -44147,18 +48743,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by actions based on the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "deepcomposer", @@ -44805,7 +49401,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions by tag keys in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "deepracer:MultiUser", @@ -45858,18 +50454,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by specifying the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by specifying the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by specifying the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "detective", @@ -45886,6 +50482,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the datasource package history for the specified member accounts in a behavior graph managed by this account", + "privilege": "BatchGetGraphMemberDatasources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Graph*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the datasource package history of the caller account for the specified graphs", + "privilege": "BatchGetMembershipDatasources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a behavior graph and begin to aggregate security information", @@ -45937,6 +50557,34 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view the current configuration related to the Amazon Detective integration with AWS Organizations", + "privilege": "DescribeOrganizationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "organizations:DescribeOrganization" + ], + "resource_type": "Graph*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the Amazon Detective delegated administrator account for an organization", + "privilege": "DisableOrganizationAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "organizations:DescribeOrganization" + ], + "resource_type": "Graph*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to remove the association of this account with a behavior graph", @@ -45949,6 +50597,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to designate the Amazon Detective delegated administrator account for an organization", + "privilege": "EnableOrganizationAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "organizations:DescribeOrganization", + "organizations:EnableAWSServiceAccess", + "organizations:RegisterDelegatedAdministrator" + ], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a behavior graph's eligibility for a free trial period", @@ -46009,6 +50674,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list a graph's datasource package ingest states and timestamps for the most recent state changes in a behavior graph managed by this account", + "privilege": "ListDatasourcePackages", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Graph*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list behavior graphs managed by this account", @@ -46045,6 +50722,20 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to view the current Amazon Detective delegated administrator account for an organization", + "privilege": "ListOrganizationAdminAccounts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "organizations:DescribeOrganization" + ], + "resource_type": "Graph*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list the tag values that are assigned to a behavior graph", @@ -46090,7 +50781,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start data ingest for a member account that has a status of ACCEPTED_BUT_DISABLED.", + "description": "Grants permission to start data ingest for a member account that has a status of ACCEPTED_BUT_DISABLED", "privilege": "StartMonitoringMember", "resource_types": [ { @@ -46139,6 +50830,32 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable or disable datasource package(s) in a behavior graph managed by this account", + "privilege": "UpdateDatasourcePackages", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Graph*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the current configuration related to the Amazon Detective integration with AWS Organizations", + "privilege": "UpdateOrganizationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "organizations:DescribeOrganization" + ], + "resource_type": "Graph*" + } + ] } ], "resources": [ @@ -46167,7 +50884,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "devicefarm", @@ -47467,6 +52184,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete specified insight in your account", + "privilege": "DeleteInsight", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view the health of operations in your AWS account", @@ -47503,6 +52232,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details about event sources for DevOps Guru", + "privilege": "DescribeEventSourcesConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view the feedback details of a specified insight", @@ -47527,6 +52268,42 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view the health of operations in your organization", + "privilege": "DescribeOrganizationHealth", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the health of operations within a time range in your organization", + "privilege": "DescribeOrganizationOverview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the health of operations for each AWS CloudFormation stack or AWS Services or accounts specified in DevOps Guru in your organization", + "privilege": "DescribeOrganizationResourceCollectionHealth", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view the health of operations for each AWS CloudFormation stack specified in DevOps Guru", @@ -47587,6 +52364,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list log anomalies of a given insight in your account", + "privilege": "ListAnomalousLogGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list resource events that are evaluated by DevOps Guru", @@ -47611,6 +52400,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list resource monitored by DevOps Guru in your account", + "privilege": "ListMonitoredResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list notification channels configured for DevOps Guru in your account", @@ -47623,6 +52424,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list insights in your organization", + "privilege": "ListOrganizationInsights", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list a specified insight's recommendations", @@ -47674,6 +52487,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to search insights in your organization", + "privilege": "SearchOrganizationInsights", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to start the creation of an estimate of the monthly cost", @@ -47686,6 +52511,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an event source for DevOps Guru", + "privilege": "UpdateEventSourcesConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the list of AWS CloudFormation stacks that are used to specify which AWS resources in your account are analyzed by DevOps Guru", @@ -47700,7 +52537,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to enable or disable a service that integrates with DevOps Guru", + "description": "Grants permission to enable or disable a service that integrates with DevOps Guru", "privilege": "UpdateServiceIntegration", "resource_types": [ { @@ -47724,17 +52561,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by actions based on the presence of tag keys in the request", "type": "String" } ], @@ -47742,7 +52579,7 @@ "privileges": [ { "access_level": "Write", - "description": "Accepts a proposal request to attach a virtual private gateway to a Direct Connect gateway.", + "description": "Grants permission to accept a proposal request to attach a virtual private gateway to a Direct Connect gateway", "privilege": "AcceptDirectConnectGatewayAssociationProposal", "resource_types": [ { @@ -47754,7 +52591,7 @@ }, { "access_level": "Write", - "description": "Creates a hosted connection on an interconnect.", + "description": "Grants permission to create a hosted connection on an interconnect", "privilege": "AllocateConnectionOnInterconnect", "resource_types": [ { @@ -47766,7 +52603,7 @@ }, { "access_level": "Write", - "description": "Creates a new hosted connection between a AWS Direct Connect partner's network and a specific AWS Direct Connect location.", + "description": "Grants permission to create a new hosted connection between a AWS Direct Connect partner's network and a specific AWS Direct Connect location", "privilege": "AllocateHostedConnection", "resource_types": [ { @@ -47791,7 +52628,7 @@ }, { "access_level": "Write", - "description": "Provisions a private virtual interface to be owned by a different customer.", + "description": "Grants permission to provision a private virtual interface to be owned by a different customer", "privilege": "AllocatePrivateVirtualInterface", "resource_types": [ { @@ -47816,7 +52653,7 @@ }, { "access_level": "Write", - "description": "Provisions a public virtual interface to be owned by a different customer.", + "description": "Grants permission to provision a public virtual interface to be owned by a different customer", "privilege": "AllocatePublicVirtualInterface", "resource_types": [ { @@ -47841,7 +52678,7 @@ }, { "access_level": "Write", - "description": "Provisions a transit virtual interface to be owned by a different customer.", + "description": "Grants permission to provision a transit virtual interface to be owned by a different customer", "privilege": "AllocateTransitVirtualInterface", "resource_types": [ { @@ -47866,7 +52703,7 @@ }, { "access_level": "Write", - "description": "Associates a connection with a LAG.", + "description": "Grants permission to associate a connection with a LAG", "privilege": "AssociateConnectionWithLag", "resource_types": [ { @@ -47883,7 +52720,7 @@ }, { "access_level": "Write", - "description": "Associates a hosted connection and its virtual interfaces with a link aggregation group (LAG) or interconnect.", + "description": "Grants permission to associate a hosted connection and its virtual interfaces with a link aggregation group (LAG) or interconnect", "privilege": "AssociateHostedConnection", "resource_types": [ { @@ -47922,7 +52759,7 @@ }, { "access_level": "Write", - "description": "Associates a virtual interface with a specified link aggregation group (LAG) or connection.", + "description": "Grants permission to associate a virtual interface with a specified link aggregation group (LAG) or connection", "privilege": "AssociateVirtualInterface", "resource_types": [ { @@ -47944,7 +52781,7 @@ }, { "access_level": "Write", - "description": "Confirm the creation of a hosted connection on an interconnect.", + "description": "Grants permission to confirm the creation of a hosted connection on an interconnect", "privilege": "ConfirmConnection", "resource_types": [ { @@ -47956,7 +52793,19 @@ }, { "access_level": "Write", - "description": "Accept ownership of a private virtual interface created by another customer.", + "description": "Grants permission to confirm the the terms of agreement when creating the connection or link aggregation group (LAG)", + "privilege": "ConfirmCustomerAgreement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to accept ownership of a private virtual interface created by another customer", "privilege": "ConfirmPrivateVirtualInterface", "resource_types": [ { @@ -47968,7 +52817,7 @@ }, { "access_level": "Write", - "description": "Accept ownership of a public virtual interface created by another customer", + "description": "Grants permission to accept ownership of a public virtual interface created by another customer", "privilege": "ConfirmPublicVirtualInterface", "resource_types": [ { @@ -47980,7 +52829,7 @@ }, { "access_level": "Write", - "description": "Accept ownership of a transit virtual interface created by another customer", + "description": "Grants permission to accept ownership of a transit virtual interface created by another customer", "privilege": "ConfirmTransitVirtualInterface", "resource_types": [ { @@ -47992,7 +52841,7 @@ }, { "access_level": "Write", - "description": "Creates a BGP peer on the specified virtual interface.", + "description": "Grants permission to create a BGP peer on the specified virtual interface", "privilege": "CreateBGPPeer", "resource_types": [ { @@ -48004,7 +52853,7 @@ }, { "access_level": "Write", - "description": "Creates a new connection between the customer network and a specific AWS Direct Connect location.", + "description": "Grants permission to create a new connection between the customer network and a specific AWS Direct Connect location", "privilege": "CreateConnection", "resource_types": [ { @@ -48024,7 +52873,7 @@ }, { "access_level": "Write", - "description": "Creates a Direct Connect gateway, which is an intermediate object that enables you to connect a set of virtual interfaces and virtual private gateways.", + "description": "Grants permission to create a Direct Connect gateway, which is an intermediate object that enables you to connect a set of virtual interfaces and virtual private gateways", "privilege": "CreateDirectConnectGateway", "resource_types": [ { @@ -48036,7 +52885,7 @@ }, { "access_level": "Write", - "description": "Creates an association between a Direct Connect gateway and a virtual private gateway.", + "description": "Grants permission to create an association between a Direct Connect gateway and a virtual private gateway", "privilege": "CreateDirectConnectGatewayAssociation", "resource_types": [ { @@ -48048,7 +52897,7 @@ }, { "access_level": "Write", - "description": "Creates a proposal to associate the specified virtual private gateway with the specified Direct Connect gateway.", + "description": "Grants permission to create a proposal to associate the specified virtual private gateway with the specified Direct Connect gateway", "privilege": "CreateDirectConnectGatewayAssociationProposal", "resource_types": [ { @@ -48060,7 +52909,7 @@ }, { "access_level": "Write", - "description": "Creates a new interconnect between a AWS Direct Connect partner's network and a specific AWS Direct Connect location.", + "description": "Grants permission to create a new interconnect between a AWS Direct Connect partner's network and a specific AWS Direct Connect location", "privilege": "CreateInterconnect", "resource_types": [ { @@ -48080,7 +52929,7 @@ }, { "access_level": "Write", - "description": "Creates a link aggregation group (LAG) with the specified number of bundled physical connections between the customer network and a specific AWS Direct Connect location.", + "description": "Grants permission to create a link aggregation group (LAG) with the specified number of bundled physical connections between the customer network and a specific AWS Direct Connect location", "privilege": "CreateLag", "resource_types": [ { @@ -48100,7 +52949,7 @@ }, { "access_level": "Write", - "description": "Creates a new private virtual interface.", + "description": "Grants permission to create a new private virtual interface", "privilege": "CreatePrivateVirtualInterface", "resource_types": [ { @@ -48125,7 +52974,7 @@ }, { "access_level": "Write", - "description": "Creates a new public virtual interface.", + "description": "Grants permission to create a new public virtual interface", "privilege": "CreatePublicVirtualInterface", "resource_types": [ { @@ -48150,7 +52999,7 @@ }, { "access_level": "Write", - "description": "Creates a new transit virtual interface.", + "description": "Grants permission to create a new transit virtual interface", "privilege": "CreateTransitVirtualInterface", "resource_types": [ { @@ -48175,7 +53024,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified BGP peer on the specified virtual interface with the specified customer address and ASN.", + "description": "Grants permission to delete the specified BGP peer on the specified virtual interface with the specified customer address and ASN", "privilege": "DeleteBGPPeer", "resource_types": [ { @@ -48187,7 +53036,7 @@ }, { "access_level": "Write", - "description": "Deletes the connection.", + "description": "Grants permission to delete the connection", "privilege": "DeleteConnection", "resource_types": [ { @@ -48199,7 +53048,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified Direct Connect gateway.", + "description": "Grants permission to delete the specified Direct Connect gateway", "privilege": "DeleteDirectConnectGateway", "resource_types": [ { @@ -48211,7 +53060,7 @@ }, { "access_level": "Write", - "description": "Deletes the association between the specified Direct Connect gateway and virtual private gateway.", + "description": "Grants permission to delete the association between the specified Direct Connect gateway and virtual private gateway", "privilege": "DeleteDirectConnectGatewayAssociation", "resource_types": [ { @@ -48223,7 +53072,7 @@ }, { "access_level": "Write", - "description": "Deletes the association proposal request between the specified Direct Connect gateway and virtual private gateway.", + "description": "Grants permission to delete the association proposal request between the specified Direct Connect gateway and virtual private gateway", "privilege": "DeleteDirectConnectGatewayAssociationProposal", "resource_types": [ { @@ -48235,7 +53084,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified interconnect.", + "description": "Grants permission to delete the specified interconnect", "privilege": "DeleteInterconnect", "resource_types": [ { @@ -48247,7 +53096,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified link aggregation group (LAG).", + "description": "Grants permission to delete the specified link aggregation group (LAG)", "privilege": "DeleteLag", "resource_types": [ { @@ -48259,7 +53108,7 @@ }, { "access_level": "Write", - "description": "Deletes a virtual interface.", + "description": "Grants permission to delete a virtual interface", "privilege": "DeleteVirtualInterface", "resource_types": [ { @@ -48271,7 +53120,7 @@ }, { "access_level": "Read", - "description": "Returns the LOA-CFA for a Connection.", + "description": "Grants permission to describe the LOA-CFA for a Connection", "privilege": "DescribeConnectionLoa", "resource_types": [ { @@ -48283,7 +53132,7 @@ }, { "access_level": "Read", - "description": "Displays all connections in this region.", + "description": "Grants permission to describe all connections in this region", "privilege": "DescribeConnections", "resource_types": [ { @@ -48295,7 +53144,7 @@ }, { "access_level": "Read", - "description": "Return a list of connections that have been provisioned on the given interconnect.", + "description": "Grants permission to describe a list of connections that have been provisioned on the given interconnect", "privilege": "DescribeConnectionsOnInterconnect", "resource_types": [ { @@ -48307,7 +53156,19 @@ }, { "access_level": "Read", - "description": "Describes one or more association proposals for connection between a virtual private gateway and a Direct Connect gateway.", + "description": "Grants permission to view a list of customer agreements, along with their signed status and whether the customer is an NNIPartner, NNIPartnerV2, or a nonPartner", + "privilege": "DescribeCustomerMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe one or more association proposals for connection between a virtual private gateway and a Direct Connect gateway", "privilege": "DescribeDirectConnectGatewayAssociationProposals", "resource_types": [ { @@ -48319,7 +53180,7 @@ }, { "access_level": "Read", - "description": "Lists the associations between your Direct Connect gateways and virtual private gateways.", + "description": "Grants permission to describe the associations between your Direct Connect gateways and virtual private gateways", "privilege": "DescribeDirectConnectGatewayAssociations", "resource_types": [ { @@ -48331,7 +53192,7 @@ }, { "access_level": "Read", - "description": "Lists the attachments between your Direct Connect gateways and virtual interfaces.", + "description": "Grants permission to describe the attachments between your Direct Connect gateways and virtual interfaces", "privilege": "DescribeDirectConnectGatewayAttachments", "resource_types": [ { @@ -48343,7 +53204,7 @@ }, { "access_level": "Read", - "description": "Lists all your Direct Connect gateways or only the specified Direct Connect gateway.", + "description": "Grants permission to describe all your Direct Connect gateways or only the specified Direct Connect gateway", "privilege": "DescribeDirectConnectGateways", "resource_types": [ { @@ -48355,7 +53216,7 @@ }, { "access_level": "Read", - "description": "Lists the hosted connections that have been provisioned on the specified interconnect or link aggregation group (LAG).", + "description": "Grants permission to describe the hosted connections that have been provisioned on the specified interconnect or link aggregation group (LAG)", "privilege": "DescribeHostedConnections", "resource_types": [ { @@ -48372,7 +53233,7 @@ }, { "access_level": "Read", - "description": "Returns the LOA-CFA for an Interconnect.", + "description": "Grants permission to describe the LOA-CFA for an Interconnect", "privilege": "DescribeInterconnectLoa", "resource_types": [ { @@ -48384,7 +53245,7 @@ }, { "access_level": "Read", - "description": "Returns a list of interconnects owned by the AWS account.", + "description": "Grants permission to describe a list of interconnects owned by the AWS account", "privilege": "DescribeInterconnects", "resource_types": [ { @@ -48396,7 +53257,7 @@ }, { "access_level": "Read", - "description": "Describes all your link aggregation groups (LAG) or the specified LAG.", + "description": "Grants permission to describe all your link aggregation groups (LAG) or the specified LAG", "privilege": "DescribeLags", "resource_types": [ { @@ -48408,7 +53269,7 @@ }, { "access_level": "Read", - "description": "Gets the LOA-CFA for a connection, interconnect, or link aggregation group (LAG).", + "description": "Grants permission to describe the LOA-CFA for a connection, interconnect, or link aggregation group (LAG)", "privilege": "DescribeLoa", "resource_types": [ { @@ -48424,8 +53285,8 @@ ] }, { - "access_level": "List", - "description": "Returns the list of AWS Direct Connect locations in the current AWS region.", + "access_level": "Read", + "description": "Grants permission to describe the list of AWS Direct Connect locations in the current AWS region", "privilege": "DescribeLocations", "resource_types": [ { @@ -48437,7 +53298,19 @@ }, { "access_level": "Read", - "description": "Describes the tags associated with the specified AWS Direct Connect resources.", + "description": "Grants permission to describe Details about the router for a virtual interface", + "privilege": "DescribeRouterConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dxvif*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the tags associated with the specified AWS Direct Connect resources", "privilege": "DescribeTags", "resource_types": [ { @@ -48459,7 +53332,7 @@ }, { "access_level": "Read", - "description": "Returns a list of virtual private gateways owned by the AWS account.", + "description": "Grants permission to describe a list of virtual private gateways owned by the AWS account", "privilege": "DescribeVirtualGateways", "resource_types": [ { @@ -48471,7 +53344,7 @@ }, { "access_level": "Read", - "description": "Displays all virtual interfaces for an AWS account.", + "description": "Grants permission to describe all virtual interfaces for an AWS account", "privilege": "DescribeVirtualInterfaces", "resource_types": [ { @@ -48493,7 +53366,7 @@ }, { "access_level": "Write", - "description": "Disassociates a connection from a link aggregation group (LAG).", + "description": "Grants permission to disassociate a connection from a link aggregation group (LAG)", "privilege": "DisassociateConnectionFromLag", "resource_types": [ { @@ -48527,7 +53400,7 @@ }, { "access_level": "List", - "description": "Lists the virtual interface failover test history.", + "description": "Grants permission to list the virtual interface failover test history", "privilege": "ListVirtualInterfaceTestHistory", "resource_types": [ { @@ -48539,7 +53412,7 @@ }, { "access_level": "Write", - "description": "Starts the virtual interface failover test that verifies your configuration meets your resiliency requirements by placing the BGP peering session in the DOWN state. You can then send traffic to verify that there are no outages.", + "description": "Grants permission to start the virtual interface failover test that verifies your configuration meets your resiliency requirements by placing the BGP peering session in the DOWN state. You can then send traffic to verify that there are no outages", "privilege": "StartBgpFailoverTest", "resource_types": [ { @@ -48551,7 +53424,7 @@ }, { "access_level": "Write", - "description": "Stops the virtual interface failover test.", + "description": "Grants permission to stop the virtual interface failover test", "privilege": "StopBgpFailoverTest", "resource_types": [ { @@ -48563,7 +53436,7 @@ }, { "access_level": "Tagging", - "description": "Adds the specified tags to the specified AWS Direct Connect resource. Each resource can have a maximum of 50 tags.", + "description": "Grants permission to add the specified tags to the specified AWS Direct Connect resource. Each resource can have a maximum of 50 tags", "privilege": "TagResource", "resource_types": [ { @@ -48593,7 +53466,7 @@ }, { "access_level": "Tagging", - "description": "Removes one or more tags from the specified AWS Direct Connect resource.", + "description": "Grants permission to remove one or more tags from the specified AWS Direct Connect resource", "privilege": "UntagResource", "resource_types": [ { @@ -48634,7 +53507,19 @@ }, { "access_level": "Write", - "description": "Updates the specified attributes of the Direct Connect gateway association.", + "description": "Grants permission to update the name of a Direct Connect gateway", + "privilege": "UpdateDirectConnectGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dx-gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the specified attributes of the Direct Connect gateway association", "privilege": "UpdateDirectConnectGatewayAssociation", "resource_types": [ { @@ -48646,7 +53531,7 @@ }, { "access_level": "Write", - "description": "Updates the attributes of the specified link aggregation group (LAG).", + "description": "Grants permission to update the attributes of the specified link aggregation group (LAG)", "privilege": "UpdateLag", "resource_types": [ { @@ -48658,7 +53543,7 @@ }, { "access_level": "Write", - "description": "Updates the specified attributes of the specified virtual private interface.", + "description": "Grants permission to update the specified attributes of the specified virtual private interface", "privilege": "UpdateVirtualInterfaceAttributes", "resource_types": [ { @@ -48705,7 +53590,7 @@ "privileges": [ { "access_level": "Write", - "description": "Associates one or more configuration items with an application.", + "description": "Grants permission to AssociateConfigurationItemsToApplication API. AssociateConfigurationItemsToApplication associates one or more configuration items with an application", "privilege": "AssociateConfigurationItemsToApplication", "resource_types": [ { @@ -48717,7 +53602,7 @@ }, { "access_level": "Write", - "description": "Deletes one or more Migration Hub import tasks, each identified by their import ID. Each import task has a number of records, which can identify servers or applications.", + "description": "Grants permission to BatchDeleteImportData API. BatchDeleteImportData deletes one or more Migration Hub import tasks, each identified by their import ID. Each import task has a number of records, which can identify servers or applications", "privilege": "BatchDeleteImportData", "resource_types": [ { @@ -48729,7 +53614,7 @@ }, { "access_level": "Write", - "description": "Creates an application with the given name and description.", + "description": "Grants permission to CreateApplication API. CreateApplication creates an application with the given name and description", "privilege": "CreateApplication", "resource_types": [ { @@ -48741,7 +53626,7 @@ }, { "access_level": "Tagging", - "description": "Creates one or more tags for configuration items. Tags are metadata that help you categorize IT assets. This API accepts a list of multiple configuration items.", + "description": "Grants permission to CreateTags API. CreateTags creates one or more tags for configuration items. Tags are metadata that help you categorize IT assets. This API accepts a list of multiple configuration items", "privilege": "CreateTags", "resource_types": [ { @@ -48753,7 +53638,7 @@ }, { "access_level": "Write", - "description": "Deletes a list of applications and their associations with configuration items.", + "description": "Grants permission to DeleteApplications API. DeleteApplications deletes a list of applications and their associations with configuration items", "privilege": "DeleteApplications", "resource_types": [ { @@ -48765,7 +53650,7 @@ }, { "access_level": "Tagging", - "description": "Deletes the association between configuration items and one or more tags. This API accepts a list of multiple configuration items.", + "description": "Grants permission to DeleteTags API. DeleteTags deletes the association between configuration items and one or more tags. This API accepts a list of multiple configuration items", "privilege": "DeleteTags", "resource_types": [ { @@ -48777,7 +53662,7 @@ }, { "access_level": "Read", - "description": "Lists agents or the Connector by ID or lists all agents/Connectors associated with your user account if you did not specify an ID.", + "description": "Grants permission to DescribeAgents API. DescribeAgents lists agents or the Connector by ID or lists all agents/Connectors associated with your user account if you did not specify an ID", "privilege": "DescribeAgents", "resource_types": [ { @@ -48789,7 +53674,7 @@ }, { "access_level": "Read", - "description": "Retrieves attributes for a list of configuration item IDs. All of the supplied IDs must be for the same asset type (server, application, process, or connection). Output fields are specific to the asset type selected. For example, the output for a server configuration item includes a list of attributes about the server, such as host name, operating system, and number of network cards.", + "description": "Grants permission to DescribeConfigurations API. DescribeConfigurations retrieves attributes for a list of configuration item IDs. All of the supplied IDs must be for the same asset type (server, application, process, or connection). Output fields are specific to the asset type selected. For example, the output for a server configuration item includes a list of attributes about the server, such as host name, operating system, and number of network cards", "privilege": "DescribeConfigurations", "resource_types": [ { @@ -48801,7 +53686,7 @@ }, { "access_level": "Read", - "description": "Lists exports as specified by ID. All continuous exports associated with your user account can be listed if you call DescribeContinuousExports as is without passing any parameters.", + "description": "Grants permission to DescribeContinuousExports API. DescribeContinuousExports lists exports as specified by ID. All continuous exports associated with your user account can be listed if you call DescribeContinuousExports as is without passing any parameters", "privilege": "DescribeContinuousExports", "resource_types": [ { @@ -48813,7 +53698,7 @@ }, { "access_level": "Read", - "description": "Retrieves the status of a given export process. You can retrieve status from a maximum of 100 processes.", + "description": "Grants permission to DescribeExportConfigurations API. DescribeExportConfigurations retrieves the status of a given export process. You can retrieve status from a maximum of 100 processes", "privilege": "DescribeExportConfigurations", "resource_types": [ { @@ -48825,7 +53710,7 @@ }, { "access_level": "Read", - "description": "Retrieve status of one or more export tasks. You can retrieve the status of up to 100 export tasks.", + "description": "Grants permission to DescribeExportTasks API. DescribeExportTasks retrieve status of one or more export tasks. You can retrieve the status of up to 100 export tasks", "privilege": "DescribeExportTasks", "resource_types": [ { @@ -48837,7 +53722,7 @@ }, { "access_level": "List", - "description": "Returns an array of import tasks for your account, including status information, times, IDs, the Amazon S3 Object URL for the import file, and more.", + "description": "Grants permission to DescribeImportTasks API. DescribeImportTasks returns an array of import tasks for your account, including status information, times, IDs, the Amazon S3 Object URL for the import file, and more", "privilege": "DescribeImportTasks", "resource_types": [ { @@ -48849,7 +53734,7 @@ }, { "access_level": "Read", - "description": "Retrieves a list of configuration items that are tagged with a specific tag. Or retrieves a list of all tags assigned to a specific configuration item.", + "description": "Grants permission to DescribeTags API. DescribeTags retrieves a list of configuration items that are tagged with a specific tag. Or retrieves a list of all tags assigned to a specific configuration item", "privilege": "DescribeTags", "resource_types": [ { @@ -48861,7 +53746,7 @@ }, { "access_level": "Write", - "description": "Disassociates one or more configuration items from an application.", + "description": "Grants permission to DisassociateConfigurationItemsFromApplication API. DisassociateConfigurationItemsFromApplication disassociates one or more configuration items from an application", "privilege": "DisassociateConfigurationItemsFromApplication", "resource_types": [ { @@ -48873,7 +53758,7 @@ }, { "access_level": "Write", - "description": "Exports all discovered configuration data to an Amazon S3 bucket or an application that enables you to view and evaluate the data. Data includes tags and tag associations, processes, connections, servers, and system performance.", + "description": "Grants permission to ExportConfigurations API. ExportConfigurations exports all discovered configuration data to an Amazon S3 bucket or an application that enables you to view and evaluate the data. Data includes tags and tag associations, processes, connections, servers, and system performance", "privilege": "ExportConfigurations", "resource_types": [ { @@ -48885,7 +53770,7 @@ }, { "access_level": "Read", - "description": "Retrieves a short summary of discovered assets.", + "description": "Grants permission to GetDiscoverySummary API. GetDiscoverySummary retrieves a short summary of discovered assets", "privilege": "GetDiscoverySummary", "resource_types": [ { @@ -48895,9 +53780,21 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to GetNetworkConnectionGraph API. GetNetworkConnectionGraph accepts input list of one of - Ip Addresses, server ids or node ids. Returns a list of nodes and edges which help customer visualize network connection graph. This API is used for visualize network graph functionality in MigrationHub console", + "privilege": "GetNetworkConnectionGraph", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", - "description": "Retrieves a list of configuration items according to criteria you specify in a filter. The filter criteria identify relationship requirements.", + "description": "Grants permission to ListConfigurations API. ListConfigurations retrieves a list of configuration items according to criteria you specify in a filter. The filter criteria identify relationship requirements", "privilege": "ListConfigurations", "resource_types": [ { @@ -48909,7 +53806,7 @@ }, { "access_level": "List", - "description": "Retrieves a list of servers which are one network hop away from a specified server.", + "description": "Grants permission to ListServerNeighbors API. ListServerNeighbors retrieves a list of servers which are one network hop away from a specified server", "privilege": "ListServerNeighbors", "resource_types": [ { @@ -48921,19 +53818,24 @@ }, { "access_level": "Write", - "description": "Start the continuous flow of agent's discovered data into Amazon Athena.", + "description": "Grants permission to StartContinuousExport API. StartContinuousExport start the continuous flow of agent's discovered data into Amazon Athena", "privilege": "StartContinuousExport", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:AttachRolePolicy", + "iam:CreatePolicy", + "iam:CreateRole", + "iam:CreateServiceLinkedRole" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Instructs the specified agents or Connectors to start collecting data.", + "description": "Grants permission to StartDataCollectionByAgentIds API. StartDataCollectionByAgentIds instructs the specified agents or Connectors to start collecting data", "privilege": "StartDataCollectionByAgentIds", "resource_types": [ { @@ -48945,7 +53847,7 @@ }, { "access_level": "Write", - "description": "Export the configuration data about discovered configuration items and relationships to an S3 bucket in a specified format.", + "description": "Grants permission to StartExportTask API. StartExportTask export the configuration data about discovered configuration items and relationships to an S3 bucket in a specified format", "privilege": "StartExportTask", "resource_types": [ { @@ -48957,19 +53859,24 @@ }, { "access_level": "Write", - "description": "Starts an import task. The Migration Hub import feature allows you to import details of your on-premises environment directly into AWS without having to use the Application Discovery Service (ADS) tools such as the Discovery Connector or Discovery Agent. This gives you the option to perform migration assessment and planning directly from your imported data including the ability to group your devices as applications and track their migration status.", + "description": "Grants permission to StartImportTask API. StartImportTask starts an import task. The Migration Hub import feature allows you to import details of your on-premises environment directly into AWS without having to use the Application Discovery Service (ADS) tools such as the Discovery Connector or Discovery Agent. This gives you the option to perform migration assessment and planning directly from your imported data including the ability to group your devices as applications and track their migration status", "privilege": "StartImportTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "discovery:AssociateConfigurationItemsToApplication", + "discovery:CreateApplication", + "discovery:CreateTags", + "discovery:ListConfigurations" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Stop the continuous flow of agent's discovered data into Amazon Athena.", + "description": "Grants permission to StopContinuousExport API. StopContinuousExport stops the continuous flow of agent's discovered data into Amazon Athena", "privilege": "StopContinuousExport", "resource_types": [ { @@ -48981,7 +53888,7 @@ }, { "access_level": "Write", - "description": "Instructs the specified agents or Connectors to stop collecting data.", + "description": "Grants permission to StopDataCollectionByAgentIds API. StopDataCollectionByAgentIds instructs the specified agents or Connectors to stop collecting data", "privilege": "StopDataCollectionByAgentIds", "resource_types": [ { @@ -48993,7 +53900,7 @@ }, { "access_level": "Write", - "description": "Updates metadata about an application.", + "description": "Grants permission to UpdateApplication API. UpdateApplication updates metadata about an application", "privilege": "UpdateApplication", "resource_types": [ { @@ -49005,31 +53912,31 @@ } ], "resources": [], - "service_name": "Application Discovery" + "service_name": "AWS Application Discovery Service" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "dlm", "privileges": [ { "access_level": "Write", - "description": "Create a data lifecycle policy to manage the scheduled creation and retention of Amazon EBS snapshots. You may have up to 100 policies.", + "description": "Grants permission to create a data lifecycle policy to manage the scheduled creation and retention of Amazon EBS snapshots. You may have up to 100 policies", "privilege": "CreateLifecyclePolicy", "resource_types": [ { @@ -49044,7 +53951,7 @@ }, { "access_level": "Write", - "description": "Delete an existing data lifecycle policy. In addition, this action halts the creation and deletion of snapshots that the policy specified. Existing snapshots are not affected.", + "description": "Grants permission to delete an existing data lifecycle policy. In addition, this action halts the creation and deletion of snapshots that the policy specified. Existing snapshots are not affected", "privilege": "DeleteLifecyclePolicy", "resource_types": [ { @@ -49056,7 +53963,7 @@ }, { "access_level": "List", - "description": "Returns a list of summary descriptions of data lifecycle policies.", + "description": "Grants permission to returns a list of summary descriptions of data lifecycle policies", "privilege": "GetLifecyclePolicies", "resource_types": [ { @@ -49068,7 +53975,7 @@ }, { "access_level": "Read", - "description": "Returns a complete description of a single data lifecycle policy.", + "description": "Grants permission to return a complete description of a single data lifecycle policy", "privilege": "GetLifecyclePolicy", "resource_types": [ { @@ -49080,7 +53987,7 @@ }, { "access_level": "Read", - "description": "Grants permission to list the tags associated with a resource.", + "description": "Grants permission to list the tags associated with a resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -49092,31 +53999,47 @@ }, { "access_level": "Tagging", - "description": "Grants permission to add or update tags of a resource.", + "description": "Grants permission to add or update tags of a resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "policy*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to remove associated with a resource.", + "description": "Grants permission to remove tags associated with a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "policy*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an existing data lifecycle policy.", + "description": "Grants permission to update an existing data lifecycle policy", "privilege": "UpdateLifecyclePolicy", "resource_types": [ { @@ -49153,7 +54076,7 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "dms:cert-tag/${TagKey}", @@ -50085,73 +55008,82 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "", + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "drs:CreateAction", + "description": "Filters access by the name of a resource-creating API action", + "type": "String" + }, + { + "condition": "drs:EC2InstanceARN", + "description": "Filters access by the EC2 instance the request originated from", "type": "String" } ], - "prefix": "ds", + "prefix": "drs", "privileges": [ { "access_level": "Write", - "description": "Accepts a directory sharing request that was sent from the directory owner account.", - "privilege": "AcceptSharedDirectory", + "description": "Grants permission to get associate failback client to recovery instance", + "privilege": "AssociateFailbackClientToRecoveryInstanceForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Write", - "description": "Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services", - "privilege": "AddIpRoutes", + "description": "Grants permission to batch create volume snapshot group", + "privilege": "BatchCreateVolumeSnapshotGroupForDrs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DescribeSecurityGroups" - ], - "resource_type": "directory*" + "dependent_actions": [], + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Adds two domain controllers in the specified Region for the specified directory.", - "privilege": "AddRegion", + "description": "Grants permission to batch delete snapshot request", + "privilege": "BatchDeleteSnapshotRequestForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Adds or overwrites one or more tags for the specified Amazon Directory Services directory.", - "privilege": "AddTagsToResource", + "access_level": "Write", + "description": "Grants permission to create converted snapshot", + "privilege": "CreateConvertedSnapshotForDrs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "directory*" + "dependent_actions": [], + "resource_type": "SourceServerResource*" }, { "condition_keys": [ @@ -50165,32 +55097,58 @@ }, { "access_level": "Write", - "description": "Authorizes an application for your AWS Directory.", - "privilege": "AuthorizeApplication", + "description": "Grants permission to extend a source server", + "privilege": "CreateExtendedSourceServer", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Cancels an in-progress schema extension to a Microsoft AD directory.", - "privilege": "CancelSchemaExtension", + "description": "Grants permission to create recovery instance", + "privilege": "CreateRecoveryInstanceForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Verifies that the alias is available for use.", - "privilege": "CheckAlias", + "access_level": "Write", + "description": "Grants permission to create replication configuration template", + "privilege": "CreateReplicationConfigurationTemplate", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a session", + "privilege": "CreateSessionForDrs", "resource_types": [ { "condition_keys": [], @@ -50200,546 +55158,595 @@ ] }, { - "access_level": "Tagging", - "description": "Creates an AD Connector to connect to an on-premises directory.", - "privilege": "ConnectDirectory", + "access_level": "Write", + "description": "Grants permission to create a source server", + "privilege": "CreateSourceServerForDrs", "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateNetworkInterface", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" - ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates an alias for a directory and assigns the alias to the directory.", - "privilege": "CreateAlias", + "description": "Grants permission to delete a job", + "privilege": "DeleteJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "JobResource*" } ] }, { "access_level": "Write", - "description": "Creates a computer account in the specified directory, and joins the computer to the directory.", - "privilege": "CreateComputer", + "description": "Grants permission to delete recovery instance", + "privilege": "DeleteRecoveryInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Write", - "description": "Creates a conditional forwarder associated with your AWS directory.", - "privilege": "CreateConditionalForwarder", + "description": "Grants permission to delete replication configuration template", + "privilege": "DeleteReplicationConfigurationTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "ReplicationConfigurationTemplateResource*" } ] }, { - "access_level": "Tagging", - "description": "Creates a Simple AD directory.", - "privilege": "CreateDirectory", + "access_level": "Write", + "description": "Grants permission to delete source server", + "privilege": "DeleteSourceServer", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateNetworkInterface", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Tagging", - "description": "Creates a IdentityPool Directory in the AWS cloud.", - "privilege": "CreateIdentityPoolDirectory", + "access_level": "Read", + "description": "Grants permission to describe job log items", + "privilege": "DescribeJobLogItems", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "JobResource*" } ] }, { - "access_level": "Write", - "description": "Creates a subscription to forward real time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account.", - "privilege": "CreateLogSubscription", + "access_level": "Read", + "description": "Grants permission to describe jobs", + "privilege": "DescribeJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Creates a Microsoft AD in the AWS cloud.", - "privilege": "CreateMicrosoftAD", + "access_level": "Read", + "description": "Grants permission to describe recovery instances", + "privilege": "DescribeRecoveryInstances", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateNetworkInterface", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" + "ec2:DescribeInstances" ], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud.", - "privilege": "CreateSnapshot", + "access_level": "Read", + "description": "Grants permission to describe recovery snapshots", + "privilege": "DescribeRecoverySnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain.", - "privilege": "CreateTrust", + "access_level": "Read", + "description": "Grants permission to describe replication configuration template", + "privilege": "DescribeReplicationConfigurationTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a conditional forwarder that has been set up for your AWS directory.", - "privilege": "DeleteConditionalForwarder", + "access_level": "Read", + "description": "Grants permission to describe replication server associations", + "privilege": "DescribeReplicationServerAssociationsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes an AWS Directory Service directory.", - "privilege": "DeleteDirectory", + "access_level": "Read", + "description": "Grants permission to describe snapshot requests", + "privilege": "DescribeSnapshotRequestsForDrs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DeleteNetworkInterface", - "ec2:DeleteSecurityGroup", - "ec2:DescribeNetworkInterfaces", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress" - ], - "resource_type": "directory*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified log subscription.", - "privilege": "DeleteLogSubscription", + "access_level": "Read", + "description": "Grants permission to describe source servers", + "privilege": "DescribeSourceServers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a directory snapshot.", - "privilege": "DeleteSnapshot", + "description": "Grants permission to disconnect recovery instance", + "privilege": "DisconnectRecoveryInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Write", - "description": "Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain.", - "privilege": "DeleteTrust", + "description": "Grants permission to disconnect source server", + "privilege": "DisconnectSourceServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Deletes from the system the certificate that was registered for a secured LDAP connection.", - "privilege": "DeregisterCertificate", + "access_level": "Read", + "description": "Grants permission to get agent command", + "privilege": "GetAgentCommandForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Removes the specified directory as a publisher to the specified SNS topic.", - "privilege": "DeregisterEventTopic", + "access_level": "Read", + "description": "Grants permission to get agent confirmed resume info", + "privilege": "GetAgentConfirmedResumeInfoForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Read", - "description": "Displays information about the certificate registered for a secured LDAP connection.", - "privilege": "DescribeCertificate", + "description": "Grants permission to get agent installation assets", + "privilege": "GetAgentInstallationAssetsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Obtains information about the conditional forwarders for this account.", - "privilege": "DescribeConditionalForwarders", + "description": "Grants permission to get agent replication info", + "privilege": "GetAgentReplicationInfoForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "List", - "description": "Obtains information about the directories that belong to this account.", - "privilege": "DescribeDirectories", + "access_level": "Read", + "description": "Grants permission to get agent runtime configuration", + "privilege": "GetAgentRuntimeConfigurationForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Read", - "description": "Provides information about any domain controllers in your directory.", - "privilege": "DescribeDomainControllers", + "description": "Grants permission to get agent snapshot credits", + "privilege": "GetAgentSnapshotCreditsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Read", - "description": "Obtains information about which SNS topics receive status messages from the specified directory.", - "privilege": "DescribeEventTopics", + "description": "Grants permission to get channel commands", + "privilege": "GetChannelCommandsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Describes the status of LDAP security for the specified directory.", - "privilege": "DescribeLDAPSSettings", + "description": "Grants permission to get failback command", + "privilege": "GetFailbackCommandForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Read", - "description": "Provides information about the Regions that are configured for multi-Region replication.", - "privilege": "DescribeRegions", + "description": "Grants permission to get failback launch requested", + "privilege": "GetFailbackLaunchRequestedForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Read", - "description": "Returns the shared directories in your account.", - "privilege": "DescribeSharedDirectories", + "description": "Grants permission to get failback replication configuration", + "privilege": "GetFailbackReplicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Read", - "description": "Obtains information about the directory snapshots that belong to this account.", - "privilege": "DescribeSnapshots", + "description": "Grants permission to get launch configuration", + "privilege": "GetLaunchConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Read", - "description": "Obtains information about the trust relationships for this account.", - "privilege": "DescribeTrusts", + "description": "Grants permission to get replication configuration", + "privilege": "GetReplicationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get suggested failback client device mapping", + "privilege": "GetSuggestedFailbackClientDeviceMappingForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "RecoveryInstanceResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to initialize service", + "privilege": "InitializeService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:AddRoleToInstanceProfile", + "iam:CreateInstanceProfile", + "iam:CreateServiceLinkedRole", + "iam:GetInstanceProfile" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Disables alternative client authentication methods for the specified directory.", - "privilege": "DisableClientAuthentication", + "description": "Grants permission to issue an agent certificate", + "privilege": "IssueAgentCertificateForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Deactivates LDAP secure calls for the specified directory.", - "privilege": "DisableLDAPS", + "access_level": "Read", + "description": "Grants permission to list extensible source servers", + "privilege": "ListExtensibleSourceServers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory.", - "privilege": "DisableRadius", + "access_level": "Read", + "description": "Grants permission to list staging accounts", + "privilege": "ListStagingAccounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Disables single-sign on for a directory.", - "privilege": "DisableSso", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Enables alternative client authentication methods for the specified directory.", - "privilege": "EnableClientAuthentication", + "description": "Grants permission to notify agent authentication", + "privilege": "NotifyAgentAuthenticationForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Activates the switch for the specific directory to always use LDAP secure calls.", - "privilege": "EnableLDAPS", + "description": "Grants permission to notify agent is connected", + "privilege": "NotifyAgentConnectedForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory.", - "privilege": "EnableRadius", + "description": "Grants permission to notify agent is disconnected", + "privilege": "NotifyAgentDisconnectedForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Enables single-sign on for a directory.", - "privilege": "EnableSso", + "description": "Grants permission to notify agent replication progress", + "privilege": "NotifyAgentReplicationProgressForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "", - "privilege": "GetAuthorizedApplicationDetails", + "access_level": "Write", + "description": "Grants permission to notify consistency attained", + "privilege": "NotifyConsistencyAttainedForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { - "access_level": "Read", - "description": "Obtains directory limit information for the current region.", - "privilege": "GetDirectoryLimits", + "access_level": "Write", + "description": "Grants permission to notify replication server authentication", + "privilege": "NotifyReplicationServerAuthenticationForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RecoveryInstanceResource*" } ] }, { - "access_level": "Read", - "description": "Obtains the manual snapshot limits for a directory.", - "privilege": "GetSnapshotLimits", + "access_level": "Write", + "description": "Grants permission to notify replicator volume events", + "privilege": "NotifyVolumeEventForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "Obtains the aws applications authorized for a directory.", - "privilege": "ListAuthorizedApplications", + "access_level": "Write", + "description": "Grants permission to retry data replication", + "privilege": "RetryDataReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "List", - "description": "For the specified directory, lists all the certificates registered for a secured LDAP connection.", - "privilege": "ListCertificates", + "access_level": "Write", + "description": "Grants permission to send agent logs", + "privilege": "SendAgentLogsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "Lists the address blocks that you have added to a directory.", - "privilege": "ListIpRoutes", + "access_level": "Write", + "description": "Grants permission to send agent metrics", + "privilege": "SendAgentMetricsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "Lists the active log subscriptions for the AWS account.", - "privilege": "ListLogSubscriptions", + "access_level": "Write", + "description": "Grants permission to send channel command result", + "privilege": "SendChannelCommandResultForDrs", "resource_types": [ { "condition_keys": [], @@ -50749,102 +55756,179 @@ ] }, { - "access_level": "List", - "description": "Lists all schema extensions applied to a Microsoft AD Directory.", - "privilege": "ListSchemaExtensions", + "access_level": "Write", + "description": "Grants permission to send client logs", + "privilege": "SendClientLogsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Lists all tags on an Amazon Directory Services directory.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to send client metrics", + "privilege": "SendClientMetricsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Registers a certificate for secured LDAP connection.", - "privilege": "RegisterCertificate", + "description": "Grants permission to send volume throughput statistics", + "privilege": "SendVolumeStatsForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Associates a directory with an SNS topic.", - "privilege": "RegisterEventTopic", + "description": "Grants permission to start failback launch", + "privilege": "StartFailbackLaunch", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sns:GetTopicAttributes" + "dependent_actions": [], + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "directory*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Rejects a directory sharing request that was sent from the directory owner account.", - "privilege": "RejectSharedDirectory", + "description": "Grants permission to start recovery", + "privilege": "StartRecovery", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "drs:CreateRecoveryInstanceForDrs", + "drs:ListTagsForResource", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:DeleteLaunchTemplateVersions", + "ec2:DeleteSnapshot", + "ec2:DeleteVolume", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeImages", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyLaunchTemplate", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances", + "iam:PassRole" + ], + "resource_type": "SourceServerResource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Removes IP address blocks from a directory.", - "privilege": "RemoveIpRoutes", + "description": "Grants permission to stop failback", + "privilege": "StopFailback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { - "access_level": "Write", - "description": "Stops all replication and removes the domain controllers from the specified Region. You cannot remove the primary Region with this operation.", - "privilege": "RemoveRegion", + "access_level": "Tagging", + "description": "Grants permission to assign a resource tag", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "JobResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RecoveryInstanceResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ReplicationConfigurationTemplateResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "drs:CreateAction" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Removes tags from an Amazon Directory Services directory.", - "privilege": "RemoveTagsFromResource", + "access_level": "Write", + "description": "Grants permission to terminate recovery instances", + "privilege": "TerminateRecoveryInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "ec2:DeleteTags" + "ec2:DeleteVolume", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:TerminateInstances" ], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" }, { "condition_keys": [ @@ -50856,249 +55940,319 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "JobResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RecoveryInstanceResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ReplicationConfigurationTemplateResource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Resets the password for any user in your AWS Managed Microsoft AD or Simple AD directory.", - "privilege": "ResetUserPassword", + "description": "Grants permission to update agent backlog", + "privilege": "UpdateAgentBacklogForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Restores a directory using an existing directory snapshot.", - "privilege": "RestoreFromSnapshot", + "description": "Grants permission to update agent conversion info", + "privilege": "UpdateAgentConversionInfoForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Shares a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region.", - "privilege": "ShareDirectory", + "description": "Grants permission to update agent replication info", + "privilege": "UpdateAgentReplicationInfoForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Applies a schema extension to a Microsoft AD directory.", - "privilege": "StartSchemaExtension", + "description": "Grants permission to update agent replication process state", + "privilege": "UpdateAgentReplicationProcessStateForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Unauthorizes an application from your AWS Directory.", - "privilege": "UnauthorizeApplication", + "description": "Grants permission to update agent source properties", + "privilege": "UpdateAgentSourcePropertiesForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Stops the directory sharing between the directory owner and consumer accounts.", - "privilege": "UnshareDirectory", + "description": "Grants permission to update failback client device mapping", + "privilege": "UpdateFailbackClientDeviceMappingForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Write", - "description": "Updates a conditional forwarder that has been set up for your AWS directory.", - "privilege": "UpdateConditionalForwarder", + "description": "Grants permission to update failback client last seen", + "privilege": "UpdateFailbackClientLastSeenForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Write", - "description": "Adds or removes domain controllers to or from the directory. Based on the difference between current value and new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request.", - "privilege": "UpdateNumberOfDomainControllers", + "description": "Grants permission to update failback replication configuration", + "privilege": "UpdateFailbackReplicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { "access_level": "Write", - "description": "Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory.", - "privilege": "UpdateRadius", + "description": "Grants permission to update launch configuration", + "privilege": "UpdateLaunchConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Updates the trust that has been set up between your AWS Managed Microsoft AD directory and an on-premises Active Directory.", - "privilege": "UpdateTrust", + "description": "Grants permission to update a replication certificate", + "privilege": "UpdateReplicationCertificateForDrs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "RecoveryInstanceResource*" } ] }, { - "access_level": "Read", - "description": "Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain.", - "privilege": "VerifyTrust", + "access_level": "Write", + "description": "Grants permission to update replication configuration", + "privilege": "UpdateReplicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "directory*" + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update replication configuration template", + "privilege": "UpdateReplicationConfigurationTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ReplicationConfigurationTemplateResource*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}", + "arn": "arn:${Partition}:drs:${Region}:${Account}:job/${JobID}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "directory" - } - ], - "service_name": "AWS Directory Service" - }, - { - "conditions": [ - { - "condition": "dynamodb:Attributes", - "description": "Filter based on the attribute (field or column) names of the table.", - "type": "String" + "resource": "JobResource" }, { - "condition": "dynamodb:EnclosingOperation", - "description": "Used to block Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa.", - "type": "String" + "arn": "arn:${Partition}:drs:${Region}:${Account}:recovery-instance/${RecoveryInstanceID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "drs:EC2InstanceARN" + ], + "resource": "RecoveryInstanceResource" }, { - "condition": "dynamodb:FullTableScan", - "description": "Used to block full table scan.", - "type": "Bool" + "arn": "arn:${Partition}:drs:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ReplicationConfigurationTemplateResource" }, { - "condition": "dynamodb:LeadingKeys", - "description": "Filters based on the partition key of the table.", - "type": "String" - }, + "arn": "arn:${Partition}:drs:${Region}:${Account}:source-server/${SourceServerID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "SourceServerResource" + } + ], + "service_name": "AWS Elastic Disaster Recovery" + }, + { + "conditions": [ { - "condition": "dynamodb:ReturnConsumedCapacity", - "description": "Filter based on the ReturnConsumedCapacity parameter of a request. Contains either \"TOTAL\" or \"NONE\".", + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the value of the request to AWS DS", "type": "String" }, { - "condition": "dynamodb:ReturnValues", - "description": "Filter based on the ReturnValues parameter of request. Contains one of the following: \"ALL_OLD\", \"UPDATED_OLD\",\"ALL_NEW\",\"UPDATED_NEW\", or \"NONE\".", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the AWS DS Resource being acted upon", "type": "String" }, { - "condition": "dynamodb:Select", - "description": "Filter based on the Select parameter of a Query or Scan request.", - "type": "String" + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "ArrayOfString" } ], - "prefix": "dynamodb", + "prefix": "ds", "privileges": [ { - "access_level": "Read", - "description": "Returns the attributes of one or more items from one or more tables", - "privilege": "BatchGetItem", + "access_level": "Write", + "description": "Grants permission to accept a directory sharing request that was sent from the directory owner account", + "privilege": "AcceptSharedDirectory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services", + "privilege": "AddIpRoutes", + "resource_types": [ { - "condition_keys": [ - "dynamodb:Attributes", - "dynamodb:LeadingKeys", - "dynamodb:ReturnConsumedCapacity", - "dynamodb:Select" + "condition_keys": [], + "dependent_actions": [ + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DescribeSecurityGroups" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { "access_level": "Write", - "description": "Puts or deletes multiple items in one or more tables", - "privilege": "BatchWriteItem", + "description": "Grants permission to add two domain controllers in the specified Region for the specified directory", + "privilege": "AddRegion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "dynamodb:Attributes", - "dynamodb:LeadingKeys", - "dynamodb:ReturnConsumedCapacity" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key", - "privilege": "ConditionCheckItem", + "access_level": "Tagging", + "description": "Grants permission to add or overwrite one or more tags for the specified Amazon Directory Services directory", + "privilege": "AddTagsToResource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "directory*" }, { "condition_keys": [ - "dynamodb:Attributes", - "dynamodb:LeadingKeys", - "dynamodb:ReturnConsumedCapacity", - "dynamodb:ReturnValues" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -51107,376 +56261,413 @@ }, { "access_level": "Write", - "description": "Creates a backup for an existing table", - "privilege": "CreateBackup", + "description": "Grants permission to authorize an application for your AWS Directory", + "privilege": "AuthorizeApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { "access_level": "Write", - "description": "Enables the user to create a global table from an existing table", - "privilege": "CreateGlobalTable", + "description": "Grants permission to cancel an in-progress schema extension to a Microsoft AD directory", + "privilege": "CancelSchemaExtension", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-table*" - }, + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to verify that the alias is available for use", + "privilege": "CheckAlias", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateTable operation adds a new table to your account", - "privilege": "CreateTable", + "description": "Grants permission to create an AD Connector to connect to an on-premises directory", + "privilege": "ConnectDirectory", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateNetworkInterface", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Adds a new replica table", - "privilege": "CreateTableReplica", + "description": "Grants permission to create an alias for a directory and assigns the alias to the directory", + "privilege": "CreateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { "access_level": "Write", - "description": "Deletes an existing backup of a table", - "privilege": "DeleteBackup", + "description": "Grants permission to create a computer account in the specified directory, and joins the computer to the directory", + "privilege": "CreateComputer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "backup*" + "resource_type": "directory*" } ] }, { "access_level": "Write", - "description": "Deletes a single item in a table by primary key", - "privilege": "DeleteItem", + "description": "Grants permission to create a conditional forwarder associated with your AWS directory", + "privilege": "CreateConditionalForwarder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Simple AD directory", + "privilege": "CreateDirectory", + "resource_types": [ { "condition_keys": [ - "dynamodb:Attributes", - "dynamodb:EnclosingOperation", - "dynamodb:LeadingKeys", - "dynamodb:ReturnConsumedCapacity", - "dynamodb:ReturnValues" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateNetworkInterface", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteTable operation deletes a table and all of its items", - "privilege": "DeleteTable", + "description": "Grants permission to create an IdentityPool Directory in the AWS cloud", + "privilege": "CreateIdentityPoolDirectory", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a replica table and all of its items", - "privilege": "DeleteTableReplica", + "description": "Grants permission to create a subscription to forward real time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account", + "privilege": "CreateLogSubscription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Describes an existing backup of a table", - "privilege": "DescribeBackup", + "access_level": "Write", + "description": "Grants permission to create a Microsoft AD in the AWS cloud", + "privilege": "CreateMicrosoftAD", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "backup*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateNetworkInterface", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Checks the status of the backup restore settings on the specified table", - "privilege": "DescribeContinuousBackups", + "access_level": "Write", + "description": "Grants permission to create a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud", + "privilege": "CreateSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Describes the contributor insights status and related details for a given table or global secondary index", - "privilege": "DescribeContributorInsights", + "access_level": "Write", + "description": "Grants permission to initiate the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain", + "privilege": "CreateTrust", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Describes an existing Export of a table", - "privilege": "DescribeExport", + "access_level": "Write", + "description": "Grants permission to delete a conditional forwarder that has been set up for your AWS directory", + "privilege": "DeleteConditionalForwarder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "export*" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Returns information about the specified global table", - "privilege": "DescribeGlobalTable", + "access_level": "Write", + "description": "Grants permission to delete an AWS Directory Service directory", + "privilege": "DeleteDirectory", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-table*" + "dependent_actions": [ + "ec2:DeleteNetworkInterface", + "ec2:DeleteSecurityGroup", + "ec2:DescribeNetworkInterfaces", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress" + ], + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Returns settings information about the specified global table", - "privilege": "DescribeGlobalTableSettings", + "access_level": "Write", + "description": "Grants permission to delete the specified log subscription", + "privilege": "DeleteLogSubscription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-table*" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the status of Kinesis streaming and related details for a given table", - "privilege": "DescribeKinesisStreamingDestination", + "access_level": "Write", + "description": "Grants permission to delete a directory snapshot", + "privilege": "DeleteSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Returns the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there", - "privilege": "DescribeLimits", + "access_level": "Write", + "description": "Grants permission to delete an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain", + "privilege": "DeleteTrust", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Describes one or more of the Reserved Capacity purchased", - "privilege": "DescribeReservedCapacity", + "access_level": "Write", + "description": "Grants permission to delete from the system the certificate that was registered for a secured LDAP connection", + "privilege": "DeregisterCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Describes Reserved Capacity offerings that are available for purchase", - "privilege": "DescribeReservedCapacityOfferings", + "access_level": "Write", + "description": "Grants permission to remove the specified directory as a publisher to the specified SNS topic", + "privilege": "DeregisterEventTopic", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { "access_level": "Read", - "description": "Returns information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table", - "privilege": "DescribeStream", + "description": "Grants permission to display information about the certificate registered for a secured LDAP connection", + "privilege": "DescribeCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "directory*" } ] }, { "access_level": "Read", - "description": "Returns information about the table", - "privilege": "DescribeTable", + "description": "Grants permission to retrieve information about the type of client authentication for the specified directory, if the type is specified. If no type is specified, information about all client authentication types that are supported for the specified directory is retrieved. Currently, only SmartCard is supported", + "privilege": "DescribeClientAuthenticationSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { "access_level": "Read", - "description": "Describes the auto scaling settings across all replicas of the global table", - "privilege": "DescribeTableReplicaAutoScaling", + "description": "Grants permission to obtain information about the conditional forwarders for this account", + "privilege": "DescribeConditionalForwarders", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Gives a description of the Time to Live (TTL) status on the specified table.", - "privilege": "DescribeTimeToLive", + "access_level": "List", + "description": "Grants permission to obtain information about the directories that belong to this account", + "privilege": "DescribeDirectories", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop replication from the DynamoDB table to the Kinesis data stream", - "privilege": "DisableKinesisStreamingDestination", + "access_level": "Read", + "description": "Grants permission to provide information about any domain controllers in your directory", + "privilege": "DescribeDomainControllers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start table data replication to the specified Kinesis data stream at a timestamp chosen during the enable workflow", - "privilege": "EnableKinesisStreamingDestination", + "access_level": "Read", + "description": "Grants permission to obtain information about which SNS topics receive status messages from the specified directory", + "privilege": "DescribeEventTopics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { - "access_level": "Write", - "description": "Initiates an Export of a DynamoDB table to S3", - "privilege": "ExportTableToPointInTime", + "access_level": "Read", + "description": "Grants permission to describe the status of LDAP security for the specified directory", + "privilege": "DescribeLDAPSSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "directory*" } ] }, { "access_level": "Read", - "description": "The GetItem operation returns a set of attributes for the item with the given primary key", - "privilege": "GetItem", + "description": "Grants permission to provide information about the Regions that are configured for multi-Region replication", + "privilege": "DescribeRegions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "dynamodb:Attributes", - "dynamodb:EnclosingOperation", - "dynamodb:LeadingKeys", - "dynamodb:ReturnConsumedCapacity", - "dynamodb:Select" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { "access_level": "Read", - "description": "Retrieves the stream records from a given shard", - "privilege": "GetRecords", + "description": "Grants permission to retrieve information about the configurable settings for the specified directory", + "privilege": "DescribeSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "directory*" } ] }, { "access_level": "Read", - "description": "Returns a shard iterator", - "privilege": "GetShardIterator", + "description": "Grants permission to return the shared directories in your account", + "privilege": "DescribeSharedDirectories", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "directory*" } ] }, { - "access_level": "List", - "description": "List backups associated with the account and endpoint", - "privilege": "ListBackups", + "access_level": "Read", + "description": "Grants permission to obtain information about the directory snapshots that belong to this account", + "privilege": "DescribeSnapshots", "resource_types": [ { "condition_keys": [], @@ -51486,9 +56677,9 @@ ] }, { - "access_level": "List", - "description": "Lists the ContributorInsightsSummary for all tables and global secondary indexes associated with the current account and endpoint", - "privilege": "ListContributorInsights", + "access_level": "Read", + "description": "Grants permission to obtain information about the trust relationships for this account", + "privilege": "DescribeTrusts", "resource_types": [ { "condition_keys": [], @@ -51498,58 +56689,1035 @@ ] }, { - "access_level": "List", - "description": "List exports associated with the account and endpoint", - "privilege": "ListExports", + "access_level": "Write", + "description": "Grants permission to disable alternative client authentication methods for the specified directory", + "privilege": "DisableClientAuthentication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { - "access_level": "List", - "description": "Lists all global tables that have a replica in the specified region", - "privilege": "ListGlobalTables", + "access_level": "Write", + "description": "Grants permission to deactivate LDAP secure calls for the specified directory", + "privilege": "DisableLDAPS", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "Returns an array of stream ARNs associated with the current account and endpoint", - "privilege": "ListStreams", + "access_level": "Write", + "description": "Grants permission to disable multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory", + "privilege": "DisableRadius", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { - "access_level": "List", - "description": "Returns an array of table names associated with the current account and endpoint", - "privilege": "ListTables", + "access_level": "Write", + "description": "Grants permission to disable single-sign on for a directory", + "privilege": "DisableSso", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directory*" } ] }, { - "access_level": "Read", - "description": "List all tags on an Amazon DynamoDB resource", - "privilege": "ListTagsOfResource", - "resource_types": [ + "access_level": "Write", + "description": "Grants permission to enable alternative client authentication methods for the specified directory", + "privilege": "EnableClientAuthentication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate the switch for the specific directory to always use LDAP secure calls", + "privilege": "EnableLDAPS", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory", + "privilege": "EnableRadius", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable single-sign on for a directory", + "privilege": "EnableSso", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the details of the authorized applications on a directory", + "privilege": "GetAuthorizedApplicationDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to obtain directory limit information for the current region", + "privilege": "GetDirectoryLimits", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to obtain the manual snapshot limits for a directory", + "privilege": "GetSnapshotLimits", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to obtain the AWS applications authorized for a directory", + "privilege": "ListAuthorizedApplications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the certificates registered for a secured LDAP connection, for the specified directory", + "privilege": "ListCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the address blocks that you have added to a directory", + "privilege": "ListIpRoutes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the active log subscriptions for the AWS account", + "privilege": "ListLogSubscriptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all schema extensions applied to a Microsoft AD Directory", + "privilege": "ListSchemaExtensions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all tags on an Amazon Directory Services directory", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register a certificate for secured LDAP connection", + "privilege": "RegisterCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a directory with an SNS topic", + "privilege": "RegisterEventTopic", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "sns:GetTopicAttributes" + ], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reject a directory sharing request that was sent from the directory owner account", + "privilege": "RejectSharedDirectory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove IP address blocks from a directory", + "privilege": "RemoveIpRoutes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop all replication and removes the domain controllers from the specified Region. You cannot remove the primary Region with this operation", + "privilege": "RemoveRegion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from an Amazon Directory Services directory", + "privilege": "RemoveTagsFromResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DeleteTags" + ], + "resource_type": "directory*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reset the password for any user in your AWS Managed Microsoft AD or Simple AD directory", + "privilege": "ResetUserPassword", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore a directory using an existing directory snapshot", + "privilege": "RestoreFromSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to share a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region", + "privilege": "ShareDirectory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to apply a schema extension to a Microsoft AD directory", + "privilege": "StartSchemaExtension", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to unauthorize an application from your AWS Directory", + "privilege": "UnauthorizeApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop the directory sharing between the directory owner and consumer accounts", + "privilege": "UnshareDirectory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a conditional forwarder that has been set up for your AWS directory", + "privilege": "UpdateConditionalForwarder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add or remove domain controllers to or from the directory. Based on the difference between current value and new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request", + "privilege": "UpdateNumberOfDomainControllers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory", + "privilege": "UpdateRadius", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the configurable settings for the specified directory", + "privilege": "UpdateSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the trust that has been set up between your AWS Managed Microsoft AD directory and an on-premises Active Directory", + "privilege": "UpdateTrust", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to verify a trust relationship between your Microsoft AD in the AWS cloud and an external domain", + "privilege": "VerifyTrust", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "directory" + } + ], + "service_name": "AWS Directory Service" + }, + { + "conditions": [ + { + "condition": "dynamodb:Attributes", + "description": "Filter based on the attribute (field or column) names of the table", + "type": "String" + }, + { + "condition": "dynamodb:EnclosingOperation", + "description": "Used to block Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa", + "type": "String" + }, + { + "condition": "dynamodb:FullTableScan", + "description": "Used to block full table scan", + "type": "Bool" + }, + { + "condition": "dynamodb:LeadingKeys", + "description": "Filters based on the partition key of the table", + "type": "String" + }, + { + "condition": "dynamodb:ReturnConsumedCapacity", + "description": "Filter based on the ReturnConsumedCapacity parameter of a request. Contains either \"TOTAL\" or \"NONE\"", + "type": "String" + }, + { + "condition": "dynamodb:ReturnValues", + "description": "Filter based on the ReturnValues parameter of request. Contains one of the following: \"ALL_OLD\", \"UPDATED_OLD\",\"ALL_NEW\",\"UPDATED_NEW\", or \"NONE\"", + "type": "String" + }, + { + "condition": "dynamodb:Select", + "description": "Filter based on the Select parameter of a Query or Scan request", + "type": "String" + } + ], + "prefix": "dynamodb", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to return the attributes of one or more items from one or more tables", + "privilege": "BatchGetItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "dynamodb:Attributes", + "dynamodb:LeadingKeys", + "dynamodb:ReturnConsumedCapacity", + "dynamodb:Select" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put or delete multiple items in one or more tables", + "privilege": "BatchWriteItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "dynamodb:Attributes", + "dynamodb:LeadingKeys", + "dynamodb:ReturnConsumedCapacity" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to the ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key", + "privilege": "ConditionCheckItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "dynamodb:Attributes", + "dynamodb:LeadingKeys", + "dynamodb:ReturnConsumedCapacity", + "dynamodb:ReturnValues" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a backup for an existing table", + "privilege": "CreateBackup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a global table from an existing table", + "privilege": "CreateGlobalTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-table*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to the CreateTable operation adds a new table to your account", + "privilege": "CreateTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a new replica table", + "privilege": "CreateTableReplica", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing backup of a table", + "privilege": "DeleteBackup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deletes a single item in a table by primary key", + "privilege": "DeleteItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "dynamodb:Attributes", + "dynamodb:EnclosingOperation", + "dynamodb:LeadingKeys", + "dynamodb:ReturnConsumedCapacity", + "dynamodb:ReturnValues" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to the DeleteTable operation which deletes a table and all of its items", + "privilege": "DeleteTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a replica table and all of its items", + "privilege": "DeleteTableReplica", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an existing backup of a table", + "privilege": "DescribeBackup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to check the status of the backup restore settings on the specified table", + "privilege": "DescribeContinuousBackups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the contributor insights status and related details for a given table or global secondary index", + "privilege": "DescribeContributorInsights", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an existing Export of a table", + "privilege": "DescribeExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "export*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about the specified global table", + "privilege": "DescribeGlobalTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return settings information about the specified global table", + "privilege": "DescribeGlobalTableSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an existing import", + "privilege": "DescribeImport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "import*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to grant permission to describe the status of Kinesis streaming and related details for a given table", + "privilege": "DescribeKinesisStreamingDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there", + "privilege": "DescribeLimits", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe one or more of the Reserved Capacity purchased", + "privilege": "DescribeReservedCapacity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe Reserved Capacity offerings that are available for purchase", + "privilege": "DescribeReservedCapacityOfferings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table", + "privilege": "DescribeStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about the table", + "privilege": "DescribeTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the auto scaling settings across all replicas of the global table", + "privilege": "DescribeTableReplicaAutoScaling", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to give a description of the Time to Live (TTL) status on the specified table", + "privilege": "DescribeTimeToLive", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to grant permission to stop replication from the DynamoDB table to the Kinesis data stream", + "privilege": "DisableKinesisStreamingDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to grant permission to start table data replication to the specified Kinesis data stream at a timestamp chosen during the enable workflow", + "privilege": "EnableKinesisStreamingDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to initiate an Export of a DynamoDB table to S3", + "privilege": "ExportTableToPointInTime", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to the GetItem operation that returns a set of attributes for the item with the given primary key", + "privilege": "GetItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "dynamodb:Attributes", + "dynamodb:EnclosingOperation", + "dynamodb:LeadingKeys", + "dynamodb:ReturnConsumedCapacity", + "dynamodb:Select" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the stream records from a given shard", + "privilege": "GetRecords", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return a shard iterator", + "privilege": "GetShardIterator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to initiate an import from S3 to a DynamoDB table", + "privilege": "ImportTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list backups associated with the account and endpoint", + "privilege": "ListBackups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the ContributorInsightsSummary for all tables and global secondary indexes associated with the current account and endpoint", + "privilege": "ListContributorInsights", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list exports associated with the account and endpoint", + "privilege": "ListExports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all global tables that have a replica in the specified region", + "privilege": "ListGlobalTables", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list imports associated with the account and endpoint", + "privilege": "ListImports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return an array of stream ARNs associated with the current account and endpoint", + "privilege": "ListStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return an array of table names associated with the current account and endpoint", + "privilege": "ListTables", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all tags on an Amazon DynamoDB resource", + "privilege": "ListTagsOfResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], @@ -51652,7 +57820,7 @@ }, { "access_level": "Write", - "description": "Purchases Reserved Capacity for use with your account", + "description": "Grants permission to purchases reserved capacity for use with your account", "privilege": "PurchaseReservedCapacityOfferings", "resource_types": [ { @@ -51664,7 +57832,7 @@ }, { "access_level": "Write", - "description": "Creates a new item, or replaces an old item with a new item", + "description": "Grants permission to create a new item, or replace an old item with a new item", "privilege": "PutItem", "resource_types": [ { @@ -51687,7 +57855,7 @@ }, { "access_level": "Read", - "description": "Uses the primary key of a table or a secondary index to directly access items from that table or index", + "description": "Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index", "privilege": "Query", "resource_types": [ { @@ -51715,7 +57883,19 @@ }, { "access_level": "Write", - "description": "Creates a new table from an existing backup", + "description": "Grants permission to create a new table from recovery point on AWS Backup", + "privilege": "RestoreTableFromAwsBackup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new table from an existing backup", "privilege": "RestoreTableFromBackup", "resource_types": [ { @@ -51732,7 +57912,7 @@ }, { "access_level": "Write", - "description": "Restores a table to a point in time", + "description": "Grants permission to restore a table to a point in time", "privilege": "RestoreTableToPointInTime", "resource_types": [ { @@ -51744,7 +57924,7 @@ }, { "access_level": "Read", - "description": "Returns one or more items and item attributes by accessing every item in a table or a secondary index", + "description": "Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index", "privilege": "Scan", "resource_types": [ { @@ -51769,9 +57949,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a backup on AWS Backup with advanced features enabled", + "privilege": "StartAwsBackupJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Tagging", - "description": "Associate a set of tags with an Amazon DynamoDB resource", + "description": "Grants permission to associate a set of tags with an Amazon DynamoDB resource", "privilege": "TagResource", "resource_types": [ { @@ -51783,7 +57975,7 @@ }, { "access_level": "Tagging", - "description": "Removes the association of tags from an Amazon DynamoDB resource.", + "description": "Grants permission to remove the association of tags from an Amazon DynamoDB resource", "privilege": "UntagResource", "resource_types": [ { @@ -51795,7 +57987,7 @@ }, { "access_level": "Write", - "description": "Enables or disables continuous backups", + "description": "Grants permission to enable or disable continuous backups", "privilege": "UpdateContinuousBackups", "resource_types": [ { @@ -51807,7 +57999,7 @@ }, { "access_level": "Write", - "description": "Updates the status for contributor insights for a specific table or global secondary index", + "description": "Grants permission to update the status for contributor insights for a specific table or global secondary index", "privilege": "UpdateContributorInsights", "resource_types": [ { @@ -51824,7 +58016,7 @@ }, { "access_level": "Write", - "description": "Enables the user to add or remove replicas in the specified global table", + "description": "Grants permission to add or remove replicas in the specified global table", "privilege": "UpdateGlobalTable", "resource_types": [ { @@ -51841,7 +58033,7 @@ }, { "access_level": "Write", - "description": "Enables the user to update settings of the specified global table", + "description": "Grants permission to update settings of the specified global table", "privilege": "UpdateGlobalTableSettings", "resource_types": [ { @@ -51858,7 +58050,7 @@ }, { "access_level": "Write", - "description": "Edits an existing item's attributes, or adds a new item to the table if it does not already exist", + "description": "Grants permission to edit an existing item's attributes, or adds a new item to the table if it does not already exist", "privilege": "UpdateItem", "resource_types": [ { @@ -51881,7 +58073,7 @@ }, { "access_level": "Write", - "description": "Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table", + "description": "Grants permission to modify the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table", "privilege": "UpdateTable", "resource_types": [ { @@ -51893,7 +58085,7 @@ }, { "access_level": "Write", - "description": "Updates auto scaling settings on your replica table", + "description": "Grants permission to update auto scaling settings on your replica table", "privilege": "UpdateTableReplicaAutoScaling", "resource_types": [ { @@ -51905,7 +58097,7 @@ }, { "access_level": "Write", - "description": "Enables or disables TTL for the specified table", + "description": "Grants permission to enable or disable TTL for the specified table", "privilege": "UpdateTimeToLive", "resource_types": [ { @@ -51938,7 +58130,7 @@ "resource": "backup" }, { - "arn": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/export/${exportName}", + "arn": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/export/${ExportName}", "condition_keys": [], "resource": "export" }, @@ -51946,6 +58138,11 @@ "arn": "arn:${Partition}:dynamodb::${Account}:global-table/${GlobalTableName}", "condition_keys": [], "resource": "global-table" + }, + { + "arn": "arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/import/${ImportName}", + "condition_keys": [], + "resource": "import" } ], "service_name": "Amazon DynamoDB" @@ -51959,13 +58156,13 @@ }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs assigned to the AWS resource", + "description": "Filters access by a tag key and value pair of a resource", "type": "String" }, { "condition": "aws:TagKeys", "description": "Filters access by a list of tag keys that are allowed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "ebs:Description", @@ -52136,16 +58333,26 @@ { "condition": "aws:TagKeys", "description": "Filters access by a list of tag keys that are allowed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "ec2:AccepterVpc", "description": "Filters access by the ARN of an accepter VPC in a VPC peering connection", "type": "ARN" }, + { + "condition": "ec2:Add/group", + "description": "Filters access by the group being added to a snapshot", + "type": "String" + }, + { + "condition": "ec2:Add/userId", + "description": "Filters access by the account id being added to a snapshot", + "type": "String" + }, { "condition": "ec2:AllocationId", - "description": "Filters access by the Allocation Id of the Elastic Ip", + "description": "Filters access by the allocation ID of the Elastic IP address", "type": "String" }, { @@ -52153,6 +58360,11 @@ "description": "Filters access by whether the user wants to associate a public IP address with the instance", "type": "Bool" }, + { + "condition": "ec2:Attribute", + "description": "Filters access by an attribute of a resource", + "type": "String" + }, { "condition": "ec2:Attribute/${AttributeName}", "description": "Filters access by an attribute being set on a resource", @@ -52213,6 +58425,11 @@ "description": "Filters access by the duration after which DPD timeout occurs on a VPN tunnel", "type": "Numeric" }, + { + "condition": "ec2:DhcpOptionsID", + "description": "Filters access by the ID of a dynamic host configuration protocol (DHCP) options set", + "type": "String" + }, { "condition": "ec2:DirectoryArn", "description": "Filters access by the ARN of the directory", @@ -52220,7 +58437,7 @@ }, { "condition": "ec2:Domain", - "description": "Filters access by the domain of the Elastic Ip Address", + "description": "Filters access by the domain of the Elastic IP address", "type": "String" }, { @@ -52253,6 +58470,11 @@ "description": "Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel", "type": "String" }, + { + "condition": "ec2:ImageID", + "description": "Filters access by the ID of an image", + "type": "String" + }, { "condition": "ec2:ImageType", "description": "Filters access by the type of image (machine, aki, or ari)", @@ -52263,11 +58485,31 @@ "description": "Filters access by the range of inside IP addresses for a VPN tunnel", "type": "String" }, + { + "condition": "ec2:InsideTunnelIpv6Cidr", + "description": "Filters access by a range of inside IPv6 addresses for a VPN tunnel", + "type": "String" + }, + { + "condition": "ec2:InstanceAutoRecovery", + "description": "Filters access by whether the instance type supports auto recovery", + "type": "String" + }, + { + "condition": "ec2:InstanceID", + "description": "Filters access by the ID of an instance", + "type": "String" + }, { "condition": "ec2:InstanceMarketType", "description": "Filters access by the market or purchasing option of an instance (on-demand or spot)", "type": "String" }, + { + "condition": "ec2:InstanceMetadataTags", + "description": "Filters access by whether the instance allows access to instance tags from the instance metadata", + "type": "String" + }, { "condition": "ec2:InstanceProfile", "description": "Filters access by the ARN of an instance profile", @@ -52278,6 +58520,21 @@ "description": "Filters access by the type of instance", "type": "String" }, + { + "condition": "ec2:InternetGatewayID", + "description": "Filters access by the ID of an internet gateway", + "type": "String" + }, + { + "condition": "ec2:Ipv4IpamPoolId", + "description": "Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation", + "type": "String" + }, + { + "condition": "ec2:Ipv6IpamPoolId", + "description": "Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation", + "type": "String" + }, { "condition": "ec2:IsLaunchTemplateResource", "description": "Filters access by whether users are able to override resources that are specified in the launch template", @@ -52285,17 +58542,17 @@ }, { "condition": "ec2:KeyPairName", - "description": "Filters access by a key pair name", + "description": "Filters access by the name of a key pair", "type": "String" }, { "condition": "ec2:KeyPairType", - "description": "Filters access by a key pair type", + "description": "Filters access by the type of a key pair", "type": "String" }, { "condition": "ec2:KmsKeyId", - "description": "Filters access by an Id of your AWS Key Management Service", + "description": "Filters access by the ID of an AWS KMS key", "type": "String" }, { @@ -52318,6 +58575,16 @@ "description": "Filters access by whether tokens are required when calling the instance metadata service (optional or required)", "type": "String" }, + { + "condition": "ec2:NetworkAclID", + "description": "Filters access by the ID of a network access control list (ACL)", + "type": "String" + }, + { + "condition": "ec2:NetworkInterfaceID", + "description": "Filters access by the ID of an elastic network interface", + "type": "String" + }, { "condition": "ec2:NewInstanceProfile", "description": "Filters access by the ARN of the instance profile being attached", @@ -52393,6 +58660,11 @@ "description": "Filters access by the ARN of the placement group", "type": "ARN" }, + { + "condition": "ec2:PlacementGroupName", + "description": "Filters access by the name of a placement group", + "type": "String" + }, { "condition": "ec2:PlacementGroupStrategy", "description": "Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition)", @@ -52415,7 +58687,7 @@ }, { "condition": "ec2:PublicIpAddress", - "description": "Filters access by the Public Ip", + "description": "Filters access by a public IP address", "type": "String" }, { @@ -52438,6 +58710,21 @@ "description": "Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel", "type": "Numeric" }, + { + "condition": "ec2:Remove/group", + "description": "Filters access by the group being removed from a snapshot", + "type": "String" + }, + { + "condition": "ec2:Remove/userId", + "description": "Filters access by the account id being removed from a snapshot", + "type": "String" + }, + { + "condition": "ec2:ReplayWindowSizePackets", + "description": "Filters access by the number of packets in an IKE replay window", + "type": "String" + }, { "condition": "ec2:RequesterVpc", "description": "Filters access by the ARN of a requester VPC in a VPC peering connection", @@ -52468,6 +58755,11 @@ "description": "Filters access by the root device type of the instance (ebs or instance-store)", "type": "String" }, + { + "condition": "ec2:RouteTableID", + "description": "Filters access by the ID of a route table", + "type": "String" + }, { "condition": "ec2:RoutingType", "description": "Filters access by the routing type for the VPN connection", @@ -52478,11 +58770,21 @@ "description": "Filters access by the ARN of the IAM SAML identity provider", "type": "ARN" }, + { + "condition": "ec2:SecurityGroupID", + "description": "Filters access by the ID of a security group", + "type": "String" + }, { "condition": "ec2:ServerCertificateArn", "description": "Filters access by the ARN of the server certificate", "type": "ARN" }, + { + "condition": "ec2:SnapshotID", + "description": "Filters access by the ID of a snapshot", + "type": "String" + }, { "condition": "ec2:SnapshotTime", "description": "Filters access by the initiation time of a snapshot", @@ -52503,11 +58805,21 @@ "description": "Filters access by the ARN of the subnet", "type": "ARN" }, + { + "condition": "ec2:SubnetID", + "description": "Filters access by the ID of a subnet", + "type": "String" + }, { "condition": "ec2:Tenancy", "description": "Filters access by the tenancy of the VPC or instance (default, dedicated, or host)", "type": "String" }, + { + "condition": "ec2:VolumeID", + "description": "Filters access by the ID of a volume", + "type": "String" + }, { "condition": "ec2:VolumeIops", "description": "Filters access by the the number of input/output operations per second (IOPS) provisioned for the volume", @@ -52533,6 +58845,16 @@ "description": "Filters access by the ARN of the VPC", "type": "ARN" }, + { + "condition": "ec2:VpcID", + "description": "Filters access by the ID of a virtual private cloud (VPC)", + "type": "String" + }, + { + "condition": "ec2:VpcPeeringConnectionID", + "description": "Filters access by the ID of a VPC peering connection", + "type": "String" + }, { "condition": "ec2:VpceServiceName", "description": "Filters access by the name of the VPC endpoint service", @@ -52557,7 +58879,9 @@ "privilege": "AcceptReservedInstancesExchangeQuote", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -52571,7 +58895,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -52580,11 +58903,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52596,11 +58925,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52612,14 +58947,20 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" - } - ] - }, + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to accept one or more interface VPC endpoint connections to your VPC endpoint service", @@ -52628,11 +58969,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52644,9 +58991,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" @@ -52655,12 +59002,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", - "ec2:Region", "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcPeeringConnectionID" ], "dependent_actions": [], "resource_type": "vpc-peering-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52670,7 +59024,9 @@ "privilege": "AdvertiseByoipCidr", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -52682,11 +59038,7 @@ "privilege": "AllocateAddress", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -52695,11 +59047,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "ipv4pool-ec2" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52710,19 +59070,47 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AutoPlacement", "ec2:AvailabilityZone", "ec2:HostRecovery", "ec2:InstanceType", - "ec2:Quantity", - "ec2:Region" + "ec2:Quantity" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "dedicated-host*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to allocate a CIDR from an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "AllocateIpamPoolCidr", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52738,7 +59126,6 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" @@ -52749,8 +59136,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID" ], "dependent_actions": [], "resource_type": "security-group*" @@ -52758,11 +59145,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52775,13 +59169,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52794,13 +59195,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52815,7 +59223,6 @@ "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -52826,14 +59233,17 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -52845,13 +59255,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52867,7 +59284,6 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" @@ -52878,11 +59294,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52894,7 +59317,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:DhcpOptionsID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -52903,12 +59326,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52926,6 +59356,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "role*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52939,7 +59376,10 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", @@ -52947,7 +59387,7 @@ "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -52956,6 +59396,13 @@ "iam:PassRole" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52967,11 +59414,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "instance-event-window*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -52983,8 +59436,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -52993,7 +59446,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53003,8 +59456,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -53013,11 +59466,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53030,12 +59489,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53048,8 +59514,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -53058,7 +59524,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53067,23 +59532,28 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate an attachment with a transit gateway route table", - "privilege": "AssociateTransitGatewayRouteTable", + "description": "Grants permission to associate a policy table with a transit gateway attachment", + "privilege": "AssociateTransitGatewayPolicyTable", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53092,21 +59562,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "transit-gateway-route-table*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to associate a branch network interface with a trunk network interface", - "privilege": "AssociateTrunkInterface", - "resource_types": [ + "resource_type": "transit-gateway-policy-table*" + }, { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53114,113 +59578,101 @@ }, { "access_level": "Write", - "description": "Grants permission to associate a CIDR block with a VPC", - "privilege": "AssociateVpcCidrBlock", + "description": "Grants permission to associate an attachment with a transit gateway route table", + "privilege": "AssociateTransitGatewayRouteTable", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "vpc*" + "resource_type": "transit-gateway-attachment*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "ipv6pool-ec2" + "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups", - "privilege": "AttachClassicLinkVpc", + "description": "Grants permission to associate a branch network interface with a trunk network interface", + "privilege": "AssociateTrunkInterface", "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:AvailabilityZone", - "ec2:EbsOptimized", - "ec2:InstanceMarketType", - "ec2:InstanceProfile", - "ec2:InstanceType", - "ec2:MetadataHttpEndpoint", - "ec2:MetadataHttpPutResponseHopLimit", - "ec2:MetadataHttpTokens", - "ec2:PlacementGroup", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:RootDeviceType", - "ec2:Tenancy" + "ec2:Region" ], "dependent_actions": [], - "resource_type": "instance*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a CIDR block with a VPC", + "privilege": "AssociateVpcCidrBlock", + "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:Ipv4IpamPoolId", + "ec2:Ipv6IpamPoolId", "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], - "resource_type": "security-group*" + "resource_type": "vpc*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "vpc*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to attach an internet gateway to a VPC", - "privilege": "AttachInternetGateway", - "resource_types": [ + "resource_type": "ipam-pool" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "internet-gateway*" + "resource_type": "ipv6pool-ec2" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Region" ], "dependent_actions": [], - "resource_type": "vpc*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to attach a network interface to an instance", - "privilege": "AttachNetworkInterface", + "description": "Grants permission to link an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups", + "privilege": "AttachClassicLinkVpc", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", @@ -53228,7 +59680,6 @@ "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -53236,17 +59687,114 @@ "dependent_actions": [], "resource_type": "instance*" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy", + "ec2:VpcID" + ], + "dependent_actions": [], + "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to attach an internet gateway to a VPC", + "privilege": "AttachInternetGateway", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:InternetGatewayID", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "internet-gateway*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy", + "ec2:VpcID" + ], + "dependent_actions": [], + "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to attach a network interface to an instance", + "privilege": "AttachNetworkInterface", + "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", + "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:MetadataHttpEndpoint", + "ec2:MetadataHttpPutResponseHopLimit", + "ec2:MetadataHttpTokens", + "ec2:PlacementGroup", + "ec2:ProductCode", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53260,6 +59808,7 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", @@ -53267,7 +59816,7 @@ "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -53281,8 +59830,8 @@ "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -53290,6 +59839,13 @@ ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53301,9 +59857,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" @@ -53311,11 +59867,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53331,13 +59893,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53349,14 +59917,28 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "security-group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-group-rule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53368,14 +59950,28 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "security-group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "security-group-rule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53385,7 +59981,9 @@ "privilege": "BundleInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53397,7 +59995,9 @@ "privilege": "CancelBundleTask", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53412,11 +60012,17 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:CapacityReservationFleet", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53428,11 +60034,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation-fleet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53442,7 +60054,9 @@ "privilege": "CancelConversionTask", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53456,7 +60070,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53465,11 +60078,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "export-instance-task" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53481,7 +60100,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53490,11 +60108,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "import-snapshot-task" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53504,7 +60128,9 @@ "privilege": "CancelReservedInstancesListing", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53518,11 +60144,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "spot-fleet-request*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53534,11 +60166,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "spot-instances-request*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53548,7 +60186,9 @@ "privilege": "ConfirmProductInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53561,11 +60201,17 @@ "resource_types": [ { "condition_keys": [ - "ec2:Owner", - "ec2:Region" + "ec2:Owner" ], "dependent_actions": [], "resource_type": "fpga-image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53576,11 +60222,18 @@ "resource_types": [ { "condition_keys": [ - "ec2:Owner", - "ec2:Region" + "ec2:ImageID", + "ec2:Owner" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53591,16 +60244,23 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:OutpostArn", - "ec2:Region", + "ec2:SnapshotID", "ec2:SourceOutpostArn" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53611,15 +60271,21 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:CapacityReservationFleet", - "ec2:Region" + "ec2:CapacityReservationFleet" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "capacity-reservation*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53628,16 +60294,21 @@ "description": "Grants permission to create a Capacity Reservation Fleet", "privilege": "CreateCapacityReservationFleet", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "capacity-reservation-fleet*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "capacity-reservation-fleet*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53647,11 +60318,7 @@ "privilege": "CreateCarrierGateway", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -53660,12 +60327,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53676,13 +60352,10 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], @@ -53694,8 +60367,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID" ], "dependent_actions": [], "resource_type": "security-group" @@ -53703,11 +60376,20 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53723,7 +60405,6 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" @@ -53734,29 +60415,55 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device", - "privilege": "CreateCustomerGateway", + "description": "Grants permission to allow a service to access a customer owned IP (CoIP) pool", + "privilege": "CreateCoipPoolPermission", "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region" ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a customer gateway, which provides information to AWS about your customer gateway device", + "privilege": "CreateCustomerGateway", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "customer-gateway*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53766,7 +60473,9 @@ "privilege": "CreateDefaultSubnet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53778,7 +60487,9 @@ "privilege": "CreateDefaultVpc", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -53791,14 +60502,21 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:DhcpOptionsID" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "dhcp-options*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53808,11 +60526,7 @@ "privilege": "CreateEgressOnlyInternetGateway", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -53821,12 +60535,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53836,11 +60559,7 @@ "privilege": "CreateFleet", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -53848,14 +60567,12 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", - "ec2:Region", "ec2:RootDeviceType", "ec2:Tenancy" ], @@ -53865,10 +60582,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], @@ -53880,7 +60597,6 @@ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53889,7 +60605,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53901,7 +60616,7 @@ "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -53912,8 +60627,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -53922,8 +60637,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -53934,8 +60649,8 @@ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], @@ -53946,12 +60661,36 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:KmsKeyId", + "ec2:ParentSnapshot", + "ec2:VolumeID", + "ec2:VolumeIops", + "ec2:VolumeSize", + "ec2:VolumeThroughput", + "ec2:VolumeType" + ], + "dependent_actions": [], + "resource_type": "volume" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -53961,11 +60700,7 @@ "privilege": "CreateFlowLogs", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags", "iam:PassRole" @@ -53976,7 +60711,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -53988,8 +60723,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -53998,12 +60733,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54014,16 +60758,22 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Owner", - "ec2:Public", - "ec2:Region" + "ec2:Public" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "fpga-image*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54034,11 +60784,8 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Owner", - "ec2:Public", - "ec2:Region" + "ec2:ImageID", + "ec2:Owner" ], "dependent_actions": [ "ec2:CreateTags" @@ -54050,14 +60797,17 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -54067,18 +60817,25 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependent_actions": [], - "resource_type": "snapshot" + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54087,16 +60844,21 @@ "description": "Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run", "privilege": "CreateInstanceEventWindow", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "instance-event-window*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "instance-event-window*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54106,11 +60868,7 @@ "privilege": "CreateInstanceExportTask", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -54121,19 +60879,31 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54142,53 +60912,157 @@ "description": "Grants permission to create an internet gateway for a VPC", "privilege": "CreateInternetGateway", "resource_types": [ + { + "condition_keys": [ + "ec2:InternetGatewayID" + ], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "internet-gateway*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon VPC IP Address Manager (IPAM)", + "privilege": "CreateIpam", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [ - "ec2:CreateTags" + "ec2:CreateTags", + "iam:CreateServiceLinkedRole" ], - "resource_type": "internet-gateway*" + "resource_type": "ipam*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a 2048-bit RSA key pair", - "privilege": "CreateKeyPair", + "description": "Grants permission to create an IP address pool for Amazon VPC IP Address Manager (IPAM), which is a collection of contiguous IP address CIDRs", + "privilege": "CreateIpamPool", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-scope*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:KeyPairType", "ec2:Region" ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon VPC IP Address Manager (IPAM) scope, which is the highest-level container within IPAM", + "privilege": "CreateIpamScope", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [ "ec2:CreateTags" ], - "resource_type": "key-pair*" + "resource_type": "ipam*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ipam-scope*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a launch template", - "privilege": "CreateLaunchTemplate", + "description": "Grants permission to create a 2048-bit RSA key pair", + "privilege": "CreateKeyPair", "resource_types": [ + { + "condition_keys": [ + "ec2:KeyPairType" + ], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "key-pair*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a launch template", + "privilege": "CreateLaunchTemplate", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54200,11 +61074,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54216,7 +61096,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54225,11 +61104,39 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "local-gateway-virtual-interface-group*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to allow a service to access a local gateway route table", + "privilege": "CreateLocalGatewayRouteTablePermission", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "local-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54241,7 +61148,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ @@ -54250,23 +61156,28 @@ "resource_type": "local-gateway-route-table*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "local-gateway-route-table-vpc-association*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54275,16 +61186,21 @@ "description": "Grants permission to create a managed prefix list", "privilege": "CreateManagedPrefixList", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "prefix-list*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "prefix-list*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54294,11 +61210,7 @@ "privilege": "CreateNatGateway", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -54308,8 +61220,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -54321,11 +61233,19 @@ "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "elastic-ip" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54336,9 +61256,7 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:NetworkAclID" ], "dependent_actions": [ "ec2:CreateTags" @@ -54348,12 +61266,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54365,26 +61292,52 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-acl*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a path to analyze for reachability", - "privilege": "CreateNetworkInsightsPath", + "description": "Grants permission to create a Network Access Scope", + "privilege": "CreateNetworkInsightsAccessScope", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "network-insights-access-scope*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a path to analyze for reachability", + "privilege": "CreateNetworkInsightsPath", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -54395,10 +61348,10 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -54409,7 +61362,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54421,7 +61374,7 @@ "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -54432,7 +61385,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54441,7 +61393,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54451,9 +61402,9 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", - "ec2:Region", "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcPeeringConnectionID" ], "dependent_actions": [], "resource_type": "vpc-peering-connection" @@ -54461,11 +61412,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54476,9 +61435,7 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:NetworkInterfaceID" ], "dependent_actions": [ "ec2:CreateTags" @@ -54489,8 +61446,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -54499,12 +61456,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54519,14 +61485,21 @@ "ec2:AuthorizedService", "ec2:AuthorizedUser", "ec2:AvailabilityZone", + "ec2:NetworkInterfaceID", "ec2:Permission", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54535,17 +61508,47 @@ "description": "Grants permission to create a placement group", "privilege": "CreatePlacementGroup", "resource_types": [ + { + "condition_keys": [ + "ec2:PlacementGroupName", + "ec2:PlacementGroupStrategy" + ], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "placement-group*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:PlacementGroupStrategy", "ec2:Region" ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a public IPv4 address pool for public IPv4 CIDRs that you own and bring to Amazon to manage with Amazon VPC IP Address Manager (IPAM)", + "privilege": "CreatePublicIpv4Pool", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], - "resource_type": "placement-group*" + "resource_type": "network-insights-access-scope*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54559,14 +61562,17 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -54577,19 +61583,13 @@ "resource_type": "instance*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "replace-root-volume-task*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:VolumeID" ], "dependent_actions": [], "resource_type": "volume*" @@ -54599,13 +61599,22 @@ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54615,7 +61624,9 @@ "privilege": "CreateReservedInstancesListing", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -54628,15 +61639,22 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Owner", - "ec2:Region" + "ec2:ImageID", + "ec2:Owner" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54648,12 +61666,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54664,9 +61689,7 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:RouteTableID" ], "dependent_actions": [ "ec2:CreateTags" @@ -54676,12 +61699,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54692,9 +61724,7 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:SecurityGroupID" ], "dependent_actions": [ "ec2:CreateTags" @@ -54704,12 +61734,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54720,11 +61759,9 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:OutpostArn", "ec2:ParentVolume", - "ec2:Region", + "ec2:SnapshotID", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], @@ -54737,14 +61774,24 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", + "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54758,10 +61805,10 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -54773,11 +61820,9 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:OutpostArn", "ec2:ParentVolume", - "ec2:Region", + "ec2:SnapshotID", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], @@ -54788,14 +61833,24 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Encrypted", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", + "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54805,7 +61860,9 @@ "privilege": "CreateSpotDatafeedSubscription", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -54819,15 +61876,22 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54838,9 +61902,7 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:SubnetID" ], "dependent_actions": [ "ec2:CreateTags" @@ -54850,12 +61912,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -54865,7 +61936,9 @@ "privilege": "CreateSubnetCidrReservation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -54879,7 +61952,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54888,12 +61960,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation-fleet" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "carrier-gateway" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -54901,7 +61982,6 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" @@ -54912,7 +61992,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54926,7 +62005,6 @@ "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54935,7 +62013,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:DhcpOptionsID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54944,7 +62022,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54954,7 +62031,6 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:ElasticGpuType", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54966,7 +62042,6 @@ "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54975,7 +62050,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54984,7 +62058,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -54993,7 +62066,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55004,7 +62076,6 @@ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55013,7 +62084,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55022,10 +62092,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], @@ -55035,7 +62105,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55044,7 +62113,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55055,14 +62123,17 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -55073,7 +62144,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55082,7 +62152,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55091,7 +62161,30 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-scope" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55100,7 +62193,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55111,7 +62203,6 @@ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55120,7 +62211,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55129,7 +62219,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55138,7 +62227,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55147,7 +62235,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55156,7 +62243,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55165,7 +62251,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55174,7 +62259,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55183,7 +62267,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55192,13 +62275,45 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-acl" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-access-scope" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-access-scope-analysis" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-analysis" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-path" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -55206,8 +62321,8 @@ "ec2:AuthorizedService", "ec2:AuthorizedUser", "ec2:AvailabilityZone", + "ec2:NetworkInterfaceID", "ec2:Permission", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -55218,8 +62333,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55228,7 +62343,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55237,7 +62351,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55248,7 +62361,6 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:InstanceType", - "ec2:Region", "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -55259,8 +62371,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -55269,8 +62381,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -55279,7 +62391,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55292,8 +62403,8 @@ "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], @@ -55303,7 +62414,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55312,7 +62422,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55322,8 +62431,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -55332,7 +62441,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "subnet-cidr-reservation" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55341,7 +62457,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55350,7 +62465,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55359,7 +62473,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55368,7 +62481,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55377,7 +62489,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55386,7 +62497,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55395,20 +62505,35 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-policy-table" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table-announcement" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -55420,9 +62545,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" @@ -55430,7 +62555,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55439,7 +62563,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName" ], @@ -55449,7 +62572,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55459,9 +62581,9 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", - "ec2:Region", "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcPeeringConnectionID" ], "dependent_actions": [], "resource_type": "vpc-peering-connection" @@ -55474,6 +62596,7 @@ "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", + "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", @@ -55483,9 +62606,9 @@ "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PreSharedKeys", - "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ReplayWindowSizePackets", "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], @@ -55495,7 +62618,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55503,7 +62625,8 @@ }, { "condition_keys": [ - "ec2:CreateAction" + "ec2:CreateAction", + "ec2:Region" ], "dependent_actions": [], "resource_type": "" @@ -55515,16 +62638,21 @@ "description": "Grants permission to create a traffic mirror filter", "privilege": "CreateTrafficMirrorFilter", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "traffic-mirror-filter*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "traffic-mirror-filter*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55536,11 +62664,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55552,7 +62686,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ @@ -55563,29 +62697,32 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "traffic-mirror-session*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-target*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55595,11 +62732,7 @@ "privilege": "CreateTrafficMirrorTarget", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -55608,11 +62741,30 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServiceName", + "ec2:VpceServiceOwner" + ], + "dependent_actions": [], + "resource_type": "vpc-endpoint" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55621,16 +62773,21 @@ "description": "Grants permission to create a transit gateway", "privilege": "CreateTransitGateway", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "transit-gateway*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "transit-gateway*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55639,16 +62796,21 @@ "description": "Grants permission to create a Connect attachment from a specified transit gateway attachment", "privilege": "CreateTransitGatewayConnect", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "transit-gateway-attachment*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "transit-gateway-attachment*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55660,7 +62822,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ @@ -55668,6 +62829,11 @@ ], "resource_type": "transit-gateway-attachment*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "transit-gateway-connect-peer*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -55675,7 +62841,7 @@ "ec2:Region" ], "dependent_actions": [], - "resource_type": "transit-gateway-connect-peer*" + "resource_type": "" } ] }, @@ -55687,7 +62853,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ @@ -55695,6 +62860,11 @@ ], "resource_type": "transit-gateway*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "transit-gateway-multicast-domain*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -55702,7 +62872,7 @@ "ec2:Region" ], "dependent_actions": [], - "resource_type": "transit-gateway-multicast-domain*" + "resource_type": "" } ] }, @@ -55714,7 +62884,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ @@ -55722,6 +62891,11 @@ ], "resource_type": "transit-gateway*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -55729,7 +62903,38 @@ "ec2:Region" ], "dependent_actions": [], - "resource_type": "transit-gateway-attachment*" + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a transit gateway policy table", + "privilege": "CreateTransitGatewayPolicyTable", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "transit-gateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "transit-gateway-policy-table*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55741,7 +62946,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55750,7 +62954,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55759,11 +62962,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55775,7 +62984,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -55784,11 +62992,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55800,7 +63014,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ @@ -55808,6 +63021,11 @@ ], "resource_type": "transit-gateway*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -55815,25 +63033,37 @@ "ec2:Region" ], "dependent_actions": [], - "resource_type": "transit-gateway-route-table*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to attach a VPC to a transit gateway", - "privilege": "CreateTransitGatewayVpcAttachment", + "description": "Grants permission to create an announcement for a transit gateway route table", + "privilege": "CreateTransitGatewayRouteTableAnnouncement", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ "ec2:CreateTags" ], - "resource_type": "transit-gateway*" + "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table-announcement*" }, { "condition_keys": [ @@ -55842,14 +63072,36 @@ "ec2:Region" ], "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to attach a VPC to a transit gateway", + "privilege": "CreateTransitGatewayVpcAttachment", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "transit-gateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], "resource_type": "transit-gateway-attachment*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" @@ -55858,12 +63110,21 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55874,13 +63135,12 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:KmsKeyId", "ec2:ParentSnapshot", - "ec2:Region", + "ec2:VolumeID", + "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", "ec2:VolumeType" @@ -55889,6 +63149,15 @@ "ec2:CreateTags" ], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55899,9 +63168,9 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" + "ec2:Ipv4IpamPoolId", + "ec2:Ipv6IpamPoolId", + "ec2:VpcID" ], "dependent_actions": [ "ec2:CreateTags" @@ -55911,11 +63180,27 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "ipv6pool-ec2" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55927,8 +63212,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcID" ], "dependent_actions": [ "ec2:CreateTags", @@ -55938,9 +63223,6 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", "ec2:VpceServiceName", "ec2:VpceServiceOwner" ], @@ -55950,8 +63232,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID" ], "dependent_actions": [], "resource_type": "route-table" @@ -55959,8 +63241,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID" ], "dependent_actions": [], "resource_type": "security-group" @@ -55968,11 +63250,20 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55984,11 +63275,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -55999,15 +63296,21 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56019,9 +63322,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [ "ec2:CreateTags" @@ -56030,14 +63333,21 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AccepterVpc", - "ec2:Region", - "ec2:RequesterVpc" + "ec2:RequesterVpc", + "ec2:VpcPeeringConnectionID" ], "dependent_actions": [], "resource_type": "vpc-peering-connection*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56049,7 +63359,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ @@ -56059,13 +63368,12 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", + "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", @@ -56075,9 +63383,9 @@ "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PreSharedKeys", - "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ReplayWindowSizePackets", "ec2:RoutingType" ], "dependent_actions": [], @@ -56086,7 +63394,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56095,11 +63402,27 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56111,11 +63434,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56124,16 +63453,21 @@ "description": "Grants permission to create a virtual private gateway", "privilege": "CreateVpnGateway", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "vpn-gateway*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "vpn-gateway*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56145,11 +63479,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "carrier-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56165,13 +63505,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56187,7 +63533,6 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" @@ -56199,12 +63544,33 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deny a service from accessing a customer owned IP (CoIP) pool", + "privilege": "DeleteCoipPoolPermission", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56216,11 +63582,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "customer-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56232,11 +63604,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:DhcpOptionsID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dhcp-options*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56248,11 +63627,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "egress-only-internet-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56264,11 +63649,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fleet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56280,11 +63671,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-flow-log*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56298,11 +63695,17 @@ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fpga-image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56314,11 +63717,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "instance-event-window*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56330,11 +63739,84 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "internet-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon VPC IP Address Manager (IPAM) and remove all monitored data associated with the IPAM including the historical data for CIDRs", + "privilege": "DeleteIpam", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "DeleteIpamPool", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the scope for an Amazon VPC IP Address Manager (IPAM)", + "privilege": "DeleteIpamScope", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-scope*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56348,11 +63830,17 @@ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "key-pair" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56364,11 +63852,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56380,11 +63874,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56396,11 +63896,39 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "local-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deny a service from accessing a local gateway route table", + "privilege": "DeleteLocalGatewayRouteTablePermission", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "local-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56412,11 +63940,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "local-gateway-route-table-vpc-association*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56428,11 +63962,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "prefix-list*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56444,11 +63984,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "natgateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56460,12 +64006,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-acl*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56477,12 +64030,63 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-acl*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Network Access Scope", + "privilege": "DeleteNetworkInsightsAccessScope", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-access-scope*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Network Access Scope analysis", + "privilege": "DeleteNetworkInsightsAccessScopeAnalysis", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-access-scope-analysis*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56494,11 +64098,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "network-insights-analysis*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56510,11 +64120,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "network-insights-path*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56527,13 +64143,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56548,13 +64171,20 @@ "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56566,12 +64196,41 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "placement-group" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a public IPv4 address pool for public IPv4 CIDRs that you own and brought to Amazon to manage with Amazon VPC IP Address Manager (IPAM)", + "privilege": "DeletePublicIpv4Pool", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv4pool-ec2*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56581,7 +64240,31 @@ "privilege": "DeleteQueuedReservedInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove an IAM policy that enables cross-account sharing from a resource", + "privilege": "DeleteResourcePolicy", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -56595,8 +64278,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -56604,12 +64287,10 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], - "resource_type": "prefix-list" + "resource_type": "" } ] }, @@ -56621,12 +64302,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56638,12 +64326,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56658,14 +64353,21 @@ "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56675,7 +64377,9 @@ "privilege": "DeleteSpotDatafeedSubscription", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -56690,12 +64394,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -56705,7 +64416,9 @@ "privilege": "DeleteSubnetCidrReservation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -56719,7 +64432,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56728,7 +64440,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56737,7 +64448,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "carrier-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56746,7 +64464,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56755,7 +64472,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56764,7 +64480,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56773,7 +64488,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56782,7 +64496,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56791,7 +64504,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56800,7 +64512,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56809,7 +64520,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56818,7 +64528,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56827,7 +64536,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56836,7 +64544,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56845,7 +64552,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56854,7 +64560,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56863,7 +64568,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56872,7 +64576,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56881,7 +64584,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56890,7 +64592,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56899,7 +64600,30 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-scope" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56908,7 +64632,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56917,7 +64640,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56926,7 +64648,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56935,7 +64656,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56944,7 +64664,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56953,7 +64672,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56962,7 +64680,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56971,7 +64688,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56980,7 +64696,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56989,7 +64704,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -56998,7 +64712,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57007,7 +64720,38 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-access-scope" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-access-scope-analysis" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-analysis" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-path" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57016,7 +64760,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57025,7 +64768,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57034,7 +64776,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57043,7 +64784,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57052,7 +64792,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57061,7 +64800,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57070,7 +64808,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57079,7 +64816,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57088,7 +64824,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57097,7 +64832,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57106,7 +64840,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57115,7 +64848,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "subnet-cidr-reservation" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57124,7 +64864,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57133,7 +64872,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57142,7 +64880,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57151,7 +64888,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57160,7 +64896,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57169,7 +64904,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57178,7 +64912,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-policy-table" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57187,7 +64928,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table-announcement" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57196,7 +64944,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57205,7 +64952,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57214,7 +64960,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57223,7 +64968,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57232,7 +64976,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57241,7 +64984,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57250,11 +64992,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway" + }, + { + "condition_keys": [ + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57266,11 +65015,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57282,18 +65037,22 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "traffic-mirror-filter-rule*" + }, { "condition_keys": [ "ec2:Region" ], "dependent_actions": [], - "resource_type": "traffic-mirror-filter-rule*" + "resource_type": "" } ] }, @@ -57305,11 +65064,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-session*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57321,11 +65086,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-target*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57337,11 +65108,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57353,11 +65130,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57369,11 +65152,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-connect-peer*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57385,11 +65174,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57401,11 +65196,39 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a transit gateway policy table", + "privilege": "DeleteTransitGatewayPolicyTable", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-policy-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57417,7 +65240,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57426,11 +65248,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57442,11 +65270,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57458,11 +65292,39 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a transit gateway route table announcement", + "privilege": "DeleteTransitGatewayRouteTableAnnouncement", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table-announcement*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57474,11 +65336,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57493,8 +65361,8 @@ "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -57502,6 +65370,13 @@ ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57513,12 +65388,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57530,7 +65412,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -57539,11 +65420,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57555,11 +65442,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57571,12 +65464,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VpceServiceName" ], "dependent_actions": [], "resource_type": "vpc-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57589,12 +65488,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", - "ec2:Region", "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcPeeringConnectionID" ], "dependent_actions": [], "resource_type": "vpc-peering-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57606,11 +65512,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57622,11 +65534,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57638,11 +65556,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57652,7 +65576,53 @@ "privilege": "DeprovisionByoipCidr", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deprovision a CIDR provisioned from an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "DeprovisionIpamPoolCidr", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deprovision a CIDR from a public IPv4 pool", + "privilege": "DeprovisionPublicIpv4PoolCidr", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv4pool-ec2*" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57666,15 +65636,22 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57684,7 +65661,9 @@ "privilege": "DeregisterInstanceEventNotificationAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57699,7 +65678,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -57710,11 +65689,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57727,7 +65712,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -57738,11 +65723,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57752,7 +65743,9 @@ "privilege": "DescribeAccountAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57764,7 +65757,9 @@ "privilege": "DescribeAddresses", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57781,11 +65776,17 @@ "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "elastic-ip" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57795,7 +65796,9 @@ "privilege": "DescribeAggregateIdFormat", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57807,7 +65810,9 @@ "privilege": "DescribeAvailabilityZones", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57819,7 +65824,9 @@ "privilege": "DescribeBundleTasks", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57831,7 +65838,23 @@ "privilege": "DescribeByoipCidrs", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe one or more Capacity Reservation Fleets", + "privilege": "DescribeCapacityReservationFleets", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57843,7 +65866,9 @@ "privilege": "DescribeCapacityReservations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57855,7 +65880,9 @@ "privilege": "DescribeCarrierGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57867,7 +65894,9 @@ "privilege": "DescribeClassicLinkInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -57885,13 +65914,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57907,13 +65942,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57929,13 +65970,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57951,13 +65998,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57973,13 +66026,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -57989,7 +66048,9 @@ "privilege": "DescribeCoipPools", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58001,7 +66062,9 @@ "privilege": "DescribeConversionTasks", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58013,7 +66076,9 @@ "privilege": "DescribeCustomerGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58025,7 +66090,9 @@ "privilege": "DescribeDhcpOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58037,7 +66104,9 @@ "privilege": "DescribeEgressOnlyInternetGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58049,7 +66118,9 @@ "privilege": "DescribeElasticGpus", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58061,7 +66132,9 @@ "privilege": "DescribeExportImageTasks", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58073,7 +66146,36 @@ "privilege": "DescribeExportTasks", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe fast-launch enabled Windows AMIs", + "privilege": "DescribeFastLaunchImages", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageID", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58085,7 +66187,9 @@ "privilege": "DescribeFastSnapshotRestores", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58099,11 +66203,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fleet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -58115,11 +66225,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fleet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -58131,11 +66247,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fleet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -58145,7 +66267,9 @@ "privilege": "DescribeFlowLogs", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58162,11 +66286,17 @@ "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "fpga-image" + "resource_type": "fpga-image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -58176,7 +66306,9 @@ "privilege": "DescribeFpgaImages", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58188,7 +66320,9 @@ "privilege": "DescribeHostReservationOfferings", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58200,7 +66334,9 @@ "privilege": "DescribeHostReservations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58212,7 +66348,9 @@ "privilege": "DescribeHosts", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58224,7 +66362,9 @@ "privilege": "DescribeIamInstanceProfileAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58236,7 +66376,9 @@ "privilege": "DescribeIdFormat", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58248,7 +66390,9 @@ "privilege": "DescribeIdentityIdFormat", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58262,15 +66406,22 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -58280,7 +66431,9 @@ "privilege": "DescribeImages", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58292,7 +66445,9 @@ "privilege": "DescribeImportImageTasks", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58304,7 +66459,9 @@ "privilege": "DescribeImportSnapshotTasks", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58320,20 +66477,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -58343,7 +66510,9 @@ "privilege": "DescribeInstanceCreditSpecifications", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58355,7 +66524,9 @@ "privilege": "DescribeInstanceEventNotificationAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58367,7 +66538,9 @@ "privilege": "DescribeInstanceEventWindows", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58379,7 +66552,9 @@ "privilege": "DescribeInstanceStatus", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58391,7 +66566,9 @@ "privilege": "DescribeInstanceTypeOfferings", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58403,7 +66580,9 @@ "privilege": "DescribeInstanceTypes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58415,7 +66594,9 @@ "privilege": "DescribeInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58427,7 +66608,51 @@ "privilege": "DescribeInternetGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe Amazon VPC IP Address Manager (IPAM) pools", + "privilege": "DescribeIpamPools", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe Amazon VPC IP Address Manager (IPAM) scopes", + "privilege": "DescribeIpamScopes", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe an Amazon VPC IP Address Manager (IPAM)", + "privilege": "DescribeIpams", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58439,7 +66664,9 @@ "privilege": "DescribeIpv6Pools", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58451,7 +66678,9 @@ "privilege": "DescribeKeyPairs", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58463,7 +66692,9 @@ "privilege": "DescribeLaunchTemplateVersions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58475,7 +66706,23 @@ "privilege": "DescribeLaunchTemplates", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to allow a service to describe local gateway route table permissions", + "privilege": "DescribeLocalGatewayRouteTablePermissions", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58487,7 +66734,9 @@ "privilege": "DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58499,7 +66748,9 @@ "privilege": "DescribeLocalGatewayRouteTableVpcAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58511,7 +66762,9 @@ "privilege": "DescribeLocalGatewayRouteTables", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58523,7 +66776,9 @@ "privilege": "DescribeLocalGatewayVirtualInterfaceGroups", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58535,7 +66790,9 @@ "privilege": "DescribeLocalGatewayVirtualInterfaces", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58547,7 +66804,9 @@ "privilege": "DescribeLocalGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58559,7 +66818,9 @@ "privilege": "DescribeManagedPrefixLists", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58571,7 +66832,9 @@ "privilege": "DescribeMovingAddresses", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58583,7 +66846,9 @@ "privilege": "DescribeNatGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58595,7 +66860,37 @@ "privilege": "DescribeNetworkAcls", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe one or more Network Access Scope analyses", + "privilege": "DescribeNetworkInsightsAccessScopeAnalyses", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe the Network Access Scopes", + "privilege": "DescribeNetworkInsightsAccessScopes", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58607,7 +66902,9 @@ "privilege": "DescribeNetworkInsightsAnalyses", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58619,7 +66916,9 @@ "privilege": "DescribeNetworkInsightsPaths", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58631,7 +66930,9 @@ "privilege": "DescribeNetworkInterfaceAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58643,7 +66944,9 @@ "privilege": "DescribeNetworkInterfacePermissions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58655,7 +66958,9 @@ "privilege": "DescribeNetworkInterfaces", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58667,7 +66972,9 @@ "privilege": "DescribePlacementGroups", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58679,7 +66986,9 @@ "privilege": "DescribePrefixLists", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58691,7 +67000,9 @@ "privilege": "DescribePrincipalIdFormat", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58703,7 +67014,9 @@ "privilege": "DescribePublicIpv4Pools", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58715,7 +67028,9 @@ "privilege": "DescribeRegions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58727,7 +67042,9 @@ "privilege": "DescribeReplaceRootVolumeTasks", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58739,7 +67056,9 @@ "privilege": "DescribeReservedInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58751,7 +67070,9 @@ "privilege": "DescribeReservedInstancesListings", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58763,7 +67084,9 @@ "privilege": "DescribeReservedInstancesModifications", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58775,7 +67098,9 @@ "privilege": "DescribeReservedInstancesOfferings", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58787,7 +67112,9 @@ "privilege": "DescribeRouteTables", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58799,7 +67126,9 @@ "privilege": "DescribeScheduledInstanceAvailability", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58811,7 +67140,9 @@ "privilege": "DescribeScheduledInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58823,7 +67154,9 @@ "privilege": "DescribeSecurityGroupReferences", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58835,7 +67168,9 @@ "privilege": "DescribeSecurityGroupRules", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58847,7 +67182,9 @@ "privilege": "DescribeSecurityGroups", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58859,7 +67196,40 @@ "privilege": "DescribeSnapshotAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:OutpostArn", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", + "ec2:SnapshotTime", + "ec2:SourceOutpostArn", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe the storage tier status for Amazon EBS snapshots", + "privilege": "DescribeSnapshotTierStatus", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58871,7 +67241,9 @@ "privilege": "DescribeSnapshots", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58883,7 +67255,9 @@ "privilege": "DescribeSpotDatafeedSubscription", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58895,7 +67269,17 @@ "privilege": "DescribeSpotFleetInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "spot-fleet-request" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58907,7 +67291,17 @@ "privilege": "DescribeSpotFleetRequestHistory", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "spot-fleet-request" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58919,7 +67313,9 @@ "privilege": "DescribeSpotFleetRequests", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58931,7 +67327,9 @@ "privilege": "DescribeSpotInstanceRequests", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58943,7 +67341,9 @@ "privilege": "DescribeSpotPriceHistory", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58955,7 +67355,9 @@ "privilege": "DescribeStaleSecurityGroups", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58969,15 +67371,22 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -58987,7 +67396,9 @@ "privilege": "DescribeSubnets", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -58999,7 +67410,9 @@ "privilege": "DescribeTags", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59011,7 +67424,9 @@ "privilege": "DescribeTrafficMirrorFilters", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59023,7 +67438,9 @@ "privilege": "DescribeTrafficMirrorSessions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59035,7 +67452,9 @@ "privilege": "DescribeTrafficMirrorTargets", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59047,7 +67466,9 @@ "privilege": "DescribeTransitGatewayAttachments", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59059,7 +67480,9 @@ "privilege": "DescribeTransitGatewayConnectPeers", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59071,7 +67494,9 @@ "privilege": "DescribeTransitGatewayConnects", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59083,7 +67508,9 @@ "privilege": "DescribeTransitGatewayMulticastDomains", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59095,7 +67522,37 @@ "privilege": "DescribeTransitGatewayPeeringAttachments", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to describe a transit gateway policy table", + "privilege": "DescribeTransitGatewayPolicyTables", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to describe a transit gateway route table announcement", + "privilege": "DescribeTransitGatewayRouteTableAnnouncements", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59107,7 +67564,9 @@ "privilege": "DescribeTransitGatewayRouteTables", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59119,7 +67578,9 @@ "privilege": "DescribeTransitGatewayVpcAttachments", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59131,7 +67592,9 @@ "privilege": "DescribeTransitGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59143,7 +67606,9 @@ "privilege": "DescribeTrunkInterfaceAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59155,7 +67620,26 @@ "privilege": "DescribeVolumeAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:KmsKeyId", + "ec2:ParentSnapshot", + "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", + "ec2:VolumeIops", + "ec2:VolumeSize", + "ec2:VolumeThroughput", + "ec2:VolumeType" + ], + "dependent_actions": [], + "resource_type": "volume" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59167,7 +67651,9 @@ "privilege": "DescribeVolumeStatus", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59179,7 +67665,9 @@ "privilege": "DescribeVolumes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59191,7 +67679,9 @@ "privilege": "DescribeVolumesModifications", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59203,7 +67693,19 @@ "privilege": "DescribeVpcAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy", + "ec2:VpcID" + ], + "dependent_actions": [], + "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59215,7 +67717,9 @@ "privilege": "DescribeVpcClassicLink", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59227,7 +67731,9 @@ "privilege": "DescribeVpcClassicLinkDnsSupport", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59239,7 +67745,9 @@ "privilege": "DescribeVpcEndpointConnectionNotifications", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59251,7 +67759,9 @@ "privilege": "DescribeVpcEndpointConnections", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59263,7 +67773,9 @@ "privilege": "DescribeVpcEndpointServiceConfigurations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59275,7 +67787,9 @@ "privilege": "DescribeVpcEndpointServicePermissions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59287,7 +67801,9 @@ "privilege": "DescribeVpcEndpointServices", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59299,7 +67815,9 @@ "privilege": "DescribeVpcEndpoints", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59311,7 +67829,9 @@ "privilege": "DescribeVpcPeeringConnections", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59323,7 +67843,9 @@ "privilege": "DescribeVpcs", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59335,7 +67857,9 @@ "privilege": "DescribeVpnConnections", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59347,7 +67871,9 @@ "privilege": "DescribeVpnGateways", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59363,6 +67889,7 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", @@ -59370,7 +67897,6 @@ "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -59381,12 +67907,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59398,7 +67931,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:InternetGatewayID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -59407,12 +67940,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59426,14 +67966,17 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -59445,13 +67988,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59466,8 +68016,8 @@ "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -59481,6 +68031,7 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", @@ -59488,13 +68039,20 @@ "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59506,9 +68064,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" @@ -59516,11 +68074,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59530,7 +68094,36 @@ "privilege": "DisableEbsEncryptionByDefault", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable faster launching for Windows AMIs", + "privilege": "DisableFastLaunch", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageID", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59548,13 +68141,20 @@ "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59566,15 +68166,38 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account", + "privilege": "DisableIpamOrganizationAdminAccount", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [ + "organizations:DeregisterDelegatedAdministrator" + ], + "resource_type": "" } ] }, @@ -59584,7 +68207,9 @@ "privilege": "DisableSerialConsoleAccess", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59598,7 +68223,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -59607,11 +68231,25 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table-announcement" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59623,8 +68261,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -59633,11 +68271,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59649,12 +68293,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59666,12 +68317,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59686,7 +68344,6 @@ "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -59696,13 +68353,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59718,13 +68382,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59742,6 +68412,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "role*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59755,20 +68432,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59780,11 +68467,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "instance-event-window*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59796,8 +68489,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -59807,12 +68500,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59825,12 +68525,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59843,8 +68550,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -59853,7 +68560,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -59862,11 +68568,47 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a policy table from a transit gateway", + "privilege": "DisassociateTransitGatewayPolicyTable", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-policy-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59878,7 +68620,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -59887,11 +68628,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59901,7 +68648,9 @@ "privilege": "DisassociateTrunkInterface", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59915,12 +68664,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59930,7 +68686,44 @@ "privilege": "EnableEbsEncryptionByDefault", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable faster launching for Windows AMIs", + "privilege": "EnableFastLaunch", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageID", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59948,13 +68741,20 @@ "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -59966,15 +68766,40 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable an AWS Organizations member account as an Amazon VPC IP Address Manager (IPAM) admin account", + "privilege": "EnableIpamOrganizationAdminAccount", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "organizations:EnableAWSServiceAccess", + "organizations:RegisterDelegatedAdministrator" + ], + "resource_type": "" } ] }, @@ -59984,7 +68809,9 @@ "privilege": "EnableSerialConsoleAccess", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -59998,20 +68825,33 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "transit-gateway-attachment*" + "resource_type": "transit-gateway-route-table*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "transit-gateway-route-table*" + "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table-announcement" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60023,8 +68863,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -60033,11 +68873,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-gateway*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60052,8 +68898,8 @@ "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -60061,6 +68907,13 @@ ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60072,12 +68925,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60089,12 +68949,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60110,13 +68977,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60132,13 +69005,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60148,11 +69027,7 @@ "privilege": "ExportImage", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -60161,15 +69036,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60179,7 +69063,9 @@ "privilege": "ExportTransitGatewayRoutes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60194,6 +69080,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "certificate*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60203,7 +69096,9 @@ "privilege": "GetAssociatedIpv6PoolCidrs", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60217,11 +69112,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:CapacityReservationFleet", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60231,7 +69133,9 @@ "privilege": "GetCoipPoolUsage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60247,20 +69151,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60270,7 +69184,33 @@ "privilege": "GetConsoleScreenshot", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", + "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:MetadataHttpEndpoint", + "ec2:MetadataHttpPutResponseHopLimit", + "ec2:MetadataHttpTokens", + "ec2:NewInstanceProfile", + "ec2:PlacementGroup", + "ec2:ProductCode", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60282,7 +69222,9 @@ "privilege": "GetDefaultCreditSpecification", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60294,7 +69236,9 @@ "privilege": "GetEbsDefaultKmsKeyId", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60306,7 +69250,9 @@ "privilege": "GetEbsEncryptionByDefault", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60320,11 +69266,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-flow-log*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60336,11 +69288,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:CapacityReservationFleet", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60350,7 +69309,157 @@ "privilege": "GetHostReservationPurchasePreview", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view a list of instance types with specified instance attributes", + "privilege": "GetInstanceTypesFromInstanceRequirements", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the binary representation of the UEFI variable store", + "privilege": "GetInstanceUefiData", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", + "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:MetadataHttpEndpoint", + "ec2:MetadataHttpPutResponseHopLimit", + "ec2:MetadataHttpTokens", + "ec2:NewInstanceProfile", + "ec2:PlacementGroup", + "ec2:ProductCode", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve historical information about a CIDR within an Amazon VPC IP Address Manager (IPAM) scope", + "privilege": "GetIpamAddressHistory", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-scope*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a list of all the CIDR allocations in an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "GetIpamPoolAllocations", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the CIDRs provisioned to an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "GetIpamPoolCidrs", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about the resources in an Amazon VPC IP Address Manager (IPAM) scope", + "privilege": "GetIpamResourceCidrs", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-scope*" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60366,20 +69475,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60391,11 +69510,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "prefix-list*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60407,11 +69532,45 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "prefix-list*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the findings for one or more Network Access Scope analyses", + "privilege": "GetNetworkInsightsAccessScopeAnalysisFindings", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the content for a specified Network Access Scope", + "privilege": "GetNetworkInsightsAccessScopeContent", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60425,20 +69584,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60448,7 +69617,31 @@ "privilege": "GetReservedInstancesExchangeQuote", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an IAM policy that enables cross-account sharing", + "privilege": "GetResourcePolicy", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60460,7 +69653,23 @@ "privilege": "GetSerialConsoleAccessStatus", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to calculate the Spot placement score for a Region or Availability Zone based on the specified target capacity and compute requirements", + "privilege": "GetSpotPlacementScores", + "resource_types": [ + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60472,7 +69681,9 @@ "privilege": "GetSubnetCidrReservations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60484,7 +69695,9 @@ "privilege": "GetTransitGatewayAttachmentPropagations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60496,7 +69709,53 @@ "privilege": "GetTransitGatewayMulticastDomainAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about associations for a transit gateway policy table", + "privilege": "GetTransitGatewayPolicyTableAssociations", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-policy-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about associations for a transit gateway policy table entry", + "privilege": "GetTransitGatewayPolicyTableEntries", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-policy-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60508,7 +69767,9 @@ "privilege": "GetTransitGatewayPrefixListReferences", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60520,7 +69781,9 @@ "privilege": "GetTransitGatewayRouteTableAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60532,7 +69795,9 @@ "privilege": "GetTransitGatewayRouteTablePropagations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60546,37 +69811,22 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:AuthenticationType", - "ec2:DPDTimeoutSeconds", - "ec2:GatewayType", - "ec2:IKEVersions", - "ec2:InsideTunnelCidr", - "ec2:Phase1DHGroup", - "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase1LifetimeSeconds", - "ec2:Phase2DHGroup", - "ec2:Phase2EncryptionAlgorithms", - "ec2:Phase2IntegrityAlgorithms", - "ec2:Phase2LifetimeSeconds", - "ec2:PreSharedKeys", - "ec2:Region", - "ec2:RekeyFuzzPercentage", - "ec2:RekeyMarginTimeSeconds", - "ec2:ResourceTag/${TagKey}", - "ec2:RoutingType" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-connection*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpn-connection-device-type" + }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], - "resource_type": "vpn-connection-device-type" + "resource_type": "" } ] }, @@ -60586,7 +69836,9 @@ "privilege": "GetVpnConnectionDeviceTypes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60604,13 +69856,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60621,12 +69879,10 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:RootDeviceType" ], "dependent_actions": [ @@ -60635,11 +69891,7 @@ "resource_type": "image*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "import-image-task*" }, @@ -60648,13 +69900,22 @@ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60667,14 +69928,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:EbsOptimized", - "ec2:InstanceProfile", - "ec2:InstanceType", - "ec2:PlacementGroup", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:RootDeviceType", - "ec2:Tenancy" + "ec2:InstanceID", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "instance*" @@ -60685,8 +69940,8 @@ "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -60698,8 +69953,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -60709,12 +69964,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60723,16 +69985,21 @@ "description": "Grants permission to import a public key from an RSA key pair that was created with a third-party tool", "privilege": "ImportKeyPair", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "key-pair*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region" ], - "dependent_actions": [ - "ec2:CreateTags" - ], - "resource_type": "key-pair*" + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60742,11 +70009,7 @@ "privilege": "ImportSnapshot", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -60754,16 +70017,23 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60778,8 +70048,8 @@ "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -60787,6 +70057,69 @@ ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list Amazon Machine Images (AMIs) that are currently in the Recycle Bin", + "privilege": "ListImagesInRecycleBin", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageID", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Amazon EBS snapshots that are currently in the Recycle Bin", + "privilege": "ListSnapshotsInRecycleBin", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60799,13 +70132,21 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "elastic-ip" + "resource_type": "elastic-ip*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60815,7 +70156,9 @@ "privilege": "ModifyAvailabilityZoneGroup", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60829,13 +70172,20 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:CapacityReservationFleet", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60847,12 +70197,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation-fleet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60864,12 +70221,12 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" @@ -60880,8 +70237,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID" ], "dependent_actions": [], "resource_type": "security-group" @@ -60889,11 +70246,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60903,7 +70267,9 @@ "privilege": "ModifyDefaultCreditSpecification", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60915,7 +70281,9 @@ "privilege": "ModifyEbsDefaultKmsKeyId", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -60929,8 +70297,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -60939,10 +70307,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], @@ -60953,7 +70321,6 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -60962,7 +70329,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -60974,7 +70340,7 @@ "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -60985,8 +70351,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -60997,8 +70363,8 @@ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], @@ -61009,12 +70375,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61026,14 +70399,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fpga-image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61045,12 +70425,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61060,7 +70447,9 @@ "privilege": "ModifyIdFormat", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -61072,7 +70461,9 @@ "privilege": "ModifyIdentityIdFormat", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -61086,16 +70477,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61107,17 +70506,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -61128,8 +70531,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -61141,8 +70544,8 @@ "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -61150,6 +70553,13 @@ ], "dependent_actions": [], "resource_type": "volume" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61161,17 +70571,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -61182,11 +70596,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61198,23 +70618,34 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61227,11 +70658,18 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Attribute/${AttributeName}", - "ec2:Region", + "ec2:InstanceID", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61243,11 +70681,56 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "instance-event-window*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the recovery behaviour for an instance", + "privilege": "ModifyInstanceMaintenanceOptions", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", + "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:MetadataHttpEndpoint", + "ec2:MetadataHttpPutResponseHopLimit", + "ec2:MetadataHttpTokens", + "ec2:PlacementGroup", + "ec2:ProductCode", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61259,23 +70742,34 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61287,17 +70781,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -61308,7 +70806,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61317,80 +70814,201 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "placement-group" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a launch template", - "privilege": "ModifyLaunchTemplate", + "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM)", + "privilege": "ModifyIpam", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "launch-template*" + "resource_type": "ipam*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a managed prefix list", - "privilege": "ModifyManagedPrefixList", + "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "ModifyIpamPool", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "prefix-list*" + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an attribute of a network interface", - "privilege": "ModifyNetworkInterfaceAttribute", + "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) resource CIDR", + "privilege": "ModifyIpamResourceCidr", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:AvailabilityZone", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Subnet", - "ec2:Vpc" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "network-interface*" + "resource_type": "ipam-scope*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the configurations of an Amazon VPC IP Address Manager (IPAM) scope", + "privilege": "ModifyIpamScope", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-scope*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a launch template", + "privilege": "ModifyLaunchTemplate", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a managed prefix list", + "privilege": "ModifyManagedPrefixList", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "prefix-list*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an attribute of a network interface", + "privilege": "ModifyNetworkInterfaceAttribute", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:AvailabilityZone", + "ec2:NetworkInterfaceID", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "network-interface*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -61401,12 +71019,59 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the options for instance hostnames for the specified instance", + "privilege": "ModifyPrivateDnsNameOptions", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", + "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:MetadataHttpEndpoint", + "ec2:MetadataHttpPutResponseHopLimit", + "ec2:MetadataHttpTokens", + "ec2:NewInstanceProfile", + "ec2:PlacementGroup", + "ec2:ProductCode", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61418,16 +71083,23 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:InstanceType", - "ec2:Region", "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "reserved-instances*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61439,8 +71111,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -61449,7 +71123,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61458,11 +71131,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "security-group-rule" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61474,16 +71153,59 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Add/group", + "ec2:Add/userId", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Remove/group", + "ec2:Remove/userId", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to archive Amazon EBS snapshots", + "privilege": "ModifySnapshotTier", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", + "ec2:AvailabilityZone", + "ec2:Encrypted", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61495,8 +71217,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61505,7 +71227,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61515,12 +71236,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61532,14 +71260,22 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61551,12 +71287,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61568,8 +71311,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61577,11 +71320,18 @@ }, { "condition_keys": [ - "ec2:Attribute/${AttributeName}", - "ec2:Region" + "ec2:Attribute", + "ec2:Attribute/${AttributeName}" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter-rule*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61593,8 +71343,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61603,7 +71353,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61612,11 +71361,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-target" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61628,8 +71383,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61638,11 +71393,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61654,7 +71415,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61663,8 +71425,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61673,11 +71435,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61689,8 +71457,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61699,11 +71467,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61715,12 +71490,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -61728,6 +71504,13 @@ ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61739,12 +71522,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -61752,6 +71536,13 @@ ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61763,13 +71554,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61781,8 +71580,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61791,8 +71590,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID" ], "dependent_actions": [], "resource_type": "route-table" @@ -61800,8 +71599,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID" ], "dependent_actions": [], "resource_type": "security-group" @@ -61809,11 +71608,18 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61825,8 +71631,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -61835,12 +71641,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61852,13 +71665,44 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the payer responsibility for a VPC endpoint service", + "privilege": "ModifyVpcEndpointServicePayerResponsibility", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61870,12 +71714,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61888,13 +71739,21 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcPeeringConnectionID" ], "dependent_actions": [], "resource_type": "vpc-peering-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61906,13 +71765,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61924,12 +71791,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", + "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", @@ -61939,14 +71808,21 @@ "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PreSharedKeys", - "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ReplayWindowSizePackets", "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61958,12 +71834,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61975,12 +71858,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -61992,12 +71882,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", + "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", @@ -62007,14 +71899,21 @@ "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PreSharedKeys", - "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ReplayWindowSizePackets", "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62028,20 +71927,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62051,7 +71960,31 @@ "privilege": "MoveAddressToVpc", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to move a BYOIP IPv4 CIDR to Amazon VPC IP Address Manager (IPAM) from a public IPv4 pool", + "privilege": "MoveByoipCidrToIpam", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -62063,7 +71996,61 @@ "privilege": "ProvisionByoipCidr", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision a CIDR to an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "ProvisionIpamPoolCidr", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision a CIDR to a public IPv4 pool", + "privilege": "ProvisionPublicIpv4PoolCidr", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv4pool-ec2" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -62077,13 +72064,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ "ec2:CreateTags" ], "resource_type": "dedicated-host*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62093,7 +72086,9 @@ "privilege": "PurchaseReservedInstancesOffering", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -62105,7 +72100,31 @@ "privilege": "PurchaseScheduledInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to attach an IAM policy that enables cross-account sharing to a resource", + "privilege": "PutResourcePolicy", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -62121,20 +72140,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62146,9 +72175,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:Owner", - "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62160,14 +72188,21 @@ "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62177,7 +72212,9 @@ "privilege": "RegisterInstanceEventNotificationAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -62192,7 +72229,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -62203,11 +72240,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62220,7 +72263,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -62231,11 +72274,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62247,7 +72296,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62256,11 +72304,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62272,11 +72326,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62288,11 +72348,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62304,11 +72370,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62321,12 +72393,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", - "ec2:Region", "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcPeeringConnectionID" ], "dependent_actions": [], "resource_type": "vpc-peering-connection*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62341,11 +72420,17 @@ "ec2:AllocationId", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "elastic-ip" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62357,11 +72442,39 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to release an allocation within an Amazon VPC IP Address Manager (IPAM) pool", + "privilege": "ReleaseIpamPoolAllocation", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipam-pool*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62375,7 +72488,10 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", @@ -62383,7 +72499,7 @@ "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" @@ -62392,6 +72508,13 @@ "iam:PassRole" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62403,7 +72526,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], @@ -62414,12 +72537,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62431,12 +72561,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:NetworkAclID", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-acl*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62448,8 +72585,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -62457,131 +72594,10 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy", - "ec2:Vpc" - ], - "dependent_actions": [], - "resource_type": "carrier-gateway" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "egress-only-internet-gateway" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:AvailabilityZone", - "ec2:EbsOptimized", - "ec2:InstanceMarketType", - "ec2:InstanceProfile", - "ec2:InstanceType", - "ec2:MetadataHttpEndpoint", - "ec2:MetadataHttpPutResponseHopLimit", - "ec2:MetadataHttpTokens", - "ec2:PlacementGroup", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:RootDeviceType", - "ec2:Tenancy" - ], - "dependent_actions": [], - "resource_type": "instance" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "internet-gateway" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "local-gateway" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "natgateway" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:AssociatePublicIpAddress", - "ec2:AuthorizedService", - "ec2:AvailabilityZone", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Subnet", - "ec2:Vpc" - ], - "dependent_actions": [], - "resource_type": "network-interface" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "prefix-list" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "transit-gateway" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "vpc-endpoint" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:AccepterVpc", - "ec2:Region", - "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "vpc-peering-connection" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], - "resource_type": "vpn-gateway" + "resource_type": "" } ] }, @@ -62593,8 +72609,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "dependent_actions": [], @@ -62604,12 +72620,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62621,7 +72644,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62630,11 +72652,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62644,7 +72672,9 @@ "privilege": "ReportInstanceStatus", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -62658,7 +72688,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62667,10 +72696,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], @@ -62682,7 +72711,6 @@ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62691,7 +72719,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62700,8 +72727,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62710,8 +72737,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -62723,8 +72750,8 @@ "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" @@ -62736,12 +72763,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62751,11 +72785,7 @@ "privilege": "RequestSpotInstances", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region" - ], + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -62764,10 +72794,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], @@ -62779,7 +72809,6 @@ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62792,8 +72821,8 @@ "ec2:AuthorizedService", "ec2:AuthorizedUser", "ec2:AvailabilityZone", + "ec2:NetworkInterfaceID", "ec2:Permission", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -62804,8 +72833,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -62814,8 +72843,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -62827,8 +72856,8 @@ "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" @@ -62840,12 +72869,21 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62858,14 +72896,21 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AllocationId", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Domain", "ec2:PublicIpAddress", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "elastic-ip" + "resource_type": "elastic-ip*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62875,7 +72920,9 @@ "privilege": "ResetEbsDefaultKmsKeyId", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -62889,14 +72936,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fpga-image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62908,16 +72962,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], "dependent_actions": [], "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62931,19 +72993,27 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62956,13 +73026,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62974,16 +73051,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -62993,7 +73078,36 @@ "privilege": "RestoreAddressToClassic", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore an Amazon Machine Image (AMI) from the Recycle Bin", + "privilege": "RestoreImageFromRecycleBin", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageID", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image*" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -63007,11 +73121,75 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "prefix-list*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore an Amazon EBS snapshot from the Recycle Bin", + "privilege": "RestoreSnapshotFromRecycleBin", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore an archived Amazon EBS snapshot for use temporarily or permanently, or modify the restore period or restore type for a snapshot that was previously temporarily restored", + "privilege": "RestoreSnapshotTier", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63027,13 +73205,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63045,12 +73229,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63062,12 +73253,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63079,10 +73277,12 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], @@ -63093,18 +73293,21 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:RootDeviceType", "ec2:Tenancy" ], @@ -63113,12 +73316,12 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", + "ec2:NetworkInterfaceID", "ec2:Subnet", "ec2:Vpc" ], @@ -63128,8 +73331,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -63139,8 +73344,10 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], @@ -63148,12 +73355,12 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:ParentSnapshot", - "ec2:Region", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -63165,7 +73372,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -63175,7 +73383,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:ElasticGpuType", - "ec2:Region", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -63186,12 +73395,18 @@ "dependent_actions": [], "resource_type": "elastic-inference" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:IsLaunchTemplateResource", "ec2:KeyPairName", "ec2:KeyPairType", - "ec2:Region", + "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -63200,17 +73415,25 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "launch-template" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "license-configuration" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -63219,15 +73442,26 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63239,10 +73473,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ImageID", "ec2:ImageType", "ec2:Owner", "ec2:Public", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType" ], @@ -63254,7 +73488,6 @@ "aws:ResourceTag/${TagKey}", "ec2:KeyPairName", "ec2:KeyPairType", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -63266,7 +73499,7 @@ "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" @@ -63277,8 +73510,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -63287,8 +73520,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], @@ -63299,8 +73532,8 @@ "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:VolumeSize" ], @@ -63311,12 +73544,19 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63326,7 +73566,17 @@ "privilege": "SearchLocalGatewayRoutes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "local-gateway-route-table" + }, + { + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -63338,7 +73588,9 @@ "privilege": "SearchTransitGatewayMulticastGroups", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -63352,11 +73604,17 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63370,19 +73628,28 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63396,19 +73663,28 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63422,31 +73698,70 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "license-configuration" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to start analyzing a specified path", - "privilege": "StartNetworkInsightsAnalysis", + "description": "Grants permission to start a Network Access Scope analysis", + "privilege": "StartNetworkInsightsAccessScopeAnalysis", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "network-insights-access-scope-analysis*" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], + "dependent_actions": [], + "resource_type": "network-insights-access-scope" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start analyzing a specified path", + "privilege": "StartNetworkInsightsAnalysis", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [ "ec2:CreateTags" ], @@ -63455,11 +73770,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "network-insights-path*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63471,15 +73794,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" - } - ] - }, - { + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { "access_level": "Write", "description": "Grants permission to stop an Amazon EBS-backed instance", "privilege": "StopInstances", @@ -63489,17 +73818,24 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:PlacementGroup", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63515,13 +73851,19 @@ "ec2:CloudwatchLogGroupArn", "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63535,6 +73877,7 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceID", "ec2:InstanceMarketType", "ec2:InstanceProfile", "ec2:InstanceType", @@ -63542,13 +73885,19 @@ "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63561,13 +73910,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63580,13 +73936,20 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", - "ec2:Region", + "ec2:NetworkInterfaceID", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63600,20 +73963,30 @@ "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:PlacementGroup", - "ec2:Region", + "ec2:ProductCode", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63625,12 +73998,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63642,12 +74022,19 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group*" + }, + { + "condition_keys": [ + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -63657,7 +74044,9 @@ "privilege": "WithdrawByoipCidr", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Region" + ], "dependent_actions": [], "resource_type": "" } @@ -63672,6 +74061,7 @@ "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AllocationId", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Domain", "ec2:PublicIpAddress", @@ -63686,6 +74076,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -63698,8 +74089,11 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:CapacityReservationFleet", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -63729,6 +74123,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:ClientRootCertificateChainArn", "ec2:CloudwatchLogGroupArn", @@ -63758,11 +74153,14 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AutoPlacement", "ec2:AvailabilityZone", "ec2:HostRecovery", "ec2:InstanceType", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Quantity", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -63775,6 +74173,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:DhcpOptionsID", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -63798,6 +74197,8 @@ "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:ElasticGpuType", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -63836,6 +74237,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -63848,6 +74250,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:Public", @@ -63873,8 +74276,12 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", + "ec2:ImageID", "ec2:ImageType", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Owner", "ec2:Public", "ec2:Region", @@ -63922,17 +74329,24 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", + "ec2:InstanceAutoRecovery", + "ec2:InstanceID", "ec2:InstanceMarketType", + "ec2:InstanceMetadataTags", "ec2:InstanceProfile", "ec2:InstanceType", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:MetadataHttpEndpoint", "ec2:MetadataHttpPutResponseHopLimit", "ec2:MetadataHttpTokens", "ec2:NewInstanceProfile", "ec2:PlacementGroup", + "ec2:ProductCode", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", @@ -63946,11 +74360,51 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:InternetGatewayID", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "resource": "internet-gateway" }, + { + "arn": "arn:${Partition}:ec2::${Account}:ipam/${IpamId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "ipam" + }, + { + "arn": "arn:${Partition}:ec2::${Account}:ipam-pool/${IpamPoolId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "ipam-pool" + }, + { + "arn": "arn:${Partition}:ec2::${Account}:ipam-scope/${IpamScopeId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "ipam-scope" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:ipv4pool-ec2/${Ipv4PoolEc2Id}", "condition_keys": [ @@ -63979,8 +74433,10 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:IsLaunchTemplateResource", "ec2:KeyPairName", "ec2:KeyPairType", + "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -63992,12 +74448,20 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "resource": "launch-template" }, + { + "arn": "arn:${Partition}:license-manager:${Region}:${Account}:license-configuration/${LicenseConfigurationId}", + "condition_keys": [], + "resource": "license-configuration" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId}", "condition_keys": [ @@ -64081,12 +74545,35 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:NetworkAclID", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "resource": "network-acl" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope-analysis/${NetworkInsightsAccessScopeAnalysisId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "network-insights-access-scope-analysis" + }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-access-scope/${NetworkInsightsAccessScopeId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "network-insights-access-scope" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-analysis/${NetworkInsightsAnalysisId}", "condition_keys": [ @@ -64116,10 +74603,14 @@ "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AssociatePublicIpAddress", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AuthorizedService", "ec2:AuthorizedUser", "ec2:AvailabilityZone", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", + "ec2:NetworkInterfaceID", "ec2:Permission", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -64134,6 +74625,9 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", + "ec2:PlacementGroupName", "ec2:PlacementGroupStrategy", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64146,6 +74640,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64169,6 +74664,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:InstanceType", @@ -64179,6 +74675,11 @@ ], "resource": "reserved-instances" }, + { + "arn": "arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName}", + "condition_keys": [], + "resource": "group" + }, { "arn": "arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}", "condition_keys": [], @@ -64192,6 +74693,7 @@ "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:RouteTableID", "ec2:Vpc" ], "resource": "route-table" @@ -64202,8 +74704,13 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", + "ec2:Attribute/${AttributeName}", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SecurityGroupID", "ec2:Vpc" ], "resource": "security-group" @@ -64225,14 +74732,22 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Add/group", + "ec2:Add/userId", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", + "ec2:Remove/group", + "ec2:Remove/userId", "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotID", "ec2:SnapshotTime", "ec2:SourceOutpostArn", "ec2:VolumeSize" @@ -64245,6 +74760,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64262,16 +74778,31 @@ ], "resource": "spot-instances-request" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:subnet-cidr-reservation/${SubnetCidrReservationId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "subnet-cidr-reservation" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", + "ec2:IsLaunchTemplateResource", + "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:SubnetID", "ec2:Vpc" ], "resource": "subnet" @@ -64282,6 +74813,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64291,6 +74823,7 @@ { "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}", "condition_keys": [ + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region" ], @@ -64302,6 +74835,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64325,6 +74859,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64348,6 +74883,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64365,12 +74901,35 @@ ], "resource": "transit-gateway-multicast-domain" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-policy-table/${TransitGatewayPolicyTableId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "transit-gateway-policy-table" + }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table-announcement/${TransitGatewayRouteTableAnnouncementId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "transit-gateway-route-table-announcement" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-route-table/${TransitGatewayRouteTableId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -64383,13 +74942,17 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", + "ec2:IsLaunchTemplateResource", "ec2:KmsKeyId", + "ec2:LaunchTemplate", "ec2:ParentSnapshot", "ec2:Region", "ec2:ResourceTag/${TagKey}", + "ec2:VolumeID", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -64403,6 +74966,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -64417,6 +74981,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -64441,10 +75006,14 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", + "ec2:Ipv4IpamPoolId", + "ec2:Ipv6IpamPoolId", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:VpcID" ], "resource": "vpc" }, @@ -64455,20 +75024,19 @@ "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:AccepterVpc", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpcPeeringConnectionID" ], "resource": "vpc-peering-connection" }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-connection-device-type/${VpnConnectionDeviceTypeId}", "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "resource": "vpn-connection-device-type" }, @@ -64478,12 +75046,14 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:Attribute", "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", + "ec2:InsideTunnelIpv6Cidr", "ec2:Phase1DHGroup", "ec2:Phase1EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", @@ -64496,6 +75066,7 @@ "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ReplayWindowSizePackets", "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], @@ -64580,7 +75151,13 @@ "service_name": "Amazon EC2 Instance Connect" }, { - "conditions": [], + "conditions": [ + { + "condition": "ssm:SourceInstanceARN", + "description": "Filters access by verifying the Amazon Resource Name (ARN) of the AWS Systems Manager's managed instance from which the request is made. This key is not present when the request comes from the managed instance authenticated with an IAM role associated with EC2 instance profile", + "type": "String" + } + ], "prefix": "ec2messages", "privileges": [ { @@ -64637,7 +75214,9 @@ "privilege": "GetMessages", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ssm:SourceInstanceARN" + ], "dependent_actions": [], "resource_type": "" } @@ -64649,7 +75228,9 @@ "privilege": "SendReply", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ssm:SourceInstanceARN" + ], "dependent_actions": [], "resource_type": "" } @@ -64663,22 +75244,22 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the tags", + "description": "Filters access by the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by the presence of mandatory tags in the request", + "type": "ArrayOfString" }, { "condition": "ecr:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource", "type": "String" } ], @@ -64720,6 +75301,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve repository scanning configuration for a list of repositories", + "privilege": "BatchGetRepositoryScanningConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to retrieve the image from the upstream registry and import it to your private registry", + "privilege": "BatchImportUpstreamImage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to inform Amazon ECR that the image layer upload for a specified registry, repository name, and upload ID, has completed", @@ -64734,14 +75339,21 @@ }, { "access_level": "Write", - "description": "Grants permission to create an image repository", - "privilege": "CreateRepository", + "description": "Grants permission to create new pull-through cache rule", + "privilege": "CreatePullThroughCacheRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "repository*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an image repository", + "privilege": "CreateRepository", + "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -64764,6 +75376,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the pull-through cache rule", + "privilege": "DeletePullThroughCacheRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to delete the registry policy", @@ -64836,6 +75460,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe the pull-through cache rules", + "privilege": "DescribePullThroughCacheRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe the registry settings", @@ -64920,6 +75556,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve registry scanning configuration", + "privilege": "GetRegistryScanningConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the repository policy for a specified repository", @@ -64965,6 +75613,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "repository*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -65028,6 +75684,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update registry scanning configuration", + "privilege": "PutRegistryScanningConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the replication configuration for the registry", @@ -65117,6 +75785,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "repository*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -65160,7 +75836,7 @@ { "condition": "aws:TagKeys", "description": "Filters create requests based on the presence of mandatory tags in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "ecr-public:ResourceTag/${TagKey}", @@ -65497,57 +76173,57 @@ }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on tag keys that are passed in the request", + "description": "Filters access by the tag keys that are passed in the request", "type": "String" }, { "condition": "ecs:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "ecs:capacity-provider", - "description": "Filters access based on the ARN of an Amazon ECS capacity provider", + "description": "Filters access by the ARN of an Amazon ECS capacity provider", "type": "ARN" }, { "condition": "ecs:cluster", - "description": "Filters access based on the ARN of an Amazon ECS cluster", + "description": "Filters access by the ARN of an Amazon ECS cluster", "type": "ARN" }, { "condition": "ecs:container-instances", - "description": "Filters access based on the ARN of an Amazon ECS container instance", + "description": "Filters access by the ARN of an Amazon ECS container instance", "type": "ARN" }, { "condition": "ecs:container-name", - "description": "Filters access based on the name of an Amazon ECS container which is defined in the ECS task definition", + "description": "Filters access by the name of an Amazon ECS container which is defined in the ECS task definition", "type": "String" }, { "condition": "ecs:enable-execute-command", - "description": "Filters access based on execute-command capability of your Amazon ECS task or Amazon ECS service", + "description": "Filters access by the execute-command capability of your Amazon ECS task or Amazon ECS service", "type": "String" }, { "condition": "ecs:service", - "description": "Filters access based on the ARN of an Amazon ECS service", + "description": "Filters access by the ARN of an Amazon ECS service", "type": "ARN" }, { "condition": "ecs:task", - "description": "Filters access based on the ARN of an Amazon ECS task", + "description": "Filters access by the ARN of an Amazon ECS task", "type": "ARN" }, { "condition": "ecs:task-definition", - "description": "Filters access based on the ARN of an Amazon ECS task definition", + "description": "Filters access by the ARN of an Amazon ECS task definition", "type": "ARN" } ], @@ -66334,7 +77010,8 @@ }, { "condition_keys": [ - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -66487,7 +77164,7 @@ "resource": "cluster" }, { - "arn": "arn:${Partition}:ecs:${Region}:${Account}:container-instance/${ContainerInstanceId}", + "arn": "arn:${Partition}:ecs:${Region}:${Account}:container-instance/${ClusterName}/${ContainerInstanceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", "ecs:ResourceTag/${TagKey}" @@ -66495,7 +77172,7 @@ "resource": "container-instance" }, { - "arn": "arn:${Partition}:ecs:${Region}:${Account}:service/${ServiceName}", + "arn": "arn:${Partition}:ecs:${Region}:${Account}:service/${ClusterName}/${ServiceName}", "condition_keys": [ "aws:ResourceTag/${TagKey}", "ecs:ResourceTag/${TagKey}" @@ -66503,7 +77180,7 @@ "resource": "service" }, { - "arn": "arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId}", + "arn": "arn:${Partition}:ecs:${Region}:${Account}:task/${ClusterName}/${TaskId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", "ecs:ResourceTag/${TagKey}" @@ -66527,7 +77204,7 @@ "resource": "capacity-provider" }, { - "arn": "arn:${Partition}:ecs:${region}:${Account}:task-set/${ClusterName}/${ServiceName}/${TaskSetId}", + "arn": "arn:${Partition}:ecs:${Region}:${Account}:task-set/${ClusterName}/${ServiceName}/${TaskSetId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", "ecs:ResourceTag/${TagKey}" @@ -66537,502 +77214,6 @@ ], "service_name": "Amazon Elastic Container Service" }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the EKS service.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the EKS service.", - "type": "String" - } - ], - "prefix": "eks", - "privileges": [ - { - "access_level": "Read", - "description": "Permission to view Kubernetes objects via AWS EKS console", - "privilege": "AccessKubernetesApi", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Creates an Amazon EKS add-on.", - "privilege": "CreateAddon", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates an Amazon EKS cluster.", - "privilege": "CreateCluster", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates an AWS Fargate profile.", - "privilege": "CreateFargateProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates an Amazon EKS Nodegroup.", - "privilege": "CreateNodegroup", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes an Amazon EKS add-on.", - "privilege": "DeleteAddon", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes an Amazon EKS cluster.", - "privilege": "DeleteCluster", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes an AWS Fargate profile.", - "privilege": "DeleteFargateProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "fargateprofile*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes an Amazon EKS Nodegroup.", - "privilege": "DeleteNodegroup", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup*" - } - ] - }, - { - "access_level": "Read", - "description": "Returns descriptive information about an Amazon EKS add-on.", - "privilege": "DescribeAddon", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon*" - } - ] - }, - { - "access_level": "Read", - "description": "Returns descriptive version information about the add-ons that Amazon EKS Add-ons supports.", - "privilege": "DescribeAddonVersions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Returns descriptive information about an Amazon EKS cluster.", - "privilege": "DescribeCluster", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Read", - "description": "Returns descriptive information about an AWS Fargate profile associated with a cluster.", - "privilege": "DescribeFargateProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "fargateprofile*" - } - ] - }, - { - "access_level": "Read", - "description": "Returns descriptive information about an Amazon EKS nodegroup.", - "privilege": "DescribeNodegroup", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup*" - } - ] - }, - { - "access_level": "Read", - "description": "Describes a given update for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region).", - "privilege": "DescribeUpdate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup" - } - ] - }, - { - "access_level": "List", - "description": "Lists the Amazon EKS add-ons in your AWS account (in the specified or default region) for a given cluster.", - "privilege": "ListAddons", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "List", - "description": "Lists the Amazon EKS clusters in your AWS account (in the specified or default region).", - "privilege": "ListClusters", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists the AWS Fargate profiles in your AWS account (in the specified or default region) associated with a given cluster.", - "privilege": "ListFargateProfiles", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "List", - "description": "Lists the Amazon EKS nodegroups in your AWS account (in the specified or default region) attached to given cluster.", - "privilege": "ListNodegroups", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "List", - "description": "List tags for the specified resource.", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "fargateprofile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup" - } - ] - }, - { - "access_level": "List", - "description": "Lists the updates for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region).", - "privilege": "ListUpdates", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup" - } - ] - }, - { - "access_level": "Tagging", - "description": "Tags the specified resource.", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "fargateprofile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Untags the specified resource.", - "privilege": "UntagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "fargateprofile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Update Amazon EKS add-on configurations, such as the VPC-CNI version.", - "privilege": "UpdateAddon", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "addon*" - } - ] - }, - { - "access_level": "Write", - "description": "Update Amazon EKS cluster configurations (eg: API server endpoint access).", - "privilege": "UpdateClusterConfig", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Update the Kubernetes version of an Amazon EKS cluster.", - "privilege": "UpdateClusterVersion", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Update Amazon EKS nodegroup configurations (eg: min/max/desired capacity or labels).", - "privilege": "UpdateNodegroupConfig", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup*" - } - ] - }, - { - "access_level": "Write", - "description": "Update the Kubernetes version of an Amazon EKS nodegroup.", - "privilege": "UpdateNodegroupVersion", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "nodegroup*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:eks:${Region}:${Account}:cluster/${ClusterName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "cluster" - }, - { - "arn": "arn:${Partition}:eks:${Region}:${Account}:nodegroup/${ClusterName}/${NodegroupName}/${UUID}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "nodegroup" - }, - { - "arn": "arn:${Partition}:eks:${Region}:${Account}:addon/${ClusterName}/${AddonName}/${UUID}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "addon" - }, - { - "arn": "arn:${Partition}:eks:${Region}:${Account}:fargateprofile/${ClusterName}/${FargateProfileName}/${UUID}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "fargateprofile" - } - ], - "service_name": "Amazon Elastic Container Service for Kubernetes" - }, { "conditions": [ { @@ -67048,7 +77229,7 @@ { "condition": "aws:TagKeys", "description": "Filters access by the list of all the tag key names present in the request the user makes to the EKS service", - "type": "String" + "type": "ArrayOfString" }, { "condition": "eks:clientId", @@ -67232,6 +77413,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to deregister an External cluster", + "privilege": "DeregisterCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve descriptive information about an Amazon EKS add-on", @@ -67452,6 +77645,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to register an External cluster", + "privilege": "RegisterCluster", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to tag the specified resource", @@ -68026,12 +78234,30 @@ "resource_type": "parametergroup*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:EngineType", + "elasticache:MultiAZEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:CacheParameterGroupName" + ], "dependent_actions": [], "resource_type": "cluster" }, { - "condition_keys": [], + "condition_keys": [ + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:EngineType", + "elasticache:MultiAZEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:CacheParameterGroupName" + ], "dependent_actions": [], "resource_type": "replicationgroup" }, @@ -68052,16 +78278,7 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "elasticache:CacheNodeType", - "elasticache:EngineVersion", - "elasticache:EngineType", - "elasticache:MultiAZEnabled", - "elasticache:AuthTokenEnabled", - "elasticache:SnapshotRetentionLimit", - "elasticache:CacheParameterGroupName" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -68082,6 +78299,7 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "elasticache:CacheParameterGroupName" @@ -68105,6 +78323,7 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -68127,6 +78346,7 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -68183,12 +78403,44 @@ "resource_type": "cluster" }, { - "condition_keys": [], + "condition_keys": [ + "elasticache:NumNodeGroups", + "elasticache:CacheNodeType", + "elasticache:ReplicasPerNodeGroup", + "elasticache:EngineVersion", + "elasticache:EngineType", + "elasticache:AtRestEncryptionEnabled", + "elasticache:TransitEncryptionEnabled", + "elasticache:AutomaticFailoverEnabled", + "elasticache:MultiAZEnabled", + "elasticache:ClusterModeEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:KmsKeyId", + "elasticache:CacheParameterGroupName" + ], "dependent_actions": [], "resource_type": "globalreplicationgroup" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:NumNodeGroups", + "elasticache:CacheNodeType", + "elasticache:ReplicasPerNodeGroup", + "elasticache:EngineVersion", + "elasticache:EngineType", + "elasticache:AtRestEncryptionEnabled", + "elasticache:TransitEncryptionEnabled", + "elasticache:AutomaticFailoverEnabled", + "elasticache:MultiAZEnabled", + "elasticache:ClusterModeEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:KmsKeyId", + "elasticache:CacheParameterGroupName" + ], "dependent_actions": [], "resource_type": "replicationgroup" }, @@ -68214,23 +78466,7 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "elasticache:NumNodeGroups", - "elasticache:CacheNodeType", - "elasticache:ReplicasPerNodeGroup", - "elasticache:EngineVersion", - "elasticache:EngineType", - "elasticache:AtRestEncryptionEnabled", - "elasticache:TransitEncryptionEnabled", - "elasticache:AutomaticFailoverEnabled", - "elasticache:MultiAZEnabled", - "elasticache:ClusterModeEnabled", - "elasticache:AuthTokenEnabled", - "elasticache:SnapshotRetentionLimit", - "elasticache:KmsKeyId", - "elasticache:CacheParameterGroupName" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -68243,7 +78479,11 @@ "privilege": "CreateSnapshot", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:KmsKeyId" + ], "dependent_actions": [ "elasticache:AddTagsToResource", "s3:DeleteObject", @@ -68264,10 +78504,7 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "elasticache:KmsKeyId" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -68288,8 +78525,9 @@ }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -68309,14 +78547,15 @@ "resource_type": "user*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "usergroup*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -68375,7 +78614,9 @@ "privilege": "DeleteCacheCluster", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", @@ -68389,13 +78630,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -68481,7 +78715,9 @@ "privilege": "DeleteReplicationGroup", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", @@ -68495,13 +78731,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -68951,11 +79180,46 @@ "dependent_actions": [], "resource_type": "cluster" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "replicationgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reserved-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usergroup" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}" @@ -68971,7 +79235,14 @@ "privilege": "ModifyCacheCluster", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:MultiAZEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:CacheParameterGroupName" + ], "dependent_actions": [], "resource_type": "cluster*" }, @@ -68987,13 +79258,7 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "elasticache:CacheNodeType", - "elasticache:EngineVersion", - "elasticache:MultiAZEnabled", - "elasticache:AuthTokenEnabled", - "elasticache:SnapshotRetentionLimit", - "elasticache:CacheParameterGroupName" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -69066,7 +79331,15 @@ "privilege": "ModifyReplicationGroup", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:AutomaticFailoverEnabled", + "elasticache:MultiAZEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:CacheParameterGroupName" + ], "dependent_actions": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", @@ -69093,14 +79366,7 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "elasticache:CacheNodeType", - "elasticache:EngineVersion", - "elasticache:AutomaticFailoverEnabled", - "elasticache:MultiAZEnabled", - "elasticache:AuthTokenEnabled", - "elasticache:SnapshotRetentionLimit", - "elasticache:CacheParameterGroupName" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -69190,8 +79456,9 @@ }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -69377,68 +79644,124 @@ { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:parametergroup:${CacheParameterGroupName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "elasticache:CacheParameterGroupName" ], "resource": "parametergroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:securitygroup:${CacheSecurityGroupName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" ], "resource": "securitygroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:subnetgroup:${CacheSubnetGroupName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" ], "resource": "subnetgroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:replicationgroup:${ReplicationGroupId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "elasticache:AtRestEncryptionEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:AutomaticFailoverEnabled", + "elasticache:CacheNodeType", + "elasticache:CacheParameterGroupName", + "elasticache:ClusterModeEnabled", + "elasticache:EngineType", + "elasticache:EngineVersion", + "elasticache:KmsKeyId", + "elasticache:MultiAZEnabled", + "elasticache:NumNodeGroups", + "elasticache:ReplicasPerNodeGroup", + "elasticache:SnapshotRetentionLimit", + "elasticache:TransitEncryptionEnabled" ], "resource": "replicationgroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:cluster:${CacheClusterId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "elasticache:AuthTokenEnabled", + "elasticache:CacheNodeType", + "elasticache:CacheParameterGroupName", + "elasticache:EngineType", + "elasticache:EngineVersion", + "elasticache:MultiAZEnabled", + "elasticache:SnapshotRetentionLimit" ], "resource": "cluster" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:reserved-instance:${ReservedCacheNodeId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" ], "resource": "reserved-instance" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:snapshot:${SnapshotName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "elasticache:KmsKeyId" ], "resource": "snapshot" }, { "arn": "arn:${Partition}:elasticache::${Account}:globalreplicationgroup:${GlobalReplicationGroupId}", - "condition_keys": [], + "condition_keys": [ + "elasticache:AtRestEncryptionEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:AutomaticFailoverEnabled", + "elasticache:CacheNodeType", + "elasticache:CacheParameterGroupName", + "elasticache:ClusterModeEnabled", + "elasticache:EngineType", + "elasticache:EngineVersion", + "elasticache:KmsKeyId", + "elasticache:MultiAZEnabled", + "elasticache:NumNodeGroups", + "elasticache:ReplicasPerNodeGroup", + "elasticache:SnapshotRetentionLimit", + "elasticache:TransitEncryptionEnabled" + ], "resource": "globalreplicationgroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:user:${UserId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" ], "resource": "user" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:usergroup:${UserGroupId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" ], "resource": "usergroup" } @@ -69460,7 +79783,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "elasticbeanstalk:FromApplication", @@ -70457,7 +80780,7 @@ { "condition": "aws:TagKeys", "description": "Filters access by a list of tag keys that are allowed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "elasticfilesystem:AccessPointArn", @@ -70558,6 +80881,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "file-system*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -70589,6 +80920,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a new replication configuration", + "privilege": "CreateReplicationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "file-system*" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to create or overwrite tags associated with a file system; deprecated, see TagResource", @@ -70657,6 +81000,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a replication configuration", + "privilege": "DeleteReplicationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "file-system*" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to delete the specified tags from a file system; deprecated, see UntagResource", @@ -70669,7 +81024,8 @@ }, { "condition_keys": [ - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -70782,6 +81138,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to view the description of an Amazon EFS replication configuration specified by FileSystemId; or to view the description of all replication configurations owned by the caller's AWS account in the AWS region of the endpoint that is being called", + "privilege": "DescribeReplicationConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "file-system" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view the tags associated with a file system", @@ -70897,6 +81265,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "file-system" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -70914,6 +81290,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "file-system" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -70963,7 +81347,7 @@ { "condition": "aws:TagKeys", "description": "The list of all the tag key names associated with the resource in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "elasticloadbalancing:ResourceTag/${TagKey}", @@ -70975,7 +81359,7 @@ "privileges": [ { "access_level": "Write", - "description": "Adds the specified certificates to the specified secure listener", + "description": "Grants permission to add the specified certificates to the specified secure listener", "privilege": "AddListenerCertificates", "resource_types": [ { @@ -70992,7 +81376,7 @@ }, { "access_level": "Tagging", - "description": "Adds the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags", + "description": "Grants permission to add the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags", "privilege": "AddTags", "resource_types": [ { @@ -71042,7 +81426,7 @@ }, { "access_level": "Write", - "description": "Creates a listener for the specified Application Load Balancer", + "description": "Grants permission to create a listener for the specified Application Load Balancer", "privilege": "CreateListener", "resource_types": [ { @@ -71067,7 +81451,7 @@ }, { "access_level": "Write", - "description": "Creates a load balancer", + "description": "Grants permission to create a load balancer", "privilege": "CreateLoadBalancer", "resource_types": [ { @@ -71092,7 +81476,7 @@ }, { "access_level": "Write", - "description": "Creates a rule for the specified listener", + "description": "Grants permission to create a rule for the specified listener", "privilege": "CreateRule", "resource_types": [ { @@ -71117,7 +81501,7 @@ }, { "access_level": "Write", - "description": "Creates a target group.", + "description": "Grants permission to create a target group", "privilege": "CreateTargetGroup", "resource_types": [ { @@ -71137,7 +81521,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified listener", + "description": "Grants permission to delete the specified listener", "privilege": "DeleteListener", "resource_types": [ { @@ -71154,7 +81538,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified load balancer", + "description": "Grants permission to delete the specified load balancer", "privilege": "DeleteLoadBalancer", "resource_types": [ { @@ -71171,7 +81555,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified rule", + "description": "Grants permission to delete the specified rule", "privilege": "DeleteRule", "resource_types": [ { @@ -71188,7 +81572,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified target group", + "description": "Grants permission to delete the specified target group", "privilege": "DeleteTargetGroup", "resource_types": [ { @@ -71200,7 +81584,7 @@ }, { "access_level": "Write", - "description": "Deregisters the specified targets from the specified target group", + "description": "Grants permission to deregister the specified targets from the specified target group", "privilege": "DeregisterTargets", "resource_types": [ { @@ -71212,7 +81596,7 @@ }, { "access_level": "Read", - "description": "Describes the Elastic Load Balancing resource limits for the AWS account", + "description": "Grants permission to describe the Elastic Load Balancing resource limits for the AWS account", "privilege": "DescribeAccountLimits", "resource_types": [ { @@ -71224,7 +81608,7 @@ }, { "access_level": "Read", - "description": "Describes the certificates for the specified secure listener", + "description": "Grants permission to describe the certificates for the specified secure listener", "privilege": "DescribeListenerCertificates", "resource_types": [ { @@ -71236,7 +81620,7 @@ }, { "access_level": "Read", - "description": "Describes the specified listeners or the listeners for the specified Application Load Balancer", + "description": "Grants permission to describe the specified listeners or the listeners for the specified Application Load Balancer", "privilege": "DescribeListeners", "resource_types": [ { @@ -71248,7 +81632,7 @@ }, { "access_level": "Read", - "description": "Describes the attributes for the specified load balancer", + "description": "Grants permission to describe the attributes for the specified load balancer", "privilege": "DescribeLoadBalancerAttributes", "resource_types": [ { @@ -71260,7 +81644,7 @@ }, { "access_level": "Read", - "description": "Describes the specified the load balancers. If no load balancers are specified, the call describes all of your load balancers", + "description": "Grants permission to describe the specified the load balancers. If no load balancers are specified, the call describes all of your load balancers", "privilege": "DescribeLoadBalancers", "resource_types": [ { @@ -71272,7 +81656,7 @@ }, { "access_level": "Read", - "description": "Describes the specified rules or the rules for the specified listener", + "description": "Grants permission to describe the specified rules or the rules for the specified listener", "privilege": "DescribeRules", "resource_types": [ { @@ -71284,7 +81668,7 @@ }, { "access_level": "Read", - "description": "Describes the specified policies or all policies used for SSL negotiation", + "description": "Grants permission to describe the specified policies or all policies used for SSL negotiation", "privilege": "DescribeSSLPolicies", "resource_types": [ { @@ -71296,49 +81680,19 @@ }, { "access_level": "Read", - "description": "Describes the tags associated with the specified resource", + "description": "Grants permission to describe the tags associated with the specified resource", "privilege": "DescribeTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener-rule/app" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "listener-rule/net" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "listener/app" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "listener/net" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "loadbalancer/app/" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "loadbalancer/net/" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "targetgroup" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Describes the attributes for the specified target group", + "description": "Grants permission to describe the attributes for the specified target group", "privilege": "DescribeTargetGroupAttributes", "resource_types": [ { @@ -71350,7 +81704,7 @@ }, { "access_level": "Read", - "description": "Describes the specified target groups or all of your target groups", + "description": "Grants permission to describe the specified target groups or all of your target groups", "privilege": "DescribeTargetGroups", "resource_types": [ { @@ -71362,7 +81716,7 @@ }, { "access_level": "Read", - "description": "Describes the health of the specified targets or all of your targets", + "description": "Grants permission to describe the health of the specified targets or all of your targets", "privilege": "DescribeTargetHealth", "resource_types": [ { @@ -71374,7 +81728,7 @@ }, { "access_level": "Write", - "description": "Modifies the specified properties of the specified listener", + "description": "Grants permission to modify the specified properties of the specified listener", "privilege": "ModifyListener", "resource_types": [ { @@ -71391,7 +81745,7 @@ }, { "access_level": "Write", - "description": "Modifies the attributes of the specified load balancer", + "description": "Grants permission to modify the attributes of the specified load balancer", "privilege": "ModifyLoadBalancerAttributes", "resource_types": [ { @@ -71408,7 +81762,7 @@ }, { "access_level": "Write", - "description": "Modifies the specified rule", + "description": "Grants permission to modify the specified rule", "privilege": "ModifyRule", "resource_types": [ { @@ -71425,7 +81779,7 @@ }, { "access_level": "Write", - "description": "Modifies the health checks used when evaluating the health state of the targets in the specified target group", + "description": "Grants permission to modify the health checks used when evaluating the health state of the targets in the specified target group", "privilege": "ModifyTargetGroup", "resource_types": [ { @@ -71437,7 +81791,7 @@ }, { "access_level": "Write", - "description": "Modifies the specified attributes of the specified target group", + "description": "Grants permission to modify the specified attributes of the specified target group", "privilege": "ModifyTargetGroupAttributes", "resource_types": [ { @@ -71449,7 +81803,7 @@ }, { "access_level": "Write", - "description": "Registers the specified targets with the specified target group", + "description": "Grants permission to register the specified targets with the specified target group", "privilege": "RegisterTargets", "resource_types": [ { @@ -71461,7 +81815,7 @@ }, { "access_level": "Write", - "description": "Removes the specified certificates of the specified secure listener", + "description": "Grants permission to remove the specified certificates of the specified secure listener", "privilege": "RemoveListenerCertificates", "resource_types": [ { @@ -71478,7 +81832,7 @@ }, { "access_level": "Tagging", - "description": "Removes one or more tags from the specified load balancer", + "description": "Grants permission to remove one or more tags from the specified load balancer", "privilege": "RemoveTags", "resource_types": [ { @@ -71528,7 +81882,7 @@ }, { "access_level": "Write", - "description": "Not found", + "description": "Grants permission to set the type of IP addresses used by the subnets of the specified load balancer", "privilege": "SetIpAddressType", "resource_types": [ { @@ -71545,7 +81899,7 @@ }, { "access_level": "Write", - "description": "Sets the priorities of the specified rules", + "description": "Grants permission to set the priorities of the specified rules", "privilege": "SetRulePriorities", "resource_types": [ { @@ -71562,7 +81916,7 @@ }, { "access_level": "Write", - "description": "Associates the specified security groups with the specified load balancer", + "description": "Grants permission to associate the specified security groups with the specified load balancer", "privilege": "SetSecurityGroups", "resource_types": [ { @@ -71579,7 +81933,7 @@ }, { "access_level": "Write", - "description": "Enables the Availability Zone for the specified subnets for the specified load balancer", + "description": "Grants permission to enable the Availability Zone for the specified subnets for the specified load balancer", "privilege": "SetSubnets", "resource_types": [ { @@ -71596,7 +81950,7 @@ }, { "access_level": "Write", - "description": "Gives WebAcl permission to WAF", + "description": "Grants permission to give WebAcl permission to WAF", "privilege": "SetWebAcl", "resource_types": [ { @@ -71682,7 +82036,7 @@ { "condition": "aws:TagKeys", "description": "The list of all the tag key names associated with the resource in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "elasticloadbalancing:ResourceTag/", @@ -71699,7 +82053,7 @@ "privileges": [ { "access_level": "Tagging", - "description": "Adds the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags", + "description": "Grants permission to add the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags", "privilege": "AddTags", "resource_types": [ { @@ -71719,7 +82073,7 @@ }, { "access_level": "Write", - "description": "Associates one or more security groups with your load balancer in a virtual private cloud (VPC)", + "description": "Grants permission to associate one or more security groups with your load balancer in a virtual private cloud (VPC)", "privilege": "ApplySecurityGroupsToLoadBalancer", "resource_types": [ { @@ -71731,7 +82085,7 @@ }, { "access_level": "Write", - "description": "Adds one or more subnets to the set of configured subnets for the specified load balancer", + "description": "Grants permission to add one or more subnets to the set of configured subnets for the specified load balancer", "privilege": "AttachLoadBalancerToSubnets", "resource_types": [ { @@ -71743,7 +82097,7 @@ }, { "access_level": "Write", - "description": "Specifies the health check settings to use when evaluating the health state of your back-end instances", + "description": "Grants permission to specify the health check settings to use when evaluating the health state of your back-end instances", "privilege": "ConfigureHealthCheck", "resource_types": [ { @@ -71755,7 +82109,7 @@ }, { "access_level": "Write", - "description": "Generates a stickiness policy with sticky session lifetimes that follow that of an application-generated cookie", + "description": "Grants permission to generate a stickiness policy with sticky session lifetimes that follow that of an application-generated cookie", "privilege": "CreateAppCookieStickinessPolicy", "resource_types": [ { @@ -71767,7 +82121,7 @@ }, { "access_level": "Write", - "description": "Generates a stickiness policy with sticky session lifetimes controlled by the lifetime of the browser (user-agent) or a specified expiration period", + "description": "Grants permission to generate a stickiness policy with sticky session lifetimes controlled by the lifetime of the browser (user-agent) or a specified expiration period", "privilege": "CreateLBCookieStickinessPolicy", "resource_types": [ { @@ -71779,7 +82133,7 @@ }, { "access_level": "Write", - "description": "Creates a load balancer", + "description": "Grants permission to create a load balancer", "privilege": "CreateLoadBalancer", "resource_types": [ { @@ -71799,7 +82153,7 @@ }, { "access_level": "Write", - "description": "Creates one or more listeners for the specified load balancer", + "description": "Grants permission to create one or more listeners for the specified load balancer", "privilege": "CreateLoadBalancerListeners", "resource_types": [ { @@ -71811,7 +82165,7 @@ }, { "access_level": "Write", - "description": "Creates a policy with the specified attributes for the specified load balancer", + "description": "Grants permission to create a policy with the specified attributes for the specified load balancer", "privilege": "CreateLoadBalancerPolicy", "resource_types": [ { @@ -71823,7 +82177,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified load balancer", + "description": "Grants permission to delete the specified load balancer", "privilege": "DeleteLoadBalancer", "resource_types": [ { @@ -71835,7 +82189,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified listeners from the specified load balancer", + "description": "Grants permission to delete the specified listeners from the specified load balancer", "privilege": "DeleteLoadBalancerListeners", "resource_types": [ { @@ -71847,7 +82201,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified policy from the specified load balancer. This policy must not be enabled for any listeners", + "description": "Grants permission to delete the specified policy from the specified load balancer. This policy must not be enabled for any listeners", "privilege": "DeleteLoadBalancerPolicy", "resource_types": [ { @@ -71859,7 +82213,7 @@ }, { "access_level": "Write", - "description": "Deregisters the specified instances from the specified load balancer", + "description": "Grants permission to deregister the specified instances from the specified load balancer", "privilege": "DeregisterInstancesFromLoadBalancer", "resource_types": [ { @@ -71871,7 +82225,7 @@ }, { "access_level": "Read", - "description": "Describes the state of the specified instances with respect to the specified load balancer", + "description": "Grants permission to describe the state of the specified instances with respect to the specified load balancer", "privilege": "DescribeInstanceHealth", "resource_types": [ { @@ -71883,7 +82237,7 @@ }, { "access_level": "Read", - "description": "Describes the attributes for the specified load balancer", + "description": "Grants permission to describe the attributes for the specified load balancer", "privilege": "DescribeLoadBalancerAttributes", "resource_types": [ { @@ -71895,7 +82249,7 @@ }, { "access_level": "Read", - "description": "Describes the specified policies", + "description": "Grants permission to describe the specified policies", "privilege": "DescribeLoadBalancerPolicies", "resource_types": [ { @@ -71907,7 +82261,7 @@ }, { "access_level": "Read", - "description": "Describes the specified load balancer policy types", + "description": "Grants permission to describe the specified load balancer policy types", "privilege": "DescribeLoadBalancerPolicyTypes", "resource_types": [ { @@ -71919,7 +82273,7 @@ }, { "access_level": "List", - "description": "Describes the specified the load balancers. If no load balancers are specified, the call describes all of your load balancers", + "description": "Grants permission to describe the specified the load balancers. If no load balancers are specified, the call describes all of your load balancers", "privilege": "DescribeLoadBalancers", "resource_types": [ { @@ -71931,19 +82285,19 @@ }, { "access_level": "Read", - "description": "Describes the tags associated with the specified load balancers", + "description": "Grants permission to describe the tags associated with the specified load balancers", "privilege": "DescribeTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "loadbalancer*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Removes the specified subnets from the set of configured subnets for the load balancer", + "description": "Grants permission to remove the specified subnets from the set of configured subnets for the load balancer", "privilege": "DetachLoadBalancerFromSubnets", "resource_types": [ { @@ -71955,7 +82309,7 @@ }, { "access_level": "Write", - "description": "Removes the specified Availability Zones from the set of Availability Zones for the specified load balancer", + "description": "Grants permission to remove the specified Availability Zones from the set of Availability Zones for the specified load balancer", "privilege": "DisableAvailabilityZonesForLoadBalancer", "resource_types": [ { @@ -71967,7 +82321,7 @@ }, { "access_level": "Write", - "description": "Adds the specified Availability Zones to the set of Availability Zones for the specified load balancer", + "description": "Grants permission to add the specified Availability Zones to the set of Availability Zones for the specified load balancer", "privilege": "EnableAvailabilityZonesForLoadBalancer", "resource_types": [ { @@ -71979,7 +82333,7 @@ }, { "access_level": "Write", - "description": "Modifies the attributes of the specified load balancer", + "description": "Grants permission to modify the attributes of the specified load balancer", "privilege": "ModifyLoadBalancerAttributes", "resource_types": [ { @@ -71991,7 +82345,7 @@ }, { "access_level": "Write", - "description": "Adds the specified instances to the specified load balancer", + "description": "Grants permission to add the specified instances to the specified load balancer", "privilege": "RegisterInstancesWithLoadBalancer", "resource_types": [ { @@ -72003,7 +82357,7 @@ }, { "access_level": "Tagging", - "description": "Removes one or more tags from the specified load balancer", + "description": "Grants permission to remove one or more tags from the specified load balancer", "privilege": "RemoveTags", "resource_types": [ { @@ -72023,7 +82377,7 @@ }, { "access_level": "Write", - "description": "Sets the certificate that terminates the specified listener's SSL connections", + "description": "Grants permission to set the certificate that terminates the specified listener's SSL connections", "privilege": "SetLoadBalancerListenerSSLCertificate", "resource_types": [ { @@ -72035,7 +82389,7 @@ }, { "access_level": "Write", - "description": "Replaces the set of policies associated with the specified port on which the back-end server is listening with a new set of policies", + "description": "Grants permission to replace the set of policies associated with the specified port on which the back-end server is listening with a new set of policies", "privilege": "SetLoadBalancerPoliciesForBackendServer", "resource_types": [ { @@ -72047,7 +82401,7 @@ }, { "access_level": "Write", - "description": "Replaces the current set of policies for the specified load balancer port with the specified set of policies", + "description": "Grants permission to replace the current set of policies for the specified load balancer port with the specified set of policies", "privilege": "SetLoadBalancerPoliciesOfListener", "resource_types": [ { @@ -72085,6 +82439,11 @@ { "condition": "aws:TagKeys", "description": "Filters access by whether the tag keys are provided with the action regardless of tag value", + "type": "ArrayOfString" + }, + { + "condition": "elasticmapreduce:ExecutionRoleArn", + "description": "Filters access by whether the execution role ARN is provided with the action", "type": "String" }, { @@ -72133,6 +82492,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "cluster*" + }, + { + "condition_keys": [ + "elasticmapreduce:ExecutionRoleArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -72151,6 +82517,16 @@ "dependent_actions": [], "resource_type": "editor" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook-execution" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -72343,6 +82719,18 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to block an identity from opening a collaborative workspace", + "privilege": "DeleteWorkspaceAccess", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "editor*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get details about a cluster, including status, hardware and software configuration, VPC settings, and so on", @@ -72715,6 +83103,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list identities that are granted access to a workspace", + "privilege": "ListWorkspaceAccessIdentities", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "editor*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to change cluster settings such as number of steps that can be executed concurrently for a cluster", @@ -72816,6 +83216,18 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to allow an identity to open a collaborative workspace", + "privilege": "PutWorkspaceAccess", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "editor*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to remove an automatic scaling policy from an instance group", @@ -72867,6 +83279,16 @@ "dependent_actions": [], "resource_type": "editor" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook-execution" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio" + }, { "condition_keys": [ "aws:TagKeys" @@ -72995,6 +83417,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an EMR notebook", + "privilege": "UpdateEditor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "editor*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update an EMR notebook repository", @@ -73098,7 +83532,7 @@ }, { "access_level": "Write", - "description": "Create a job.", + "description": "Create a job", "privilege": "CreateJob", "resource_types": [ { @@ -73121,19 +83555,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a preset.", + "description": "Create a preset", "privilege": "CreatePreset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "preset*" + "resource_type": "" } ] }, @@ -73199,7 +83633,7 @@ }, { "access_level": "List", - "description": "Get a list of all presets associated with the current AWS account.", + "description": "Get a list of all presets associated with the current AWS account", "privilege": "ListPresets", "resource_types": [ { @@ -73235,7 +83669,7 @@ }, { "access_level": "Read", - "description": "Get detailed information about a preset.", + "description": "Get detailed information about a preset", "privilege": "ReadPreset", "resource_types": [ { @@ -73283,7 +83717,7 @@ }, { "access_level": "Write", - "description": "Pause or reactivate a pipeline, so the pipeline stops or restarts processing jobs, update the status for the pipeline.", + "description": "Pause or reactivate a pipeline, so the pipeline stops or restarts processing jobs, update the status for the pipeline", "privilege": "UpdatePipelineStatus", "resource_types": [ { @@ -73317,18 +83751,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "Arn" + "description": "Filters access by tags that are passed in the request", + "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "elemental-activations", @@ -73484,168 +83918,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "Arn" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "elemental-activations", - "privileges": [ - { - "access_level": "List", - "description": "Grants permission to complete the process of uploading a Software file for AWS Elemental Appliances and Software Purchases", - "privilege": "CompleteFileUpload", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to download the Software files for AWS Elemental Appliances and Software Purchases", - "privilege": "DownloadSoftware", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to generate Software Licenses for AWS Elemental Appliances and Software Purchases", - "privilege": "GenerateLicenses", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe an activation", - "privilege": "GetActivation", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "activation*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list tags for an AWS Elemental Activations resource", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "activation" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to start the process of uploading a Software file for AWS Elemental Appliances and Software Purchases", - "privilege": "StartFileUpload", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to add a tag for an AWS Elemental Activations resource", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "activation" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove a tag from an AWS Elemental Activations resource", - "privilege": "UntagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "activation" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:elemental-activations:${Region}:${Account}:activation/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "activation" - } - ], - "service_name": "Elemental Activations" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "request tag", + "description": "Filters access by request tag", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "resource tag", + "description": "Filters access by resource tag", "type": "String" }, { "condition": "aws:TagKeys", - "description": "tag keys", - "type": "String" + "description": "Filters access by tag keys", + "type": "ArrayOfString" } ], "prefix": "elemental-appliances-software", "privileges": [ { "access_level": "Tagging", - "description": "Create a quote", + "description": "Grants permission to create a quote", "privilege": "CreateQuote", "resource_types": [ { @@ -73665,7 +83956,7 @@ }, { "access_level": "Read", - "description": "Describe a quote", + "description": "Grants permission to describe a quote", "privilege": "GetQuote", "resource_types": [ { @@ -73677,7 +83968,7 @@ }, { "access_level": "List", - "description": "List the quotes in the user account", + "description": "Grants permission to list the quotes in the user account", "privilege": "ListQuotes", "resource_types": [ { @@ -73689,7 +83980,7 @@ }, { "access_level": "Read", - "description": "This action lists tags for an AWS Elemental Appliances and Software resource", + "description": "Grants permission to lists tags for an AWS Elemental Appliances and Software resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -73701,7 +83992,7 @@ }, { "access_level": "Tagging", - "description": "This action tags an AWS Elemental Appliances and Software resource", + "description": "Grants permission to tag an AWS Elemental Appliances and Software resource", "privilege": "TagResource", "resource_types": [ { @@ -73721,7 +84012,7 @@ }, { "access_level": "Tagging", - "description": "This action removes a tag from an AWS Elemental Appliances and Software resource", + "description": "Grants permission to remove a tag from an AWS Elemental Appliances and Software resource", "privilege": "UntagResource", "resource_types": [ { @@ -73740,7 +84031,7 @@ }, { "access_level": "Write", - "description": "Modify a quote", + "description": "Grants permission to modify a quote", "privilege": "UpdateQuote", "resource_types": [ { @@ -74148,100 +84439,47 @@ "service_name": "Amazon EMR on EKS (EMR Containers)" }, { - "conditions": [], - "prefix": "es", - "privileges": [ - { - "access_level": "Write", - "description": "Allows the destination domain owner to accept an inbound cross-cluster search connection request", - "privilege": "AcceptInboundCrossClusterSearchConnection", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to attach resource tags to an Amazon ES domain.", - "privilege": "AddTags", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an Amazon ES domain.", - "privilege": "CreateElasticsearchDomain", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain" - } - ] - }, + "conditions": [ { - "access_level": "Write", - "description": "Grants permission to create the service-linked role required for Amazon ES domains that use VPC access.", - "privilege": "CreateElasticsearchServiceRole", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" }, { - "access_level": "Write", - "description": "Creates a new cross-cluster search connection from a source domain to a destination domain", - "privilege": "CreateOutboundCrossClusterSearchConnection", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon ES domain and all of its data.", - "privilege": "DeleteElasticsearchDomain", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, + "condition": "aws:TagKeys", + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "emr-serverless", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete the service-linked role required for Amazon ES domains that use VPC access.", - "privilege": "DeleteElasticsearchServiceRole", + "description": "Grants permission to cancel a job run", + "privilege": "CancelJobRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "jobRun*" } ] }, { "access_level": "Write", - "description": "Allows the destination domain owner to delete an existing inbound cross-cluster search connection", - "privilege": "DeleteInboundCrossClusterSearchConnection", + "description": "Grants permission to create an Application", + "privilege": "CreateApplication", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -74249,92 +84487,44 @@ }, { "access_level": "Write", - "description": "Allows the source domain owner to delete an existing outbound cross-cluster search connection", - "privilege": "DeleteOutboundCrossClusterSearchConnection", + "description": "Grants permission to delete an application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Grants permission to view a description of the domain configuration for the specified Amazon ES domain, including the domain ID, domain service endpoint, and domain ARN.", - "privilege": "DescribeElasticsearchDomain", + "description": "Grants permission to get application", + "privilege": "GetApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Grants permission to view a description of the configuration options and status of an Amazon ES domain.", - "privilege": "DescribeElasticsearchDomainConfig", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to view a description of the domain configuration for up to five specified Amazon ES domains.", - "privilege": "DescribeElasticsearchDomains", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to view the instance count, storage, and master node limits for a given Elasticsearch version and instance type.", - "privilege": "DescribeElasticsearchInstanceTypeLimits", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists all the inbound cross-cluster search connections for a destination domain", - "privilege": "DescribeInboundCrossClusterSearchConnections", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists all the outbound cross-cluster search connections for a source domain", - "privilege": "DescribeOutboundCrossClusterSearchConnections", + "description": "Grants permission to get a job run", + "privilege": "GetJobRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "jobRun*" } ] }, { "access_level": "List", - "description": "Grants permission to fetch reserved instance offerings for ES", - "privilege": "DescribeReservedElasticsearchInstanceOfferings", + "description": "Grants permission to list applications", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], @@ -74345,265 +84535,158 @@ }, { "access_level": "List", - "description": "Grants permission to fetch ES reserved instances already purchased by customer", - "privilege": "DescribeReservedElasticsearchInstances", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to send cross-cluster requests to a destination domain.", - "privilege": "ESCrossClusterGet", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to send HTTP DELETE requests to the Elasticsearch APIs.", - "privilege": "ESHttpDelete", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to send HTTP GET requests to the Elasticsearch APIs.", - "privilege": "ESHttpGet", + "description": "Grants permission to list job runs associated with an application", + "privilege": "ListJobRuns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Grants permission to send HTTP HEAD requests to the Elasticsearch APIs.", - "privilege": "ESHttpHead", + "description": "Grants permission to list tags for the specified resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to send HTTP PATCH requests to the Elasticsearch APIs.", - "privilege": "ESHttpPatch", - "resource_types": [ + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain" + "resource_type": "jobRun" } ] }, { "access_level": "Write", - "description": "Grants permission to send HTTP POST requests to the Elasticsearch APIs.", - "privilege": "ESHttpPost", + "description": "Grants permission to Start an application", + "privilege": "StartApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to send HTTP PUT requests to the Elasticsearch APIs.", - "privilege": "ESHttpPut", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to fetch list of compatible elastic search versions to which Amazon ES domain can be upgraded", - "privilege": "GetCompatibleElasticsearchVersions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to fetch upgrade history for given ES domain", - "privilege": "GetUpgradeHistory", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to fetch upgrade status for given ES domain", - "privilege": "GetUpgradeStatus", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to display the names of all Amazon ES domains that the current user owns.", - "privilege": "ListDomainNames", + "description": "Grants permission to start a job run", + "privilege": "StartJobRun", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all instance types and available features for a given Elasticsearch version.", - "privilege": "ListElasticsearchInstanceTypeDetails", - "resource_types": [ + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "application*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all Elasticsearch instance types that are supported for a given Elasticsearch version.", - "privilege": "ListElasticsearchInstanceTypes", + "access_level": "Write", + "description": "Grants permission to Stop an application", + "privilege": "StopApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all supported Elasticsearch versions on Amazon ES.", - "privilege": "ListElasticsearchVersions", + "access_level": "Tagging", + "description": "Grants permission to tag the specified resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to display all of the tags for an Amazon ES domain.", - "privilege": "ListTags", - "resource_types": [ + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to purchase ES reserved instances", - "privilege": "PurchaseReservedElasticsearchInstanceOffering", - "resource_types": [ + "resource_type": "jobRun" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Allows the destination domain owner to reject an inbound cross-cluster search connection request", - "privilege": "RejectInboundCrossClusterSearchConnection", + "access_level": "Tagging", + "description": "Grants permission to untag the specified resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove tags from Amazon ES domains.", - "privilege": "RemoveTags", - "resource_types": [ + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify the configuration of an Amazon ES domain, such as the instance type or number of instances.", - "privilege": "UpdateElasticsearchDomainConfig", - "resource_types": [ + "resource_type": "jobRun" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to initiate upgrade of elastic search domain to given version", - "privilege": "UpgradeElasticsearchDomain", + "description": "Grants permission to Update an application", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "application*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:es:${Region}:${Account}:domain/${DomainName}", - "condition_keys": [], - "resource": "domain" + "arn": "arn:${Partition}:emr-serverless:${Region}:${Account}:/applications/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + }, + { + "arn": "arn:${Partition}:emr-serverless:${Region}:${Account}:/applications/${ApplicationId}/jobruns/${JobRunId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "jobRun" } ], - "service_name": "Amazon Elasticsearch Service" + "service_name": "Amazon EMR Serverless" }, { "conditions": [ @@ -74620,7 +84703,7 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "es", @@ -74925,6 +85008,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view detail stage progress of an OpenSearch Service domain", + "privilege": "DescribeDomainChangeProgress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view a description of the configuration options and status of an OpenSearch Service domain", @@ -74963,7 +85058,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view a description of the configuration and status of an OpenSearch Service domain. This permission is deprecated. Use DescribeDomainConfig instead.s", + "description": "Grants permission to view a description of the configuration and status of an OpenSearch Service domain. This permission is deprecated. Use DescribeDomainConfig instead", "privilege": "DescribeElasticsearchDomainConfig", "resource_types": [ { @@ -75556,78 +85651,73 @@ "resource": "opensearchservice_role" } ], - "service_name": "Amazon OpenSearch Service (successor to Amazon Elasticsearch Service)" + "service_name": "Amazon OpenSearch Service" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access to event bus and rule actions based on the allowed set of values for each of the tags", + "description": "Filters access by the allowed set of values for each of the tags to event bus and rule actions", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access to event bus and rule actions based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource to event bus and rule actions", "type": "String" }, { - "condition": "aws:SourceAccount", - "description": "Filters access to PutEvents actions based on whether the source of the request comes from a specific account", - "type": "String" - }, - { - "condition": "aws:SourceArn", - "description": "Filters access to PutEvents actions based on the Amazon Resource Name (ARN) of the source making the request", - "type": "String" + "condition": "aws:TagKeys", + "description": "Filters access by the tags in the request to event bus and rule actions", + "type": "ArrayOfString" }, { - "condition": "aws:TagKeys", - "description": "Filters access to event bus and rule actions based on the presence of mandatory tags in the request", - "type": "String" + "condition": "events:EventBusArn", + "description": "Filters access by the ARN of the event buses that can be associated with an endpoint to CreateEndpoint and UpdateEndpoint actions", + "type": "ArrayOfARN" }, { "condition": "events:ManagedBy", - "description": "Used internally by AWS services. If a rule is created by an AWS service on your behalf, the value is the principal name of the service that created the rule", + "description": "Filters access by AWS services. If a rule is created by an AWS service on your behalf, the value is the principal name of the service that created the rule", "type": "String" }, { "condition": "events:TargetArn", - "description": "Filters access to PutTargets actions based on the ARN of a target that can be put to a rule", - "type": "ARN" + "description": "Filters access by the ARN of a target that can be put to a rule to PutTargets actions", + "type": "ArrayOfARN" }, { "condition": "events:creatorAccount", - "description": "Filters access to rule actions based on the account the rule was created in", + "description": "Filters access by the account the rule was created in to rule actions", "type": "String" }, { "condition": "events:detail-type", - "description": "Filters access to PutEvents and PutRule actions based on the literal string of the detail-type of the event", + "description": "Filters access by the literal string of the detail-type of the event to PutEvents and PutRule actions", "type": "String" }, { "condition": "events:detail.eventTypeCode", - "description": "Filters access to PutRule actions based on the literal string for the detail.eventTypeCode field of the event", + "description": "Filters access by the literal string for the detail.eventTypeCode field of the event to PutRule actions", "type": "String" }, { "condition": "events:detail.service", - "description": "Filters access to PutRule actions based on the literal string for the detail.service field of the event", + "description": "Filters access by the literal string for the detail.service field of the event to PutRule actions", "type": "String" }, { "condition": "events:detail.userIdentity.principalId", - "description": "Filters access to PutRule actions based on the literal string for the detail.useridentity.principalid field of the event", + "description": "Filters access by the literal string for the detail.useridentity.principalid field of the event to PutRule actions", "type": "String" }, { "condition": "events:eventBusInvocation", - "description": "Filters access to PutEvents actions based on whether the event was generated via API or cross-account bus invocation", + "description": "Filters access by whether the event was generated via API or cross-account bus invocation to PutEvents actions", "type": "String" }, { "condition": "events:source", - "description": "Filters access to PutEvents and PutRule actions based on the AWS service or AWS partner event source that generated the event. Matches the literal string of the source field of the event", + "description": "Filters access by the AWS service or AWS partner event source that generated the event to PutEvents and PutRule actions. Matches the literal string of the source field of the event", "type": "ArrayOfString" } ], @@ -75683,6 +85773,11 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "archive*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-bus*" } ] }, @@ -75698,6 +85793,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint", + "privilege": "CreateEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + }, + { + "condition_keys": [ + "events:EventBusArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create event buses", @@ -75790,6 +85904,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an endpoint", + "privilege": "DeleteEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete event buses", @@ -75822,11 +85948,17 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ - "events:creatorAccount" + "events:creatorAccount", + "events:ManagedBy" ], "dependent_actions": [], "resource_type": "" @@ -75874,6 +86006,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details about an endpoint", + "privilege": "DescribeEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve details about event buses", @@ -75930,7 +86074,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ @@ -75949,11 +86098,17 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ - "events:creatorAccount" + "events:creatorAccount", + "events:ManagedBy" ], "dependent_actions": [], "resource_type": "" @@ -75962,17 +86117,23 @@ }, { "access_level": "Write", - "description": "Grants permissions to enable rules", + "description": "Grants permission to enable rules", "privilege": "EnableRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ - "events:creatorAccount" + "events:creatorAccount", + "events:ManagedBy" ], "dependent_actions": [], "resource_type": "" @@ -76029,7 +86190,19 @@ }, { "access_level": "List", - "description": "Grants permission to to retrieve a list of the event buses in your account", + "description": "Grants permission to retrieve a list of endpoints", + "privilege": "ListEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of the event buses in your account", "privilege": "ListEventBuses", "resource_types": [ { @@ -76124,7 +86297,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ @@ -76143,7 +86321,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ @@ -76168,9 +86351,7 @@ "condition_keys": [ "events:detail-type", "events:source", - "events:eventBusInvocation", - "aws:SourceArn", - "aws:SourceAccount" + "events:eventBusInvocation" ], "dependent_actions": [], "resource_type": "" @@ -76209,7 +86390,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ @@ -76220,7 +86406,8 @@ "events:detail.eventTypeCode", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "events:creatorAccount" + "events:creatorAccount", + "events:ManagedBy" ], "dependent_actions": [], "resource_type": "" @@ -76235,12 +86422,18 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ "events:TargetArn", - "events:creatorAccount" + "events:creatorAccount", + "events:ManagedBy" ], "dependent_actions": [], "resource_type": "" @@ -76267,11 +86460,17 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ - "events:creatorAccount" + "events:creatorAccount", + "events:ManagedBy" ], "dependent_actions": [], "resource_type": "" @@ -76303,7 +86502,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ @@ -76318,7 +86522,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to test whether an event pattern matches the provided event", + "description": "Grants permission to test whether an event pattern matches the provided event", "privilege": "TestEventPattern", "resource_types": [ { @@ -76341,7 +86545,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule" + "resource_type": "rule-on-custom-event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule-on-default-event-bus" }, { "condition_keys": [ @@ -76388,6 +86597,25 @@ "resource_type": "connection*" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an endpoint", + "privilege": "UpdateEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + }, + { + "condition_keys": [ + "events:EventBusArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ @@ -76404,11 +86632,18 @@ "resource": "event-bus" }, { - "arn": "arn:${Partition}:events:${Region}:${Account}:rule/[${EventBusName}/]${RuleName}", + "arn": "arn:${Partition}:events:${Region}:${Account}:rule/${RuleName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "rule" + "resource": "rule-on-default-event-bus" + }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:rule/${EventBusName}/${RuleName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "rule-on-custom-event-bus" }, { "arn": "arn:${Partition}:events:${Region}:${Account}:archive/${ArchiveName}", @@ -76429,10 +86664,470 @@ "arn": "arn:${Partition}:events:${Region}:${Account}:api-destination/${ApiDestinationName}", "condition_keys": [], "resource": "api-destination" + }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:endpoint/${EndpointName}", + "condition_keys": [], + "resource": "endpoint" } ], "service_name": "Amazon EventBridge" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed the request on behalf of the IAM principal", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource that make the request on behalf of the IAM principal", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request on behalf of the IAM principal", + "type": "ArrayOfString" + } + ], + "prefix": "evidently", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to send a batched evaluate feature request", + "privilege": "BatchEvaluateFeature", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Feature*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an experiment", + "privilege": "CreateExperiment", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a feature", + "privilege": "CreateFeature", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a launch", + "privilege": "CreateLaunch", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a project", + "privilege": "CreateProject", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an experiment", + "privilege": "DeleteExperiment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Experiment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a feature", + "privilege": "DeleteFeature", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Feature*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a launch", + "privilege": "DeleteLaunch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Launch*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send an evaluate feature request", + "privilege": "EvaluateFeature", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Feature*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get experiment details", + "privilege": "GetExperiment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Experiment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get experiment result", + "privilege": "GetExperimentResults", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Experiment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get feature details", + "privilege": "GetFeature", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Feature*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get launch details", + "privilege": "GetLaunch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Launch*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get project details", + "privilege": "GetProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list experiments", + "privilege": "ListExperiments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list features", + "privilege": "ListFeatures", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list launches", + "privilege": "ListLaunches", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list projects", + "privilege": "ListProjects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for resources", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send performance events", + "privilege": "PutProjectEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an experiment", + "privilege": "StartExperiment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Experiment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a launch", + "privilege": "StartLaunch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Launch*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop an experiment", + "privilege": "StopExperiment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Experiment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a launch", + "privilege": "StopLaunch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Launch*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag resources", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag resources", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update experiment", + "privilege": "UpdateExperiment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Experiment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update feature", + "privilege": "UpdateFeature", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Feature*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a launch", + "privilege": "UpdateLaunch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Launch*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update project", + "privilege": "UpdateProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update project data delivery", + "privilege": "UpdateProjectDataDelivery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:evidently:${Region}:${OwnerAccountId}:project/${ProjectName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Project" + }, + { + "arn": "arn:${Partition}:evidently:${Region}:${OwnerAccountId}:project/${ProjectName}/feature/${FeatureName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Feature" + }, + { + "arn": "arn:${Partition}:evidently:${Region}:${OwnerAccountId}:project/${ProjectName}/experiment/${ExperimentName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Experiment" + }, + { + "arn": "arn:${Partition}:evidently:${Region}:${OwnerAccountId}:project/${ProjectName}/launch/${LaunchName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Launch" + } + ], + "service_name": "Amazon CloudWatch Evidently" + }, { "conditions": [], "prefix": "execute-api", @@ -76505,19 +87200,27 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permissions to create a FinSpace environment", + "description": "Grants permission to create a FinSpace environment", "privilege": "CreateEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to create a FinSpace user.", + "description": "Grants permission to create a FinSpace user", "privilege": "CreateUser", "resource_types": [ { @@ -76529,41 +87232,32 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "user*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permissions to delete a FinSpace environment.", - "privilege": "DeleteEnvironment", - "resource_types": [ + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete a FinSpace user.", - "privilege": "DeleteUser", + "description": "Grants permission to delete a FinSpace environment", + "privilege": "DeleteEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "environment*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" } ] }, { "access_level": "Read", - "description": "Grants permissions to describe a FinSpace environment.", + "description": "Grants permission to describe a FinSpace environment", "privilege": "GetEnvironment", "resource_types": [ { @@ -76575,7 +87269,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to request status of the loading of sample data bundle.", + "description": "Grants permission to request status of the loading of sample data bundle", "privilege": "GetLoadSampleDataSetGroupIntoEnvironmentStatus", "resource_types": [ { @@ -76587,7 +87281,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a FinSpace user.", + "description": "Grants permission to describe a FinSpace user", "privilege": "GetUser", "resource_types": [ { @@ -76604,7 +87298,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list FinSpace environments in the AWS account.", + "description": "Grants permission to list FinSpace environments in the AWS account", "privilege": "ListEnvironments", "resource_types": [ { @@ -76616,7 +87310,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return a list of tags for a resource.", + "description": "Grants permission to return a list of tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -76628,7 +87322,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list FinSpace users in an environment.", + "description": "Grants permission to list FinSpace users in an environment", "privilege": "ListUsers", "resource_types": [ { @@ -76645,7 +87339,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to load sample data bundle into your FinSpace environment.", + "description": "Grants permission to load sample data bundle into your FinSpace environment", "privilege": "LoadSampleDataSetGroupIntoEnvironment", "resource_types": [ { @@ -76655,9 +87349,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to reset the password for a FinSpace user", + "privilege": "ResetUserPassword", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, { "access_level": "Tagging", - "description": "Grants permissions to tag a resource.", + "description": "Grants permission to tag a resource", "privilege": "TagResource", "resource_types": [ { @@ -76669,7 +87380,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to untag a resource.", + "description": "Grants permission to untag a resource", "privilege": "UntagResource", "resource_types": [ { @@ -76681,7 +87392,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a FinSpace environment", + "description": "Grants permission to update a FinSpace environment", "privilege": "UpdateEnvironment", "resource_types": [ { @@ -76690,18 +87401,35 @@ "resource_type": "environment*" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a FinSpace user", + "privilege": "UpdateUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] } ], "resources": [ { - "arn": "arn:${Partition}:finspace:${Region}:${Account}:environment/${environmentId}", + "arn": "arn:${Partition}:finspace:${Region}:${Account}:environment/${EnvironmentId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "environment" }, { - "arn": "arn:${Partition}:finspace:${Region}:${Account}:user/${userId}", + "arn": "arn:${Partition}:finspace:${Region}:${Account}:user/${UserId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -76725,14 +87453,14 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "firehose", "privileges": [ { "access_level": "Write", - "description": "Grants permissions to create a delivery stream", + "description": "Grants permission to create a delivery stream", "privilege": "CreateDeliveryStream", "resource_types": [ { @@ -76776,7 +87504,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list your delivery streams", + "description": "Grants permission to list your delivery streams", "privilege": "ListDeliveryStreams", "resource_types": [ { @@ -76788,7 +87516,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list the tags for the specified delivery stream", + "description": "Grants permission to list the tags for the specified delivery stream", "privilege": "ListTagsForDeliveryStream", "resource_types": [ { @@ -76800,7 +87528,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to write a single data record into an Amazon Kinesis Firehose delivery stream", + "description": "Grants permission to write a single data record into an Amazon Kinesis Firehose delivery stream", "privilege": "PutRecord", "resource_types": [ { @@ -76812,7 +87540,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to write multiple data records into a delivery stream in a single call, which can achieve higher throughput per producer than when writing single records", + "description": "Grants permission to write multiple data records into a delivery stream in a single call, which can achieve higher throughput per producer than when writing single records", "privilege": "PutRecordBatch", "resource_types": [ { @@ -76824,7 +87552,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to enable server-side encryption (SSE) for the delivery stream", + "description": "Grants permission to enable server-side encryption (SSE) for the delivery stream", "privilege": "StartDeliveryStreamEncryption", "resource_types": [ { @@ -76836,7 +87564,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to disable the specified destination of the specified delivery stream", + "description": "Grants permission to disable the specified destination of the specified delivery stream", "privilege": "StopDeliveryStreamEncryption", "resource_types": [ { @@ -76848,7 +87576,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to add or update tags for the specified delivery stream", + "description": "Grants permission to add or update tags for the specified delivery stream", "privilege": "TagDeliveryStream", "resource_types": [ { @@ -76868,7 +87596,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to remove tags from the specified delivery stream", + "description": "Grants permission to remove tags from the specified delivery stream", "privilege": "UntagDeliveryStream", "resource_types": [ { @@ -76887,7 +87615,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the specified destination of the specified delivery stream", + "description": "Grants permission to update the specified destination of the specified delivery stream", "privilege": "UpdateDestination", "resource_types": [ { @@ -76924,7 +87652,7 @@ { "condition": "aws:TagKeys", "description": "Filters access by a list of tag keys that are allowed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "fis:Operations", @@ -77043,6 +87771,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get information about the specified resource type", + "privilege": "GetTargetResourceType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to inject an API internal error on the provided AWS service from an FIS Experiment", @@ -77147,7 +87887,7 @@ }, { "access_level": "Read", - "description": "Grants permission to list the tags for an AWS FIS resource.", + "description": "Grants permission to list the tags for an AWS FIS resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -77167,6 +87907,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the resource types", + "privilege": "ListTargetResourceTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to run an AWS FIS experiment", @@ -77321,18 +88073,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by the the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "fms", @@ -77349,6 +88101,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to set the Firewall Manager administrator as a tenant administrator of a third-party firewall service", + "privilege": "AssociateThirdPartyFirewall", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to permanently deletes an AWS Firewall Manager applications list", @@ -77416,6 +88180,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a Firewall Manager administrator from a third-party firewall tenant", + "privilege": "DisassociateThirdPartyFirewall", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the AWS Organizations master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator", @@ -77500,6 +88276,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the onboarding status of a Firewall Manager administrator account to third-party firewall vendor tenant", + "privilege": "GetThirdPartyFirewallAssociationStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve violations for a resource based on the specified AWS Firewall Manager policy and AWS account", @@ -77584,6 +88372,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of all of the third-party firewall policies that are associated with the third-party firewall administrator's account", + "privilege": "ListThirdPartyFirewallFirewallPolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create an AWS Firewall Manager applications list", @@ -77725,22 +88525,37 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "forecast", "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an auto predictor", + "privilege": "CreateAutoPredictor", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a dataset", @@ -77801,6 +88616,46 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an explainability", + "privilege": "CreateExplainability", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecast*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an explainability export using an explainability resource", + "privilege": "CreateExplainabilityExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a forecast", @@ -77821,6 +88676,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint using a Predictor resource", + "privilege": "CreateForecastEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictor*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a forecast export job using a forecast resource", @@ -77841,6 +88716,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an monitor using a Predictor resource", + "privilege": "CreateMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictor*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a predictor", @@ -77881,6 +88776,66 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a what-if analysis", + "privilege": "CreateWhatIfAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecast*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a what-if forecast", + "privilege": "CreateWhatIfForecast", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a what-if forecast export using what-if forecast resources", + "privilege": "CreateWhatIfForecastExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a dataset", @@ -77917,6 +88872,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an explainability", + "privilege": "DeleteExplainability", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an explainability export", + "privilege": "DeleteExplainabilityExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainabilityExport*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a forecast", @@ -77929,6 +88908,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an endpoint resource", + "privilege": "DeleteForecastEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a forecast export job", @@ -77941,6 +88932,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a monitor resource", + "privilege": "DeleteMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a predictor", @@ -77985,6 +88988,21 @@ "dependent_actions": [], "resource_type": "datasetImportJob*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainabilityExport*" + }, { "condition_keys": [], "dependent_actions": [], @@ -77995,6 +89013,11 @@ "dependent_actions": [], "resource_type": "forecastExport*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor*" + }, { "condition_keys": [], "dependent_actions": [], @@ -78004,6 +89027,69 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "predictorBacktestExportJob*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecastExport*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a what-if analysis", + "privilege": "DeleteWhatIfAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a what-if forecast", + "privilege": "DeleteWhatIfForecast", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a what-if forecast export", + "privilege": "DeleteWhatIfForecastExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecastExport*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an auto predictor", + "privilege": "DescribeAutoPredictor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictor*" } ] }, @@ -78043,6 +89129,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe an explainability", + "privilege": "DescribeExplainability", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an explainability export", + "privilege": "DescribeExplainabilityExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainabilityExport*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a forecast", @@ -78055,6 +89165,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe an endpoint resource", + "privilege": "DescribeForecastEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a forecast export job", @@ -78067,6 +89189,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe an monitor resource", + "privilege": "DescribeMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a predictor", @@ -78091,6 +89225,42 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe a what-if analysis", + "privilege": "DescribeWhatIfAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a what-if forecast", + "privilege": "DescribeWhatIfForecast", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a what-if forecast export", + "privilege": "DescribeWhatIfForecastExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecastExport*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the Accuracy Metrics for a predictor", @@ -78104,7 +89274,31 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to get the forecast context of a timeseries for an endpoint", + "privilege": "GetRecentForecastContext", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to invoke the endpoint to get forecast for a timeseries", + "privilege": "InvokeForecastEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to list all the dataset groups", "privilege": "ListDatasetGroups", "resource_types": [ @@ -78116,7 +89310,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all the dataset import jobs", "privilege": "ListDatasetImportJobs", "resource_types": [ @@ -78128,7 +89322,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all the datasets", "privilege": "ListDatasets", "resource_types": [ @@ -78140,7 +89334,31 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to list all the explainabilities", + "privilege": "ListExplainabilities", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all the explainability exports", + "privilege": "ListExplainabilityExports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to list all the forecast export jobs", "privilege": "ListForecastExportJobs", "resource_types": [ @@ -78152,7 +89370,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all the forecasts", "privilege": "ListForecasts", "resource_types": [ @@ -78164,7 +89382,31 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to list all the monitor evaluation result for a monitor", + "privilege": "ListMonitorEvaluations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all the monitor resources", + "privilege": "ListMonitors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to list all the predictor backtest export jobs", "privilege": "ListPredictorBacktestExportJobs", "resource_types": [ @@ -78176,7 +89418,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all the predictors", "privilege": "ListPredictors", "resource_types": [ @@ -78207,6 +89449,21 @@ "dependent_actions": [], "resource_type": "datasetImportJob" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainabilityExport" + }, { "condition_keys": [], "dependent_actions": [], @@ -78217,6 +89474,11 @@ "dependent_actions": [], "resource_type": "forecastExport" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor" + }, { "condition_keys": [], "dependent_actions": [], @@ -78226,6 +89488,57 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "predictorBacktestExportJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecastExport" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all the what-if analyses", + "privilege": "ListWhatIfAnalyses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all the what-if forecast exports", + "privilege": "ListWhatIfForecastExports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all the what-if forecasts", + "privilege": "ListWhatIfForecasts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -78241,6 +89554,38 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a what-if forecast for a single item", + "privilege": "QueryWhatIfForecast", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to resume Amazon Forecast resource jobs", + "privilege": "ResumeResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to stop Amazon Forecast resource jobs", @@ -78251,6 +89596,21 @@ "dependent_actions": [], "resource_type": "datasetImportJob*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainabilityExport*" + }, { "condition_keys": [], "dependent_actions": [], @@ -78261,6 +89621,11 @@ "dependent_actions": [], "resource_type": "forecastExport*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor*" + }, { "condition_keys": [], "dependent_actions": [], @@ -78271,6 +89636,21 @@ "dependent_actions": [], "resource_type": "predictorBacktestExportJob*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecastExport*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -78301,6 +89681,21 @@ "dependent_actions": [], "resource_type": "datasetImportJob" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainabilityExport" + }, { "condition_keys": [], "dependent_actions": [], @@ -78311,6 +89706,11 @@ "dependent_actions": [], "resource_type": "forecastExport" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor" + }, { "condition_keys": [], "dependent_actions": [], @@ -78321,6 +89721,21 @@ "dependent_actions": [], "resource_type": "predictorBacktestExportJob" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecastExport" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -78351,6 +89766,21 @@ "dependent_actions": [], "resource_type": "datasetImportJob" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainability" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "explainabilityExport" + }, { "condition_keys": [], "dependent_actions": [], @@ -78361,6 +89791,11 @@ "dependent_actions": [], "resource_type": "forecastExport" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitor" + }, { "condition_keys": [], "dependent_actions": [], @@ -78371,6 +89806,21 @@ "dependent_actions": [], "resource_type": "predictorBacktestExportJob" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfAnalysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecast" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "whatIfForecastExport" + }, { "condition_keys": [ "aws:TagKeys" @@ -78452,6 +89902,55 @@ "aws:ResourceTag/${TagKey}" ], "resource": "forecastExport" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:explainability/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "explainability" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:explainability-export/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "explainabilityExport" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:monitor/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "monitor" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:what-if-analysis/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "whatIfAnalysis" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:what-if-forecast/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "whatIfForecast" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:what-if-forecast-export/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "whatIfForecastExport" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:forecast-endpoint/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "endpoint" } ], "service_name": "Amazon Forecast" @@ -78471,7 +89970,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "frauddetector", @@ -78499,7 +89998,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "variable" + "resource_type": "variable*" } ] }, @@ -78597,6 +90096,16 @@ "dependent_actions": [], "resource_type": "detector*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "external-model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-version" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -78997,6 +90506,28 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get more details of a particular prediction", + "privilege": "GetEventPredictionMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector-version*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-type*" + } + ] + }, { "access_level": "List", "description": "Grants permission to get all event types or a specific event type if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning", @@ -79105,11 +90636,43 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to get a list of past predictions", + "privilege": "ListEventPredictions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-type" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list all tags associated with the resource. This is a paginated API. To get the next page results, provide the pagination token from the response as part of your request. A null pagination token fetches the records from the beginning", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batch-import" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batch-prediction" + }, { "condition_keys": [], "dependent_actions": [], @@ -79334,6 +90897,11 @@ "description": "Grants permission to assign tags to a resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batch-import" + }, { "condition_keys": [], "dependent_actions": [], @@ -79409,6 +90977,11 @@ "description": "Grants permission to remove tags from a resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batch-import" + }, { "condition_keys": [], "dependent_actions": [], @@ -79488,6 +91061,16 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "detector*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "external-model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-version" } ] }, @@ -79723,25 +91306,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to Amazon FreeRTOS.", + "description": "A tag key that is present in the request that the user makes to Amazon FreeRTOS", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag key component of a tag attached to an Amazon FreeRTOS resource.", + "description": "The tag key component of a tag attached to an Amazon FreeRTOS resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the resource in the request.", - "type": "String" + "description": "The list of all the tag key names associated with the resource in the request", + "type": "ArrayOfString" } ], "prefix": "freertos", "privileges": [ { "access_level": "Write", - "description": "Creates a software configuration.", + "description": "Creates a software configuration", "privilege": "CreateSoftwareConfiguration", "resource_types": [ { @@ -79761,7 +91344,7 @@ }, { "access_level": "Write", - "description": "Deletes the software configuration.", + "description": "Deletes the software configuration", "privilege": "DeleteSoftwareConfiguration", "resource_types": [ { @@ -79773,7 +91356,7 @@ }, { "access_level": "Read", - "description": "Describes the hardware platform.", + "description": "Describes the hardware platform", "privilege": "DescribeHardwarePlatform", "resource_types": [ { @@ -79785,7 +91368,7 @@ }, { "access_level": "Read", - "description": "Describes the software configuration.", + "description": "Describes the software configuration", "privilege": "DescribeSoftwareConfiguration", "resource_types": [ { @@ -79797,7 +91380,7 @@ }, { "access_level": "Read", - "description": "Get the URL for Amazon FreeRTOS software download.", + "description": "Get the URL for Amazon FreeRTOS software download", "privilege": "GetSoftwareURL", "resource_types": [ { @@ -79809,7 +91392,7 @@ }, { "access_level": "Read", - "description": "Get the URL for Amazon FreeRTOS software download based on the configuration.", + "description": "Get the URL for Amazon FreeRTOS software download based on the configuration", "privilege": "GetSoftwareURLForConfiguration", "resource_types": [ { @@ -79821,7 +91404,7 @@ }, { "access_level": "List", - "description": "Lists versions of AmazonFreeRTOS.", + "description": "Lists versions of AmazonFreeRTOS", "privilege": "ListFreeRTOSVersions", "resource_types": [ { @@ -79833,7 +91416,7 @@ }, { "access_level": "List", - "description": "Lists the hardware platforms.", + "description": "Lists the hardware platforms", "privilege": "ListHardwarePlatforms", "resource_types": [ { @@ -79845,7 +91428,7 @@ }, { "access_level": "List", - "description": "Lists the hardware vendors.", + "description": "Lists the hardware vendors", "privilege": "ListHardwareVendors", "resource_types": [ { @@ -79857,7 +91440,7 @@ }, { "access_level": "List", - "description": "Lists the software configurations.", + "description": "Lists the software configurations", "privilege": "ListSoftwareConfigurations", "resource_types": [ { @@ -79869,7 +91452,7 @@ }, { "access_level": "Write", - "description": "Updates the software configuration.", + "description": "Updates the software configuration", "privilege": "UpdateSoftwareConfiguration", "resource_types": [ { @@ -79882,7 +91465,7 @@ ], "resources": [ { - "arn": "arn:${Partition}:freertos:${Region}:${Account}:configuration/${configurationName}", + "arn": "arn:${Partition}:freertos:${Region}:${Account}:configuration/${ConfigurationName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -79895,18 +91478,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" }, { "condition": "fsx:IsBackupCopyDestination", @@ -79918,6 +91501,11 @@ "description": "Filters access by whether the backup is a source backup for a CopyBackup operation", "type": "Bool" }, + { + "condition": "fsx:ParentVolumeId", + "description": "Filters access by the containing parent volume for mutating volume operations", + "type": "String" + }, { "condition": "fsx:StorageVirtualMachineId", "description": "Filters access by the containing storage virtual machine for a volume for mutating volume operations", @@ -80016,6 +91604,33 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a new data respository association for an Amazon FSx for Lustre file system", + "privilege": "CreateDataRepositoryAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "association*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "file-system*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new data respository task for an Amazon FSx for Lustre file system", @@ -80092,6 +91707,33 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a new snapshot on a volume", + "privilege": "CreateSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new storage virtual machine in an Amazon FSx for Ontap file system", @@ -80131,11 +91773,17 @@ ], "resource_type": "volume*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "fsx:StorageVirtualMachineId" + "fsx:StorageVirtualMachineId", + "fsx:ParentVolumeId" ], "dependent_actions": [], "resource_type": "" @@ -80177,7 +91825,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a backup, deleting its contents. After deletion, the backup no longer exists, and its data is no longer available.", + "description": "Grants permission to delete a backup, deleting its contents. After deletion, the backup no longer exists, and its data is no longer available", "privilege": "DeleteBackup", "resource_types": [ { @@ -80187,6 +91835,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a data repository association", + "privilege": "DeleteDataRepositoryAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a file system, deleting its contents and any existing automatic backups of the file system", @@ -80217,26 +91877,31 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a storage virtual machine, deleting its contents.", - "privilege": "DeleteStorageVirtualMachine", + "description": "Grants permission to delete a snapshot on a volume", + "privilege": "DeleteSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "storage-virtual-machine*" - }, + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a storage virtual machine, deleting its contents", + "privilege": "DeleteStorageVirtualMachine", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "storage-virtual-machine*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a volume, deleting its contents and any existing automatic backups of the volume.", + "description": "Grants permission to delete a volume, deleting its contents and any existing automatic backups of the volume", "privilege": "DeleteVolume", "resource_types": [ { @@ -80244,10 +91909,17 @@ "dependent_actions": [], "resource_type": "volume*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backup" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys", - "fsx:StorageVirtualMachineId" + "fsx:StorageVirtualMachineId", + "fsx:ParentVolumeId" ], "dependent_actions": [], "resource_type": "" @@ -80280,7 +91952,19 @@ }, { "access_level": "Read", - "description": "Grants permission to return the descriptions of all data repository task owned by your AWS account in the AWS Region of the endpoint that you're calling", + "description": "Grants permission to return the descriptions of all data repository associations owned by your AWS account in the AWS Region of the endpoint that you're calling", + "privilege": "DescribeDataRepositoryAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the descriptions of all data repository tasks owned by your AWS account in the AWS Region of the endpoint that you're calling", "privilege": "DescribeDataRepositoryTasks", "resource_types": [ { @@ -80314,6 +91998,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return the descriptions of all snapshots owned by your AWS account in the AWS Region of the endpoint you're calling", + "privilege": "DescribeSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return the descriptions of all storage virtual machines owned by your AWS account in the AWS Region of the endpoint that you're calling", @@ -80367,6 +92063,11 @@ "description": "Grants permission to list tags for an Amazon FSx resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association" + }, { "condition_keys": [], "dependent_actions": [], @@ -80377,6 +92078,11 @@ "dependent_actions": [], "resource_type": "file-system" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, { "condition_keys": [], "dependent_actions": [], @@ -80406,11 +92112,45 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to release file system NFS V3 locks", + "privilege": "ReleaseFileSystemNfsV3Locks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "file-system*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore volume state from a snapshot", + "privilege": "RestoreVolumeFromSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "volume*" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to tag an Amazon FSx resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association" + }, { "condition_keys": [], "dependent_actions": [], @@ -80421,6 +92161,11 @@ "dependent_actions": [], "resource_type": "file-system" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, { "condition_keys": [], "dependent_actions": [], @@ -80451,6 +92196,11 @@ "description": "Grants permission to remove a tag from an Amazon FSx resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association" + }, { "condition_keys": [], "dependent_actions": [], @@ -80461,6 +92211,11 @@ "dependent_actions": [], "resource_type": "file-system" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, { "condition_keys": [], "dependent_actions": [], @@ -80485,6 +92240,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update data repository association configuration", + "privilege": "UpdateDataRepositoryAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update file system configuration", @@ -80497,6 +92264,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update snapshot configuration", + "privilege": "UpdateSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update storage virtual machine configuration", @@ -80506,13 +92285,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "storage-virtual-machine*" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -80528,8 +92300,8 @@ }, { "condition_keys": [ - "aws:TagKeys", - "fsx:StorageVirtualMachineId" + "fsx:StorageVirtualMachineId", + "fsx:ParentVolumeId" ], "dependent_actions": [], "resource_type": "" @@ -80566,12 +92338,26 @@ ], "resource": "task" }, + { + "arn": "arn:${Partition}:fsx:${Region}:${Account}:association/${FileSystemId}/${DataRepositoryAssociationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "association" + }, { "arn": "arn:${Partition}:fsx:${Region}:${Account}:volume/${FileSystemId}/${VolumeId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "volume" + }, + { + "arn": "arn:${Partition}:fsx:${Region}:${Account}:snapshot/${VolumeId}/${SnapshotId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "snapshot" } ], "service_name": "Amazon FSx" @@ -80591,7 +92377,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "gamelift", @@ -81941,6 +93727,705 @@ ], "service_name": "Amazon GameLift" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "gamesparks", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a game", + "privilege": "CreateGame", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a snapshot of a game", + "privilege": "CreateSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a stage in a game", + "privilege": "CreateStage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a game", + "privilege": "DeleteGame", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a stage from a game", + "privilege": "DeleteStage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disconnect a player from the game runtime", + "privilege": "DisconnectPlayer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to export a snapshot of the game configuration", + "privilege": "ExportSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about an extension", + "privilege": "GetExtension", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about an extension version", + "privilege": "GetExtensionVersion", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about a game", + "privilege": "GetGame", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the configuration for the game", + "privilege": "GetGameConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about a job that is generating code for a snapshot", + "privilege": "GetGeneratedCodeJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the status of a player connection", + "privilege": "GetPlayerConnectionStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a snapshot of the game", + "privilege": "GetSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to gets information about a stage", + "privilege": "GetStage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a stage deployment", + "privilege": "GetStageDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to import a snapshot of a game configuration", + "privilege": "ImportGameConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to invoke backend services for a specific game", + "privilege": "InvokeBackend", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the extension versions", + "privilege": "ListExtensionVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the extensions", + "privilege": "ListExtensions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the games", + "privilege": "ListGames", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of code generation jobs for a snapshot", + "privilege": "ListGeneratedCodeJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of snapshot summaries for a game", + "privilege": "ListSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of stage deployment summaries for a game", + "privilege": "ListStageDeployments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of stage summaries for a game", + "privilege": "ListStages", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags associated with a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an asynchronous process that generates client code for system-defined and custom messages", + "privilege": "StartGeneratedCodeJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deploy a snapshot to a stage and creates a new game runtime", + "privilege": "StartStageDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to adds tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to change the metadata of a game", + "privilege": "UpdateGame", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to change the working copy of the game configuration", + "privilege": "UpdateGameConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the metadata of a snapshot", + "privilege": "UpdateSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the metadata of a stage", + "privilege": "UpdateStage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "game*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:gamesparks:${Region}:${Account}:game/${GameId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "game" + }, + { + "arn": "arn:${Partition}:gamesparks:${Region}:${Account}:game/${GameId}/stage/${StageName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "stage" + } + ], + "service_name": "Amazon GameSparks" + }, { "conditions": [ { @@ -81950,13 +94435,13 @@ }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:TagKeys", "description": "Filters access by the tag keys in a request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "geo", @@ -82058,15 +94543,22 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a geofence-collection", - "privilege": "CreateGeofenceCollection", + "access_level": "Read", + "description": "Grants permission to calculate a route matrix using a given route calculator resource", + "privilege": "CalculateRouteMatrix", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" - }, + "resource_type": "route-calculator*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a geofence-collection", + "privilege": "CreateGeofenceCollection", + "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -82082,11 +94574,6 @@ "description": "Grants permission to create a map resource", "privilege": "CreateMap", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "map*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -82102,11 +94589,6 @@ "description": "Grants permission to create a place index resource", "privilege": "CreatePlaceIndex", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "place-index*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -82122,11 +94604,6 @@ "description": "Grants permission to create a route calculator resource", "privilege": "CreateRouteCalculator", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "route-calculator*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -82142,11 +94619,6 @@ "description": "Grants permission to create a tracker resource", "privilege": "CreateTracker", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "tracker*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -82303,7 +94775,7 @@ }, { "access_level": "Read", - "description": "Grant permission to retrieve the device position history", + "description": "Grants permission to retrieve the device position history", "privilege": "GetDevicePositionHistory", "resource_types": [ { @@ -82315,7 +94787,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the geofence details from a geofence-collection.", + "description": "Grants permission to retrieve the geofence details from a geofence-collection", "privilege": "GetGeofence", "resource_types": [ { @@ -82374,7 +94846,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to retrieve a list of devices and their latest positions from the given tracker resource", "privilege": "ListDevicePositions", "resource_types": [ @@ -82525,6 +94997,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to generate suggestions for addresses and points of interest based on partial or misspelled free-form text", + "privilege": "SearchPlaceIndexForSuggestions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "place-index*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to geocode free-form text, such as an address, name, city or region", @@ -82619,7 +95103,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update the description of a geofence collection", + "description": "Grants permission to update a geofence collection", "privilege": "UpdateGeofenceCollection", "resource_types": [ { @@ -82631,7 +95115,43 @@ }, { "access_level": "Write", - "description": "Grants permission to update the description of a tracker resource", + "description": "Grants permission to update a map resource", + "privilege": "UpdateMap", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a place index resource", + "privilege": "UpdatePlaceIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "place-index*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a route calculator resource", + "privilege": "UpdateRouteCalculator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "route-calculator*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a tracker resource", "privilege": "UpdateTracker", "resource_types": [ { @@ -82683,14 +95203,24 @@ }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + }, { "condition": "glacier:ArchiveAgeInDays", - "description": "How long an archive has been stored in the vault, in days.", + "description": "Filters access by how long an archive has been stored in the vault, in days", "type": "String" }, { "condition": "glacier:ResourceTag/", - "description": "A customer-defined tag.", + "description": "Filters access by a customer-defined tag", "type": "String" } ], @@ -82698,7 +95228,7 @@ "privileges": [ { "access_level": "Write", - "description": "Aborts a multipart upload identified by the upload ID", + "description": "Grants permission to abort a multipart upload identified by the upload ID", "privilege": "AbortMultipartUpload", "resource_types": [ { @@ -82710,7 +95240,7 @@ }, { "access_level": "Permissions management", - "description": "Aborts the vault locking process if the vault lock is not in the Locked state", + "description": "Grants permission to abort the vault locking process if the vault lock is not in the Locked state", "privilege": "AbortVaultLock", "resource_types": [ { @@ -82722,19 +95252,27 @@ }, { "access_level": "Tagging", - "description": "Adds the specified tags to a vault", + "description": "Grants permission to add the specified tags to a vault", "privilege": "AddTagsToVault", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "vault*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Completes a multipart upload process", + "description": "Grants permission to complete a multipart upload process", "privilege": "CompleteMultipartUpload", "resource_types": [ { @@ -82746,7 +95284,7 @@ }, { "access_level": "Permissions management", - "description": "Completes the vault locking process", + "description": "Grants permission to complete the vault locking process", "privilege": "CompleteVaultLock", "resource_types": [ { @@ -82758,7 +95296,7 @@ }, { "access_level": "Write", - "description": "Creates a new vault with the specified name", + "description": "Grants permission to create a new vault with the specified name", "privilege": "CreateVault", "resource_types": [ { @@ -82770,7 +95308,7 @@ }, { "access_level": "Write", - "description": "Deletes an archive from a vault", + "description": "Grants permission to delete an archive from a vault", "privilege": "DeleteArchive", "resource_types": [ { @@ -82789,7 +95327,7 @@ }, { "access_level": "Write", - "description": "Deletes a vault", + "description": "Grants permission to delete a vault", "privilege": "DeleteVault", "resource_types": [ { @@ -82801,7 +95339,7 @@ }, { "access_level": "Permissions management", - "description": "Deletes the access policy associated with the specified vault", + "description": "Grants permission to delete the access policy associated with the specified vault", "privilege": "DeleteVaultAccessPolicy", "resource_types": [ { @@ -82813,7 +95351,7 @@ }, { "access_level": "Write", - "description": "Deletes the notification configuration set for a vault", + "description": "Grants permission to delete the notification configuration set for a vault", "privilege": "DeleteVaultNotifications", "resource_types": [ { @@ -82825,7 +95363,7 @@ }, { "access_level": "Read", - "description": "Returns information about a job you previously initiated", + "description": "Grants permission to get information about a job previously initiated", "privilege": "DescribeJob", "resource_types": [ { @@ -82837,7 +95375,7 @@ }, { "access_level": "Read", - "description": "Returns information about a vault", + "description": "Grants permission to get information about a vault", "privilege": "DescribeVault", "resource_types": [ { @@ -82849,7 +95387,7 @@ }, { "access_level": "Read", - "description": "Returns the current data retrieval policy for the account and region specified in the GET request", + "description": "Grants permission to get the data retrieval policy", "privilege": "GetDataRetrievalPolicy", "resource_types": [ { @@ -82861,7 +95399,7 @@ }, { "access_level": "Read", - "description": "Downloads the output of the job you initiated", + "description": "Grants permission to download the output of the job specified", "privilege": "GetJobOutput", "resource_types": [ { @@ -82873,7 +95411,7 @@ }, { "access_level": "Read", - "description": "Retrieves the access-policy subresource set on the vault", + "description": "Grants permission to retrieve the access-policy subresource set on the vault", "privilege": "GetVaultAccessPolicy", "resource_types": [ { @@ -82885,7 +95423,7 @@ }, { "access_level": "Read", - "description": "Retrieves attributes from the lock-policy subresource set on the specified vault", + "description": "Grants permission to retrieve attributes from the lock-policy subresource set on the specified vault", "privilege": "GetVaultLock", "resource_types": [ { @@ -82897,7 +95435,7 @@ }, { "access_level": "Read", - "description": "Retrieves the notification-configuration subresource set on the vault", + "description": "Grants permission to retrieve the notification-configuration subresource set on the vault", "privilege": "GetVaultNotifications", "resource_types": [ { @@ -82909,7 +95447,7 @@ }, { "access_level": "Write", - "description": "Initiates a job of the specified type", + "description": "Grants permission to initiate a job of the specified type", "privilege": "InitiateJob", "resource_types": [ { @@ -82928,7 +95466,7 @@ }, { "access_level": "Write", - "description": "Initiates a multipart upload", + "description": "Grants permission to initiate a multipart upload", "privilege": "InitiateMultipartUpload", "resource_types": [ { @@ -82940,7 +95478,7 @@ }, { "access_level": "Permissions management", - "description": "Initiates the vault locking process", + "description": "Grants permission to initiate the vault locking process", "privilege": "InitiateVaultLock", "resource_types": [ { @@ -82952,7 +95490,7 @@ }, { "access_level": "List", - "description": "Lists jobs for a vault that are in-progress and jobs that have recently finished", + "description": "Grants permission to list jobs for a vault that are in-progress and jobs that have recently finished", "privilege": "ListJobs", "resource_types": [ { @@ -82964,7 +95502,7 @@ }, { "access_level": "List", - "description": "Lists in-progress multipart uploads for the specified vault", + "description": "Grants permission to list in-progress multipart uploads for the specified vault", "privilege": "ListMultipartUploads", "resource_types": [ { @@ -82976,7 +95514,7 @@ }, { "access_level": "List", - "description": "Lists the parts of an archive that have been uploaded in a specific multipart upload", + "description": "Grants permission to list the parts of an archive that have been uploaded in a specific multipart upload", "privilege": "ListParts", "resource_types": [ { @@ -82988,7 +95526,7 @@ }, { "access_level": "List", - "description": "This operation lists the provisioned capacity for the specified AWS account.", + "description": "Grants permission to list the provisioned capacity for the specified AWS account", "privilege": "ListProvisionedCapacity", "resource_types": [ { @@ -83000,7 +95538,7 @@ }, { "access_level": "List", - "description": "Lists all the tags attached to a vault", + "description": "Grants permission to list all the tags attached to a vault", "privilege": "ListTagsForVault", "resource_types": [ { @@ -83012,7 +95550,7 @@ }, { "access_level": "List", - "description": "Lists all vaults", + "description": "Grants permission to list all vaults", "privilege": "ListVaults", "resource_types": [ { @@ -83024,7 +95562,7 @@ }, { "access_level": "Write", - "description": "This operation purchases a provisioned capacity unit for an AWS account.", + "description": "Grants permission to purchases a provisioned capacity unit for an AWS account", "privilege": "PurchaseProvisionedCapacity", "resource_types": [ { @@ -83036,7 +95574,7 @@ }, { "access_level": "Tagging", - "description": "Removes one or more tags from the set of tags attached to a vault", + "description": "Grants permission to remove one or more tags from the set of tags attached to a vault", "privilege": "RemoveTagsFromVault", "resource_types": [ { @@ -83048,7 +95586,7 @@ }, { "access_level": "Permissions management", - "description": "Sets and then enacts a data retrieval policy in the region specified in the PUT request", + "description": "Grants permission to set and then enacts a data retrieval policy in the region specified in the PUT request", "privilege": "SetDataRetrievalPolicy", "resource_types": [ { @@ -83060,7 +95598,7 @@ }, { "access_level": "Permissions management", - "description": "Configures an access policy for a vault and will overwrite an existing policy", + "description": "Grants permission to configure an access policy for a vault; will overwrite an existing policy", "privilege": "SetVaultAccessPolicy", "resource_types": [ { @@ -83072,7 +95610,7 @@ }, { "access_level": "Write", - "description": "Configures vault notifications", + "description": "Grants permission to configure vault notifications", "privilege": "SetVaultNotifications", "resource_types": [ { @@ -83084,7 +95622,7 @@ }, { "access_level": "Write", - "description": "Adds an archive to a vault", + "description": "Grants permission to upload an archive to a vault", "privilege": "UploadArchive", "resource_types": [ { @@ -83096,7 +95634,7 @@ }, { "access_level": "Write", - "description": "Uploads a part of an archive", + "description": "Grants permission to upload a part of an archive", "privilege": "UploadMultipartPart", "resource_types": [ { @@ -83114,7 +95652,7 @@ "resource": "vault" } ], - "service_name": "Amazon Glacier" + "service_name": "Amazon S3 Glacier" }, { "conditions": [ @@ -83131,14 +95669,14 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "globalaccelerator", "privileges": [ { "access_level": "Write", - "description": "Grants permission to add a virtual private cloud (VPC) subnet endpoint to a custom routing accelerator endpoint group.", + "description": "Grants permission to add a virtual private cloud (VPC) subnet endpoint to a custom routing accelerator endpoint group", "privilege": "AddCustomRoutingEndpoints", "resource_types": [ { @@ -83150,7 +95688,7 @@ }, { "access_level": "Write", - "description": "Grants permission to advertises an IPv4 address range that is provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", + "description": "Grants permission to advertises an IPv4 address range that is provisioned for use with your accelerator through bring your own IP addresses (BYOIP)", "privilege": "AdvertiseByoipCidr", "resource_types": [ { @@ -83162,7 +95700,7 @@ }, { "access_level": "Write", - "description": "Grants permission to allows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", + "description": "Grants permission to allows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet", "privilege": "AllowCustomRoutingTraffic", "resource_types": [ { @@ -83174,7 +95712,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a standard accelerator.", + "description": "Grants permission to create a standard accelerator", "privilege": "CreateAccelerator", "resource_types": [ { @@ -83204,7 +95742,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create an endpoint group for the specified listener for a custom routing accelerator.", + "description": "Grants permission to create an endpoint group for the specified listener for a custom routing accelerator", "privilege": "CreateCustomRoutingEndpointGroup", "resource_types": [ { @@ -83216,7 +95754,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a listener to process inbound connections from clients to a custom routing accelerator.", + "description": "Grants permission to create a listener to process inbound connections from clients to a custom routing accelerator", "privilege": "CreateCustomRoutingListener", "resource_types": [ { @@ -83228,7 +95766,7 @@ }, { "access_level": "Write", - "description": "Grants permission to add an endpoint group to a standard accelerator listener.", + "description": "Grants permission to add an endpoint group to a standard accelerator listener", "privilege": "CreateEndpointGroup", "resource_types": [ { @@ -83240,7 +95778,7 @@ }, { "access_level": "Write", - "description": "Grants permission to add a listener to a standard accelerator.", + "description": "Grants permission to add a listener to a standard accelerator", "privilege": "CreateListener", "resource_types": [ { @@ -83252,7 +95790,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a standard accelerator.", + "description": "Grants permission to delete a standard accelerator", "privilege": "DeleteAccelerator", "resource_types": [ { @@ -83264,7 +95802,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a custom routing accelerator.", + "description": "Grants permission to delete a custom routing accelerator", "privilege": "DeleteCustomRoutingAccelerator", "resource_types": [ { @@ -83276,7 +95814,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an endpoint group from a listener for a custom routing accelerator.", + "description": "Grants permission to delete an endpoint group from a listener for a custom routing accelerator", "privilege": "DeleteCustomRoutingEndpointGroup", "resource_types": [ { @@ -83288,7 +95826,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a listener for a custom routing accelerator.", + "description": "Grants permission to delete a listener for a custom routing accelerator", "privilege": "DeleteCustomRoutingListener", "resource_types": [ { @@ -83300,7 +95838,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an endpoint group associated with a standard accelerator listener.", + "description": "Grants permission to delete an endpoint group associated with a standard accelerator listener", "privilege": "DeleteEndpointGroup", "resource_types": [ { @@ -83312,7 +95850,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a listener from a standard accelerator.", + "description": "Grants permission to delete a listener from a standard accelerator", "privilege": "DeleteListener", "resource_types": [ { @@ -83324,7 +95862,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disallows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", + "description": "Grants permission to disallows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet", "privilege": "DenyCustomRoutingTraffic", "resource_types": [ { @@ -83336,7 +95874,7 @@ }, { "access_level": "Write", - "description": "Grants permission to releases the specified address range that you provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", + "description": "Grants permission to releases the specified address range that you provisioned for use with your accelerator through bring your own IP addresses (BYOIP)", "privilege": "DeprovisionByoipCidr", "resource_types": [ { @@ -83348,7 +95886,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a standard accelerator.", + "description": "Grants permissions to describe a standard accelerator", "privilege": "DescribeAccelerator", "resource_types": [ { @@ -83360,7 +95898,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a standard accelerator attributes.", + "description": "Grants permission to describe a standard accelerator attributes", "privilege": "DescribeAcceleratorAttributes", "resource_types": [ { @@ -83372,7 +95910,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a custom routing accelerator.", + "description": "Grants permission to describe a custom routing accelerator", "privilege": "DescribeCustomRoutingAccelerator", "resource_types": [ { @@ -83384,7 +95922,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the attributes of a custom routing accelerator.", + "description": "Grants permission to describe the attributes of a custom routing accelerator", "privilege": "DescribeCustomRoutingAcceleratorAttributes", "resource_types": [ { @@ -83396,7 +95934,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe an endpoint group for a custom routing accelerator.", + "description": "Grants permission to describe an endpoint group for a custom routing accelerator", "privilege": "DescribeCustomRoutingEndpointGroup", "resource_types": [ { @@ -83408,7 +95946,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a listener for a custom routing accelerator.", + "description": "Grants permission to describe a listener for a custom routing accelerator", "privilege": "DescribeCustomRoutingListener", "resource_types": [ { @@ -83420,7 +95958,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a standard accelerator endpoint group.", + "description": "Grants permission to describe a standard accelerator endpoint group", "privilege": "DescribeEndpointGroup", "resource_types": [ { @@ -83432,7 +95970,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a standard accelerator listener.", + "description": "Grants permission to describe a standard accelerator listener", "privilege": "DescribeListener", "resource_types": [ { @@ -83444,7 +95982,7 @@ }, { "access_level": "List", - "description": "Grants permission to list all standard accelerators.", + "description": "Grants permission to list all standard accelerators", "privilege": "ListAccelerators", "resource_types": [ { @@ -83456,7 +95994,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the BYOIP cidrs.", + "description": "Grants permission to list the BYOIP cidrs", "privilege": "ListByoipCidrs", "resource_types": [ { @@ -83468,7 +96006,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the custom routing accelerators for an AWS account.", + "description": "Grants permission to list the custom routing accelerators for an AWS account", "privilege": "ListCustomRoutingAccelerators", "resource_types": [ { @@ -83480,7 +96018,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the endpoint groups that are associated with a listener for a custom routing accelerator.", + "description": "Grants permission to list the endpoint groups that are associated with a listener for a custom routing accelerator", "privilege": "ListCustomRoutingEndpointGroups", "resource_types": [ { @@ -83492,7 +96030,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the listeners for a custom routing accelerator.", + "description": "Grants permission to list the listeners for a custom routing accelerator", "privilege": "ListCustomRoutingListeners", "resource_types": [ { @@ -83504,7 +96042,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the port mappings for a custom routing accelerator.", + "description": "Grants permission to list the port mappings for a custom routing accelerator", "privilege": "ListCustomRoutingPortMappings", "resource_types": [ { @@ -83528,7 +96066,7 @@ }, { "access_level": "List", - "description": "Grants permission to list all endpoint groups associated with a standard accelerator listener.", + "description": "Grants permission to list all endpoint groups associated with a standard accelerator listener", "privilege": "ListEndpointGroups", "resource_types": [ { @@ -83540,7 +96078,7 @@ }, { "access_level": "List", - "description": "Grants permission to list all listeners associated with a standard accelerator.", + "description": "Grants permission to list all listeners associated with a standard accelerator", "privilege": "ListListeners", "resource_types": [ { @@ -83552,7 +96090,7 @@ }, { "access_level": "Read", - "description": "Grants permission to list tags for a globalaccelerator resource.", + "description": "Grants permission to list tags for a globalaccelerator resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -83564,7 +96102,7 @@ }, { "access_level": "Write", - "description": "Grants permission to provisions an address range for use with your accelerator through bring your own IP addresses (BYOIP).", + "description": "Grants permission to provisions an address range for use with your accelerator through bring your own IP addresses (BYOIP)", "privilege": "ProvisionByoipCidr", "resource_types": [ { @@ -83576,7 +96114,7 @@ }, { "access_level": "Write", - "description": "Grants permission to remove virtual private cloud (VPC) subnet endpoints from a custom routing accelerator endpoint group.", + "description": "Grants permission to remove virtual private cloud (VPC) subnet endpoints from a custom routing accelerator endpoint group", "privilege": "RemoveCustomRoutingEndpoints", "resource_types": [ { @@ -83588,7 +96126,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to add tags to a globalaccelerator resource.", + "description": "Grants permission to add tags to a globalaccelerator resource", "privilege": "TagResource", "resource_types": [ { @@ -83608,7 +96146,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a globalaccelerator resource.", + "description": "Grants permission to remove tags from a globalaccelerator resource", "privilege": "UntagResource", "resource_types": [ { @@ -83627,7 +96165,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update a standard accelerator.", + "description": "Grants permission to update a standard accelerator", "privilege": "UpdateAccelerator", "resource_types": [ { @@ -83639,7 +96177,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update a standard accelerator attributes.", + "description": "Grants permission to update a standard accelerator attributes", "privilege": "UpdateAcceleratorAttributes", "resource_types": [ { @@ -83651,7 +96189,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update a custom routing accelerator.", + "description": "Grants permission to update a custom routing accelerator", "privilege": "UpdateCustomRoutingAccelerator", "resource_types": [ { @@ -83663,7 +96201,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update the attributes for a custom routing accelerator.", + "description": "Grants permission to update the attributes for a custom routing accelerator", "privilege": "UpdateCustomRoutingAcceleratorAttributes", "resource_types": [ { @@ -83675,7 +96213,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update a listener for a custom routing accelerator.", + "description": "Grants permission to update a listener for a custom routing accelerator", "privilege": "UpdateCustomRoutingListener", "resource_types": [ { @@ -83687,7 +96225,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an endpoint group on a standard accelerator listener.", + "description": "Grants permission to update an endpoint group on a standard accelerator listener", "privilege": "UpdateEndpointGroup", "resource_types": [ { @@ -83699,7 +96237,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update a listener on a standard accelerator.", + "description": "Grants permission to update a listener on a standard accelerator", "privilege": "UpdateListener", "resource_types": [ { @@ -83711,7 +96249,7 @@ }, { "access_level": "Write", - "description": "Grants permission to stops advertising a BYOIP IPv4 address.", + "description": "Grants permission to stops advertising a BYOIP IPv4 address", "privilege": "WithdrawByoipCidr", "resource_types": [ { @@ -83762,7 +96300,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "glue:CredentialIssuingService", @@ -83777,17 +96315,17 @@ { "condition": "glue:SecurityGroupIds", "description": "Filters access by the ID of security groups configured for the Glue job", - "type": "String" + "type": "ArrayOfString" }, { "condition": "glue:SubnetIds", "description": "Filters access by the ID of subnets configured for the Glue job", - "type": "String" + "type": "ArrayOfString" }, { "condition": "glue:VpcIds", "description": "Filters access by the ID of the VPC configured for the Glue job", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "glue", @@ -83894,11 +96432,18 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "table*" - }, + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve one or more blueprints", + "privilege": "BatchGetBlueprints", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tableversion*" + "resource_type": "blueprint*" } ] }, @@ -83906,6 +96451,18 @@ "access_level": "Read", "description": "Grants permission to retrieve one or more crawlers", "privilege": "BatchGetCrawlers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "crawler*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve one or more Custom Entity Types", + "privilege": "BatchGetCustomEntityTypes", "resource_types": [ { "condition_keys": [], @@ -83922,7 +96479,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "devendpoint*" } ] }, @@ -83934,7 +96491,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, @@ -83968,7 +96525,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "trigger*" } ] }, @@ -83980,7 +96537,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -83992,7 +96549,29 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update one or more partitions", + "privilege": "BatchUpdatePartition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, @@ -84008,6 +96587,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to cancel a statement in an interactive session", + "privilege": "CancelStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "session*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a check the validity of schema version", @@ -84020,6 +96611,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a blueprint", + "privilege": "CreateBlueprint", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a classifier", @@ -84043,9 +96649,12 @@ "resource_type": "catalog*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "connection*" + "resource_type": "" } ] }, @@ -84066,18 +96675,25 @@ }, { "access_level": "Write", - "description": "Grants permission to create a database", - "privilege": "CreateDatabase", + "description": "Grants permission to create a Custom Entity Type", + "privilege": "CreateCustomEntityType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a database", + "privilege": "CreateDatabase", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "catalog*" } ] }, @@ -84120,7 +96736,10 @@ "privilege": "CreateMLTransform", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -84148,6 +96767,28 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a specified partition index in an existing table", + "privilege": "CreatePartitionIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new schema registry", @@ -84157,6 +96798,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "registry*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -84174,6 +96823,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "schema*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -84201,6 +96858,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an interactive session", + "privilege": "CreateSession", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a table", @@ -84215,11 +96887,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" } ] }, @@ -84252,11 +96919,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "userdefinedfunction*" } ] }, @@ -84275,6 +96937,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a blueprint", + "privilege": "DeleteBlueprint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a classifier", @@ -84287,6 +96961,50 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the partition column statistics of a column", + "privilege": "DeleteColumnStatisticsForPartition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the table statistics of columns", + "privilege": "DeleteColumnStatisticsForTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a connection", @@ -84308,6 +97026,18 @@ "access_level": "Write", "description": "Grants permission to delete a crawler", "privilege": "DeleteCrawler", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "crawler*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Custom Entity Type", + "privilege": "DeleteCustomEntityType", "resource_types": [ { "condition_keys": [], @@ -84330,6 +97060,16 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userdefinedfunction*" } ] }, @@ -84341,7 +97081,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "devendpoint*" } ] }, @@ -84353,7 +97093,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, @@ -84391,6 +97131,28 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a specified partition index from an existing table", + "privilege": "DeletePartitionIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a schema registry", @@ -84461,6 +97223,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an interactive session after stopping the session if not already stopped", + "privilege": "DeleteSession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "session*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a table", @@ -84502,11 +97276,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "table*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "tableversion*" } ] }, @@ -84518,7 +97287,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "trigger*" } ] }, @@ -84552,7 +97321,43 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a blueprint", + "privilege": "GetBlueprint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a blueprint run", + "privilege": "GetBlueprintRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve all runs of a blueprint", + "privilege": "GetBlueprintRuns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint*" } ] }, @@ -84592,6 +97397,50 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve partition statistics of columns", + "privilege": "GetColumnStatisticsForPartition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve table statistics of columns", + "privilege": "GetColumnStatisticsForTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a connection", @@ -84634,7 +97483,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "crawler*" } ] }, @@ -84662,6 +97511,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to read a Custom Entity Type", + "privilege": "GetCustomEntityType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve catalog encryption settings", @@ -84670,7 +97531,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "catalog*" } ] }, @@ -84728,7 +97589,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "devendpoint*" } ] }, @@ -84752,7 +97613,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, @@ -84776,7 +97637,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, @@ -84788,7 +97649,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, @@ -84848,7 +97709,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlTransform*" } ] }, @@ -84886,6 +97747,28 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve partition indexes for a table", + "privilege": "GetPartitionIndexes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the partitions of a table", @@ -85048,6 +97931,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve an interactive session", + "privilege": "GetSession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "session*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve result and information about a statement in an interactive session", + "privilege": "GetStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "session*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a table", @@ -85089,11 +97996,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "table*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "tableversion*" } ] }, @@ -85116,11 +98018,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "table*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "tableversion*" } ] }, @@ -85151,6 +98048,11 @@ "description": "Grants permission to retrieve all tags associated with a resource", "privilege": "GetTags", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint" + }, { "condition_keys": [], "dependent_actions": [], @@ -85186,7 +98088,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "trigger*" } ] }, @@ -85204,7 +98106,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a function definition.", + "description": "Grants permission to retrieve a function definition", "privilege": "GetUserDefinedFunction", "resource_types": [ { @@ -85254,7 +98156,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -85266,7 +98168,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -85278,7 +98180,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -85290,7 +98192,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -85306,13 +98208,46 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve all blueprints", + "privilege": "ListBlueprints", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve all crawlers", "privilege": "ListCrawlers", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve all Custom Entity Types", + "privilege": "ListCustomEntityTypes", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -85324,7 +98259,10 @@ "privilege": "ListDevEndpoints", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -85336,7 +98274,10 @@ "privilege": "ListJobs", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -85350,6 +98291,14 @@ { "condition_keys": [], "dependent_actions": [], + "resource_type": "mlTransform*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] @@ -85395,13 +98344,40 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of interactive session", + "privilege": "ListSessions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of statements in an interactive session", + "privilege": "ListStatements", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "session*" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve all triggers", "privilege": "ListTriggers", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -85439,7 +98415,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "catalog*" } ] }, @@ -85480,7 +98456,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -85555,7 +98531,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to run a code or statement in an interactive session", + "privilege": "RunStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "session*" } ] }, @@ -85581,6 +98569,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start running a blueprint", + "privilege": "StartBlueprintRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to start a crawler", @@ -85589,7 +98589,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "crawler*" } ] }, @@ -85637,7 +98637,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, @@ -85673,7 +98673,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "trigger*" } ] }, @@ -85685,7 +98685,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -85697,7 +98697,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "crawler*" } ] }, @@ -85713,6 +98713,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to stop an interactive session", + "privilege": "StopSession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "session*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to stop a trigger", @@ -85721,7 +98733,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "trigger*" } ] }, @@ -85733,7 +98745,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -85742,6 +98754,11 @@ "description": "Grants permission to add tags to a resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint" + }, { "condition_keys": [], "dependent_actions": [], @@ -85782,6 +98799,11 @@ "description": "Grants permission to remove tags associated with a resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint" + }, { "condition_keys": [], "dependent_actions": [], @@ -85809,13 +98831,26 @@ }, { "condition_keys": [ - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a blueprint", + "privilege": "UpdateBlueprint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "blueprint*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a classifier", @@ -85828,6 +98863,50 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update partition statistics of columns", + "privilege": "UpdateColumnStatisticsForPartition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update table statistics of columns", + "privilege": "UpdateColumnStatisticsForTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a connection", @@ -85853,7 +98932,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "crawler*" } ] }, @@ -85894,7 +98973,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "devendpoint*" } ] }, @@ -85903,6 +98982,11 @@ "description": "Grants permission to update a job", "privilege": "UpdateJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job*" + }, { "condition_keys": [ "glue:VpcIds", @@ -86007,7 +99091,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "trigger*" } ] }, @@ -86041,7 +99125,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, @@ -86124,6 +99208,13 @@ ], "resource": "workflow" }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:blueprint/${BlueprintName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "blueprint" + }, { "arn": "arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId}", "condition_keys": [ @@ -86144,110 +99235,35 @@ "aws:ResourceTag/${TagKey}" ], "resource": "schema" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:session/${SessionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "session" } ], "service_name": "AWS Glue" }, { - "conditions": [], - "prefix": "grafana", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a workspace", - "privilege": "CreateWorkspace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a workspace", - "privilege": "DeleteWorkspace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "workspace*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a workspace", - "privilege": "DescribeWorkspace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "workspace*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the permissions on a wokspace", - "privilege": "ListPermissions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "workspace*" - } - ] - }, + "conditions": [ { - "access_level": "List", - "description": "Grants permission to list workspaces", - "privilege": "ListWorkspaces", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by actions based on the presence of tag key-value pairs in the request", + "type": "String" }, { - "access_level": "Permissions management", - "description": "Grants permission to modify the permissions on a workspace", - "privilege": "UpdatePermissions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "workspace*" - } - ] + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by actions based on tag key-value pairs attached to the resource", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to modify a workspace", - "privilege": "UpdateWorkspace", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "workspace*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:grafana::${Region}:${Account}:workspaces/${ResourceId}", - "condition_keys": [], - "resource": "workspace" + "condition": "aws:TagKeys", + "description": "Filters access by actions based on the presence of tag keys in the request", + "type": "ArrayOfString" } ], - "service_name": "Amazon Managed Service for Grafana" - }, - { - "conditions": [], "prefix": "grafana", "privileges": [ { @@ -86270,7 +99286,10 @@ "privilege": "CreateWorkspace", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [ "organizations:DescribeOrganization", "sso:CreateManagedApplicationInstance", @@ -86281,6 +99300,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create API keys for a workspace", + "privilege": "CreateWorkspaceApiKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a workspace", @@ -86295,6 +99326,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete API keys from a workspace", + "privilege": "DeleteWorkspaceApiKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a workspace", @@ -86309,7 +99352,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe authetication providers on a workspace", + "description": "Grants permission to describe authentication providers on a workspace", "privilege": "DescribeWorkspaceAuthentication", "resource_types": [ { @@ -86343,6 +99386,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list tags associated with a workspace", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list workspaces", @@ -86355,6 +99410,46 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to, or update tag values of, a workspace", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a workspace", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to modify the permissions on a workspace", @@ -86381,7 +99476,7 @@ }, { "access_level": "Write", - "description": "Grants permission to modify authetication providers on a workspace", + "description": "Grants permission to modify authentication providers on a workspace", "privilege": "UpdateWorkspaceAuthentication", "resource_types": [ { @@ -86395,7 +99490,9 @@ "resources": [ { "arn": "arn:${Partition}:grafana:${Region}:${Account}:/workspaces/${ResourceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "workspace" } ], @@ -86403,54 +99500,62 @@ }, { "conditions": [ - { - "condition": "aws:CurrentTime", - "description": "Filters access by checking date/time conditions for the current date and time", - "type": "Date" - }, - { - "condition": "aws:EpochTime", - "description": "Filters access by checking date/time conditions for the current date and time in epoch or Unix time", - "type": "Date" - }, - { - "condition": "aws:MultiFactorAuthAge", - "description": "Filters access by checking how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA", - "type": "Numeric" - }, - { - "condition": "aws:MultiFactorAuthPresent", - "description": "Filters access by checking whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request", - "type": "Boolean" - }, { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the mandatory tags", + "description": "Filters access by checking tag key/value pairs included in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource", + "description": "Filters access by checking tag key/value pairs associated with a specific resource", "type": "String" }, - { - "condition": "aws:SecureTransport", - "description": "Filters access by checking whether the request was sent using SSL", - "type": "Boolean" - }, { "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request", - "type": "String" - }, - { - "condition": "aws:UserAgent", - "description": "Filters access by the requester's client application", - "type": "String" + "description": "Filters access by checking tag keys passed in the request", + "type": "ArrayOfString" } ], "prefix": "greengrass", "privileges": [ + { + "access_level": "Permissions management", + "description": "Grants permission to associate a role with your account. AWS IoT Greengrass uses this role to access your Lambda functions and AWS IoT resources", + "privilege": "AssociateServiceRoleToAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a list of client devices with a core device", + "privilege": "BatchAssociateClientDeviceWithCoreDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a list of client devices from a core device", + "privilege": "BatchDisassociateClientDeviceFromCoreDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to cancel a deployment", @@ -86543,6 +99648,20 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a deployment. To delete an active deployment, it needs to be cancelled first", + "privilege": "DeleteDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DeleteJob" + ], + "resource_type": "deployment*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve metadata for a version of a component", @@ -86555,6 +99674,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate the service role from an account. Without a service role, deployments will not work", + "privilege": "DisassociateServiceRoleFromAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the recipe for a version of a component", @@ -86579,6 +99710,20 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the connectivity information for a Greengrass core device", + "privilege": "GetConnectivityInfo", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:GetThingShadow" + ], + "resource_type": "connectivityInfo*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieves metadata for a AWS IoT Greengrass core device", @@ -86608,6 +99753,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the service role that is attached to an account", + "privilege": "GetServiceRoleForAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a paginated list of client devices associated to a AWS IoT Greengrass core device", + "privilege": "ListClientDevicesAssociatedWithCoreDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice*" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve a paginated list of all versions for a component", @@ -86692,7 +99861,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list the tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ @@ -86807,9 +99976,29 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the connectivity information for a Greengrass core. Any devices that belong to the group that has this core will receive this information in order to find the location of the core and connect to it", + "privilege": "UpdateConnectivityInfo", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:GetThingShadow", + "iot:UpdateThingShadow" + ], + "resource_type": "connectivityInfo*" + } + ] } ], "resources": [ + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/things/${ThingName}/connectivityInfo", + "condition_keys": [], + "resource": "connectivityInfo" + }, { "arn": "arn:${Partition}:greengrass:${Region}:${Account}:components:${ComponentName}", "condition_keys": [ @@ -86861,7 +100050,7 @@ { "condition": "aws:MultiFactorAuthPresent", "description": "Filters actions based on whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request", - "type": "Boolean" + "type": "Bool" }, { "condition": "aws:RequestTag/${TagKey}", @@ -86876,7 +100065,7 @@ { "condition": "aws:SecureTransport", "description": "Filters actions based on whether the request was sent using SSL", - "type": "Boolean" + "type": "Bool" }, { "condition": "aws:TagKeys", @@ -87037,7 +100226,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a group.", + "description": "Grants permission to create a group", "privilege": "CreateGroup", "resource_types": [ { @@ -87955,7 +101144,10 @@ "privilege": "StartBulkDeployment", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -88372,40 +101564,40 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" }, { - "condition": "groundstation:configId", + "condition": "groundstation:ConfigId", "description": "Filters access by the ID of a config", "type": "String" }, { - "condition": "groundstation:configType", + "condition": "groundstation:ConfigType", "description": "Filters access by the type of a config", "type": "String" }, { - "condition": "groundstation:contactId", + "condition": "groundstation:ContactId", "description": "Filters access by the ID of a contact", "type": "String" }, { - "condition": "groundstation:dataflowEndpointGroupId", + "condition": "groundstation:DataflowEndpointGroupId", "description": "Filters access by the ID of a dataflow endpoint group", "type": "String" }, { - "condition": "groundstation:groundStationId", + "condition": "groundstation:GroundStationId", "description": "Filters access by the ID of a ground station", "type": "String" }, { - "condition": "groundstation:missionProfileId", + "condition": "groundstation:MissionProfileId", "description": "Filters access by the ID of a mission profile", "type": "String" }, { - "condition": "groundstation:satelliteId", + "condition": "groundstation:SatelliteId", "description": "Filters access by the ID of a satellite", "type": "String" } @@ -88787,49 +101979,49 @@ ], "resources": [ { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:config/${configType}/${configId}", + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:config/${ConfigType}/${ConfigId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", - "groundstation:configId", - "groundstation:configType" + "groundstation:ConfigId", + "groundstation:ConfigType" ], "resource": "Config" }, { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:contact/${contactId}", + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:contact/${ContactId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", - "groundstation:contactId" + "groundstation:ContactId" ], "resource": "Contact" }, { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:dataflow-endpoint-group/${dataflowEndpointGroupId}", + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:dataflow-endpoint-group/${DataflowEndpointGroupId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", - "groundstation:dataflowEndpointGroupId" + "groundstation:DataflowEndpointGroupId" ], "resource": "DataflowEndpointGroup" }, { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:groundstation:${groundStationId}", + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:groundstation:${GroundStationId}", "condition_keys": [ - "groundstation:groundStationId" + "groundstation:GroundStationId" ], "resource": "GroundStationResource" }, { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:mission-profile/${missionProfileId}", + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:mission-profile/${MissionProfileId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", - "groundstation:missionProfileId" + "groundstation:MissionProfileId" ], "resource": "MissionProfile" }, { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:satellite/${satelliteId}", + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:satellite/${SatelliteId}", "condition_keys": [ - "groundstation:satelliteId" + "groundstation:SatelliteId" ], "resource": "Satellite" } @@ -88908,18 +102100,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "guardduty", @@ -88993,7 +102185,10 @@ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "iam:DeleteRolePolicy", + "iam:PutRolePolicy" + ], "resource_type": "" } ] @@ -89148,6 +102343,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details about malware scans", + "privilege": "DescribeMalwareScans", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve details about the delegated administrator associated with a GuardDuty detector", @@ -89186,7 +102393,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate a GuardDuty member account from its GuardDuty master account", + "description": "Grants permission to disassociate a GuardDuty member account from its GuardDuty administrator account", "privilege": "DisassociateFromMasterAccount", "resource_types": [ { @@ -89198,7 +102405,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate GuardDuty member accounts from their master GuardDuty account", + "description": "Grants permission to disassociate GuardDuty member accounts from their administrator GuardDuty account", "privilege": "DisassociateMembers", "resource_types": [ { @@ -89270,7 +102477,7 @@ }, { "access_level": "Read", - "description": "Grants permsission to retrieve GuardDuty IPSets", + "description": "Grants permission to retrieve GuardDuty IPSets", "privilege": "GetIPSet", "resource_types": [ { @@ -89294,7 +102501,19 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve details of the GuardDuty master account associated with a member account", + "description": "Grants permission to retrieve the malware scan settings", + "privilege": "GetMalwareScanSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details of the GuardDuty administrator account associated with a member account", "privilege": "GetMasterAccount", "resource_types": [ { @@ -89318,7 +102537,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the member accounts associated with a master account", + "description": "Grants permission to retrieve the member accounts associated with an administrator account", "privilege": "GetMembers", "resource_types": [ { @@ -89414,7 +102633,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a lists of all of the GuardDuty membership invitations that were sent to an AWS account", + "description": "Grants permission to retrieve a list of all of the GuardDuty membership invitations that were sent to an AWS account", "privilege": "ListInvitations", "resource_types": [ { @@ -89426,7 +102645,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrierve a lsit of GuardDuty member accounts associated with a master account", + "description": "Grants permission to retrieve a list of GuardDuty member accounts associated with an administrator account", "privilege": "ListMembers", "resource_types": [ { @@ -89647,11 +102866,26 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:DeleteRolePolicy", + "iam:PutRolePolicy" + ], "resource_type": "ipset*" } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the malware scan settings", + "privilege": "UpdateMalwareScanSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update which data sources are enabled for member accounts detectors", @@ -89698,7 +102932,10 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:DeleteRolePolicy", + "iam:PutRolePolicy" + ], "resource_type": "threatintelset*" } ] @@ -89745,12 +102982,12 @@ "conditions": [ { "condition": "health:eventTypeCode", - "description": "The type of event.", + "description": "Filters access by event type", "type": "String" }, { "condition": "health:service", - "description": "The service of the event.", + "description": "Filters access by impacted service", "type": "String" } ], @@ -89758,7 +102995,7 @@ "privileges": [ { "access_level": "Read", - "description": "Gets a list of accounts that have been affected by the specified events in organization.", + "description": "Grants permission to retrieve a list of accounts that have been affected by the specified events in organization", "privilege": "DescribeAffectedAccountsForOrganization", "resource_types": [ { @@ -89772,7 +103009,7 @@ }, { "access_level": "Read", - "description": "Gets a list of entities that have been affected by the specified events.", + "description": "Grants permission to retrieve a list of entities that have been affected by the specified events", "privilege": "DescribeAffectedEntities", "resource_types": [ { @@ -89792,7 +103029,7 @@ }, { "access_level": "Read", - "description": "Gets a list of entities that have been affected by the specified events and accounts in organization.", + "description": "Grants permission to retrieve a list of entities that have been affected by the specified events and accounts in organization", "privilege": "DescribeAffectedEntitiesForOrganization", "resource_types": [ { @@ -89806,7 +103043,7 @@ }, { "access_level": "Read", - "description": "Returns the number of entities that are affected by each of the specified events.", + "description": "Grants permission to retrieve the number of entities that are affected by each of the specified events", "privilege": "DescribeEntityAggregates", "resource_types": [ { @@ -89818,7 +103055,7 @@ }, { "access_level": "Read", - "description": "Returns the number of events of each event type (issue, scheduled change, and account notification).", + "description": "Grants permission to retrieve the number of events of each event type (issue, scheduled change, and account notification)", "privilege": "DescribeEventAggregates", "resource_types": [ { @@ -89830,7 +103067,7 @@ }, { "access_level": "Read", - "description": "Returns detailed information about one or more specified events.", + "description": "Grants permission to retrieve detailed information about one or more specified events", "privilege": "DescribeEventDetails", "resource_types": [ { @@ -89850,7 +103087,7 @@ }, { "access_level": "Read", - "description": "Returns detailed information about one or more specified events for provided accounts in organization.", + "description": "Grants permission to retrieve detailed information about one or more specified events for provided accounts in organization", "privilege": "DescribeEventDetailsForOrganization", "resource_types": [ { @@ -89864,7 +103101,7 @@ }, { "access_level": "Read", - "description": "Returns the event types that meet the specified filter criteria.", + "description": "Grants permission to retrieve the event types that meet the specified filter criteria", "privilege": "DescribeEventTypes", "resource_types": [ { @@ -89876,7 +103113,7 @@ }, { "access_level": "Read", - "description": "Returns information about events that meet the specified filter criteria.", + "description": "Grants permission to retrieve information about events that meet the specified filter criteria", "privilege": "DescribeEvents", "resource_types": [ { @@ -89888,7 +103125,7 @@ }, { "access_level": "Read", - "description": "Returns information about events that meet the specified filter criteria in organization.", + "description": "Grants permission to retrieve information about events that meet the specified filter criteria in organization", "privilege": "DescribeEventsForOrganization", "resource_types": [ { @@ -89902,7 +103139,7 @@ }, { "access_level": "Read", - "description": "Returns the status of enabling or disabling the Organizational View feature", + "description": "Grants permission to retrieve the status of enabling or disabling the Organizational View feature", "privilege": "DescribeHealthServiceStatusForOrganization", "resource_types": [ { @@ -89916,7 +103153,7 @@ }, { "access_level": "Permissions management", - "description": "Disables the Organizational View feature.", + "description": "Grants permission to disable the Organizational View feature", "privilege": "DisableHealthServiceAccessForOrganization", "resource_types": [ { @@ -89931,7 +103168,7 @@ }, { "access_level": "Permissions management", - "description": "Enables the Organizational View feature.", + "description": "Grants permission to enable the Organizational View feature", "privilege": "EnableHealthServiceAccessForOrganization", "resource_types": [ { @@ -89959,18 +103196,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", + "description": "Filters access by the presence of tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "healthlake", @@ -90334,6 +103571,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete Amazon Honeycode domains for your AWS Account", + "privilege": "DeleteDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to remove groups from an Amazon Honeycode team for your AWS Account", @@ -90454,6 +103703,18 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to list all tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all pending and approved team associations with your AWS Account", @@ -90550,6 +103811,30 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update an Amazon Honeycode team for your AWS Account", @@ -90602,7 +103887,7 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "iam:AWSServiceName", @@ -93007,78 +106292,616 @@ ], "service_name": "Identity And Access Management" }, + { + "conditions": [], + "prefix": "identity-sync", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a sync filter on the sync profile", + "privilege": "CreateSyncFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a sync profile for the identity source", + "privilege": "CreateSyncProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ds:AuthorizeApplication" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a sync target for the identity source", + "privilege": "CreateSyncTarget", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a sync filter from the sync profile", + "privilege": "DeleteSyncFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a sync profile from the source", + "privilege": "DeleteSyncProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ds:UnauthorizeApplication" + ], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a sync target from the source", + "privilege": "DeleteSyncTarget", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncTargetResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a sync profile by using a sync profile name", + "privilege": "GetSyncProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a sync target from the sync profile", + "privilege": "GetSyncTarget", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncTargetResource*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the sync filters from the sync profile", + "privilege": "ListSyncFilters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a sync process or to resume a sync process that was previously paused", + "privilege": "StartSync", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop any planned sync process in the sync schedule from starting", + "privilege": "StopSync", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a sync target on the sync profile", + "privilege": "UpdateSyncTarget", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncProfileResource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SyncTargetResource*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:identity-sync:${Region}:${Account}:profile/${SyncProfileName}", + "condition_keys": [], + "resource": "SyncProfileResource" + }, + { + "arn": "arn:${Partition}:identity-sync:${Region}:${Account}:target/${SyncProfileName}/${SyncTargetName}", + "condition_keys": [], + "resource": "SyncTargetResource" + } + ], + "service_name": "AWS Identity Sync" + }, { "conditions": [], "prefix": "identitystore", "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a group in the specified IdentityStore", + "privilege": "CreateGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a member to a group in the specified IdentityStore", + "privilege": "CreateGroupMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a user in the specified IdentityStore", + "privilege": "CreateUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a group in the specified IdentityStore", + "privilege": "DeleteGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a member that is part of a group in the specified IdentityStore", + "privilege": "DeleteGroupMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "GroupMembership*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a user in the specified IdentityStore", + "privilege": "DeleteUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" + } + ] + }, { "access_level": "Read", - "description": "Grants permission to retrieves information about group from the directory that AWS Identity Store provides by default", + "description": "Grants permission to retrieve information about a group in the specified IdentityStore", "privilege": "DescribeGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about a member that is part of a group in the specified IdentityStore", + "privilege": "DescribeGroupMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "GroupMembership*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieves information about user from the directory that AWS Identity Store provides by default", + "description": "Grants permission to retrieve information about user in the specified IdentityStore", "privilege": "DescribeUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve ID information about group in the specified IdentityStore", + "privilege": "GetGroupId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve ID information of a member which is part of a group in the specified IdentityStore", + "privilege": "GetGroupMembershipId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "GroupMembership*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieves ID information about user in the specified IdentityStore", + "privilege": "GetUserId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to check if a member is a part of groups in the specified IdentityStore", + "privilege": "IsMemberInGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AllGroupMemberships*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" } ] }, { "access_level": "List", - "description": "Grants permission to search for groups within the associated directory", + "description": "Grants permission to retrieve all members that are part of a group in the specified IdentityStore", + "privilege": "ListGroupMemberships", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AllGroupMemberships*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list groups of the target member in the specified IdentityStore", + "privilege": "ListGroupMembershipsForMember", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AllGroupMemberships*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search for groups within the specified IdentityStore", "privilege": "ListGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "AllGroups*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" } ] }, { "access_level": "List", - "description": "Grants permission to search for users within the associated directory", + "description": "Grants permission to search for users in the specified IdentityStore", "privilege": "ListUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "AllUsers*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update information about a group in the specified IdentityStore", + "privilege": "UpdateGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Group*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update user information in the specified IdentityStore", + "privilege": "UpdateUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Identitystore*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "User*" } ] } ], - "resources": [], + "resources": [ + { + "arn": "arn:${Partition}:identitystore::${Account}:identitystore/${IdentityStoreId}", + "condition_keys": [], + "resource": "Identitystore" + }, + { + "arn": "arn:${Partition}:identitystore:::user/${UserId}", + "condition_keys": [], + "resource": "User" + }, + { + "arn": "arn:${Partition}:identitystore:::group/${GroupId}", + "condition_keys": [], + "resource": "Group" + }, + { + "arn": "arn:${Partition}:identitystore:::membership/${MembershipId}", + "condition_keys": [], + "resource": "GroupMembership" + }, + { + "arn": "arn:${Partition}:identitystore:::user/*", + "condition_keys": [], + "resource": "AllUsers" + }, + { + "arn": "arn:${Partition}:identitystore:::group/*", + "condition_keys": [], + "resource": "AllGroups" + }, + { + "arn": "arn:${Partition}:identitystore:::membership/*", + "condition_keys": [], + "resource": "AllGroupMemberships" + } + ], "service_name": "AWS Identity Store" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions by the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions by tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions by the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" }, { "condition": "imagebuilder:CreatedResourceTag/", @@ -93088,6 +106911,16 @@ { "condition": "imagebuilder:CreatedResourceTagKeys", "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "imagebuilder:Ec2MetadataHttpTokens", + "description": "Filters access by the EC2 Instance Metadata HTTP Token Requirement specified in the request", + "type": "String" + }, + { + "condition": "imagebuilder:StatusTopicArn", + "description": "Filters access by the SNS Topic Arn in the request to which terminal state notifications will be published", "type": "String" } ], @@ -93287,7 +107120,9 @@ "aws:RequestTag/${TagKey}", "aws:TagKeys", "imagebuilder:CreatedResourceTagKeys", - "imagebuilder:CreatedResourceTag/" + "imagebuilder:CreatedResourceTag/", + "imagebuilder:Ec2MetadataHttpTokens", + "imagebuilder:StatusTopicArn" ], "dependent_actions": [], "resource_type": "" @@ -93550,6 +107385,29 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to import an image", + "privilege": "ImportVmImage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeImportImageTasks", + "iam:CreateServiceLinkedRole" + ], + "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the component build versions in your account", @@ -93938,7 +107796,9 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "imagebuilder:CreatedResourceTagKeys", - "imagebuilder:CreatedResourceTag/" + "imagebuilder:CreatedResourceTag/", + "imagebuilder:Ec2MetadataHttpTokens", + "imagebuilder:StatusTopicArn" ], "dependent_actions": [], "resource_type": "" @@ -94550,6 +108410,425 @@ "resources": [], "service_name": "Amazon Inspector" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "inspector2", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate an account with an Amazon Inspector administrator account", + "privilege": "AssociateMember", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about Amazon Inspector accounts for an account", + "privilege": "BatchGetAccountStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve free trial period eligibility about Amazon Inspector accounts for an account", + "privilege": "BatchGetFreeTrialInfo", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel the generation of a findings report", + "privilege": "CancelFindingsReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create and define the settings for a findings filter", + "privilege": "CreateFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Filter*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to request the generation of a findings report", + "privilege": "CreateFindingsReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a findings filter", + "privilege": "DeleteFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Filter*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Inspector configuration settings for an AWS organization", + "privilege": "DescribeOrganizationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable an Amazon Inspector account", + "privilege": "Disable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable an account as the delegated Amazon Inspector administrator account for an AWS organization", + "privilege": "DisableDelegatedAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to an Amazon Inspector administrator account to disassociate from an Inspector member account", + "privilege": "DisassociateMember", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable and specify the configuration settings for a new Amazon Inspector account", + "privilege": "Enable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable an account as the delegated Amazon Inspector administrator account for an AWS organization", + "privilege": "EnableDelegatedAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Inspector administrator account for an account", + "privilege": "GetDelegatedAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve status for a requested findings report", + "privilege": "GetFindingsReportStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about an account that's associated with an Amazon Inspector administrator account", + "privilege": "GetMember", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve feature configuration permissions associated with an Amazon Inspector account within an organization", + "privilege": "ListAccountPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve the types of statistics Amazon Inspector can generate for resources Inspector monitors", + "privilege": "ListCoverage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve statistical data and other information about the resources Amazon Inspector monitors", + "privilege": "ListCoverageStatistics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve information about the delegated Amazon Inspector administrator account for an AWS organization", + "privilege": "ListDelegatedAdminAccounts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve information about all findings filters", + "privilege": "ListFilters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve statistical data and other information about Amazon Inspector findings", + "privilege": "ListFindingAggregations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a subset of information about one or more findings", + "privilege": "ListFindings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve information about the Amazon Inspector member accounts that are associated with an Inspector administrator account", + "privilege": "ListMembers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the tags for an Amazon Inspector resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve aggregated usage data for an account", + "privilege": "ListUsageTotals", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add or update the tags for an Amazon Inspector resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from an Amazon Inspector resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the settings for a findings filter", + "privilege": "UpdateFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Filter*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update Amazon Inspector configuration settings for an AWS organization", + "privilege": "UpdateOrganizationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:inspector2:${Region}:${Account}:owner/${OwnerId}/filter/${FilterId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Filter" + }, + { + "arn": "arn:${Partition}:inspector2:${Region}:${Account}:finding/${FindingId}", + "condition_keys": [], + "resource": "Finding" + } + ], + "service_name": "Amazon Inspector2" + }, { "conditions": [ { @@ -94565,6 +108844,11 @@ { "condition": "aws:TagKeys", "description": "Filters access by a list of tag keys associated to the IoT resource in the request", + "type": "ArrayOfString" + }, + { + "condition": "iot:ClientMode", + "description": "Filters access by the mode of the client for IoT Tunnel", "type": "String" }, { @@ -94580,12 +108864,12 @@ { "condition": "iot:ThingGroupArn", "description": "Filters access by a list of IoT Thing Group ARNs that the destination IoT Thing belongs to for an IoT Tunnel", - "type": "String" + "type": "ArrayOfString" }, { "condition": "iot:TunnelDestinationService", "description": "Filters access by a list of destination services for an IoT Tunnel", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "iot", @@ -96067,6 +110351,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe a managed job template", + "privilege": "DescribeManagedJobTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobtemplate*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get information about a mitigation action", @@ -96399,18 +110695,6 @@ } ] }, - { - "access_level": "Read", - "description": "Grants permission to get the list of all jobs for a thing that are not in a terminal state", - "privilege": "GetPendingJobExecutions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" - } - ] - }, { "access_level": "Read", "description": "Grants permission to get percentiles for IoT fleet index", @@ -96812,6 +111096,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list managed job templates", + "privilege": "ListManagedJobTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Adds support to list metric datapoints collected for IoT devices", + "privilege": "ListMetricValues", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" + } + ] + }, { "access_level": "List", "description": "Grants permission to get a list of all mitigation actions that match the specified filter criteria", @@ -97359,6 +111667,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to put verification state on a violation", + "privilege": "PutVerificationStateOnViolation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to receive from the specified topic", @@ -97494,6 +111814,27 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to rotate the access token of a tunnel", + "privilege": "RotateTunnelAccessToken", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tunnel*" + }, + { + "condition_keys": [ + "iot:ThingGroupArn", + "iot:TunnelDestinationService", + "iot:ClientMode" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to search IoT fleet index", @@ -97590,18 +111931,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to get and start the next pending job execution for a thing", - "privilege": "StartNextPendingJobExecution", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" - } - ] - }, { "access_level": "Write", "description": "Grants permission to start an on-demand Device Defender audit", @@ -98100,18 +112429,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to update a job execution", - "privilege": "UpdateJobExecution", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" - } - ] - }, { "access_level": "Write", "description": "Grants permission to update the definition for the specified mitigation action", @@ -98552,7 +112869,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "iot1click", @@ -98938,17 +113255,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to IoT Analytics.", + "description": "Filters access based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the IoT Analytics resource in the request.", - "type": "String" + "description": "Filters access based on the presence of tag keys in the request", + "type": "ArrayOfString" }, { "condition": "iotanalytics:ResourceTag/${TagKey}", - "description": "The preface string for a tag key and value pair attached to an IoT Analytics resource.", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" } ], @@ -98956,7 +113273,7 @@ "privileges": [ { "access_level": "Write", - "description": "Puts a batch of messages into the specified channel.", + "description": "Puts a batch of messages into the specified channel", "privilege": "BatchPutMessage", "resource_types": [ { @@ -98968,7 +113285,7 @@ }, { "access_level": "Write", - "description": "Cancels reprocessing for the specified pipeline.", + "description": "Cancels reprocessing for the specified pipeline", "privilege": "CancelPipelineReprocessing", "resource_types": [ { @@ -98980,7 +113297,7 @@ }, { "access_level": "Write", - "description": "Creates a channel.", + "description": "Creates a channel", "privilege": "CreateChannel", "resource_types": [ { @@ -99000,7 +113317,7 @@ }, { "access_level": "Write", - "description": "Creates a dataset.", + "description": "Creates a dataset", "privilege": "CreateDataset", "resource_types": [ { @@ -99020,7 +113337,7 @@ }, { "access_level": "Write", - "description": "Generates content of the specified dataset (by executing the dataset actions).", + "description": "Generates content from the specified dataset (by executing the dataset actions)", "privilege": "CreateDatasetContent", "resource_types": [ { @@ -99032,7 +113349,7 @@ }, { "access_level": "Write", - "description": "Creates a datastore.", + "description": "Creates a datastore", "privilege": "CreateDatastore", "resource_types": [ { @@ -99052,7 +113369,7 @@ }, { "access_level": "Write", - "description": "Creates a pipeline.", + "description": "Creates a pipeline", "privilege": "CreatePipeline", "resource_types": [ { @@ -99072,7 +113389,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified channel.", + "description": "Deletes the specified channel", "privilege": "DeleteChannel", "resource_types": [ { @@ -99084,7 +113401,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified dataset.", + "description": "Deletes the specified dataset", "privilege": "DeleteDataset", "resource_types": [ { @@ -99096,7 +113413,7 @@ }, { "access_level": "Write", - "description": "Deletes the content of the specified dataset.", + "description": "Deletes the content of the specified dataset", "privilege": "DeleteDatasetContent", "resource_types": [ { @@ -99108,7 +113425,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified datastore.", + "description": "Deletes the specified datastore", "privilege": "DeleteDatastore", "resource_types": [ { @@ -99120,7 +113437,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified pipeline.", + "description": "Deletes the specified pipeline", "privilege": "DeletePipeline", "resource_types": [ { @@ -99132,7 +113449,7 @@ }, { "access_level": "Read", - "description": "Describes the specified channel.", + "description": "Describes the specified channel", "privilege": "DescribeChannel", "resource_types": [ { @@ -99144,7 +113461,7 @@ }, { "access_level": "Read", - "description": "Describes the specified dataset.", + "description": "Describes the specified dataset", "privilege": "DescribeDataset", "resource_types": [ { @@ -99156,7 +113473,7 @@ }, { "access_level": "Read", - "description": "Describes the specified datastore.", + "description": "Describes the specified datastore", "privilege": "DescribeDatastore", "resource_types": [ { @@ -99168,7 +113485,7 @@ }, { "access_level": "Read", - "description": "Describes logging options for the the account.", + "description": "Describes logging options for the the account", "privilege": "DescribeLoggingOptions", "resource_types": [ { @@ -99180,7 +113497,7 @@ }, { "access_level": "Read", - "description": "Describes the specified pipeline.", + "description": "Describes the specified pipeline", "privilege": "DescribePipeline", "resource_types": [ { @@ -99192,7 +113509,7 @@ }, { "access_level": "Read", - "description": "Gets the content of the specified dataset.", + "description": "Gets the content of the specified dataset", "privilege": "GetDatasetContent", "resource_types": [ { @@ -99204,7 +113521,7 @@ }, { "access_level": "List", - "description": "Lists the channels for the account.", + "description": "Lists the channels for the account", "privilege": "ListChannels", "resource_types": [ { @@ -99216,7 +113533,7 @@ }, { "access_level": "List", - "description": "Lists information about dataset contents that have been created.", + "description": "Lists information about dataset contents that have been created", "privilege": "ListDatasetContents", "resource_types": [ { @@ -99228,7 +113545,7 @@ }, { "access_level": "List", - "description": "Lists the datasets for the account.", + "description": "Lists the datasets for the account", "privilege": "ListDatasets", "resource_types": [ { @@ -99240,7 +113557,7 @@ }, { "access_level": "List", - "description": "Lists the datastores for the account.", + "description": "Lists the datastores for the account", "privilege": "ListDatastores", "resource_types": [ { @@ -99252,7 +113569,7 @@ }, { "access_level": "List", - "description": "Lists the pipelines for the account.", + "description": "Lists the pipelines for the account", "privilege": "ListPipelines", "resource_types": [ { @@ -99264,7 +113581,7 @@ }, { "access_level": "Read", - "description": "Lists the tags (metadata) which you have assigned to the resource.", + "description": "Lists the tags (metadata) which you have assigned to the resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -99291,7 +113608,7 @@ }, { "access_level": "Write", - "description": "Puts logging options for the the account.", + "description": "Puts logging options for the the account", "privilege": "PutLoggingOptions", "resource_types": [ { @@ -99303,7 +113620,7 @@ }, { "access_level": "Read", - "description": "Runs the specified pipeline activity.", + "description": "Runs the specified pipeline activity", "privilege": "RunPipelineActivity", "resource_types": [ { @@ -99315,7 +113632,7 @@ }, { "access_level": "Read", - "description": "Samples the specified channel's data.", + "description": "Samples the specified channel's data", "privilege": "SampleChannelData", "resource_types": [ { @@ -99327,7 +113644,7 @@ }, { "access_level": "Write", - "description": "Starts reprocessing for the specified pipeline.", + "description": "Starts reprocessing for the specified pipeline", "privilege": "StartPipelineReprocessing", "resource_types": [ { @@ -99339,7 +113656,7 @@ }, { "access_level": "Tagging", - "description": "Adds to or modifies the tags of the given resource. Tags are metadata which can be used to manage a resource.", + "description": "Adds to or modifies the tags of the given resource. Tags are metadata which can be used to manage a resource", "privilege": "TagResource", "resource_types": [ { @@ -99374,7 +113691,7 @@ }, { "access_level": "Tagging", - "description": "Removes the given tags (metadata) from the resource.", + "description": "Removes the given tags (metadata) from the resource", "privilege": "UntagResource", "resource_types": [ { @@ -99409,7 +113726,7 @@ }, { "access_level": "Write", - "description": "Updates the specified channel.", + "description": "Updates the specified channel", "privilege": "UpdateChannel", "resource_types": [ { @@ -99421,7 +113738,7 @@ }, { "access_level": "Write", - "description": "Updates the specified dataset.", + "description": "Updates the specified dataset", "privilege": "UpdateDataset", "resource_types": [ { @@ -99433,7 +113750,7 @@ }, { "access_level": "Write", - "description": "Updates the specified datastore.", + "description": "Updates the specified datastore", "privilege": "UpdateDatastore", "resource_types": [ { @@ -99445,7 +113762,7 @@ }, { "access_level": "Write", - "description": "Updates the specified pipeline.", + "description": "Updates the specified pipeline", "privilege": "UpdatePipeline", "resource_types": [ { @@ -99500,18 +113817,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "iotdeviceadvisor", @@ -99539,7 +113856,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition*" + "resource_type": "Suitedefinition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a Device Advisor endpoint", + "privilege": "GetEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -99551,7 +113880,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition*" + "resource_type": "Suitedefinition*" } ] }, @@ -99563,7 +113892,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suiterun*" + "resource_type": "Suiterun*" } ] }, @@ -99575,7 +113904,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suiterun*" + "resource_type": "Suiterun*" } ] }, @@ -99599,7 +113928,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition*" + "resource_type": "Suitedefinition*" } ] }, @@ -99611,12 +113940,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition" + "resource_type": "Suitedefinition" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "suiterun" + "resource_type": "Suiterun" } ] }, @@ -99643,7 +113972,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suiterun*" + "resource_type": "Suiterun*" } ] }, @@ -99655,12 +113984,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition" + "resource_type": "Suitedefinition" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "suiterun" + "resource_type": "Suiterun" }, { "condition_keys": [ @@ -99680,12 +114009,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition" + "resource_type": "Suitedefinition" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "suiterun" + "resource_type": "Suiterun" }, { "condition_keys": [ @@ -99704,25 +114033,25 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition*" + "resource_type": "Suitedefinition*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suitedefinition/${suiteDefinitionId}", + "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suitedefinition/${SuiteDefinitionId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "suitedefinition" + "resource": "Suitedefinition" }, { - "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suiterun/${suiteDefinitionId}/${suiteRunId}", + "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suiterun/${SuiteDefinitionId}/${SuiteRunId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "suiterun" + "resource": "Suiterun" } ], "service_name": "AWS IoT Core Device Advisor" @@ -99742,7 +114071,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions by the tag keys in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "iotevents:keyValue", @@ -99760,7 +114089,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a detector instance within the AWS IoT Events system", + "privilege": "BatchDeleteDetector", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detectorModel*" } ] }, @@ -99772,7 +114113,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "alarmModel*" } ] }, @@ -99784,7 +114125,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "alarmModel*" } ] }, @@ -99808,7 +114149,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "alarmModel*" } ] }, @@ -99820,7 +114161,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "alarmModel*" } ] }, @@ -99832,7 +114173,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "detectorModel*" } ] }, @@ -100129,6 +114470,11 @@ "description": "Grants permission to list the tags (metadata) which you have assigned to the resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel" + }, { "condition_keys": [], "dependent_actions": [], @@ -100170,6 +114516,11 @@ "description": "Grants permission to adds to or modifies the tags of the given resource.Tags are metadata which can be used to manage a resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel" + }, { "condition_keys": [], "dependent_actions": [], @@ -100195,6 +114546,11 @@ "description": "Grants permission to remove the given tags (metadata) from the resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel" + }, { "condition_keys": [], "dependent_actions": [], @@ -100279,7 +114635,7 @@ "resource": "alarmModel" }, { - "arn": "arn:${Partition}:iotevents:${Region}:${Account}:input/${inputName}", + "arn": "arn:${Partition}:iotevents:${Region}:${Account}:input/${InputName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -100303,7 +114659,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions by the tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "iotfleethub", @@ -100430,7 +114786,7 @@ ], "resources": [ { - "arn": "arn:${Partition}:iotfleethub::${Account}:application/${ApplicationId}", + "arn": "arn:${Partition}:iotfleethub:${Region}:${Account}:application/${ApplicationId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -100442,630 +114798,422 @@ { "conditions": [ { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to the resource", + "condition": "iotfleetwise:UpdateToDecoderManifestArn", + "description": "Filters access by a list of IoT FleetWise Decoder Manifest ARNs", "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions by the tag keys in the request", + "condition": "iotfleetwise:UpdateToModelManifestArn", + "description": "Filters access by a list of IoT FleetWise Model Manifest ARNs", "type": "String" } ], - "prefix": "iotfleethub", + "prefix": "iotfleetwise", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an application", - "privilege": "CreateApplication", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "sso:CreateManagedApplicationInstance", - "sso:DescribeRegisteredRegions" - ], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an dashboard", - "privilege": "CreateDashboard", + "description": "Grants permission to associate the given vehicle to a fleet", + "privilege": "AssociateVehicle", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an application", - "privilege": "DeleteApplication", - "resource_types": [ + "resource_type": "fleet*" + }, { "condition_keys": [], - "dependent_actions": [ - "sso:DeleteManagedApplicationInstance" - ], - "resource_type": "application*" + "dependent_actions": [], + "resource_type": "vehicle*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an dashboard", - "privilege": "DeleteDashboard", + "description": "Grants permission to create a campaign", + "privilege": "CreateCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe an application", - "privilege": "DescribeApplication", - "resource_types": [ + "resource_type": "fleet*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe an dashboard", - "privilege": "DescribeDashboard", - "resource_types": [ + "resource_type": "signalcatalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "vehicle*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all applications", - "privilege": "ListApplications", + "access_level": "Write", + "description": "Grants permission to create a decoder manifest for an existing model", + "privilege": "CreateDecoderManifest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "modelmanifest*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all dashboards", - "privilege": "ListDashboards", + "access_level": "Write", + "description": "Grants permission to create a fleet", + "privilege": "CreateFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "signalcatalog*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to create a model manifest definition", + "privilege": "CreateModelManifest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" + "resource_type": "signalcatalog*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to create a signal catalog", + "privilege": "CreateSignalCatalog", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a vehicle", + "privilege": "CreateVehicle", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "application" + "dependent_actions": [ + "iot:CreateThing", + "iot:DescribeThing" + ], + "resource_type": "decodermanifest*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "modelmanifest*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an application", - "privilege": "UpdateApplication", + "description": "Grants permission to delete a campaign", + "privilege": "DeleteCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "campaign*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an dashboard", - "privilege": "UpdateDashboard", + "description": "Grants permission to delete the given decoder manifest", + "privilege": "DeleteDecoderManifest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "decodermanifest*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iotfleethub::${Account}:application/${ApplicationId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "application" - }, - { - "arn": "arn:${Partition}:iotfleethub::${Account}:dashboard/${DashboardId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dashboard" - } - ], - "service_name": "Fleet Hub for AWS IoT Device Management" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions by the tag keys in the request", - "type": "String" - }, - { - "condition": "iotsitewise:assetHierarchyPath", - "description": "Filters access by an asset hierarchy path, which is the string of asset IDs in the asset's hierarchy, each separated by a forward slash", - "type": "String" - }, - { - "condition": "iotsitewise:childAssetId", - "description": "Filters access by the ID of a child asset being associated to a parent asset", - "type": "String" - }, - { - "condition": "iotsitewise:group", - "description": "Filters access by the ID of an AWS Single Sign-On group", - "type": "String" - }, - { - "condition": "iotsitewise:iam", - "description": "Filters access by the ID of an AWS IAM identity", - "type": "String" - }, - { - "condition": "iotsitewise:portal", - "description": "Filters access by the ID of a portal", - "type": "String" - }, - { - "condition": "iotsitewise:project", - "description": "Filters access by the ID of a project", - "type": "String" - }, - { - "condition": "iotsitewise:propertyId", - "description": "Filters access by the ID of an asset property", - "type": "String" }, - { - "condition": "iotsitewise:user", - "description": "Filters access by the ID of an AWS Single Sign-On user", - "type": "String" - } - ], - "prefix": "iotsitewise", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a child asset to a parent asset by a hierarchy", - "privilege": "AssociateAssets", + "description": "Grants permission to delete a fleet", + "privilege": "DeleteFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate assets to a project", - "privilege": "BatchAssociateProjectAssets", + "description": "Grants permission to delete the given model manifest", + "privilege": "DeleteModelManifest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "modelmanifest*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate assets from a project", - "privilege": "BatchDisassociateProjectAssets", + "description": "Grants permission to delete a specific signal catalog", + "privilege": "DeleteSignalCatalog", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "signalcatalog*" } ] }, { "access_level": "Write", - "description": "Grants permission to put property values for asset properties", - "privilege": "BatchPutAssetPropertyValue", + "description": "Grants permission to delete a vehicle", + "privilege": "DeleteVehicle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "vehicle*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an access policy for a portal or a project", - "privilege": "CreateAccessPolicy", + "description": "Grants permission to disassociate a vehicle from an existing fleet", + "privilege": "DisassociateVehicle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal" + "resource_type": "fleet*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "vehicle*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an asset from an asset model", - "privilege": "CreateAsset", + "access_level": "Read", + "description": "Grants permission to get summary information for a given campaign", + "privilege": "GetCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "campaign*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an asset model", - "privilege": "CreateAssetModel", + "access_level": "Read", + "description": "Grants permission to get summary information for a given decoder manifest definition", + "privilege": "GetDecoderManifest", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "decodermanifest*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a dashboard in a project", - "privilege": "CreateDashboard", + "access_level": "Read", + "description": "Grants permission to get summary information for a fleet", + "privilege": "GetFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a gateway", - "privilege": "CreateGateway", + "access_level": "Read", + "description": "Grants permission to get summary information for a given model manifest definition", + "privilege": "GetModelManifest", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a portal", - "privilege": "CreatePortal", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "sso:CreateManagedApplicationInstance", - "sso:DescribeRegisteredRegions" - ], - "resource_type": "" + "resource_type": "modelmanifest*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a project in a portal", - "privilege": "CreateProject", + "access_level": "Read", + "description": "Grants permission to get the account registration status with IoT FleetWise", + "privilege": "GetRegisterAccountStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an access policy", - "privilege": "DeleteAccessPolicy", + "access_level": "Read", + "description": "Grants permission to get summary information for a specific signal catalog", + "privilege": "GetSignalCatalog", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy*" + "resource_type": "signalcatalog*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an asset", - "privilege": "DeleteAsset", + "access_level": "Read", + "description": "Grants permission to get summary information for a vehicle", + "privilege": "GetVehicle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "vehicle*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an asset model", - "privilege": "DeleteAssetModel", + "access_level": "Read", + "description": "Grants permission to get the status of the campaigns running on a specific vehicle", + "privilege": "GetVehicleStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "vehicle*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dashboard", - "privilege": "DeleteDashboard", + "description": "Grants permission to import an existing decoder manifest", + "privilege": "ImportDecoderManifest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a gateway", - "privilege": "DeleteGateway", + "description": "Grants permission to create a signal catalog by importing existing definitions", + "privilege": "ImportSignalCatalog", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a portal", - "privilege": "DeletePortal", + "access_level": "Read", + "description": "Grants permission to list campaigns", + "privilege": "ListCampaigns", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso:DeleteManagedApplicationInstance" - ], - "resource_type": "portal*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a project", - "privilege": "DeleteProject", + "access_level": "List", + "description": "Grants permission to list network interfaces associated to the existing decoder manifest", + "privilege": "ListDecoderManifestNetworkInterfaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "decodermanifest*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an access policy", - "privilege": "DescribeAccessPolicy", + "access_level": "List", + "description": "Grants permission to list decoder manifest signals", + "privilege": "ListDecoderManifestSignals", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy*" + "resource_type": "decodermanifest*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an asset", - "privilege": "DescribeAsset", + "description": "Grants permission to list all decoder manifests, with an optional filter on model manifest", + "privilege": "ListDecoderManifests", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an asset model", - "privilege": "DescribeAssetModel", + "description": "Grants permission to list all fleets", + "privilege": "ListFleets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an asset property", - "privilege": "DescribeAssetProperty", + "description": "Grants permission to list all the fleets that the given vehicle is associated with", + "privilege": "ListFleetsForVehicle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "vehicle*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a dashboard", - "privilege": "DescribeDashboard", + "access_level": "List", + "description": "Grants permission to list all nodes for the given model manifest", + "privilege": "ListModelManifestNodes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "modelmanifest*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the default encryption configuration for the AWS account", - "privilege": "DescribeDefaultEncryptionConfiguration", + "description": "Grants permission to list all model manifests, with an optional filter on signal catalog", + "privilege": "ListModelManifests", "resource_types": [ { "condition_keys": [], @@ -101076,32 +115224,32 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a gateway", - "privilege": "DescribeGateway", + "description": "Grants permission to list all nodes for a given signal catalog", + "privilege": "ListSignalCatalogNodes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "signalcatalog*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a capability configuration for a gateway", - "privilege": "DescribeGatewayCapabilityConfiguration", + "description": "Grants permission to list all signal catalogs", + "privilege": "ListSignalCatalogs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe logging options for the AWS account", - "privilege": "DescribeLoggingOptions", + "description": "Grants permission to list all vehicles, with an optional filter on model manifest", + "privilege": "ListVehicles", "resource_types": [ { "condition_keys": [], @@ -101112,169 +115260,296 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a portal", - "privilege": "DescribePortal", + "description": "Grants permission to list vehicles in the given fleet", + "privilege": "ListVehiclesInFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" + "resource_type": "fleet*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a project", - "privilege": "DescribeProject", + "access_level": "Write", + "description": "Grants permission to register an AWS account to IoT FleetWise", + "privilege": "RegisterAccount", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the storage configuration for the AWS account", - "privilege": "DescribeStorageConfiguration", + "access_level": "Write", + "description": "Grants permission to update the given campaign", + "privilege": "UpdateCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "campaign*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a child asset from a parent asset by a hierarchy", - "privilege": "DisassociateAssets", + "description": "Grants permission to update a decoder manifest defnition", + "privilege": "UpdateDecoderManifest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "decodermanifest*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve computed aggregates for an asset property", - "privilege": "GetAssetPropertyAggregates", + "access_level": "Write", + "description": "Grants permission to update the fleet", + "privilege": "UpdateFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "fleet*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the latest value for an asset property", - "privilege": "GetAssetPropertyValue", + "access_level": "Write", + "description": "Grants permission to update the given model manifest definition", + "privilege": "UpdateModelManifest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "modelmanifest*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the value history for an asset property", - "privilege": "GetAssetPropertyValueHistory", + "access_level": "Write", + "description": "Grants permission to update a specific signal catalog definition", + "privilege": "UpdateSignalCatalog", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "signalcatalog*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all access policies for an identity or a resource", - "privilege": "ListAccessPolicies", + "access_level": "Write", + "description": "Grants permission to update the vehicle", + "privilege": "UpdateVehicle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal" + "resource_type": "vehicle*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all asset models", - "privilege": "ListAssetModels", - "resource_types": [ + "resource_type": "decodermanifest" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "modelmanifest" + }, + { + "condition_keys": [ + "iotfleetwise:UpdateToModelManifestArn", + "iotfleetwise:UpdateToDecoderManifestArn" + ], + "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotfleetwise:${Region}:${Account}:campaign/${CampaignName}", + "condition_keys": [], + "resource": "campaign" }, { - "access_level": "List", - "description": "Grants permission to list the asset relationship graph for an asset", - "privilege": "ListAssetRelationships", + "arn": "arn:${Partition}:iotfleetwise:${Region}:${Account}:decoder-manifest/${Name}", + "condition_keys": [], + "resource": "decodermanifest" + }, + { + "arn": "arn:${Partition}:iotfleetwise:${Region}:${Account}:fleet/${FleetId}", + "condition_keys": [], + "resource": "fleet" + }, + { + "arn": "arn:${Partition}:iotfleetwise:${Region}:${Account}:model-manifest/${Name}", + "condition_keys": [], + "resource": "modelmanifest" + }, + { + "arn": "arn:${Partition}:iotfleetwise:${Region}:${Account}:signal-catalog/${Name}", + "condition_keys": [], + "resource": "signalcatalog" + }, + { + "arn": "arn:${Partition}:iotfleetwise:${Region}:${Account}:vehicle/${VehicleId}", + "condition_keys": [], + "resource": "vehicle" + } + ], + "service_name": "AWS IoT FleetWise" + }, + { + "conditions": [ + { + "condition": "iot:JobId", + "description": "Filters access by jobId for iotjobsdata:DescribeJobExecution and iotjobsdata:UpdateJobExecution APIs", + "type": "String" + } + ], + "prefix": "iotjobsdata", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to describe a job execution", + "privilege": "DescribeJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "thing*" + }, + { + "condition_keys": [ + "iot:JobId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all assets", - "privilege": "ListAssets", + "access_level": "Read", + "description": "Grants permission to get the list of all jobs for a thing that are not in a terminal state", + "privilege": "GetPendingJobExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model" + "resource_type": "thing*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all assets associated to an asset by a hierarchy", - "privilege": "ListAssociatedAssets", + "access_level": "Write", + "description": "Grants permission to get and start the next pending job execution for a thing", + "privilege": "StartNextPendingJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "thing*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all dashboards in a project", - "privilege": "ListDashboards", + "access_level": "Write", + "description": "Grants permission to update a job execution", + "privilege": "UpdateJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "thing*" + }, + { + "condition_keys": [ + "iot:JobId" + ], + "dependent_actions": [], + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", + "condition_keys": [], + "resource": "thing" + } + ], + "service_name": "AWS IoT Jobs DataPlane" + }, + { + "conditions": [ + { + "condition": "iotroborunner:ActionResourceId", + "description": "Filters access by the action's identifier", + "type": "String" }, { - "access_level": "List", - "description": "Grants permission to list all gateways", - "privilege": "ListGateways", + "condition": "iotroborunner:ActionTemplateResourceId", + "description": "Filters access by the action template's identifier", + "type": "String" + }, + { + "condition": "iotroborunner:ActivityResourceId", + "description": "Filters access by the activity's identifier", + "type": "String" + }, + { + "condition": "iotroborunner:DestinationRelationshipResourceId", + "description": "Filters access by the destination relationship's identifier", + "type": "String" + }, + { + "condition": "iotroborunner:DestinationResourceId", + "description": "Filters access by the destination's identifier", + "type": "String" + }, + { + "condition": "iotroborunner:SiteResourceId", + "description": "Filters access by the site's identifier", + "type": "String" + }, + { + "condition": "iotroborunner:TaggingResourceTagKey", + "description": "Filters access by the metadata tag name", + "type": "String" + }, + { + "condition": "iotroborunner:TaskResourceId", + "description": "Filters access by the task's identifer", + "type": "String" + }, + { + "condition": "iotroborunner:WorkerFleetResourceId", + "description": "Filters access by the worker fleet's identifier", + "type": "String" + }, + { + "condition": "iotroborunner:WorkerResourceId", + "description": "Filters access by the workers identifier", + "type": "String" + } + ], + "prefix": "iotroborunner", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an action", + "privilege": "CreateAction", "resource_types": [ { "condition_keys": [], @@ -101284,9 +115559,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all portals", - "privilege": "ListPortals", + "access_level": "Write", + "description": "Grants permission to create an action template", + "privilege": "CreateActionTemplate", "resource_types": [ { "condition_keys": [], @@ -101296,94 +115571,57 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all assets associated with a project", - "privilege": "ListProjectAssets", + "access_level": "Write", + "description": "Grants permission to create an action template dependency", + "privilege": "CreateActionTemplateDependency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all projects in a portal", - "privilege": "ListProjects", + "access_level": "Write", + "description": "Grants permission to create an activity", + "privilege": "CreateActivity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to create an activity dependency", + "privilege": "CreateActivityDependency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "gateway" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "portal" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to set the default encryption configuration for the AWS account", - "privilege": "PutDefaultEncryptionConfiguration", + "description": "Grants permission to create a destination", + "privilege": "CreateDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SiteResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to set logging options for the AWS account", - "privilege": "PutLoggingOptions", + "description": "Grants permission to create a destination relationship", + "privilege": "CreateDestinationRelationship", "resource_types": [ { "condition_keys": [], @@ -101394,8 +115632,8 @@ }, { "access_level": "Write", - "description": "Grants permission to set storage configuration for the AWS account", - "privilege": "PutStorageConfiguration", + "description": "Grants permission to create a site", + "privilege": "CreateSite", "resource_types": [ { "condition_keys": [], @@ -101405,317 +115643,165 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to create a task", + "privilege": "CreateTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "gateway" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "portal" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a task dependency", + "privilege": "CreateTaskDependency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "gateway" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "portal" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an access policy", - "privilege": "UpdateAccessPolicy", + "description": "Grants permission to create a worker", + "privilege": "CreateWorker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy*" + "resource_type": "WorkerFleetResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an asset", - "privilege": "UpdateAsset", + "description": "Grants permission to create a worker fleet", + "privilege": "CreateWorkerFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "SiteResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an asset model", - "privilege": "UpdateAssetModel", + "description": "Grants permission to delete an action", + "privilege": "DeleteAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "ActionResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an AssetModel property routing", - "privilege": "UpdateAssetModelPropertyRouting", + "description": "Grants permission to delete an action template", + "privilege": "DeleteActionTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "ActionTemplateResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an asset property", - "privilege": "UpdateAssetProperty", + "description": "Grants permission to delete an action template dependency", + "privilege": "DeleteActionTemplateDependency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a dashboard", - "privilege": "UpdateDashboard", + "description": "Grants permission to delete an activity", + "privilege": "DeleteActivity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "ActivityResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a gateway", - "privilege": "UpdateGateway", + "description": "Grants permission to delete an activity dependency", + "privilege": "DeleteActivityDependency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a capability configuration for a gateway", - "privilege": "UpdateGatewayCapabilityConfiguration", + "description": "Grants permission to delete a destination", + "privilege": "DeleteDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "DestinationResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a portal", - "privilege": "UpdatePortal", + "description": "Grants permission to delete a destination relationship", + "privilege": "DeleteDestinationRelationship", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" + "resource_type": "DestinationRelationshipResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a project", - "privilege": "UpdateProject", + "description": "Grants permission to delete a site", + "privilege": "DeleteSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "SiteResource*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "asset" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset-model/${AssetModelId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "asset-model" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:gateway/${GatewayId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "gateway" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:portal/${PortalId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "portal" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:project/${ProjectId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "project" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:dashboard/${DashboardId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dashboard" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:access-policy/${AccessPolicyId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "access-policy" - } - ], - "service_name": "AWS IoT SiteWise" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the thingsgraph service.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair.", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the thingsgraph service.", - "type": "String" - } - ], - "prefix": "iotthingsgraph", - "privileges": [ { "access_level": "Write", - "description": "Associates a device with a concrete thing that is in the user's registry. A thing can be associated with only one device at a time. If you associate a thing with a new device id, its previous association will be removed.", - "privilege": "AssociateEntityToThing", + "description": "Grants permission to delete a task", + "privilege": "DeleteTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing", - "iot:DescribeThingGroup" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "TaskResource*" } ] }, { "access_level": "Write", - "description": "Creates a workflow template. Workflows can be created only in the user's namespace. (The public namespace contains only entities.) The workflow can contain only entities in the specified namespace. The workflow is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request.", - "privilege": "CreateFlowTemplate", + "description": "Grants permission to delete a task dependency", + "privilege": "DeleteTaskDependency", "resource_types": [ { "condition_keys": [], @@ -101726,230 +115812,164 @@ }, { "access_level": "Write", - "description": "Creates an instance of a system with specified configurations and Things.", - "privilege": "CreateSystemInstance", + "description": "Grants permission to delete a worker", + "privilege": "DeleteWorker", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WorkerResource*" } ] }, { "access_level": "Write", - "description": "Creates a system. The system is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request.", - "privilege": "CreateSystemTemplate", + "description": "Grants permission to delete a worker fleet", + "privilege": "DeleteWorkerFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WorkerFleetResource*" } ] }, { - "access_level": "Write", - "description": "Deletes a workflow. Any new system or system instance that contains this workflow will fail to update or deploy. Existing system instances that contain the workflow will continue to run (since they use a snapshot of the workflow taken at the time of deploying the system instance).", - "privilege": "DeleteFlowTemplate", + "access_level": "Read", + "description": "Grants permission to get an action", + "privilege": "GetAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "ActionResource*" } ] }, { - "access_level": "Write", - "description": "Deletes the specified namespace. This action deletes all of the entities in the namespace. Delete the systems and flows in the namespace before performing this action.", - "privilege": "DeleteNamespace", + "access_level": "Read", + "description": "Grants permission to get an action template", + "privilege": "GetActionTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ActionTemplateResource*" } ] }, { - "access_level": "Write", - "description": "Deletes a system instance. Only instances that have never been deployed, or that have been undeployed from the target can be deleted. Users can create a new system instance that has the same ID as a deleted system instance.", - "privilege": "DeleteSystemInstance", + "access_level": "Read", + "description": "Grants permission to get an activity", + "privilege": "GetActivity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes a system. New system instances can't contain the system after its deletion. Existing system instances that contain the system will continue to work because they use a snapshot of the system that is taken when it is deployed.", - "privilege": "DeleteSystemTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "System*" - } - ] - }, - { - "access_level": "Write", - "description": "Deploys the system instance to the target specified in CreateSystemInstance.", - "privilege": "DeploySystemInstance", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "SystemInstance*" - } - ] - }, - { - "access_level": "Write", - "description": "Deprecates the specified workflow. This action marks the workflow for deletion. Deprecated flows can't be deployed, but existing system instances that use the flow will continue to run.", - "privilege": "DeprecateFlowTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Workflow*" - } - ] - }, - { - "access_level": "Write", - "description": "Deprecates the specified system.", - "privilege": "DeprecateSystemTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "System*" + "resource_type": "ActivityResource*" } ] }, { "access_level": "Read", - "description": "Gets the latest version of the user's namespace and the public version that it is tracking.", - "privilege": "DescribeNamespace", + "description": "Grants permission to get a destination", + "privilege": "GetDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Dissociates a device entity from a concrete thing. The action takes only the type of the entity that you need to dissociate because only one entity of a particular type can be associated with a thing.", - "privilege": "DissociateEntityFromThing", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing", - "iot:DescribeThingGroup" - ], - "resource_type": "" + "resource_type": "DestinationResource*" } ] }, { "access_level": "Read", - "description": "Gets descriptions of the specified entities. Uses the latest version of the user's namespace by default.", - "privilege": "GetEntities", + "description": "Grants permission to get a destination relationship", + "privilege": "GetDestinationRelationship", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "DestinationRelationshipResource*" } ] }, { "access_level": "Read", - "description": "Gets the latest version of the DefinitionDocument and FlowTemplateSummary for the specified workflow.", - "privilege": "GetFlowTemplate", + "description": "Grants permission to get a site", + "privilege": "GetSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "SiteResource*" } ] }, { "access_level": "Read", - "description": "Gets revisions of the specified workflow. Only the last 100 revisions are stored. If the workflow has been deprecated, this action will return revisions that occurred before the deprecation. This action won't work for workflows that have been deleted.", - "privilege": "GetFlowTemplateRevisions", + "description": "Grants permission to get a task", + "privilege": "GetTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "TaskResource*" } ] }, { "access_level": "Read", - "description": "Gets the status of a namespace deletion task.", - "privilege": "GetNamespaceDeletionStatus", + "description": "Grants permission to get a worker", + "privilege": "GetWorker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WorkerResource*" } ] }, { "access_level": "Read", - "description": "Gets a system instance.", - "privilege": "GetSystemInstance", + "description": "Grants permission to get a worker fleet", + "privilege": "GetWorkerFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "WorkerFleetResource*" } ] }, { "access_level": "Read", - "description": "Gets a system.", - "privilege": "GetSystemTemplate", + "description": "Grants permission to list action templates", + "privilege": "ListActionTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets revisions made to the specified system template. Only the previous 100 revisions are stored. If the system has been deprecated, this action will return the revisions that occurred before its deprecation. This action won't work with systems that have been deleted.", - "privilege": "GetSystemTemplateRevisions", + "description": "Grants permission to list actions", + "privilege": "ListActions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets the status of the specified upload.", - "privilege": "GetUploadStatus", + "description": "Grants permission to list activities", + "privilege": "ListActivities", "resource_types": [ { "condition_keys": [], @@ -101959,9 +115979,9 @@ ] }, { - "access_level": "List", - "description": "Lists details of a single workflow execution", - "privilege": "ListFlowExecutionMessages", + "access_level": "Read", + "description": "Grants permission to list destination relationships", + "privilege": "ListDestinationRelationships", "resource_types": [ { "condition_keys": [], @@ -101970,22 +115990,10 @@ } ] }, - { - "access_level": "List", - "description": "Lists all tags for a given resource", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "SystemInstance" - } - ] - }, { "access_level": "Read", - "description": "Searches for entities of the specified type. You can search for entities in your namespace and the public namespace that you're tracking.", - "privilege": "SearchEntities", + "description": "Grants permission to list destinations", + "privilege": "ListDestinations", "resource_types": [ { "condition_keys": [], @@ -101996,20 +116004,20 @@ }, { "access_level": "Read", - "description": "Searches for workflow executions of a system instance", - "privilege": "SearchFlowExecutions", + "description": "Grants permission to list sites", + "privilege": "ListSites", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Searches for summary information about workflows.", - "privilege": "SearchFlowTemplates", + "description": "Grants permission to list tasks", + "privilege": "ListTasks", "resource_types": [ { "condition_keys": [], @@ -102020,274 +116028,393 @@ }, { "access_level": "Read", - "description": "Searches for system instances in the user's account.", - "privilege": "SearchSystemInstances", + "description": "Grants permission to list worker fleets", + "privilege": "ListWorkerFleets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SiteResource*" } ] }, { "access_level": "Read", - "description": "Searches for summary information about systems in the user's account. You can filter by the ID of a workflow to return only systems that use the specified workflow.", - "privilege": "SearchSystemTemplates", + "description": "Grants permission to list workers", + "privilege": "ListWorkers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SiteResource*" } ] }, { - "access_level": "Read", - "description": "Searches for things associated with the specified entity. You can search by both device and device model.", - "privilege": "SearchThings", + "access_level": "Write", + "description": "Grants permission to update an action's state", + "privilege": "UpdateActionState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ActionResource*" } ] }, { - "access_level": "Tagging", - "description": "Tag a specified resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to update an activity", + "privilege": "UpdateActivity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "ActivityResource*" } ] }, { "access_level": "Write", - "description": "Removes the system instance and associated triggers from the target.", - "privilege": "UndeploySystemInstance", + "description": "Grants permission to update a destination", + "privilege": "UpdateDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "DestinationResource*" } ] }, { - "access_level": "Tagging", - "description": "Untag a specified resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to update a site", + "privilege": "UpdateSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SiteResource*" } ] }, { "access_level": "Write", - "description": "Updates the specified workflow. All deployed systems and system instances that use the workflow will see the changes in the flow when it is redeployed. The workflow can contain only entities in the specified namespace.", - "privilege": "UpdateFlowTemplate", + "description": "Grants permission to update a task", + "privilege": "UpdateTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "TaskResource*" } ] }, { "access_level": "Write", - "description": "Updates the specified system. You don't need to run this action after updating a workflow. Any system instance that uses the system will see the changes in the system when it is redeployed.", - "privilege": "UpdateSystemTemplate", + "description": "Grants permission to update a worker", + "privilege": "UpdateWorker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "WorkerResource*" } ] }, { "access_level": "Write", - "description": "Asynchronously uploads one or more entity definitions to the user's namespace.", - "privilege": "UploadEntityDefinitions", + "description": "Grants permission to update a worker fleet", + "privilege": "UpdateWorkerFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WorkerFleetResource*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath}", - "condition_keys": [], - "resource": "Workflow" + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:action/${ActionId}", + "condition_keys": [ + "iotroborunner:ActionResourceId" + ], + "resource": "ActionResource" }, { - "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:System/${NamespacePath}", - "condition_keys": [], - "resource": "System" + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:action-template/${ActionTemplateId}", + "condition_keys": [ + "iotroborunner:ActionTemplateResourceId" + ], + "resource": "ActionTemplateResource" }, { - "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Deployment/${NamespacePath}", + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:activity/${ActivityId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "iotroborunner:ActivityResourceId" ], - "resource": "SystemInstance" + "resource": "ActivityResource" + }, + { + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:destination-relationship/${DestinationRelationshipId}", + "condition_keys": [ + "iotroborunner:DestinationRelationshipResourceId" + ], + "resource": "DestinationRelationshipResource" + }, + { + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:destination/${DestinationId}", + "condition_keys": [ + "iotroborunner:DestinationResourceId" + ], + "resource": "DestinationResource" + }, + { + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:site/${SiteId}", + "condition_keys": [ + "iotroborunner:SiteResourceId" + ], + "resource": "SiteResource" + }, + { + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:tag/${TagKey}", + "condition_keys": [ + "iotroborunner:TaggingResourceTagKey" + ], + "resource": "TaggingResource" + }, + { + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:task/${TaskId}", + "condition_keys": [ + "iotroborunner:TaskResourceId" + ], + "resource": "TaskResource" + }, + { + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:site/${SiteId}/worker-fleet/${WorkerFleetId}", + "condition_keys": [ + "iotroborunner:WorkerFleetResourceId" + ], + "resource": "WorkerFleetResource" + }, + { + "arn": "arn:${Partition}:iotroborunner:${Region}:${Account}:site/${SiteId}/worker-fleet/${WorkerFleetId}/worker/${WorkerId}", + "condition_keys": [ + "iotroborunner:WorkerResourceId" + ], + "resource": "WorkerResource" } ], - "service_name": "AWS IoT Things Graph" + "service_name": "AWS IoT RoboRunner" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a tag key that is present in the request that the user makes to IoT Wireless", + "description": "Filters access by the tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by tag key component of a tag attached to an IoT Wireless resource", + "description": "Filters access by the tags attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the list of all the tag key names associated with the resource in the request", + "description": "Filters access by the tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "iotsitewise:assetHierarchyPath", + "description": "Filters access by an asset hierarchy path, which is the string of asset IDs in the asset's hierarchy, each separated by a forward slash", + "type": "String" + }, + { + "condition": "iotsitewise:childAssetId", + "description": "Filters access by the ID of a child asset being associated whith a parent asset", + "type": "String" + }, + { + "condition": "iotsitewise:group", + "description": "Filters access by the ID of an AWS Single Sign-On group", + "type": "String" + }, + { + "condition": "iotsitewise:iam", + "description": "Filters access by the ID of an AWS IAM identity", + "type": "String" + }, + { + "condition": "iotsitewise:isAssociatedWithAssetProperty", + "description": "Filters access by data streams associated with or not associated with asset properties", + "type": "String" + }, + { + "condition": "iotsitewise:portal", + "description": "Filters access by the ID of a portal", + "type": "String" + }, + { + "condition": "iotsitewise:project", + "description": "Filters access by the ID of a project", + "type": "String" + }, + { + "condition": "iotsitewise:propertyAlias", + "description": "Filters access by the property alias", + "type": "String" + }, + { + "condition": "iotsitewise:propertyId", + "description": "Filters access by the ID of an asset property", + "type": "String" + }, + { + "condition": "iotsitewise:user", + "description": "Filters access by the ID of an AWS Single Sign-On user", "type": "String" } ], - "prefix": "iotwireless", + "prefix": "iotsitewise", "privileges": [ { "access_level": "Write", - "description": "Grants permission to link partner accounts with Aws account", - "privilege": "AssociateAwsAccountWithPartnerAccount", + "description": "Grants permission to associate a child asset with a parent asset through a hierarchy", + "privilege": "AssociateAssets", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate the wireless device with AWS IoT thing for a given wirelessDeviceId", - "privilege": "AssociateWirelessDeviceWithThing", + "description": "Grants permission to associate a time series with an asset property", + "privilege": "AssociateTimeSeriesToAssetProperty", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing" - ], - "resource_type": "WirelessDevice*" + "dependent_actions": [], + "resource_type": "asset*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "time-series*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate a WirelessGateway with the IoT Core Identity certificate", - "privilege": "AssociateWirelessGatewayWithCertificate", + "description": "Grants permission to associate assets to a project", + "privilege": "BatchAssociateProjectAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate assets from a project", + "privilege": "BatchDisassociateProjectAssets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve computed aggregates for multiple asset properties", + "privilege": "BatchGetAssetPropertyAggregates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "asset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "time-series" } ] }, { - "access_level": "Write", - "description": "Grants permission to associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId", - "privilege": "AssociateWirelessGatewayWithThing", + "access_level": "Read", + "description": "Grants permission to retrieve the latest value for multiple asset properties", + "privilege": "BatchGetAssetPropertyValue", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing" - ], - "resource_type": "WirelessGateway*" + "dependent_actions": [], + "resource_type": "asset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "time-series" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a Destination resource", - "privilege": "CreateDestination", + "access_level": "Read", + "description": "Grants permission to retrieve the value history for multiple asset properties", + "privilege": "BatchGetAssetPropertyValueHistory", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series" } ] }, { "access_level": "Write", - "description": "Grants permission to create a DeviceProfile resource", - "privilege": "CreateDeviceProfile", + "description": "Grants permission to put property values for asset properties", + "privilege": "BatchPutAssetPropertyValue", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series" } ] }, { "access_level": "Write", - "description": "Grants permission to create a ServiceProfile resource", - "privilege": "CreateServiceProfile", + "description": "Grants permission to create an access policy for a portal or a project", + "privilege": "CreateAccessPolicy", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -102300,9 +116427,14 @@ }, { "access_level": "Write", - "description": "Grants permission to create a WirelessDevice resource with given Destination", - "privilege": "CreateWirelessDevice", + "description": "Grants permission to create an asset from an asset model", + "privilege": "CreateAsset", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "asset-model*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -102315,8 +116447,8 @@ }, { "access_level": "Write", - "description": "Grants permission to create a WirelessGateway resource", - "privilege": "CreateWirelessGateway", + "description": "Grants permission to create an asset model", + "privilege": "CreateAssetModel", "resource_types": [ { "condition_keys": [ @@ -102330,21 +116462,26 @@ }, { "access_level": "Write", - "description": "Grants permission to create a task for a given WirelessGateway", - "privilege": "CreateWirelessGatewayTask", + "description": "Grants permission to create bulk import job", + "privilege": "CreateBulkImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a WirelessGateway task definition", - "privilege": "CreateWirelessGatewayTaskDefinition", + "description": "Grants permission to create a dashboard in a project", + "privilege": "CreateDashboard", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -102357,224 +116494,236 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a Destination", - "privilege": "DeleteDestination", + "description": "Grants permission to create a gateway", + "privilege": "CreateGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "Destination*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DeviceProfile", - "privilege": "DeleteDeviceProfile", + "description": "Grants permission to create a portal", + "privilege": "CreatePortal", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DeviceProfile*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "sso:CreateManagedApplicationInstance", + "sso:DescribeRegisteredRegions" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a ServiceProfile", - "privilege": "DeleteServiceProfile", + "description": "Grants permission to create a project in a portal", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile*" + "resource_type": "portal*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a WirelessDevice", - "privilege": "DeleteWirelessDevice", + "description": "Grants permission to delete an access policy", + "privilege": "DeleteAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "access-policy*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a WirelessGateway", - "privilege": "DeleteWirelessGateway", + "description": "Grants permission to delete an asset", + "privilege": "DeleteAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "asset*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete task for a given WirelessGateway", - "privilege": "DeleteWirelessGatewayTask", + "description": "Grants permission to delete an asset model", + "privilege": "DeleteAssetModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "asset-model*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a WirelessGateway task definition", - "privilege": "DeleteWirelessGatewayTaskDefinition", + "description": "Grants permission to delete a dashboard", + "privilege": "DeleteDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGatewayTaskDefinition*" + "resource_type": "dashboard*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate an AWS account from a partner account", - "privilege": "DisassociateAwsAccountFromPartnerAccount", + "description": "Grants permission to delete a gateway", + "privilege": "DeleteGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SidewalkAccount*" + "resource_type": "gateway*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a wireless device from a AWS IoT thing", - "privilege": "DisassociateWirelessDeviceFromThing", + "description": "Grants permission to delete a portal", + "privilege": "DeletePortal", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "iot:DescribeThing" + "sso:DeleteManagedApplicationInstance" ], - "resource_type": "WirelessDevice*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "portal*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a WirelessGateway from a IoT Core Identity certificate", - "privilege": "DisassociateWirelessGatewayFromCertificate", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a WirelessGateway from a IoT Core thing", - "privilege": "DisassociateWirelessGatewayFromThing", + "description": "Grants permission to delete a time series", + "privilege": "DeleteTimeSeries", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing" - ], - "resource_type": "WirelessGateway*" + "dependent_actions": [], + "resource_type": "asset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "time-series" } ] }, { "access_level": "Read", - "description": "Grants permission to get the Destination", - "privilege": "GetDestination", + "description": "Grants permission to describe an access policy", + "privilege": "DescribeAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination*" + "resource_type": "access-policy*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the DeviceProfile", - "privilege": "GetDeviceProfile", + "description": "Grants permission to describe an asset", + "privilege": "DescribeAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "DeviceProfile*" + "resource_type": "asset*" } ] }, { "access_level": "Read", - "description": "Grants permission to get log levels by resource types", - "privilege": "GetLogLevelsByResourceTypes", + "description": "Grants permission to describe an asset model", + "privilege": "DescribeAssetModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset-model*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the associated PartnerAccount", - "privilege": "GetPartnerAccount", + "description": "Grants permission to describe an asset property", + "privilege": "DescribeAssetProperty", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SidewalkAccount*" + "resource_type": "asset*" } ] }, { "access_level": "Read", - "description": "Grants permission to get resource log level", - "privilege": "GetResourceLogLevel", + "description": "Grants permission to describe bulk import job", + "privilege": "DescribeBulkImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dashboard", + "privilege": "DescribeDashboard", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway" + "resource_type": "dashboard*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format", - "privilege": "GetServiceEndpoint", + "description": "Grants permission to describe the default encryption configuration for the AWS account", + "privilege": "DescribeDefaultEncryptionConfiguration", "resource_types": [ { "condition_keys": [], @@ -102585,218 +116734,283 @@ }, { "access_level": "Read", - "description": "Grants permission to get the ServiceProfile", - "privilege": "GetServiceProfile", + "description": "Grants permission to describe a gateway", + "privilege": "DescribeGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile*" + "resource_type": "gateway*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the WirelessDevice", - "privilege": "GetWirelessDevice", + "description": "Grants permission to describe a capability configuration for a gateway", + "privilege": "DescribeGatewayCapabilityConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "gateway*" } ] }, { "access_level": "Read", - "description": "Grants permission to get statistics info for a given WirelessDevice", - "privilege": "GetWirelessDeviceStatistics", + "description": "Grants permission to describe logging options for the AWS account", + "privilege": "DescribeLoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get the WirelessGateway", - "privilege": "GetWirelessGateway", + "description": "Grants permission to describe a portal", + "privilege": "DescribePortal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "portal*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the IoT Core Identity certificate id associated with the WirelessGateway", - "privilege": "GetWirelessGatewayCertificate", + "description": "Grants permission to describe a project", + "privilege": "DescribeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "project*" } ] }, { "access_level": "Read", - "description": "Grants permission to get Current firmware version and other information for the WirelessGateway", - "privilege": "GetWirelessGatewayFirmwareInformation", + "description": "Grants permission to describe the storage configuration for the AWS account", + "privilege": "DescribeStorageConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get statistics info for a given WirelessGateway", - "privilege": "GetWirelessGatewayStatistics", + "description": "Grants permission to describe a time series", + "privilege": "DescribeTimeSeries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the task for a given WirelessGateway", - "privilege": "GetWirelessGatewayTask", + "access_level": "Write", + "description": "Grants permission to disassociate a child asset from a parent asset by a hierarchy", + "privilege": "DisassociateAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "asset*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the given WirelessGateway task definition", - "privilege": "GetWirelessGatewayTaskDefinition", + "access_level": "Write", + "description": "Grants permission to disassociate a time series from an asset property", + "privilege": "DisassociateTimeSeriesFromAssetProperty", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGatewayTaskDefinition*" + "resource_type": "asset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series*" } ] }, { "access_level": "Read", - "description": "List information of available Destinations based on the AWS account.", - "privilege": "ListDestinations", + "description": "Grants permission to retrieve computed aggregates for an asset property", + "privilege": "GetAssetPropertyAggregates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series" } ] }, { "access_level": "Read", - "description": "Grants permission to list information of available DeviceProfiles based on the AWS account", - "privilege": "ListDeviceProfiles", + "description": "Grants permission to retrieve the latest value for an asset property", + "privilege": "GetAssetPropertyValue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series" } ] }, { "access_level": "Read", - "description": "Grants permission to list the available partner accounts", - "privilege": "ListPartnerAccounts", + "description": "Grants permission to retrieve the value history for an asset property", + "privilege": "GetAssetPropertyValueHistory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series" } ] }, { "access_level": "Read", - "description": "Grants permission to list information of available ServiceProfiles based on the AWS account", - "privilege": "ListServiceProfiles", + "description": "Grants permission to retrieve interpolated values for an asset property", + "privilege": "GetInterpolatedAssetPropertyValues", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "time-series" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all tags for a given resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to list all access policies for an identity or a resource", + "privilege": "ListAccessPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination" + "resource_type": "portal" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "DeviceProfile" - }, + "resource_type": "project" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all asset models", + "privilege": "ListAssetModels", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the asset relationship graph for an asset", + "privilege": "ListAssetRelationships", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SidewalkAccount" - }, + "resource_type": "asset*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assets", + "privilege": "ListAssets", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice" - }, + "resource_type": "asset-model" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assets associated with an asset through a hierarchy", + "privilege": "ListAssociatedAssets", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway" - }, + "resource_type": "asset*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list bulk import jobs", + "privilege": "ListBulkImportJobs", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGatewayTaskDefinition" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list information of available WirelessDevices based on the AWS account", - "privilege": "ListWirelessDevices", + "access_level": "List", + "description": "Grants permission to list all dashboards in a project", + "privilege": "ListDashboards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list information of available WirelessGateway task definitions based on the AWS account", - "privilege": "ListWirelessGatewayTaskDefinitions", + "access_level": "List", + "description": "Grants permission to list all gateways", + "privilege": "ListGateways", "resource_types": [ { "condition_keys": [], @@ -102806,9 +117020,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list information of available WirelessGateways based on the AWS account", - "privilege": "ListWirelessGateways", + "access_level": "List", + "description": "Grants permission to list all portals", + "privilege": "ListPortals", "resource_types": [ { "condition_keys": [], @@ -102818,164 +117032,215 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to put resource log level", - "privilege": "PutResourceLogLevel", + "access_level": "List", + "description": "Grants permission to list all assets associated with a project", + "privilege": "ListProjectAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice" - }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all projects in a portal", + "privilege": "ListProjects", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway" + "resource_type": "portal*" } ] }, { - "access_level": "Write", - "description": "Grants permission to reset all resource log levels", - "privilege": "ResetAllResourceLogLevels", + "access_level": "Read", + "description": "Grants permission to list all tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "access-policy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "asset-model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, + { + "access_level": "List", + "description": "Grants permission to list time series", + "privilege": "ListTimeSeries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "asset" + } + ] + }, { "access_level": "Write", - "description": "Grants permission to reset resource log level", - "privilege": "ResetResourceLogLevel", + "description": "Grants permission to set the default encryption configuration for the AWS account", + "privilege": "PutDefaultEncryptionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set logging options for the AWS account", + "privilege": "PutLoggingOptions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to send the decrypted application data frame to the target device", - "privilege": "SendDataToWirelessDevice", + "description": "Grants permission to configure storage settings for the AWS account", + "privilege": "PutStorageConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to tag a given resource", + "description": "Grants permission to tag a resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination" + "resource_type": "access-policy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "DeviceProfile" + "resource_type": "asset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile" + "resource_type": "asset-model" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "SidewalkAccount" + "resource_type": "dashboard" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice" + "resource_type": "gateway" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway" + "resource_type": "portal" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGatewayTaskDefinition" + "resource_type": "project" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "Write", - "description": "Grants permission to simulate a provisioned device to send an uplink data with payload of 'Hello'", - "privilege": "TestWirelessDevice", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "WirelessDevice*" - } - ] - }, { "access_level": "Tagging", - "description": "Grants permission to remove the given tags from the resource", + "description": "Grants permission to untag a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination" + "resource_type": "access-policy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "DeviceProfile" + "resource_type": "asset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile" + "resource_type": "asset-model" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "SidewalkAccount" + "resource_type": "dashboard" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice" + "resource_type": "gateway" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway" + "resource_type": "portal" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGatewayTaskDefinition" + "resource_type": "project" }, { "condition_keys": [ @@ -102988,156 +117253,222 @@ }, { "access_level": "Write", - "description": "Grants permission to update a Destination resource", - "privilege": "UpdateDestination", + "description": "Grants permission to update an access policy", + "privilege": "UpdateAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination*" + "resource_type": "access-policy*" } ] }, { "access_level": "Write", - "description": "Grants permission to update log levels by resource types", - "privilege": "UpdateLogLevelsByResourceTypes", + "description": "Grants permission to update an asset", + "privilege": "UpdateAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a partner account", - "privilege": "UpdatePartnerAccount", + "description": "Grants permission to update an asset model", + "privilege": "UpdateAssetModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SidewalkAccount*" + "resource_type": "asset-model*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a WirelessDevice resource", - "privilege": "UpdateWirelessDevice", + "description": "Grants permission to update an AssetModel property routing", + "privilege": "UpdateAssetModelPropertyRouting", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "asset-model*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a WirelessGateway resource", - "privilege": "UpdateWirelessGateway", + "description": "Grants permission to update an asset property", + "privilege": "UpdateAssetProperty", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "asset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a dashboard", + "privilege": "UpdateDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a gateway", + "privilege": "UpdateGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a capability configuration for a gateway", + "privilege": "UpdateGatewayCapabilityConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a portal", + "privilege": "UpdatePortal", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a project", + "privilege": "UpdateProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId}", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "WirelessDevice" + "resource": "asset" }, { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId}", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset-model/${AssetModelId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "WirelessGateway" + "resource": "asset-model" }, { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId}", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:time-series/${TimeSeriesId}", + "condition_keys": [], + "resource": "time-series" + }, + { + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:gateway/${GatewayId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "DeviceProfile" + "resource": "gateway" }, { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId}", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:portal/${PortalId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "ServiceProfile" + "resource": "portal" }, { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName}", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:project/${ProjectId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Destination" + "resource": "project" }, { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:SidewalkAccount/${SidewalkAccountId}", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:dashboard/${DashboardId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "SidewalkAccount" + "resource": "dashboard" }, { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGatewayTaskDefinition/${WirelessGatewayTaskDefinitionId}", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:access-policy/${AccessPolicyId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "WirelessGatewayTaskDefinition" + "resource": "access-policy" + } + ], + "service_name": "AWS IoT SiteWise" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the thingsgraph service", + "type": "String" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", - "condition_keys": [], - "resource": "thing" + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair", + "type": "String" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}", - "condition_keys": [], - "resource": "cert" + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the thingsgraph service", + "type": "String" } ], - "service_name": "AWS IoT Core for LoRaWAN" - }, - { - "conditions": [], - "prefix": "iq", + "prefix": "iotthingsgraph", "privileges": [ { "access_level": "Write", - "description": "Grants permission to submit new project requests", - "privilege": "CreateProject", + "description": "Associates a device with a concrete thing that is in the user's registry. A thing can be associated with only one device at a time. If you associate a thing with a new device id, its previous association will be removed", + "privilege": "AssociateEntityToThing", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iot:DescribeThing", + "iot:DescribeThingGroup" + ], "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS IQ" - }, - { - "conditions": [], - "prefix": "iq-permission", - "privileges": [ + }, { "access_level": "Write", - "description": "Grants permission to approve an access grant", - "privilege": "ApproveAccessGrant", + "description": "Creates a workflow template. Workflows can be created only in the user's namespace. (The public namespace contains only entities.) The workflow can contain only entities in the specified namespace. The workflow is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request", + "privilege": "CreateFlowTemplate", "resource_types": [ { "condition_keys": [], @@ -103145,406 +117476,382 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS IQ Permissions" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags associated with the request", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "ivs", - "privileges": [ - { - "access_level": "Read", - "description": "Grants permission to get multiple channels simultaneously by channel ARN", - "privilege": "BatchGetChannel", + "access_level": "Write", + "description": "Creates an instance of a system with specified configurations and Things", + "privilege": "CreateSystemInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get multiple stream keys simultaneously by stream key ARN", - "privilege": "BatchGetStreamKey", + "access_level": "Write", + "description": "Creates a system. The system is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request", + "privilege": "CreateSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new channel and an associated stream key", - "privilege": "CreateChannel", + "description": "Deletes a workflow. Any new system or system instance that contains this workflow will fail to update or deploy. Existing system instances that contain the workflow will continue to run (since they use a snapshot of the workflow taken at the time of deploying the system instance)", + "privilege": "DeleteFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Stream-Key*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Workflow*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a a new recording configuration", - "privilege": "CreateRecordingConfiguration", + "description": "Deletes the specified namespace. This action deletes all of the entities in the namespace. Delete the systems and flows in the namespace before performing this action", + "privilege": "DeleteNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recording-Configuration*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a stream key", - "privilege": "CreateStreamKey", + "description": "Deletes a system instance. Only instances that have never been deployed, or that have been undeployed from the target can be deleted. Users can create a new system instance that has the same ID as a deleted system instance", + "privilege": "DeleteSystemInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SystemInstance*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a channel and channel's stream keys", - "privilege": "DeleteChannel", + "description": "Deletes a system. New system instances can't contain the system after its deletion. Existing system instances that contain the system will continue to work because they use a snapshot of the system that is taken when it is deployed", + "privilege": "DeleteSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "System*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the playback key pair for a specified ARN", - "privilege": "DeletePlaybackKeyPair", + "description": "Deploys the system instance to the target specified in CreateSystemInstance", + "privilege": "DeploySystemInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" + "resource_type": "SystemInstance*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a recording configuration for the specified ARN", - "privilege": "DeleteRecordingConfiguration", + "description": "Deprecates the specified workflow. This action marks the workflow for deletion. Deprecated flows can't be deployed, but existing system instances that use the flow will continue to run", + "privilege": "DeprecateFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recording-Configuration*" + "resource_type": "Workflow*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the stream key for a specified ARN", - "privilege": "DeleteStreamKey", + "description": "Deprecates the specified system", + "privilege": "DeprecateSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "System*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the channel configuration for a specified channel ARN", - "privilege": "GetChannel", + "description": "Gets the latest version of the user's namespace and the public version that it is tracking", + "privilege": "DescribeNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the playback keypair information for a specified ARN", - "privilege": "GetPlaybackKeyPair", + "access_level": "Write", + "description": "Dissociates a device entity from a concrete thing. The action takes only the type of the entity that you need to dissociate because only one entity of a particular type can be associated with a thing", + "privilege": "DissociateEntityFromThing", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" + "dependent_actions": [ + "iot:DescribeThing", + "iot:DescribeThingGroup" + ], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get the recording configuration for the specified ARN", - "privilege": "GetRecordingConfiguration", + "description": "Gets descriptions of the specified entities. Uses the latest version of the user's namespace by default", + "privilege": "GetEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recording-Configuration*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about the active (live) stream on a specified channel", - "privilege": "GetStream", + "description": "Gets the latest version of the DefinitionDocument and FlowTemplateSummary for the specified workflow", + "privilege": "GetFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "Workflow*" } ] }, { "access_level": "Read", - "description": "Grants permission to get stream-key information for a specified ARN", - "privilege": "GetStreamKey", + "description": "Gets revisions of the specified workflow. Only the last 100 revisions are stored. If the workflow has been deprecated, this action will return revisions that occurred before the deprecation. This action won't work for workflows that have been deleted", + "privilege": "GetFlowTemplateRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "Workflow*" } ] }, { - "access_level": "Write", - "description": "Grants permission to import the public key", - "privilege": "ImportPlaybackKeyPair", + "access_level": "Read", + "description": "Gets the status of a namespace deletion task", + "privilege": "GetNamespaceDeletionStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to get summary information about channels", - "privilege": "ListChannels", + "access_level": "Read", + "description": "Gets a system instance", + "privilege": "GetSystemInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "SystemInstance*" } ] }, { - "access_level": "List", - "description": "Grants permission to get summary information about playback key pairs", - "privilege": "ListPlaybackKeyPairs", + "access_level": "Read", + "description": "Gets a system", + "privilege": "GetSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" + "resource_type": "System*" } ] }, { - "access_level": "List", - "description": "Grants permission to get summary information about recording configurations", - "privilege": "ListRecordingConfigurations", + "access_level": "Read", + "description": "Gets revisions made to the specified system template. Only the previous 100 revisions are stored. If the system has been deprecated, this action will return the revisions that occurred before its deprecation. This action won't work with systems that have been deleted", + "privilege": "GetSystemTemplateRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recording-Configuration*" + "resource_type": "System*" } ] }, { - "access_level": "List", - "description": "Grants permission to get summary information about stream keys", - "privilege": "ListStreamKeys", + "access_level": "Read", + "description": "Gets the status of the specified upload", + "privilege": "GetUploadStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Lists details of a single workflow execution", + "privilege": "ListFlowExecutionMessages", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to get summary information about live streams", - "privilege": "ListStreams", + "description": "Lists all tags for a given resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "SystemInstance" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about the tags for a specified ARN", - "privilege": "ListTagsForResource", + "description": "Searches for entities of the specified type. You can search for entities in your namespace and the public namespace that you're tracking", + "privilege": "SearchEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Searches for workflow executions of a system instance", + "privilege": "SearchFlowExecutions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair" - }, + "resource_type": "SystemInstance*" + } + ] + }, + { + "access_level": "Read", + "description": "Searches for summary information about workflows", + "privilege": "SearchFlowTemplates", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recording-Configuration" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Searches for system instances in the user's account", + "privilege": "SearchSystemInstances", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to insert metadata into an RTMP stream for a specified channel", - "privilege": "PutMetadata", + "access_level": "Read", + "description": "Searches for summary information about systems in the user's account. You can filter by the ID of a workflow to return only systems that use the specified workflow", + "privilege": "SearchSystemTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disconnect a streamer on a specified channel", - "privilege": "StopStream", + "access_level": "Read", + "description": "Searches for things associated with the specified entity. You can search by both device and device model", + "privilege": "SearchThings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add or update tags for a resource with a specified ARN", + "description": "Tag a specified resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel" + "resource_type": "SystemInstance" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "Playback-Key-Pair" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Removes the system instance and associated triggers from the target", + "privilege": "UndeploySystemInstance", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recording-Configuration" - }, + "resource_type": "SystemInstance*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Untag a specified resource", + "privilege": "UntagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key" + "resource_type": "SystemInstance" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -103552,176 +117859,174 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags for a resource with a specified ARN", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Updates the specified workflow. All deployed systems and system instances that use the workflow will see the changes in the flow when it is redeployed. The workflow can contain only entities in the specified namespace", + "privilege": "UpdateFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Playback-Key-Pair" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Recording-Configuration" - }, + "resource_type": "Workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Updates the specified system. You don't need to run this action after updating a workflow. Any system instance that uses the system will see the changes in the system when it is redeployed", + "privilege": "UpdateSystemTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "System*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a channel's configuration", - "privilege": "UpdateChannel", + "description": "Asynchronously uploads one or more entity definitions to the user's namespace", + "privilege": "UploadEntityDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:ivs:${Region}:${Account}:channel/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Channel" - }, - { - "arn": "arn:${Partition}:ivs:${Region}:${Account}:stream-key/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Stream-Key" + "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath}", + "condition_keys": [], + "resource": "Workflow" }, { - "arn": "arn:${Partition}:ivs:${Region}:${Account}:playback-key/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Playback-Key-Pair" + "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:System/${NamespacePath}", + "condition_keys": [], + "resource": "System" }, { - "arn": "arn:${Partition}:ivs:${Region}:${Account}:recording-configuration/${ResourceId}", + "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Deployment/${NamespacePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Recording-Configuration" + "resource": "SystemInstance" } ], - "service_name": "Amazon Interactive Video Service" + "service_name": "AWS IoT Things Graph" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tags attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by the tag keys in the request", "type": "String" } ], - "prefix": "kafka", + "prefix": "iottwinmaker", "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate one or more Scram Secrets with an Amazon MSK cluster", - "privilege": "BatchAssociateScramSecret", + "description": "Grants permission to set values for multiple time series properties", + "privilege": "BatchPutPropertyValues", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "kms:CreateGrant", - "kms:RetireGrant" + "iottwinmaker:GetComponentType", + "iottwinmaker:GetEntity", + "iottwinmaker:GetWorkspace" ], - "resource_type": "" + "resource_type": "workspace*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate one or more Scram Secrets from an Amazon MSK cluster", - "privilege": "BatchDisassociateScramSecret", + "description": "Grants permission to create a componentType", + "privilege": "CreateComponentType", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "kms:RetireGrant" + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an MSK cluster", - "privilege": "CreateCluster", + "description": "Grants permission to create an entity", + "privilege": "CreateEntity", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [ - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "iam:AttachRolePolicy", - "iam:CreateServiceLinkedRole", - "iam:PutRolePolicy", - "kms:CreateGrant", - "kms:DescribeKey" - ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an MSK configuration", - "privilege": "CreateConfiguration", + "description": "Grants permission to create a scene", + "privilege": "CreateScene", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an MSK cluster", - "privilege": "DeleteCluster", + "description": "Grants permission to create a workspace", + "privilege": "CreateWorkspace", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -103729,188 +118034,256 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the specified MSK configuration", - "privilege": "DeleteConfiguration", + "description": "Grants permission to delete a componentType", + "privilege": "DeleteComponentType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "componentType*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK cluster", - "privilege": "DescribeCluster", + "access_level": "Write", + "description": "Grants permission to delete an entity", + "privilege": "DeleteEntity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "entity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the cluster operation that is specified by the given ARN", - "privilege": "DescribeClusterOperation", + "access_level": "Write", + "description": "Grants permission to delete a scene", + "privilege": "DeleteScene", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "scene*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK configuration", - "privilege": "DescribeConfiguration", + "access_level": "Write", + "description": "Grants permission to delete a workspace", + "privilege": "DeleteWorkspace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an MSK configuration revision", - "privilege": "DescribeConfigurationRevision", + "description": "Grants permission to get a componentType", + "privilege": "GetComponentType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "componentType*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" } ] }, { "access_level": "Read", - "description": "Grants permission to get connection details for the brokers in an MSK cluster", - "privilege": "GetBootstrapBrokers", + "description": "Grants permission to get an entity", + "privilege": "GetEntity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get a list of the Apache Kafka versions to which you can update an MSK cluster", - "privilege": "GetCompatibleKafkaVersions", - "resource_types": [ + "resource_type": "entity*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of all the operations that have been performed on the specified MSK cluster", - "privilege": "ListClusterOperations", + "access_level": "Read", + "description": "Grants permission to retrieve the property values", + "privilege": "GetPropertyValue", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iottwinmaker:GetComponentType", + "iottwinmaker:GetEntity", + "iottwinmaker:GetWorkspace" + ], + "resource_type": "workspace*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "componentType" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity" } ] }, { - "access_level": "List", - "description": "Grants permission to list all MSK clusters in this account", - "privilege": "ListClusters", + "access_level": "Read", + "description": "Grants permission to retrieve the time series value history", + "privilege": "GetPropertyValueHistory", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iottwinmaker:GetComponentType", + "iottwinmaker:GetEntity", + "iottwinmaker:GetWorkspace" + ], + "resource_type": "workspace*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "componentType" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity" } ] }, { - "access_level": "List", - "description": "Grants permission to list all revisions for an MSK configuration in this account", - "privilege": "ListConfigurationRevisions", + "access_level": "Read", + "description": "Grants permission to get a scene", + "privilege": "GetScene", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "scene*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all MSK configurations in this account", - "privilege": "ListConfigurations", + "access_level": "Read", + "description": "Grants permission to get a workspace", + "privilege": "GetWorkspace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "List", - "description": "Grants permission to list all Apache Kafka versions supported by Amazon MSK", - "privilege": "ListKafkaVersions", + "description": "Grants permission to list all componentTypes in a workspace", + "privilege": "ListComponentTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "List", - "description": "Grants permission to list brokers in an MSK cluster", - "privilege": "ListNodes", + "description": "Grants permission to list all entities in a workspace", + "privilege": "ListEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "List", - "description": "Grants permission to list the Scram Secrets associated with an Amazon MSK cluster", - "privilege": "ListScramSecrets", + "description": "Grants permission to list all scenes in a workspace", + "privilege": "ListScenes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "List", - "description": "Grants permission to list tags of an MSK resource", + "description": "Grants permission to list all tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "componentType" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scene" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to reboot broker", - "privilege": "RebootBroker", + "access_level": "List", + "description": "Grants permission to list all workspaces", + "privilege": "ListWorkspaces", "resource_types": [ { "condition_keys": [], @@ -103921,13 +118294,28 @@ }, { "access_level": "Tagging", - "description": "Grants permission to tag an MSK resource", + "description": "Grants permission to tag a resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "componentType" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scene" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace" }, { "condition_keys": [ @@ -103941,13 +118329,28 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from an MSK resource", + "description": "Grants permission to untag a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "componentType" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scene" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace" }, { "condition_keys": [ @@ -103960,1050 +118363,965 @@ }, { "access_level": "Write", - "description": "Grants permission to update the number of brokers of the MSK cluster", - "privilege": "UpdateBrokerCount", + "description": "Grants permission to update a componentType", + "privilege": "UpdateComponentType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the storage size of the brokers of the MSK cluster", - "privilege": "UpdateBrokerStorage", - "resource_types": [ + "resource_type": "componentType*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the broker type of an Amazon MSK cluster", - "privilege": "UpdateBrokerType", + "description": "Grants permission to update an entity", + "privilege": "UpdateEntity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the configuration of the MSK cluster", - "privilege": "UpdateClusterConfiguration", - "resource_types": [ + "resource_type": "entity*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the MSK cluster to the specified Apache Kafka version", - "privilege": "UpdateClusterKafkaVersion", + "description": "Grants permission to update a scene", + "privilege": "UpdateScene", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new revision of the MSK configuration", - "privilege": "UpdateConfiguration", - "resource_types": [ + "resource_type": "scene*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the monitoring settings for the MSK cluster", - "privilege": "UpdateMonitoring", + "description": "Grants permission to update a workspace", + "privilege": "UpdateWorkspace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the security settings for the MSK cluster", - "privilege": "UpdateSecurity", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "kms:RetireGrant" - ], - "resource_type": "" + "resource_type": "workspace*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${UUID}", + "arn": "arn:${Partition}:iottwinmaker:${Region}:${Account}:workspace/${WorkspaceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "cluster" + "resource": "workspace" + }, + { + "arn": "arn:${Partition}:iottwinmaker:${Region}:${Account}:workspace/${WorkspaceId}/entity/${EntityId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "entity" + }, + { + "arn": "arn:${Partition}:iottwinmaker:${Region}:${Account}:workspace/${WorkspaceId}/component-type/${ComponentTypeId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "componentType" + }, + { + "arn": "arn:${Partition}:iottwinmaker:${Region}:${Account}:workspace/${WorkspaceId}/scene/${SceneId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "scene" } ], - "service_name": "Amazon Managed Streaming for Apache Kafka" + "service_name": "AWS IoT TwinMaker" }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag key that is present in the request that the user makes to IoT Wireless", + "type": "String" + }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource. The resource tag context key will only apply to the cluster resource, not topics, groups and transactional IDs", + "description": "Filters access by tag key component of a tag attached to an IoT Wireless resource", "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names associated with the resource in the request", + "type": "ArrayOfString" } ], - "prefix": "kafka-cluster", + "prefix": "iotwireless", "privileges": [ { "access_level": "Write", - "description": "Grants permission to alter various aspects of the cluster, equivalent to Apache Kafka's ALTER CLUSTER ACL", - "privilege": "AlterCluster", + "description": "Grants permission to link partner accounts with AWS account", + "privilege": "AssociateAwsAccountWithPartnerAccount", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeCluster" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to alter the dynamic configuration of a cluster, equivalent to Apache Kafka's ALTER_CONFIGS CLUSTER ACL", - "privilege": "AlterClusterDynamicConfiguration", + "description": "Grants permission to associate the MulticastGroup with FuotaTask", + "privilege": "AssociateMulticastGroupWithFuotaTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeClusterDynamicConfiguration" - ], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to join groups on a cluster, equivalent to Apache Kafka's READ GROUP ACL", - "privilege": "AlterGroup", - "resource_types": [ + "dependent_actions": [], + "resource_type": "FuotaTask*" + }, { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeGroup" - ], - "resource_type": "group*" + "dependent_actions": [], + "resource_type": "MulticastGroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to alter topics on a cluster, equivalent to Apache Kafka's ALTER TOPIC ACL", - "privilege": "AlterTopic", + "description": "Grants permission to associate the wireless device with FuotaTask", + "privilege": "AssociateWirelessDeviceWithFuotaTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeTopic" - ], - "resource_type": "topic*" + "dependent_actions": [], + "resource_type": "FuotaTask*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Grants permission to alter the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's ALTER_CONFIGS TOPIC ACL", - "privilege": "AlterTopicDynamicConfiguration", + "description": "Grants permission to associate the WirelessDevice with MulticastGroup", + "privilege": "AssociateWirelessDeviceWithMulticastGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeTopicDynamicConfiguration" - ], - "resource_type": "topic*" + "dependent_actions": [], + "resource_type": "MulticastGroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Grants permission to alter transactional IDs on a cluster, equivalent to Apache Kafka's WRITE TRANSACTIONAL_ID ACL", - "privilege": "AlterTransactionalId", + "description": "Grants permission to associate the wireless device with AWS IoT thing for a given wirelessDeviceId", + "privilege": "AssociateWirelessDeviceWithThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeTransactionalId", - "kafka-cluster:WriteData" + "iot:DescribeThing" ], - "resource_type": "transactional-id*" + "resource_type": "WirelessDevice*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Grants permission to connect and authenticate to the cluster", - "privilege": "Connect", + "description": "Grants permission to associate a WirelessGateway with the IoT Core Identity certificate", + "privilege": "AssociateWirelessGatewayWithCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Grants permission to create topics on a cluster, equivalent to Apache Kafka's CREATE CLUSTER/TOPIC ACL", - "privilege": "CreateTopic", + "description": "Grants permission to associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId", + "privilege": "AssociateWirelessGatewayWithThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "kafka-cluster:Connect" + "iot:DescribeThing" ], - "resource_type": "topic*" + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete groups on a cluster, equivalent to Apache Kafka's DELETE GROUP ACL", - "privilege": "DeleteGroup", + "description": "Grants permission to cancel the MulticastGroup session", + "privilege": "CancelMulticastGroupSession", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeGroup" - ], - "resource_type": "group*" + "dependent_actions": [], + "resource_type": "MulticastGroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete topics on a cluster, equivalent to Apache Kafka's DELETE TOPIC ACL", - "privilege": "DeleteTopic", + "description": "Grants permission to create a Destination resource", + "privilege": "CreateDestination", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeTopic" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "topic*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe various aspects of the cluster, equivalent to Apache Kafka's DESCRIBE CLUSTER ACL", - "privilege": "DescribeCluster", + "access_level": "Write", + "description": "Grants permission to create a DeviceProfile resource", + "privilege": "CreateDeviceProfile", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the dynamic configuration of a cluster, equivalent to Apache Kafka's DESCRIBE_CONFIGS CLUSTER ACL", - "privilege": "DescribeClusterDynamicConfiguration", + "access_level": "Write", + "description": "Grants permission to create a FuotaTask resource", + "privilege": "CreateFuotaTask", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe groups on a cluster, equivalent to Apache Kafka's DESCRIBE GROUP ACL", - "privilege": "DescribeGroup", + "access_level": "Write", + "description": "Grants permission to create a MulticastGroup resource", + "privilege": "CreateMulticastGroup", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "group*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe topics on a cluster, equivalent to Apache Kafka's DESCRIBE TOPIC ACL", - "privilege": "DescribeTopic", + "access_level": "Write", + "description": "Grants permission to create a NetworkAnalyzerConfiguration resource", + "privilege": "CreateNetworkAnalyzerConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect" - ], - "resource_type": "topic*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to describe the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's DESCRIBE_CONFIGS TOPIC ACL", - "privilege": "DescribeTopicDynamicConfiguration", - "resource_types": [ + "dependent_actions": [], + "resource_type": "WirelessDevice*" + }, { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect" + "dependent_actions": [], + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "topic*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe transactional IDs on a cluster, equivalent to Apache Kafka's DESCRIBE TRANSACTIONAL_ID ACL", - "privilege": "DescribeTransactionalId", + "access_level": "Write", + "description": "Grants permission to create a ServiceProfile resource", + "privilege": "CreateServiceProfile", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "transactional-id*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to read data from topics on a cluster, equivalent to Apache Kafka's READ TOPIC ACL", - "privilege": "ReadData", + "access_level": "Write", + "description": "Grants permission to create a WirelessDevice resource with given Destination", + "privilege": "CreateWirelessDevice", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:AlterGroup", - "kafka-cluster:Connect", - "kafka-cluster:DescribeTopic" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "topic*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to write data to topics on a cluster, equivalent to Apache Kafka's WRITE TOPIC ACL", - "privilege": "WriteData", + "description": "Grants permission to create a WirelessGateway resource", + "privilege": "CreateWirelessGateway", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:DescribeTopic" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "topic*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to write data idempotently on a cluster, equivalent to Apache Kafka's IDEMPOTENT_WRITE CLUSTER ACL", - "privilege": "WriteDataIdempotently", + "description": "Grants permission to create a task for a given WirelessGateway", + "privilege": "CreateWirelessGatewayTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "kafka-cluster:Connect", - "kafka-cluster:WriteData" - ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "WirelessGateway*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${ClusterUuid}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "cluster" - }, - { - "arn": "arn:${Partition}:kafka:${Region}:${Account}:topic/${ClusterName}/${ClusterUuid}/${TopicName}", - "condition_keys": [], - "resource": "topic" - }, - { - "arn": "arn:${Partition}:kafka:${Region}:${Account}:group/${ClusterName}/${ClusterUuid}/${GroupName}", - "condition_keys": [], - "resource": "group" }, - { - "arn": "arn:${Partition}:kafka:${Region}:${Account}:transactional-id/${ClusterName}/${ClusterUuid}/${TransactionalId}", - "condition_keys": [], - "resource": "transactional-id" - } - ], - "service_name": "Apache Kafka APIs for Amazon MSK clusters" - }, - { - "conditions": [], - "prefix": "kafkaconnect", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an MSK Connect connector", - "privilege": "CreateConnector", + "description": "Grants permission to create a WirelessGateway task definition", + "privilege": "CreateWirelessGatewayTaskDefinition", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "firehose:TagDeliveryStream", - "iam:AttachRolePolicy", - "iam:CreateServiceLinkedRole", - "iam:PassRole", - "iam:PutRolePolicy", - "logs:CreateLogDelivery", - "logs:DescribeLogGroups", - "logs:DescribeResourcePolicies", - "logs:GetLogDelivery", - "logs:ListLogDeliveries", - "logs:PutResourcePolicy", - "s3:GetBucketPolicy", - "s3:PutBucketPolicy" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an MSK Connect custom plugin", - "privilege": "CreateCustomPlugin", + "description": "Grants permission to delete a Destination", + "privilege": "DeleteDestination", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "s3:GetObject" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "Destination*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an MSK Connect worker configuration", - "privilege": "CreateWorkerConfiguration", + "description": "Grants permission to delete a DeviceProfile", + "privilege": "DeleteDeviceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "DeviceProfile*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an MSK Connect connector", - "privilege": "DeleteConnector", + "description": "Grants permission to delete the FuotaTask", + "privilege": "DeleteFuotaTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "FuotaTask*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK Connect connector", - "privilege": "DescribeConnector", + "access_level": "Write", + "description": "Grants permission to delete the MulticastGroup", + "privilege": "DeleteMulticastGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connector*" + "resource_type": "MulticastGroup*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK Connect custom plugin", - "privilege": "DescribeCustomPlugin", + "access_level": "Write", + "description": "Grants permission to delete the NetworkAnalyzerConfiguration", + "privilege": "DeleteNetworkAnalyzerConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "custom plugin*" + "resource_type": "NetworkAnalyzerConfiguration*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK Connect worker configuration", - "privilege": "DescribeWorkerConfiguration", + "access_level": "Write", + "description": "Grants permission to delete QueuedMessages", + "privilege": "DeleteQueuedMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worker configuration*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all MSK Connect connectors in this account", - "privilege": "ListConnectors", + "access_level": "Write", + "description": "Grants permission to delete a ServiceProfile", + "privilege": "DeleteServiceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ServiceProfile*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all MSK Connect custom plugins in this account", - "privilege": "ListCustomPlugins", + "access_level": "Write", + "description": "Grants permission to delete a WirelessDevice", + "privilege": "DeleteWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessDevice*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all MSK Connect worker configurations in this account", - "privilege": "ListWorkerConfigurations", + "access_level": "Write", + "description": "Grants permission to delete a WirelessGateway", + "privilege": "DeleteWirelessGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an MSK Connect connector", - "privilege": "UpdateConnector", + "description": "Grants permission to delete task for a given WirelessGateway", + "privilege": "DeleteWirelessGatewayTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:connector/${ConnectorName}/${UUID}", - "condition_keys": [], - "resource": "connector" - }, - { - "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:custom-plugin/${CustomPluginName}/${UUID}", - "condition_keys": [], - "resource": "custom plugin" - }, - { - "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:worker-configuration/${WorkerConfigurationName}/${UUID}", - "condition_keys": [], - "resource": "worker configuration" - } - ], - "service_name": "Amazon Managed Streaming for Kafka Connect" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on the tags associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "kendra", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to batch delete document", - "privilege": "BatchDeleteDocument", + "description": "Grants permission to delete a WirelessGateway task definition", + "privilege": "DeleteWirelessGatewayTaskDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessGatewayTaskDefinition*" } ] }, { - "access_level": "Read", - "description": "Grants permission to do batch get document status", - "privilege": "BatchGetDocumentStatus", + "access_level": "Write", + "description": "Grants permission to disassociate an AWS account from a partner account", + "privilege": "DisassociateAwsAccountFromPartnerAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "SidewalkAccount*" } ] }, { "access_level": "Write", - "description": "Grants permission to batch put document", - "privilege": "BatchPutDocument", + "description": "Grants permission to disassociate the MulticastGroup from FuotaTask", + "privilege": "DisassociateMulticastGroupFromFuotaTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to clear out the suggestions for a given index, generated so far", - "privilege": "ClearQuerySuggestions", - "resource_types": [ + "resource_type": "FuotaTask*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "MulticastGroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a data source", - "privilege": "CreateDataSource", + "description": "Grants permission to disassociate the wireless device from FuotaTask", + "privilege": "DisassociateWirelessDeviceFromFuotaTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "FuotaTask*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Faq", - "privilege": "CreateFaq", + "description": "Grants permission to disassociate the wireless device from MulticastGroup", + "privilege": "DisassociateWirelessDeviceFromMulticastGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "MulticastGroup*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Index", - "privilege": "CreateIndex", + "description": "Grants permission to disassociate a wireless device from a AWS IoT thing", + "privilege": "DisassociateWirelessDeviceFromThing", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing" ], + "resource_type": "WirelessDevice*" + }, + { + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a QuerySuggestions BlockList", - "privilege": "CreateQuerySuggestionsBlockList", + "description": "Grants permission to disassociate a WirelessGateway from a IoT Core Identity certificate", + "privilege": "DisassociateWirelessGatewayFromCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessGateway*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a Thesaurus", - "privilege": "CreateThesaurus", + "description": "Grants permission to disassociate a WirelessGateway from a IoT Core thing", + "privilege": "DisassociateWirelessGatewayFromThing", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "dependent_actions": [ + "iot:DescribeThing" + ], + "resource_type": "WirelessGateway*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a data source", - "privilege": "DeleteDataSource", + "access_level": "Read", + "description": "Grants permission to get the Destination", + "privilege": "GetDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "resource_type": "Destination*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Faq", - "privilege": "DeleteFaq", + "access_level": "Read", + "description": "Grants permission to get the DeviceProfile", + "privilege": "GetDeviceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "resource_type": "DeviceProfile*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Index", - "privilege": "DeleteIndex", + "access_level": "Read", + "description": "Grants permission to get event configuration by resource types", + "privilege": "GetEventConfigurationByResourceTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete principal mapping from index", - "privilege": "DeletePrincipalMapping", + "access_level": "Read", + "description": "Grants permission to get the FuotaTask", + "privilege": "GetFuotaTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, + "resource_type": "FuotaTask*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get log levels by resource types", + "privilege": "GetLogLevelsByResourceTypes", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a QuerySuggestions BlockList", - "privilege": "DeleteQuerySuggestionsBlockList", + "access_level": "Read", + "description": "Grants permission to get the MulticastGroup", + "privilege": "GetMulticastGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, + "resource_type": "MulticastGroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the MulticastGroup session", + "privilege": "GetMulticastGroupSession", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "query-suggestions-block-list*" + "resource_type": "MulticastGroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a Thesaurus", - "privilege": "DeleteThesaurus", + "access_level": "Read", + "description": "Grants permission to get the NetworkAnalyzerConfiguration", + "privilege": "GetNetworkAnalyzerConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, + "resource_type": "NetworkAnalyzerConfiguration*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the associated PartnerAccount", + "privilege": "GetPartnerAccount", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus*" + "resource_type": "SidewalkAccount*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a data source", - "privilege": "DescribeDataSource", + "description": "Grants permission to get position for a given resource", + "privilege": "GetPosition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessGateway" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an Faq", - "privilege": "DescribeFaq", + "description": "Grants permission to get position configuration for a given resource", + "privilege": "GetPositionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq*" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessGateway" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an Index", - "privilege": "DescribeIndex", + "description": "Grants permission to get an event configuration for an identifier", + "privilege": "GetResourceEventConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe principal mapping from index", - "privilege": "DescribePrincipalMapping", - "resource_types": [ + "resource_type": "SidewalkAccount" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "WirelessGateway" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a QuerySuggestions BlockList", - "privilege": "DescribeQuerySuggestionsBlockList", + "description": "Grants permission to get resource log level", + "privilege": "GetResourceLogLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "query-suggestions-block-list*" + "resource_type": "WirelessGateway" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the query suggestions configuration for an index", - "privilege": "DescribeQuerySuggestionsConfig", + "description": "Grants permission to retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format", + "privilege": "GetServiceEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a Thesaurus", - "privilege": "DescribeThesaurus", + "description": "Grants permission to get the ServiceProfile", + "privilege": "GetServiceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, + "resource_type": "ServiceProfile*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the WirelessDevice", + "privilege": "GetWirelessDevice", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus*" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Read", - "description": "Grants permission to get suggestions for a query prefix", - "privilege": "GetQuerySuggestions", + "description": "Grants permission to get statistics info for a given WirelessDevice", + "privilege": "GetWirelessDeviceStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessDevice*" } ] }, { - "access_level": "List", - "description": "Grants permission to get Data Source sync job history", - "privilege": "ListDataSourceSyncJobs", + "access_level": "Read", + "description": "Grants permission to get the WirelessGateway", + "privilege": "GetWirelessGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the IoT Core Identity certificate id associated with the WirelessGateway", + "privilege": "GetWirelessGatewayCertificate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the data sources", - "privilege": "ListDataSources", + "access_level": "Read", + "description": "Grants permission to get Current firmware version and other information for the WirelessGateway", + "privilege": "GetWirelessGatewayFirmwareInformation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the Faqs", - "privilege": "ListFaqs", + "access_level": "Read", + "description": "Grants permission to get statistics info for a given WirelessGateway", + "privilege": "GetWirelessGatewayStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to list groups that are older than an ordering id", - "privilege": "ListGroupsOlderThanOrderingId", + "access_level": "Read", + "description": "Grants permission to get the task for a given WirelessGateway", + "privilege": "GetWirelessGatewayTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the given WirelessGateway task definition", + "privilege": "GetWirelessGatewayTaskDefinition", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "WirelessGatewayTaskDefinition*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the indexes", - "privilege": "ListIndices", + "access_level": "Read", + "description": "Grants permission to list information of available Destinations based on the AWS account", + "privilege": "ListDestinations", "resource_types": [ { "condition_keys": [], @@ -105013,785 +119331,851 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the QuerySuggestions BlockLists", - "privilege": "ListQuerySuggestionsBlockLists", + "access_level": "Read", + "description": "Grants permission to list information of available DeviceProfiles based on the AWS account", + "privilege": "ListDeviceProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to list information of available event configurations based on the AWS account", + "privilege": "ListEventConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "faq" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "query-suggestions-block-list" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thesaurus" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the Thesauri", - "privilege": "ListThesauri", + "access_level": "Read", + "description": "Grants permission to list information of available FuotaTasks based on the AWS account", + "privilege": "ListFuotaTasks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to put principal mapping in index", - "privilege": "PutPrincipalMapping", + "access_level": "Read", + "description": "Grants permission to list information of available MulticastGroups based on the AWS account", + "privilege": "ListMulticastGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to query documents and faqs", - "privilege": "Query", + "description": "Grants permission to list information of available MulticastGroups by FuotaTask based on the AWS account", + "privilege": "ListMulticastGroupsByFuotaTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "FuotaTask*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start Data Source sync job", - "privilege": "StartDataSourceSyncJob", + "access_level": "Read", + "description": "Grants permission to list information of available NetworkAnalyzerConfigurations based on the AWS account", + "privilege": "ListNetworkAnalyzerConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the available partner accounts", + "privilege": "ListPartnerAccounts", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop Data Source sync job", - "privilege": "StopDataSourceSyncJob", + "access_level": "Read", + "description": "Grants permission to list information of available position configurations based on the AWS account", + "privilege": "ListPositionConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the Queued Messages", + "privilege": "ListQueuedMessages", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to send feedback about a query results", - "privilege": "SubmitFeedback", + "access_level": "Read", + "description": "Grants permission to list information of available ServiceProfiles based on the AWS account", + "privilege": "ListServiceProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a resource with given key value pairs", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to list all tags for a given resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "Destination" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq" + "resource_type": "DeviceProfile" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index" + "resource_type": "FuotaTask" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "query-suggestions-block-list" + "resource_type": "MulticastGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus" + "resource_type": "NetworkAnalyzerConfiguration" }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove the tag with the given key from a resource", - "privilege": "UntagResource", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "ServiceProfile" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq" + "resource_type": "SidewalkAccount" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "query-suggestions-block-list" + "resource_type": "WirelessGateway" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus" - }, + "resource_type": "WirelessGatewayTaskDefinition" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list information of available WirelessDevices based on the AWS account", + "privilege": "ListWirelessDevices", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a data source", - "privilege": "UpdateDataSource", + "access_level": "Read", + "description": "Grants permission to list information of available WirelessGateway task definitions based on the AWS account", + "privilege": "ListWirelessGatewayTaskDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list information of available WirelessGateways based on the AWS account", + "privilege": "ListWirelessGateways", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an Index", - "privilege": "UpdateIndex", + "description": "Grants permission to put position configuration for a given resource", + "privilege": "PutPositionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" } ] }, { "access_level": "Write", - "description": "Grants permission to update a QuerySuggestions BlockList", - "privilege": "UpdateQuerySuggestionsBlockList", + "description": "Grants permission to put resource log level", + "privilege": "PutResourceLogLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "query-suggestions-block-list*" + "resource_type": "WirelessGateway" } ] }, { "access_level": "Write", - "description": "Grants permission to update the query suggestions configuration for an index", - "privilege": "UpdateQuerySuggestionsConfig", + "description": "Grants permission to reset all resource log levels", + "privilege": "ResetAllResourceLogLevels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a thesaurus", - "privilege": "UpdateThesaurus", + "description": "Grants permission to reset resource log level", + "privilege": "ResetResourceLogLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus*" + "resource_type": "WirelessGateway" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "index" - }, - { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/data-source/${DataSourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "data-source" - }, - { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/faq/${FaqId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "faq" - }, - { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/thesaurus/${ThesaurusId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "thesaurus" }, { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/query-suggestions-block-list/${QuerySuggestionsBlockListId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "query-suggestions-block-list" - } - ], - "service_name": "Amazon Kendra" - }, - { - "conditions": [], - "prefix": "kinesis", - "privileges": [ - { - "access_level": "Tagging", - "description": "Adds or updates tags for the specified Amazon Kinesis stream. Each stream can have up to 10 tags.", - "privilege": "AddTagsToStream", + "access_level": "Write", + "description": "Grants permission to send data to the MulticastGroup", + "privilege": "SendDataToMulticastGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "MulticastGroup*" } ] }, { "access_level": "Write", - "description": "Creates a Amazon Kinesis stream.", - "privilege": "CreateStream", + "description": "Grants permission to send the decrypted application data frame to the target device", + "privilege": "SendDataToWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Decreases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.", - "privilege": "DecreaseStreamRetentionPeriod", + "description": "Grants permission to associate the WirelessDevices with MulticastGroup", + "privilege": "StartBulkAssociateWirelessDeviceWithMulticastGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "MulticastGroup*" } ] }, { "access_level": "Write", - "description": "Deletes a stream and all its shards and data.", - "privilege": "DeleteStream", + "description": "Grants permission to bulk disassociate the WirelessDevices from MulticastGroup", + "privilege": "StartBulkDisassociateWirelessDeviceFromMulticastGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "MulticastGroup*" } ] }, { "access_level": "Write", - "description": "Deregisters a stream consumer with a Kinesis data stream.", - "privilege": "DeregisterStreamConsumer", + "description": "Grants permission to start the FuotaTask", + "privilege": "StartFuotaTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "FuotaTask*" } ] }, { - "access_level": "Read", - "description": "Describes the shard limits and usage for the account.", - "privilege": "DescribeLimits", + "access_level": "Write", + "description": "Grants permission to start the MulticastGroup session", + "privilege": "StartMulticastGroupSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "MulticastGroup*" } ] }, { - "access_level": "Read", - "description": "Describes the specified stream.", - "privilege": "DescribeStream", + "access_level": "Write", + "description": "Grants permission to start NetworkAnalyzer stream", + "privilege": "StartNetworkAnalyzerStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "NetworkAnalyzerConfiguration*" } ] }, { - "access_level": "Read", - "description": "Gets the description of a registered stream consumer.", - "privilege": "DescribeStreamConsumer", + "access_level": "Tagging", + "description": "Grants permission to tag a given resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" + "resource_type": "Destination" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - } - ] - }, - { - "access_level": "Read", - "description": "Provides a summarized description of the specified Kinesis data stream without the shard list.", - "privilege": "DescribeStreamSummary", - "resource_types": [ + "resource_type": "DeviceProfile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - } - ] - }, - { - "access_level": "Write", - "description": "Disables enhanced monitoring.", - "privilege": "DisableEnhancedMonitoring", - "resource_types": [ + "resource_type": "FuotaTask" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MulticastGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "NetworkAnalyzerConfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SidewalkAccount" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "WirelessGatewayTaskDefinition" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "API_EnableEnhancedMonitoring.html", - "privilege": "EnableEnhancedMonitoring", + "description": "Grants permission to simulate a provisioned device to send an uplink data with payload of 'Hello'", + "privilege": "TestWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessDevice*" } ] }, { - "access_level": "Read", - "description": "Gets data records from a shard.", - "privilege": "GetRecords", + "access_level": "Tagging", + "description": "Grants permission to remove the given tags from the resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - } - ] - }, - { - "access_level": "Read", - "description": "Gets a shard iterator. A shard iterator expires five minutes after it is returned to the requester.", - "privilege": "GetShardIterator", - "resource_types": [ + "resource_type": "Destination" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - } - ] - }, - { - "access_level": "Write", - "description": "Increases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.", - "privilege": "IncreaseStreamRetentionPeriod", - "resource_types": [ + "resource_type": "DeviceProfile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - } - ] - }, - { - "access_level": "List", - "description": "Lists the shards in a stream and provides information about each shard.", - "privilege": "ListShards", - "resource_types": [ + "resource_type": "FuotaTask" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists the stream consumers registered to receive data from a Kinesis stream using enhanced fan-out, and provides information about each consumer.", - "privilege": "ListStreamConsumers", - "resource_types": [ + "resource_type": "MulticastGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "NetworkAnalyzerConfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SidewalkAccount" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "WirelessGatewayTaskDefinition" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists your streams.", - "privilege": "ListStreams", + "access_level": "Write", + "description": "Grants permission to update a Destination resource", + "privilege": "UpdateDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Destination*" } ] }, { - "access_level": "Read", - "description": "Lists the tags for the specified Amazon Kinesis stream.", - "privilege": "ListTagsForStream", + "access_level": "Write", + "description": "Grants permission to update event configuration by resource types", + "privilege": "UpdateEventConfigurationByResourceTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Merges two adjacent shards in a stream and combines them into a single shard to reduce the stream's capacity to ingest and transport data.", - "privilege": "MergeShards", + "description": "Grants permission to update the FuotaTask", + "privilege": "UpdateFuotaTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "FuotaTask*" } ] }, { "access_level": "Write", - "description": "Writes a single data record from a producer into an Amazon Kinesis stream.", - "privilege": "PutRecord", + "description": "Grants permission to update log levels by resource types", + "privilege": "UpdateLogLevelsByResourceTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Writes multiple data records from a producer into an Amazon Kinesis stream in a single call (also referred to as a PutRecords request).", - "privilege": "PutRecords", + "description": "Grants permission to update the MulticastGroup", + "privilege": "UpdateMulticastGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "MulticastGroup*" } ] }, { "access_level": "Write", - "description": "Registers a stream consumer with a Kinesis data stream.", - "privilege": "RegisterStreamConsumer", + "description": "Grants permission to update the NetworkAnalyzerConfiguration", + "privilege": "UpdateNetworkAnalyzerConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" + "resource_type": "NetworkAnalyzerConfiguration*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Description for SplitShard", - "privilege": "RemoveTagsFromStream", - "resource_types": [ + "resource_type": "WirelessDevice*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "WirelessGateway*" } ] }, { "access_level": "Write", - "description": "Description for SplitShard", - "privilege": "SplitShard", + "description": "Grants permission to update a partner account", + "privilege": "UpdatePartnerAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "SidewalkAccount*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable or update server-side encryption using an AWS KMS key for a specified stream.", - "privilege": "StartStreamEncryption", + "description": "Grants permission to update position for a given resource", + "privilege": "UpdatePosition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "kmsKey*" + "resource_type": "WirelessDevice" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "WirelessGateway" } ] }, { "access_level": "Write", - "description": "Grants permission to disable server-side encryption for a specified stream.", - "privilege": "StopStreamEncryption", + "description": "Grants permission to update an event configuration for an identifier", + "privilege": "UpdateResourceEventConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "kmsKey*" + "resource_type": "SidewalkAccount" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "WirelessDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" } ] }, { - "access_level": "Read", - "description": "Listening to a specific shard with enhanced fan-out.", - "privilege": "SubscribeToShard", + "access_level": "Write", + "description": "Grants permission to update a WirelessDevice resource", + "privilege": "UpdateWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Updates the shard count of the specified stream to the specified number of shards.", - "privilege": "UpdateShardCount", + "description": "Grants permission to update a WirelessGateway resource", + "privilege": "UpdateWirelessGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:kinesis:${Region}:${Account}:stream/${StreamName}", - "condition_keys": [], - "resource": "stream" + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "WirelessDevice" }, { - "arn": "arn:${Partition}:kinesis:${Region}:${Account}:${StreamType}/${StreamName}/consumer/${ConsumerName}:${ConsumerCreationTimpstamp}", + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "WirelessGateway" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "DeviceProfile" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ServiceProfile" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Destination" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:SidewalkAccount/${SidewalkAccountId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "SidewalkAccount" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGatewayTaskDefinition/${WirelessGatewayTaskDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "WirelessGatewayTaskDefinition" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:FuotaTask/${FuotaTaskId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "FuotaTask" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:MulticastGroup/${MulticastGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "MulticastGroup" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:NetworkAnalyzerConfiguration/${NetworkAnalyzerConfigurationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "NetworkAnalyzerConfiguration" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", "condition_keys": [], - "resource": "consumer" + "resource": "thing" }, { - "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", + "arn": "arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}", "condition_keys": [], - "resource": "kmsKey" + "resource": "cert" } ], - "service_name": "Amazon Kinesis" + "service_name": "AWS IoT Core for LoRaWAN" + }, + { + "conditions": [], + "prefix": "iq", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to submit new project requests", + "privilege": "CreateProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS IQ" + }, + { + "conditions": [], + "prefix": "iq-permission", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to approve an access grant", + "privilege": "ApproveAccessGrant", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS IQ Permissions" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access by the tags associated with the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tag keys in the request", + "description": "Filters access by the tag keys that are passed in the request", "type": "String" } ], - "prefix": "kinesisanalytics", + "prefix": "ivs", "privileges": [ { - "access_level": "Write", - "description": "Adds input to the application.", - "privilege": "AddApplicationInput", + "access_level": "Read", + "description": "Grants permission to get multiple channels simultaneously by channel ARN", + "privilege": "BatchGetChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Adds output to the application.", - "privilege": "AddApplicationOutput", + "access_level": "Read", + "description": "Grants permission to get multiple stream keys simultaneously by stream key ARN", + "privilege": "BatchGetStreamKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stream-Key*" } ] }, { "access_level": "Write", - "description": "Adds reference data source to the application.", - "privilege": "AddApplicationReferenceDataSource", + "description": "Grants permission to create a new channel and an associated stream key", + "privilege": "CreateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Creates an application.", - "privilege": "CreateApplication", - "resource_types": [ + "resource_type": "Channel*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stream-Key*" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -105800,157 +120184,183 @@ }, { "access_level": "Write", - "description": "Deletes the application.", - "privilege": "DeleteApplication", + "description": "Grants permission to create a a new recording configuration", + "privilege": "CreateRecordingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Recording-Configuration*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the specified output of the application.", - "privilege": "DeleteApplicationOutput", + "description": "Grants permission to create a stream key", + "privilege": "CreateStreamKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] + "resource_type": "Stream-Key*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { "access_level": "Write", - "description": "Deletes the specified reference data source of the application.", - "privilege": "DeleteApplicationReferenceDataSource", + "description": "Grants permission to delete a channel and channel's stream keys", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stream-Key*" } ] }, { - "access_level": "Read", - "description": "Describes the specified application.", - "privilege": "DescribeApplication", + "access_level": "Write", + "description": "Grants permission to delete the playback key pair for a specified ARN", + "privilege": "DeletePlaybackKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Playback-Key-Pair*" } ] }, { - "access_level": "Read", - "description": "Discovers the input schema for the application.", - "privilege": "DiscoverInputSchema", + "access_level": "Write", + "description": "Grants permission to delete a recording configuration for the specified ARN", + "privilege": "DeleteRecordingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Recording-Configuration*" } ] }, { - "access_level": "Read", - "description": "Grant permission to Kinesis Data Analytics console to display stream results for Kinesis Data Analytics SQL runtime applications.", - "privilege": "GetApplicationState", + "access_level": "Write", + "description": "Grants permission to delete the stream key for a specified ARN", + "privilege": "DeleteStreamKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stream-Key*" } ] }, { - "access_level": "List", - "description": "List applications for the account", - "privilege": "ListApplications", + "access_level": "Read", + "description": "Grants permission to get the channel configuration for a specified channel ARN", + "privilege": "GetChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Channel*" } ] }, { "access_level": "Read", - "description": "Fetch the tags associated with the application.", - "privilege": "ListTagsForResource", + "description": "Grants permission to get the playback keypair information for a specified ARN", + "privilege": "GetPlaybackKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Playback-Key-Pair*" } ] }, { - "access_level": "Write", - "description": "Starts the application.", - "privilege": "StartApplication", + "access_level": "Read", + "description": "Grants permission to get the recording configuration for the specified ARN", + "privilege": "GetRecordingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Recording-Configuration*" } ] }, { - "access_level": "Write", - "description": "Stops the application.", - "privilege": "StopApplication", + "access_level": "Read", + "description": "Grants permission to get information about the active (live) stream on a specified channel", + "privilege": "GetStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] }, { - "access_level": "Tagging", - "description": "Add tags to the application.", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to get stream-key information for a specified ARN", + "privilege": "GetStreamKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - }, + "resource_type": "Stream-Key*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about the stream session on a specified channel", + "privilege": "GetStreamSession", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Channel*" } ] }, { - "access_level": "Tagging", - "description": "Remove the specified tags from the application.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to import the public key", + "privilege": "ImportPlaybackKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Playback-Key-Pair*" }, { "condition_keys": [ - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -105958,130 +120368,111 @@ ] }, { - "access_level": "Write", - "description": "Updates the application.", - "privilege": "UpdateApplication", + "access_level": "List", + "description": "Grants permission to get summary information about channels", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "application" - } - ], - "service_name": "Amazon Kinesis Analytics" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tag keys in the request", - "type": "String" - } - ], - "prefix": "kinesisanalytics", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to add cloudwatch logging option to the application", - "privilege": "AddApplicationCloudWatchLoggingOption", + "access_level": "List", + "description": "Grants permission to get summary information about playback key pairs", + "privilege": "ListPlaybackKeyPairs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Playback-Key-Pair*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add input to the application", - "privilege": "AddApplicationInput", + "access_level": "List", + "description": "Grants permission to get summary information about recording configurations", + "privilege": "ListRecordingConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Recording-Configuration*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add input processing configuration to the application", - "privilege": "AddApplicationInputProcessingConfiguration", + "access_level": "List", + "description": "Grants permission to get summary information about stream keys", + "privilege": "ListStreamKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add output to the application", - "privilege": "AddApplicationOutput", - "resource_types": [ + "resource_type": "Channel*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stream-Key*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add reference data source to the application", - "privilege": "AddApplicationReferenceDataSource", + "access_level": "List", + "description": "Grants permission to get summary information about streams sessions on a specified channel", + "privilege": "ListStreamSessions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add VPC configuration to the application", - "privilege": "AddApplicationVpcConfiguration", + "access_level": "List", + "description": "Grants permission to get summary information about live streams", + "privilege": "ListStreams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an application", - "privilege": "CreateApplication", + "access_level": "Read", + "description": "Grants permission to get information about the tags for a specified ARN", + "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Playback-Key-Pair" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recording-Configuration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stream-Key" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -106089,259 +120480,309 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to create and return a URL that you can use to connect to an application's extension", - "privilege": "CreateApplicationPresignedUrl", + "access_level": "Write", + "description": "Grants permission to insert metadata into an RTMP stream for a specified channel", + "privilege": "PutMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a snapshot for an application", - "privilege": "CreateApplicationSnapshot", + "description": "Grants permission to disconnect a streamer on a specified channel", + "privilege": "StopStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the application", - "privilege": "DeleteApplication", + "access_level": "Tagging", + "description": "Grants permission to add or update tags for a resource with a specified ARN", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified cloudwatch logging option of the application", - "privilege": "DeleteApplicationCloudWatchLoggingOption", - "resource_types": [ + "resource_type": "Channel" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified input processing configuration of the application", - "privilege": "DeleteApplicationInputProcessingConfiguration", - "resource_types": [ + "resource_type": "Playback-Key-Pair" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified output of the application", - "privilege": "DeleteApplicationOutput", - "resource_types": [ + "resource_type": "Recording-Configuration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stream-Key" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the specified reference data source of the application", - "privilege": "DeleteApplicationReferenceDataSource", + "access_level": "Tagging", + "description": "Grants permission to remove tags for a resource with a specified ARN", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a snapshot for an application", - "privilege": "DeleteApplicationSnapshot", - "resource_types": [ + "resource_type": "Channel" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified VPC configuration of the application", - "privilege": "DeleteApplicationVpcConfiguration", - "resource_types": [ + "resource_type": "Playback-Key-Pair" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe the specified application", - "privilege": "DescribeApplication", - "resource_types": [ + "resource_type": "Recording-Configuration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stream-Key" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an application snapshot", - "privilege": "DescribeApplicationSnapshot", + "access_level": "Write", + "description": "Grants permission to update a channel's configuration", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Channel*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ivs:${Region}:${Account}:channel/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Channel" }, { - "access_level": "Read", - "description": "Grants permission to describe the application version of an application", - "privilege": "DescribeApplicationVersion", + "arn": "arn:${Partition}:ivs:${Region}:${Account}:stream-key/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Stream-Key" + }, + { + "arn": "arn:${Partition}:ivs:${Region}:${Account}:playback-key/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Playback-Key-Pair" + }, + { + "arn": "arn:${Partition}:ivs:${Region}:${Account}:recording-configuration/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Recording-Configuration" + } + ], + "service_name": "Amazon Interactive Video Service" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags associated with the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "ivschat", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an encrypted token that is used to establish an individual WebSocket connection to a room", + "privilege": "CreateChatToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to discover the input schema for the application", - "privilege": "DiscoverInputSchema", + "access_level": "Write", + "description": "Grants permission to create a room that allows clients to connect and pass messages", + "privilege": "CreateRoom", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "Room*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list the snapshots for an application", - "privilege": "ListApplicationSnapshots", + "access_level": "Write", + "description": "Grants permission to send an event to a specific room which directs clients to delete a specific message", + "privilege": "DeleteMessage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list application versions of an application", - "privilege": "ListApplicationVersions", + "access_level": "Write", + "description": "Grants permission to delete the room for a specified room ARN", + "privilege": "DeleteRoom", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room*" } ] }, { - "access_level": "List", - "description": "Grants permission to list applications for the account", - "privilege": "ListApplications", + "access_level": "Write", + "description": "Grants permission to disconnect all connections using a specified user ID from a room", + "privilege": "DisconnectUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Room*" } ] }, { "access_level": "Read", - "description": "Grants permission to fetch the tags associated with the application", - "privilege": "ListTagsForResource", + "description": "Grants permission to get the room configuration for a specified room ARN", + "privilege": "GetRoom", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room*" } ] }, { - "access_level": "Write", - "description": "Grants permission to perform rollback operation on an application", - "privilege": "RollbackApplication", + "access_level": "List", + "description": "Grants permission to get summary information about rooms", + "privilege": "ListRooms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start the application", - "privilege": "StartApplication", + "access_level": "Read", + "description": "Grants permission to get information about the tags for a specified ARN", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to stop the application", - "privilege": "StopApplication", + "description": "Grants permission to send an event to a room", + "privilege": "SendEvent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add tags to the application", + "description": "Grants permission to add or update tags for a resource with a specified ARN", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -106350,13 +120791,13 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove the specified tags from the application", + "description": "Grants permission to remove tags for a resource with a specified ARN", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room" }, { "condition_keys": [ @@ -106369,284 +120810,294 @@ }, { "access_level": "Write", - "description": "Grants permission to update the application", - "privilege": "UpdateApplication", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the maintenance configuration of an application", - "privilege": "UpdateApplicationMaintenanceConfiguration", + "description": "Grants permission to update the room configuration for a specified room ARN", + "privilege": "UpdateRoom", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Room*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", + "arn": "arn:${Partition}:ivschat::${Account}:room/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "application" + "resource": "Room" } ], - "service_name": "Amazon Kinesis Analytics V2" + "service_name": "Amazon Interactive Video Service Chat" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters requests based on the allowed set of values for each of the tags", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the stream.", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters requests based on the presence of mandatory tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], - "prefix": "kinesisvideo", + "prefix": "kafka", "privileges": [ { "access_level": "Write", - "description": "Grants permission to connect as a master to the signaling channel specified by the endpoint", - "privilege": "ConnectAsMaster", + "description": "Grants permission to associate one or more Scram Secrets with an Amazon MSK cluster", + "privilege": "BatchAssociateScramSecret", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel*" + "dependent_actions": [ + "kms:CreateGrant", + "kms:RetireGrant" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to connect as a viewer to the signaling channel specified by the endpoint", - "privilege": "ConnectAsViewer", + "description": "Grants permission to disassociate one or more Scram Secrets from an Amazon MSK cluster", + "privilege": "BatchDisassociateScramSecret", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel*" + "dependent_actions": [ + "kms:RetireGrant" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a signaling channel", - "privilege": "CreateSignalingChannel", + "description": "Grants permission to create an MSK cluster", + "privilege": "CreateCluster", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy", + "kms:CreateGrant", + "kms:DescribeKey" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a Kinesis video stream", - "privilege": "CreateStream", + "description": "Grants permission to create an MSK cluster", + "privilege": "CreateClusterV2", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "ec2:CreateTags", + "ec2:CreateVpcEndpoint", + "ec2:DeleteVpcEndpoints", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcAttribute", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeVpcs", + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy", + "kms:CreateGrant", + "kms:DescribeKey" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing signaling channel", - "privilege": "DeleteSignalingChannel", + "description": "Grants permission to create an MSK configuration", + "privilege": "CreateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing Kinesis video stream", - "privilege": "DeleteStream", + "description": "Grants permission to delete an MSK cluster", + "privilege": "DeleteCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "dependent_actions": [ + "ec2:DeleteVpcEndpoints", + "ec2:DescribeVpcAttribute", + "ec2:DescribeVpcEndpoints" + ], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the specified signaling channel", - "privilege": "DescribeSignalingChannel", + "access_level": "Write", + "description": "Grants permission to delete the specified MSK configuration", + "privilege": "DeleteConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the specified Kinesis video stream", - "privilege": "DescribeStream", + "access_level": "Read", + "description": "Grants permission to describe an MSK cluster", + "privilege": "DescribeCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a media clip from a video stream", - "privilege": "GetClip", + "description": "Grants permission to describe the cluster operation that is specified by the given ARN", + "privilege": "DescribeClusterOperation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to create a URL for MPEG-DASH video streaming", - "privilege": "GetDASHStreamingSessionURL", + "description": "Grants permission to describe an MSK cluster", + "privilege": "DescribeClusterV2", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get an endpoint for a specified stream for either reading or writing media data to Kinesis Video Streams", - "privilege": "GetDataEndpoint", + "description": "Grants permission to describe an MSK configuration", + "privilege": "DescribeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "configuration*" } ] }, { "access_level": "Read", - "description": "Grants permission to create a URL for HLS video streaming", - "privilege": "GetHLSStreamingSessionURL", + "description": "Grants permission to describe an MSK configuration revision", + "privilege": "DescribeConfigurationRevision", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "configuration*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the ICE server configuration", - "privilege": "GetIceServerConfig", + "description": "Grants permission to get connection details for the brokers in an MSK cluster", + "privilege": "GetBootstrapBrokers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to return media content of a Kinesis video stream", - "privilege": "GetMedia", + "access_level": "List", + "description": "Grants permission to get a list of the Apache Kafka versions to which you can update an MSK cluster", + "privilege": "GetCompatibleKafkaVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to read and return media data only from persisted storage", - "privilege": "GetMediaForFragmentList", + "access_level": "List", + "description": "Grants permission to return a list of all the operations that have been performed on the specified MSK cluster", + "privilege": "ListClusterOperations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get endpoints for a specified combination of protocol and role for a signaling channel", - "privilege": "GetSignalingChannelEndpoint", + "access_level": "List", + "description": "Grants permission to list all MSK clusters in this account", + "privilege": "ListClusters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the fragments from archival storage based on the pagination token or selector type with range specified", - "privilege": "ListFragments", + "description": "Grants permission to list all MSK clusters in this account", + "privilege": "ListClustersV2", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list your signaling channels", - "privilege": "ListSignalingChannels", + "description": "Grants permission to list all revisions for an MSK configuration in this account", + "privilege": "ListConfigurationRevisions", "resource_types": [ { "condition_keys": [], @@ -106657,8 +121108,8 @@ }, { "access_level": "List", - "description": "Grants permission to list your Kinesis video streams", - "privilege": "ListStreams", + "description": "Grants permission to list all MSK configurations in this account", + "privilege": "ListConfigurations", "resource_types": [ { "condition_keys": [], @@ -106668,72 +121119,74 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to fetch the tags associated with your resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to list all Apache Kafka versions supported by Amazon MSK", + "privilege": "ListKafkaVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list brokers in an MSK cluster", + "privilege": "ListNodes", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to fetch the tags associated with Kinesis video stream", - "privilege": "ListTagsForStream", + "access_level": "List", + "description": "Grants permission to list the Scram Secrets associated with an Amazon MSK cluster", + "privilege": "ListScramSecrets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to send media data to a Kinesis video stream", - "privilege": "PutMedia", + "access_level": "Read", + "description": "Grants permission to list tags of an MSK resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "cluster" } ] }, { "access_level": "Write", - "description": "Grants permission to send the Alexa SDP offer to the master", - "privilege": "SendAlexaOfferToMaster", + "description": "Grants permission to reboot broker", + "privilege": "RebootBroker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to attach set of tags to your resource", + "description": "Grants permission to tag an MSK resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream" + "resource_type": "cluster" }, { "condition_keys": [ @@ -106747,17 +121200,16 @@ }, { "access_level": "Tagging", - "description": "Grants permission to attach set of tags to your Kinesis video streams", - "privilege": "TagStream", + "description": "Grants permission to remove tags from an MSK resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "cluster" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -106766,43 +121218,60 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from your resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to update the number of brokers of the MSK cluster", + "privilege": "UpdateBrokerCount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the storage size of the brokers of the MSK cluster", + "privilege": "UpdateBrokerStorage", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the broker type of an Amazon MSK cluster", + "privilege": "UpdateBrokerType", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from your Kinesis video streams", - "privilege": "UntagStream", + "access_level": "Write", + "description": "Grants permission to update the configuration of the MSK cluster", + "privilege": "UpdateClusterConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the MSK cluster to the specified Apache Kafka version", + "privilege": "UpdateClusterKafkaVersion", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -106810,781 +121279,542 @@ }, { "access_level": "Write", - "description": "Grants permission to update the data retention period of your Kinesis video stream", - "privilege": "UpdateDataRetention", + "description": "Grants permission to create a new revision of the MSK configuration", + "privilege": "UpdateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing signaling channel", - "privilege": "UpdateSignalingChannel", + "description": "Grants permission to update the connectivity settings for the MSK cluster", + "privilege": "UpdateConnectivity", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel*" + "dependent_actions": [ + "ec2:DescribeRouteTables", + "ec2:DescribeSubnets" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing Kinesis video stream", - "privilege": "UpdateStream", + "description": "Grants permission to update the monitoring settings for the MSK cluster", + "privilege": "UpdateMonitoring", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the security settings for the MSK cluster", + "privilege": "UpdateSecurity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "kms:RetireGrant" + ], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:stream/${StreamName}/${CreationTime}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "stream" - }, - { - "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:channel/${ChannelName}/${CreationTime}", + "arn": "arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${Uuid}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "channel" - } - ], - "service_name": "Amazon Kinesis Video Streams" - }, - { - "conditions": [ - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key", - "type": "String" - }, - { - "condition": "kms:BypassPolicyLockoutSafetyCheck", - "description": "Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request", - "type": "Bool" - }, - { - "condition": "kms:CallerAccount", - "description": "Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement", - "type": "String" - }, - { - "condition": "kms:CustomerMasterKeySpec", - "description": "The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key.", - "type": "String" - }, - { - "condition": "kms:CustomerMasterKeyUsage", - "description": "The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key.", - "type": "String" - }, - { - "condition": "kms:DataKeyPairSpec", - "description": "Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request", - "type": "String" - }, - { - "condition": "kms:EncryptionAlgorithm", - "description": "Filters access to encryption operations based on the value of the encryption algorithm in the request", - "type": "String" - }, - { - "condition": "kms:EncryptionContextKeys", - "description": "Filters access based on the presence of specified keys in the encryption context. The encryption context is an optional element in a cryptographic operation", - "type": "ArrayOfString" - }, - { - "condition": "kms:ExpirationModel", - "description": "Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request", - "type": "String" - }, - { - "condition": "kms:GrantConstraintType", - "description": "Filters access to the CreateGrant operation based on the grant constraint in the request", - "type": "String" - }, - { - "condition": "kms:GrantIsForAWSResource", - "description": "Filters access to the CreateGrant operation when the request comes from a specified AWS service", - "type": "Bool" - }, - { - "condition": "kms:GrantOperations", - "description": "Filters access to the CreateGrant operation based on the operations in the grant", - "type": "ArrayOfString" - }, - { - "condition": "kms:GranteePrincipal", - "description": "Filters access to the CreateGrant operation based on the grantee principal in the grant", - "type": "String" - }, - { - "condition": "kms:KeyOrigin", - "description": "Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key", - "type": "String" - }, - { - "condition": "kms:KeySpec", - "description": "Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", - "type": "String" - }, - { - "condition": "kms:KeyUsage", - "description": "Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", - "type": "String" - }, - { - "condition": "kms:MessageType", - "description": "Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request", - "type": "String" - }, - { - "condition": "kms:MultiRegion", - "description": "Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", - "type": "Bool" - }, - { - "condition": "kms:MultiRegionKeyType", - "description": "Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", - "type": "String" - }, - { - "condition": "kms:PrimaryRegion", - "description": "Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request", - "type": "String" - }, - { - "condition": "kms:ReEncryptOnSameKey", - "description": "Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation", - "type": "Bool" - }, - { - "condition": "kms:ReplicaRegion", - "description": "Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request", - "type": "String" - }, - { - "condition": "kms:RequestAlias", - "description": "Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request", - "type": "String" - }, - { - "condition": "kms:ResourceAliases", - "description": "Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key", - "type": "ArrayOfString" - }, - { - "condition": "kms:RetiringPrincipal", - "description": "Filters access to the CreateGrant operation based on the retiring principal in the grant", - "type": "String" + "resource": "cluster" }, { - "condition": "kms:SigningAlgorithm", - "description": "Filters access to the Sign and Verify operations based on the signing algorithm in the request", - "type": "String" + "arn": "arn:${Partition}:kafka:${Region}:${Account}:configuration/${ConfigurationName}/${Uuid}", + "condition_keys": [], + "resource": "configuration" }, { - "condition": "kms:ValidTo", - "description": "Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date", - "type": "Date" + "arn": "arn:${Partition}:kafka:${Region}:${Account}:topic/${ClusterName}/${ClusterUuid}/${TopicName}", + "condition_keys": [], + "resource": "topic" }, { - "condition": "kms:ViaService", - "description": "Filters access when a request made on the principal's behalf comes from a specified AWS service", - "type": "String" + "arn": "arn:${Partition}:kafka:${Region}:${Account}:group/${ClusterName}/${ClusterUuid}/${GroupName}", + "condition_keys": [], + "resource": "group" }, { - "condition": "kms:WrappingAlgorithm", - "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request", - "type": "String" - }, + "arn": "arn:${Partition}:kafka:${Region}:${Account}:transactional-id/${ClusterName}/${ClusterUuid}/${TransactionalId}", + "condition_keys": [], + "resource": "transactional-id" + } + ], + "service_name": "Amazon Managed Streaming for Apache Kafka" + }, + { + "conditions": [ { - "condition": "kms:WrappingKeySpec", - "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource. The resource tag context key will only apply to the cluster resource, not topics, groups and transactional IDs", "type": "String" } ], - "prefix": "kms", + "prefix": "kafka-cluster", "privileges": [ { "access_level": "Write", - "description": "Controls permission to cancel the scheduled deletion of an AWS KMS key", - "privilege": "CancelKeyDeletion", + "description": "Grants permission to alter various aspects of the cluster, equivalent to Apache Kafka's ALTER CLUSTER ACL", + "privilege": "AlterCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeCluster" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster", - "privilege": "ConnectCustomKeyStore", + "description": "Grants permission to alter the dynamic configuration of a cluster, equivalent to Apache Kafka's ALTER_CONFIGS CLUSTER ACL", + "privilege": "AlterClusterDynamicConfiguration", "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount" + "condition_keys": [], + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeClusterDynamicConfiguration" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Controls permission to create an alias for an AWS KMS key. Aliases are optional friendly names that you can associate with KMS keys", - "privilege": "CreateAlias", + "description": "Grants permission to join groups on a cluster, equivalent to Apache Kafka's READ GROUP ACL", + "privilege": "AlterGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "alias*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeGroup" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage", - "privilege": "CreateCustomKeyStore", + "description": "Grants permission to alter topics on a cluster, equivalent to Apache Kafka's ALTER TOPIC ACL", + "privilege": "AlterTopic", "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount" - ], + "condition_keys": [], "dependent_actions": [ - "cloudhsm:DescribeClusters", - "iam:CreateServiceLinkedRole" + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" ], - "resource_type": "" + "resource_type": "topic*" } ] }, { - "access_level": "Permissions management", - "description": "Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy", - "privilege": "CreateGrant", + "access_level": "Write", + "description": "Grants permission to alter the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's ALTER_CONFIGS TOPIC ACL", + "privilege": "AlterTopicDynamicConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:GrantConstraintType", - "kms:GrantIsForAWSResource", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopicDynamicConfiguration" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Controls permission to create an AWS KMS key that can be used to protect data keys and other sensitive information", - "privilege": "CreateKey", + "description": "Grants permission to alter transactional IDs on a cluster, equivalent to Apache Kafka's WRITE TRANSACTIONAL_ID ACL", + "privilege": "AlterTransactionalId", "resource_types": [ { - "condition_keys": [ - "kms:BypassPolicyLockoutSafetyCheck", - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [ - "iam:CreateServiceLinkedRole", - "kms:PutKeyPolicy", - "kms:TagResource" + "kafka-cluster:Connect", + "kafka-cluster:DescribeTransactionalId", + "kafka-cluster:WriteData" ], - "resource_type": "" + "resource_type": "transactional-id*" } ] }, { "access_level": "Write", - "description": "Controls permission to decrypt ciphertext that was encrypted under an AWS KMS key", - "privilege": "Decrypt", + "description": "Grants permission to connect and authenticate to the cluster", + "privilege": "Connect", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:RequestAlias", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Controls permission to delete an alias. Aliases are optional friendly names that you can associate with AWS KMS keys", - "privilege": "DeleteAlias", + "description": "Grants permission to create topics on a cluster, equivalent to Apache Kafka's CREATE CLUSTER/TOPIC ACL", + "privilege": "CreateTopic", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "alias*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Controls permission to delete a custom key store", - "privilege": "DeleteCustomKeyStore", + "description": "Grants permission to delete groups on a cluster, equivalent to Apache Kafka's DELETE GROUP ACL", + "privilege": "DeleteGroup", "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount" + "condition_keys": [], + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeGroup" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Controls permission to delete cryptographic material that you imported into an AWS KMS key. This action makes the key unusable", - "privilege": "DeleteImportedKeyMaterial", + "description": "Grants permission to delete topics on a cluster, equivalent to Apache Kafka's DELETE TOPIC ACL", + "privilege": "DeleteTopic", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { - "access_level": "Read", - "description": "Controls permission to view detailed information about custom key stores in the account and region", - "privilege": "DescribeCustomKeyStores", + "access_level": "List", + "description": "Grants permission to describe various aspects of the cluster, equivalent to Apache Kafka's DESCRIBE CLUSTER ACL", + "privilege": "DescribeCluster", "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount" + "condition_keys": [], + "dependent_actions": [ + "kafka-cluster:Connect" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { - "access_level": "Read", - "description": "Controls permission to view detailed information about an AWS KMS key", - "privilege": "DescribeKey", + "access_level": "List", + "description": "Grants permission to describe the dynamic configuration of a cluster, equivalent to Apache Kafka's DESCRIBE_CONFIGS CLUSTER ACL", + "privilege": "DescribeClusterDynamicConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:RequestAlias", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { - "access_level": "Write", - "description": "Controls permission to disable an AWS KMS key, which prevents it from being used in cryptographic operations", - "privilege": "DisableKey", + "access_level": "List", + "description": "Grants permission to describe groups on a cluster, equivalent to Apache Kafka's DESCRIBE GROUP ACL", + "privilege": "DescribeGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "group*" } ] }, { - "access_level": "Write", - "description": "Controls permission to disable automatic rotation of a customer managed AWS KMS key", - "privilege": "DisableKeyRotation", + "access_level": "List", + "description": "Grants permission to describe topics on a cluster, equivalent to Apache Kafka's DESCRIBE TOPIC ACL", + "privilege": "DescribeTopic", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { - "access_level": "Write", - "description": "Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster", - "privilege": "DisconnectCustomKeyStore", + "access_level": "List", + "description": "Grants permission to describe the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's DESCRIBE_CONFIGS TOPIC ACL", + "privilege": "DescribeTopicDynamicConfiguration", "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount" + "condition_keys": [], + "dependent_actions": [ + "kafka-cluster:Connect" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { - "access_level": "Write", - "description": "Controls permission to change the state of an AWS KMS key to enabled. This allows the KMS key to be used in cryptographic operations", - "privilege": "EnableKey", + "access_level": "List", + "description": "Grants permission to describe transactional IDs on a cluster, equivalent to Apache Kafka's DESCRIBE TRANSACTIONAL_ID ACL", + "privilege": "DescribeTransactionalId", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "transactional-id*" } ] }, { - "access_level": "Write", - "description": "Controls permission to enable automatic rotation of the cryptographic material in an AWS KMS key", - "privilege": "EnableKeyRotation", + "access_level": "Read", + "description": "Grants permission to read data from topics on a cluster, equivalent to Apache Kafka's READ TOPIC ACL", + "privilege": "ReadData", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:AlterGroup", + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Controls permission to use the specified AWS KMS key to encrypt data and data keys", - "privilege": "Encrypt", + "description": "Grants permission to write data to topics on a cluster, equivalent to Apache Kafka's WRITE TOPIC ACL", + "privilege": "WriteData", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:RequestAlias", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Controls permission to use the AWS KMS key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS", - "privilege": "GenerateDataKey", + "description": "Grants permission to write data idempotently on a cluster, equivalent to Apache Kafka's IDEMPOTENT_WRITE CLUSTER ACL", + "privilege": "WriteDataIdempotently", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:RequestAlias", - "kms:ViaService" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:WriteData" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${ClusterUuid}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + }, + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:topic/${ClusterName}/${ClusterUuid}/${TopicName}", + "condition_keys": [], + "resource": "topic" }, + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:group/${ClusterName}/${ClusterUuid}/${GroupName}", + "condition_keys": [], + "resource": "group" + }, + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:transactional-id/${ClusterName}/${ClusterUuid}/${TransactionalId}", + "condition_keys": [], + "resource": "transactional-id" + } + ], + "service_name": "Apache Kafka APIs for Amazon MSK clusters" + }, + { + "conditions": [], + "prefix": "kafkaconnect", + "privileges": [ { "access_level": "Write", - "description": "Controls permission to use the AWS KMS key to generate data key pairs", - "privilege": "GenerateDataKeyPair", + "description": "Grants permission to create an MSK Connect connector", + "privilege": "CreateConnector", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:DataKeyPairSpec", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:RequestAlias", - "kms:ViaService" + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "firehose:TagDeliveryStream", + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PassRole", + "iam:PutRolePolicy", + "logs:CreateLogDelivery", + "logs:DescribeLogGroups", + "logs:DescribeResourcePolicies", + "logs:GetLogDelivery", + "logs:ListLogDeliveries", + "logs:PutResourcePolicy", + "s3:GetBucketPolicy", + "s3:PutBucketPolicy" ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Controls permission to use the AWS KMS key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy", - "privilege": "GenerateDataKeyPairWithoutPlaintext", + "description": "Grants permission to create an MSK Connect custom plugin", + "privilege": "CreateCustomPlugin", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:DataKeyPairSpec", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:RequestAlias", - "kms:ViaService" + "dependent_actions": [ + "s3:GetObject" ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key", - "privilege": "GenerateDataKeyWithoutPlaintext", + "description": "Grants permission to create an MSK Connect worker configuration", + "privilege": "CreateWorkerConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:RequestAlias", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Controls permission to get a cryptographically secure random byte string from AWS KMS", - "privilege": "GenerateRandom", + "description": "Grants permission to delete an MSK Connect connector", + "privilege": "DeleteConnector", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries" + ], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Controls permission to view the key policy for the specified AWS KMS key", - "privilege": "GetKeyPolicy", + "access_level": "Write", + "description": "Grants permission to delete an MSK Connect custom plugin", + "privilege": "DeleteCustomPlugin", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Controls permission to determine whether automatic key rotation is enabled on the AWS KMS key", - "privilege": "GetKeyRotationStatus", + "description": "Grants permission to describe an MSK Connect connector", + "privilege": "DescribeConnector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "connector*" } ] }, { "access_level": "Read", - "description": "Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token", - "privilege": "GetParametersForImport", + "description": "Grants permission to describe an MSK Connect custom plugin", + "privilege": "DescribeCustomPlugin", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService", - "kms:WrappingAlgorithm", - "kms:WrappingKeySpec" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "custom plugin*" } ] }, { "access_level": "Read", - "description": "Controls permission to download the public key of an asymmetric AWS KMS key", - "privilege": "GetPublicKey", + "description": "Grants permission to describe an MSK Connect worker configuration", + "privilege": "DescribeWorkerConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:RequestAlias", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "worker configuration*" } ] }, { - "access_level": "Write", - "description": "Controls permission to import cryptographic material into an AWS KMS key", - "privilege": "ImportKeyMaterial", + "access_level": "Read", + "description": "Grants permission to list all MSK Connect connectors in this account", + "privilege": "ListConnectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ExpirationModel", - "kms:ValidTo", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with AWS KMS keys", - "privilege": "ListAliases", + "access_level": "Read", + "description": "Grants permission to list all MSK Connect custom plugins in this account", + "privilege": "ListCustomPlugins", "resource_types": [ { "condition_keys": [], @@ -107594,179 +121824,165 @@ ] }, { - "access_level": "List", - "description": "Controls permission to view all grants for an AWS KMS key", - "privilege": "ListGrants", + "access_level": "Read", + "description": "Grants permission to list all MSK Connect worker configurations in this account", + "privilege": "ListWorkerConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:GrantIsForAWSResource", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Controls permission to view the names of key policies for an AWS KMS key", - "privilege": "ListKeyPolicies", + "access_level": "Write", + "description": "Grants permission to update an MSK Connect connector", + "privilege": "UpdateConnector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:connector/${ConnectorName}/${UUID}", + "condition_keys": [], + "resource": "connector" }, { - "access_level": "List", - "description": "Controls permission to view the key ID and Amazon Resource Name (ARN) of all AWS KMS keys in the account", - "privilege": "ListKeys", + "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:custom-plugin/${CustomPluginName}/${UUID}", + "condition_keys": [], + "resource": "custom plugin" + }, + { + "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:worker-configuration/${WorkerConfigurationName}/${UUID}", + "condition_keys": [], + "resource": "worker configuration" + } + ], + "service_name": "Amazon Managed Streaming for Kafka Connect" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "kendra", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to put principal mapping in index", + "privilege": "AssociateEntitiesToExperience", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experience*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "List", - "description": "Controls permission to view all tags that are attached to an AWS KMS key", - "privilege": "ListResourceTags", + "access_level": "Write", + "description": "Defines the specific permissions of users or groups in your AWS SSO identity source with access to your Amazon Kendra experience", + "privilege": "AssociatePersonasToEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "experience*" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "List", - "description": "Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants", - "privilege": "ListRetirableGrants", + "access_level": "Write", + "description": "Grants permission to batch delete document", + "privilege": "BatchDeleteDocument", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Controls permission to replace the key policy for the specified AWS KMS key", - "privilege": "PutKeyPolicy", + "access_level": "Read", + "description": "Grants permission to do batch get document status", + "privilege": "BatchGetDocumentStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:BypassPolicyLockoutSafetyCheck", - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", - "privilege": "ReEncryptFrom", + "description": "Grants permission to batch put document", + "privilege": "BatchPutDocument", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ReEncryptOnSameKey", - "kms:RequestAlias", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", - "privilege": "ReEncryptTo", + "description": "Grants permission to clear out the suggestions for a given index, generated so far", + "privilege": "ClearQuerySuggestions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ReEncryptOnSameKey", - "kms:RequestAlias", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Controls permission to replicate a multi-Region primary key", - "privilege": "ReplicateKey", + "description": "Grants permission to create a data source", + "privilege": "CreateDataSource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole", - "kms:CreateKey", - "kms:PutKeyPolicy", - "kms:TagResource" - ], - "resource_type": "key*" + "dependent_actions": [], + "resource_type": "index*" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:ReplicaRegion", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -107774,32 +121990,31 @@ ] }, { - "access_level": "Permissions management", - "description": "Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform", - "privilege": "RetireGrant", + "access_level": "Write", + "description": "Creates an Amazon Kendra experience such as a search application", + "privilege": "CreateExperience", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Controls permission to revoke a grant, which denies permission for all operations that depend on the grant", - "privilege": "RevokeGrant", + "access_level": "Write", + "description": "Grants permission to create an Faq", + "privilege": "CreateFaq", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:GrantIsForAWSResource", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -107808,18 +122023,13 @@ }, { "access_level": "Write", - "description": "Controls permission to schedule deletion of an AWS KMS key", - "privilege": "ScheduleKeyDeletion", + "description": "Grants permission to create an Index", + "privilege": "CreateIndex", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, { "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -107828,21 +122038,18 @@ }, { "access_level": "Write", - "description": "Controls permission to produce a digital signature for a message", - "privilege": "Sign", + "description": "Grants permission to create a QuerySuggestions BlockList", + "privilege": "CreateQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:MessageType", - "kms:RequestAlias", - "kms:SigningAlgorithm", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -107851,434 +122058,430 @@ }, { "access_level": "Write", - "description": "Controls access to internal APIs that synchronize multi-Region keys", - "privilege": "SynchronizeMultiRegionKey", + "description": "Grants permission to create a Thesaurus", + "privilege": "CreateThesaurus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Controls permission to create or update tags that are attached to an AWS KMS key", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to delete a data source", + "privilege": "DeleteDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "data-source*" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "Tagging", - "description": "Controls permission to delete tags that are attached to an AWS KMS key", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Deletes your Amazon Kendra experience such as a search application", + "privilege": "DeleteExperience", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "experience*" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Controls permission to associate an alias with a different AWS KMS key. An alias is an optional friendly name that you can associate with a KMS key", - "privilege": "UpdateAlias", + "description": "Grants permission to delete an Faq", + "privilege": "DeleteFaq", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias*" + "resource_type": "faq*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Controls permission to change the properties of a custom key store", - "privilege": "UpdateCustomKeyStore", + "description": "Grants permission to delete an Index", + "privilege": "DeleteIndex", "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Controls permission to delete or change the description of an AWS KMS key", - "privilege": "UpdateKeyDescription", + "description": "Grants permission to delete principal mapping from index", + "privilege": "DeletePrincipalMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "data-source" } ] }, { "access_level": "Write", - "description": "Controls permission to update the primary Region of a multi-Region primary key", - "privilege": "UpdatePrimaryRegion", + "description": "Grants permission to delete a QuerySuggestions BlockList", + "privilege": "DeleteQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:PrimaryRegion", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "query-suggestions-block-list*" } ] }, { "access_level": "Write", - "description": "Controls permission to use the specified AWS KMS key to verify digital signatures", - "privilege": "Verify", + "description": "Grants permission to delete a Thesaurus", + "privilege": "DeleteThesaurus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "index*" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:MessageType", - "kms:RequestAlias", - "kms:SigningAlgorithm", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thesaurus*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}", - "condition_keys": [], - "resource": "alias" }, { - "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", - "condition_keys": [], - "resource": "key" - } - ], - "service_name": "AWS Key Management Service" - }, - { - "conditions": [], - "prefix": "lakeformation", - "privileges": [ - { - "access_level": "Tagging", - "description": "Grants permission to attach lakeformation tags to catalog resources", - "privilege": "AddLFTagsToResource", + "access_level": "Read", + "description": "Grants permission to describe a data source", + "privilege": "DescribeDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to data lake permissions to one or more principals in a batch", - "privilege": "BatchGrantPermissions", - "resource_types": [ + "resource_type": "data-source*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to revoke data lake permissions from one or more principals in a batch", - "privilege": "BatchRevokePermissions", + "access_level": "Read", + "description": "Gets information about your Amazon Kendra experience such as a search application", + "privilege": "DescribeExperience", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a Lakeformation tag", - "privilege": "CreateLFTag", - "resource_types": [ + "resource_type": "experience*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a Lakeformation tag", - "privilege": "DeleteLFTag", + "access_level": "Read", + "description": "Grants permission to describe an Faq", + "privilege": "DescribeFaq", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "faq*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Grants permission to deregister a registered location", - "privilege": "DeregisterResource", + "access_level": "Read", + "description": "Grants permission to describe an Index", + "privilege": "DescribeIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a registered location", - "privilege": "DescribeResource", + "description": "Grants permission to describe principal mapping from index", + "privilege": "DescribePrincipalMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-source" } ] }, { - "access_level": "Write", - "description": "Grants permission to virtual data lake access", - "privilege": "GetDataAccess", + "access_level": "Read", + "description": "Grants permission to describe a QuerySuggestions BlockList", + "privilege": "DescribeQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query-suggestions-block-list*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve data lake settings such as the list of data lake administrators and database and table default permissions", - "privilege": "GetDataLakeSettings", + "description": "Grants permission to describe the query suggestions configuration for an index", + "privilege": "DescribeQuerySuggestionsConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrive permissions attached to resources in the given path", - "privilege": "GetEffectivePermissionsForPath", + "description": "Grants permission to describe a Thesaurus", + "privilege": "DescribeThesaurus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrive a Lakeformation tag", - "privilege": "GetLFTag", + "access_level": "Write", + "description": "Prevents users or groups in your AWS SSO identity source from accessing your Amazon Kendra experience", + "privilege": "DisassociateEntitiesFromExperience", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experience*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve lakeformation tags on a catalog resource", - "privilege": "GetResourceLFTags", + "access_level": "Write", + "description": "Removes the specific permissions of users or groups in your AWS SSO identity source with access to your Amazon Kendra experience", + "privilege": "DisassociatePersonasFromEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experience*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to data lake permissions to a principal", - "privilege": "GrantPermissions", + "access_level": "Read", + "description": "Grants permission to get suggestions for a query prefix", + "privilege": "GetQuerySuggestions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Read", - "description": "Grants permission to list Lakeformation tags", - "privilege": "ListLFTags", + "description": "Retrieves search metrics data", + "privilege": "GetSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "List", - "description": "Grants permission to list permissions filtered by principal or resource", - "privilege": "ListPermissions", + "description": "Grants permission to get Data Source sync job history", + "privilege": "ListDataSourceSyncJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "List", - "description": "Grants permission to List registered locations", - "privilege": "ListResources", + "description": "Grants permission to list the data sources", + "privilege": "ListDataSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to overwrite data lake settings such as the list of data lake administrators and database and table default permissions", - "privilege": "PutDataLakeSettings", + "access_level": "List", + "description": "Lists specific permissions of users and groups with access to your Amazon Kendra experience", + "privilege": "ListEntityPersonas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experience*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Grants permission to register a new location to be managed by Lake Formation", - "privilege": "RegisterResource", + "access_level": "List", + "description": "Lists users or groups in your AWS SSO identity source that are granted access to your Amazon Kendra experience", + "privilege": "ListExperienceEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experience*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove lakeformation tags from catalog resources", - "privilege": "RemoveLFTagsFromResource", + "access_level": "List", + "description": "Lists one or more Amazon Kendra experiences. You can create an Amazon Kendra experience such as a search application", + "privilege": "ListExperiences", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to revoke data lake permissions from a principal", - "privilege": "RevokePermissions", + "access_level": "List", + "description": "Grants permission to list the Faqs", + "privilege": "ListFaqs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list catalog databases with lakeformation tags", - "privilege": "SearchDatabasesByLFTags", + "access_level": "List", + "description": "Grants permission to list groups that are older than an ordering id", + "privilege": "ListGroupsOlderThanOrderingId", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-source" } ] }, { - "access_level": "Read", - "description": "Grants permission to list catalog tables with lakeformation tags", - "privilege": "SearchTablesByLFTags", + "access_level": "List", + "description": "Grants permission to list the indexes", + "privilege": "ListIndices", "resource_types": [ { "condition_keys": [], @@ -108288,202 +122491,170 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update a Lakeformation tag", - "privilege": "UpdateLFTag", + "access_level": "List", + "description": "Grants permission to list the QuerySuggestions BlockLists", + "privilege": "ListQuerySuggestionsBlockLists", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a registered location", - "privilege": "UpdateResource", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "AWS Lake Formation" - }, - { - "conditions": [ - { - "condition": "lambda:CodeSigningConfigArn", - "description": "Filters access by the ARN of an AWS Lambda code signing config", - "type": "String" - }, - { - "condition": "lambda:FunctionArn", - "description": "Filters access by the ARN of an AWS Lambda function", - "type": "ARN" - }, - { - "condition": "lambda:Layer", - "description": "Filters access by the ARN of a version of an AWS Lambda layer", - "type": "ArrayOfString" - }, - { - "condition": "lambda:Principal", - "description": "Filters access by restricting the AWS service or account that can invoke a function", - "type": "String" - }, - { - "condition": "lambda:SecurityGroupIds", - "description": "Filters access by the ID of security groups configured for the AWS Lambda function", - "type": "String" - }, - { - "condition": "lambda:SubnetIds", - "description": "Filters access by the ID of subnets configured for the AWS Lambda function", - "type": "String" - }, - { - "condition": "lambda:VpcIds", - "description": "Filters access by the ID of the VPC configured for the AWS Lambda function", - "type": "String" - } - ], - "prefix": "lambda", - "privileges": [ - { - "access_level": "Permissions management", - "description": "Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer", - "privilege": "AddLayerVersionPermission", - "resource_types": [ + "resource_type": "data-source" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to give an AWS service or another account permission to use an AWS Lambda function", - "privilege": "AddPermission", - "resource_types": [ + "resource_type": "faq" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "index" }, { - "condition_keys": [ - "lambda:Principal" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "query-suggestions-block-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an alias for a Lambda function version", - "privilege": "CreateAlias", + "access_level": "List", + "description": "Grants permission to list the Thesauri", + "privilege": "ListThesauri", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Lambda code signing config", - "privilege": "CreateCodeSigningConfig", + "description": "Grants permission to put principal mapping in index", + "privilege": "PutPrincipalMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-source" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a mapping between an event source and an AWS Lambda function", - "privilege": "CreateEventSourceMapping", + "access_level": "Read", + "description": "Grants permission to query documents and faqs", + "privilege": "Query", "resource_types": [ { - "condition_keys": [ - "lambda:FunctionArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Lambda function", - "privilege": "CreateFunction", + "description": "Grants permission to start Data Source sync job", + "privilege": "StartDataSourceSyncJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "data-source*" }, { - "condition_keys": [ - "lambda:Layer", - "lambda:VpcIds", - "lambda:SubnetIds", - "lambda:SecurityGroupIds", - "lambda:CodeSigningConfigArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda function alias", - "privilege": "DeleteAlias", + "description": "Grants permission to stop Data Source sync job", + "privilege": "StopDataSourceSyncJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda code signing config", - "privilege": "DeleteCodeSigningConfig", + "description": "Grants permission to send feedback about a query results", + "privilege": "SubmitFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda event source mapping", - "privilege": "DeleteEventSourceMapping", + "access_level": "Tagging", + "description": "Grants permission to tag a resource with given key value pairs", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventSourceMapping*" + "resource_type": "data-source" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "faq" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query-suggestions-block-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" }, { "condition_keys": [ - "lambda:FunctionArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -108491,350 +122662,352 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda function", - "privilege": "DeleteFunction", + "access_level": "Tagging", + "description": "Grants permission to remove the tag with the given key from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to detach a code signing config from an AWS Lambda function", - "privilege": "DeleteFunctionCodeSigningConfig", - "resource_types": [ + "resource_type": "data-source" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to remove a concurrent execution limit from an AWS Lambda function", - "privilege": "DeleteFunctionConcurrency", - "resource_types": [ + "resource_type": "faq" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", - "privilege": "DeleteFunctionEventInvokeConfig", - "resource_types": [ + "resource_type": "index" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a version of an AWS Lambda layer", - "privilege": "DeleteLayerVersion", - "resource_types": [ + "resource_type": "query-suggestions-block-list" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + "resource_type": "thesaurus" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the provisioned concurrency configuration for an AWS Lambda function", - "privilege": "DeleteProvisionedConcurrencyConfig", + "description": "Grants permission to update a data source", + "privilege": "UpdateDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function alias" + "resource_type": "data-source*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function version" + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to disable replication for a Lambda@Edge function", - "privilege": "DisableReplication", + "access_level": "Write", + "description": "Updates your Amazon Kendra experience such as a search application", + "privilege": "UpdateExperience", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "index*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to enable replication for a Lambda@Edge function", - "privilege": "EnableReplication", + "access_level": "Write", + "description": "Grants permission to update an Index", + "privilege": "UpdateIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an account's limits and usage in an AWS Region", - "privilege": "GetAccountSettings", + "access_level": "Write", + "description": "Grants permission to update a QuerySuggestions BlockList", + "privilege": "UpdateQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda function alias", - "privilege": "GetAlias", - "resource_types": [ + "resource_type": "index*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "query-suggestions-block-list*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda code signing config", - "privilege": "GetCodeSigningConfig", + "access_level": "Write", + "description": "Grants permission to update the query suggestions configuration for an index", + "privilege": "UpdateQuerySuggestionsConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda event source mapping", - "privilege": "GetEventSourceMapping", + "access_level": "Write", + "description": "Grants permission to update a thesaurus", + "privilege": "UpdateThesaurus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventSourceMapping*" + "resource_type": "index*" }, { - "condition_keys": [ - "lambda:FunctionArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thesaurus*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "index" }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda function", - "privilege": "GetFunction", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function*" - } - ] + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/data-source/${DataSourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "data-source" }, { - "access_level": "Read", - "description": "Grants permission to view the code signing config arn attached to an AWS Lambda function", - "privilege": "GetFunctionCodeSigningConfig", + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/faq/${FaqId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "faq" + }, + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/experience/${ExperienceId}", + "condition_keys": [], + "resource": "experience" + }, + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/thesaurus/${ThesaurusId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "thesaurus" + }, + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/query-suggestions-block-list/${QuerySuggestionsBlockListId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "query-suggestions-block-list" + } + ], + "service_name": "Amazon Kendra" + }, + { + "conditions": [], + "prefix": "kinesis", + "privileges": [ + { + "access_level": "Tagging", + "description": "Grants permission to add or update tags for the specified Amazon Kinesis stream. Each stream can have up to 10 tags", + "privilege": "AddTagsToStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about the reserved concurrency configuration for a function", - "privilege": "GetFunctionConcurrency", + "access_level": "Write", + "description": "Grants permission to create a Amazon Kinesis stream", + "privilege": "CreateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about the version-specific settings of an AWS Lambda function or version", - "privilege": "GetFunctionConfiguration", + "access_level": "Write", + "description": "Grants permission to decrease the stream's retention period, which is the length of time data records are accessible after they are added to the stream", + "privilege": "DecreaseStreamRetentionPeriod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the configuration for asynchronous invocation for a function, version, or alias", - "privilege": "GetFunctionEventInvokeConfig", + "access_level": "Write", + "description": "Grants permission to delete a stream and all its shards and data", + "privilege": "DeleteStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a version of an AWS Lambda layer. Note this action also supports GetLayerVersionByArn API", - "privilege": "GetLayerVersion", + "access_level": "Write", + "description": "Grants permission to deregister a stream consumer with a Kinesis data stream", + "privilege": "DeregisterStreamConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + "resource_type": "consumer*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the resource-based policy for a version of an AWS Lambda layer", - "privilege": "GetLayerVersionPolicy", + "description": "Grants permission to describe the shard limits and usage for the account", + "privilege": "DescribeLimits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias", - "privilege": "GetPolicy", + "description": "Grants permission to describe the specified stream", + "privilege": "DescribeStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the provisioned concurrency configuration for an AWS Lambda function's alias or version", - "privilege": "GetProvisionedConcurrencyConfig", + "description": "Grants permission to get the description of a registered stream consumer", + "privilege": "DescribeStreamConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function version" + "resource_type": "consumer*" } ] }, { - "access_level": "Write", - "description": "(Deprecated) Grants permission to invoke a function asynchronously", - "privilege": "InvokeAsync", + "access_level": "Read", + "description": "Grants permission to provide a summarized description of the specified Kinesis data stream without the shard list", + "privilege": "DescribeStreamSummary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to invoke an AWS Lambda function", - "privilege": "InvokeFunction", + "description": "Grants permission to disables enhanced monitoring", + "privilege": "DisableEnhancedMonitoring", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of aliases for an AWS Lambda function", - "privilege": "ListAliases", + "access_level": "Write", + "description": "Grants permission to enable enhanced Kinesis data stream monitoring for shard-level metrics", + "privilege": "EnableEnhancedMonitoring", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda code signing configs", - "privilege": "ListCodeSigningConfigs", + "access_level": "Read", + "description": "Grants permission to get data records from a shard", + "privilege": "GetRecords", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda event source mappings", - "privilege": "ListEventSourceMappings", + "access_level": "Read", + "description": "Grants permission to get a shard iterator. A shard iterator expires five minutes after it is returned to the requester", + "privilege": "GetShardIterator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of configurations for asynchronous invocation for a function", - "privilege": "ListFunctionEventInvokeConfigs", + "access_level": "Write", + "description": "Grants permission to increase the stream's retention period, which is the length of time data records are accessible after they are added to the stream", + "privilege": "IncreaseStreamRetentionPeriod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function", - "privilege": "ListFunctions", + "description": "Grants permission to list the shards in a stream and provides information about each shard", + "privilege": "ListShards", "resource_types": [ { "condition_keys": [], @@ -108845,20 +123018,20 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda functions by the code signing config assigned", - "privilege": "ListFunctionsByCodeSigningConfig", + "description": "Grants permission to list the stream consumers registered to receive data from a Kinesis stream using enhanced fan-out, and provides information about each consumer", + "privilege": "ListStreamConsumers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "stream*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of versions of an AWS Lambda layer", - "privilege": "ListLayerVersions", + "description": "Grants permission to list your streams", + "privilege": "ListStreams", "resource_types": [ { "condition_keys": [], @@ -108868,234 +123041,244 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer", - "privilege": "ListLayers", + "access_level": "Read", + "description": "Grants permission to list the tags for the specified Amazon Kinesis stream", + "privilege": "ListTagsForStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of provisioned concurrency configurations for an AWS Lambda function", - "privilege": "ListProvisionedConcurrencyConfigs", + "access_level": "Write", + "description": "Grants permission to merge two adjacent shards in a stream and combines them into a single shard to reduce the stream's capacity to ingest and transport data", + "privilege": "MergeShards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of tags for an AWS Lambda function", - "privilege": "ListTags", + "access_level": "Write", + "description": "Grants permission to write a single data record from a producer into an Amazon Kinesis stream", + "privilege": "PutRecord", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of versions for an AWS Lambda function", - "privilege": "ListVersionsByFunction", + "access_level": "Write", + "description": "Grants permission to write multiple data records from a producer into an Amazon Kinesis stream in a single call (also referred to as a PutRecords request)", + "privilege": "PutRecords", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Lambda layer", - "privilege": "PublishLayerVersion", + "description": "Grants permission to register a stream consumer with a Kinesis data stream", + "privilege": "RegisterStreamConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layer*" + "resource_type": "stream*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Lambda function version", - "privilege": "PublishVersion", + "access_level": "Tagging", + "description": "Grants permission to remove tags from the specified Kinesis data stream. Removed tags are deleted and cannot be recovered after this operation successfully completes", + "privilege": "RemoveTagsFromStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to attach a code signing config to an AWS Lambda function", - "privilege": "PutFunctionCodeSigningConfig", + "description": "Grants permission to split a shard into two new shards in the Kinesis data stream, to increase the stream's capacity to ingest and transport data", + "privilege": "SplitShard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function*" - }, - { - "condition_keys": [ - "lambda:CodeSigningConfigArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to configure reserved concurrency for an AWS Lambda function", - "privilege": "PutFunctionConcurrency", + "description": "Grants permission to enable or update server-side encryption using an AWS KMS key for a specified stream", + "privilege": "StartStreamEncryption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to configures options for asynchronous invocation on an AWS Lambda function, version, or alias", - "privilege": "PutFunctionEventInvokeConfig", - "resource_types": [ + "resource_type": "kmsKey*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version", - "privilege": "PutProvisionedConcurrencyConfig", + "description": "Grants permission to disable server-side encryption for a specified stream", + "privilege": "StopStreamEncryption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function alias" + "resource_type": "kmsKey*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function version" + "resource_type": "stream*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer", - "privilege": "RemoveLayerVersionPermission", + "access_level": "Read", + "description": "Grants permission to listen to a specific shard with enhanced fan-out", + "privilege": "SubscribeToShard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + "resource_type": "consumer*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to revoke function-use permission from an AWS service or another account", - "privilege": "RemovePermission", + "access_level": "Write", + "description": "Grants permission to update the shard count of the specified stream to the specified number of shards", + "privilege": "UpdateShardCount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - }, - { - "condition_keys": [ - "lambda:Principal" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to an AWS Lambda function", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to update the capacity mode of the data stream", + "privilege": "UpdateStreamMode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kinesis:${Region}:${Account}:stream/${StreamName}", + "condition_keys": [], + "resource": "stream" }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from an AWS Lambda function", - "privilege": "UntagResource", + "arn": "arn:${Partition}:kinesis:${Region}:${Account}:${StreamType}/${StreamName}/consumer/${ConsumerName}:${ConsumerCreationTimpstamp}", + "condition_keys": [], + "resource": "consumer" + }, + { + "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", + "condition_keys": [], + "resource": "kmsKey" + } + ], + "service_name": "Amazon Kinesis" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag-value assoicated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the presence of mandatory tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "kinesisanalytics", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to add input to the application", + "privilege": "AddApplicationInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the configuration of an AWS Lambda function's alias", - "privilege": "UpdateAlias", + "description": "Grants permission to add output to the application", + "privilege": "AddApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an AWS Lambda code signing config", - "privilege": "UpdateCodeSigningConfig", + "description": "Grants permission to add reference data source to the application", + "privilege": "AddApplicationReferenceDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the configuration of an AWS Lambda event source mapping", - "privilege": "UpdateEventSourceMapping", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "eventSourceMapping*" - }, { "condition_keys": [ - "lambda:FunctionArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -109104,115 +123287,56 @@ }, { "access_level": "Write", - "description": "Grants permission to update the code of an AWS Lambda function", - "privilege": "UpdateFunctionCode", + "description": "Grants permission to delete the application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the code signing config of an AWS Lambda function", - "privilege": "UpdateFunctionCodeSigningConfig", + "description": "Grants permission to delete the specified output of the application", + "privilege": "DeleteApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the version-specific settings of an AWS Lambda function", - "privilege": "UpdateFunctionConfiguration", + "description": "Grants permission to delete the specified reference data source of the application", + "privilege": "DeleteApplicationReferenceDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - }, - { - "condition_keys": [ - "lambda:Layer", - "lambda:VpcIds", - "lambda:SubnetIds", - "lambda:SecurityGroupIds" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", - "privilege": "UpdateFunctionEventInvokeConfig", + "access_level": "Read", + "description": "Grants permission to describe the specified application", + "privilege": "DescribeApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "application*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:code-signing-config:${CodeSigningConfigId}", - "condition_keys": [], - "resource": "code signing config" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}", - "condition_keys": [], - "resource": "eventSourceMapping" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}", - "condition_keys": [], - "resource": "function" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}", - "condition_keys": [], - "resource": "function alias" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}", - "condition_keys": [], - "resource": "function version" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}", - "condition_keys": [], - "resource": "layer" }, { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion}", - "condition_keys": [], - "resource": "layerVersion" - } - ], - "service_name": "AWS Lambda" - }, - { - "conditions": [], - "prefix": "launchwizard", - "privileges": [ - { - "access_level": "Write", - "description": "Delete an application", - "privilege": "DeleteApp", + "access_level": "Read", + "description": "Grants permission to discover the input schema for the application", + "privilege": "DiscoverInputSchema", "resource_types": [ { "condition_keys": [], @@ -109223,20 +123347,20 @@ }, { "access_level": "Read", - "description": "Describe provisioning applications", - "privilege": "DescribeProvisionedApp", + "description": "Grants permission to Kinesis Data Analytics console to display stream results for Kinesis Data Analytics SQL runtime applications", + "privilege": "GetApplicationState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Describe provisioning events", - "privilege": "DescribeProvisioningEvents", + "access_level": "List", + "description": "Grants permission to list applications for the account", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], @@ -109247,345 +123371,358 @@ }, { "access_level": "Read", - "description": "Get infrastructure suggestion", - "privilege": "GetInfrastructureSuggestion", + "description": "Grants permission to fetch the tags associated with the application", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Get customer's ip address", - "privilege": "GetIpAddress", + "access_level": "Write", + "description": "Grants permission to start the application", + "privilege": "StartApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Get resource cost estimate", - "privilege": "GetResourceCostEstimate", + "access_level": "Write", + "description": "Grants permission to stop the application", + "privilege": "StopApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to the application", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "List provisioning applications", - "privilege": "ListProvisionedApps", + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the application", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Start a provisioning", - "privilege": "StartProvisioning", + "description": "Grants permission to update the application", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] } ], - "resources": [], - "service_name": "Launch Wizard" + "resources": [ + { + "arn": "arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + } + ], + "service_name": "Amazon Kinesis Analytics" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags in the request.", + "description": "Filters access by set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to a Lex resource.", + "description": "Filters access by tag-value assoicated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the set of tag keys in the request.", - "type": "String" - }, - { - "condition": "lex:associatedIntents", - "description": "Enables you to control access based on the intents included in the request.", - "type": "String" - }, - { - "condition": "lex:associatedSlotTypes", - "description": "Enables you to control access based on the slot types included in the request.", - "type": "String" - }, - { - "condition": "lex:channelType", - "description": "Enables you to control access based on the channel type included in the request.", - "type": "String" + "description": "Filters access by the presence of mandatory tag keys in the request", + "type": "ArrayOfString" } ], - "prefix": "lex", + "prefix": "kinesisanalytics", "privileges": [ { "access_level": "Write", - "description": "Creates a new version based on the $LATEST version of the specified bot.", - "privilege": "CreateBotVersion", + "description": "Grants permission to add cloudwatch logging option to the application", + "privilege": "AddApplicationCloudWatchLoggingOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Creates a new version based on the $LATEST version of the specified intent.", - "privilege": "CreateIntentVersion", + "description": "Grants permission to add input to the application", + "privilege": "AddApplicationInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Creates a new version based on the $LATEST version of the specified slot type.", - "privilege": "CreateSlotTypeVersion", + "description": "Grants permission to add input processing configuration to the application", + "privilege": "AddApplicationInputProcessingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes all versions of a bot.", - "privilege": "DeleteBot", + "description": "Grants permission to add output to the application", + "privilege": "AddApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes an alias for a specific bot.", - "privilege": "DeleteBotAlias", + "description": "Grants permission to add reference data source to the application", + "privilege": "AddApplicationReferenceDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes the association between a Amazon Lex bot alias and a messaging platform.", - "privilege": "DeleteBotChannelAssociation", + "description": "Grants permission to add VPC configuration to the application", + "privilege": "AddApplicationVpcConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes a specific version of a bot.", - "privilege": "DeleteBotVersion", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes all versions of an intent.", - "privilege": "DeleteIntent", + "access_level": "Read", + "description": "Grants permission to create and return a URL that you can use to connect to an application's extension", + "privilege": "CreateApplicationPresignedUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes a specific version of an intent.", - "privilege": "DeleteIntentVersion", + "description": "Grants permission to create a snapshot for an application", + "privilege": "CreateApplicationSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Removes session information for a specified bot, alias, and user ID.", - "privilege": "DeleteSession", + "description": "Grants permission to delete the application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes all versions of a slot type.", - "privilege": "DeleteSlotType", + "description": "Grants permission to delete the specified cloudwatch logging option of the application", + "privilege": "DeleteApplicationCloudWatchLoggingOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes a specific version of a slot type.", - "privilege": "DeleteSlotTypeVersion", + "description": "Grants permission to delete the specified input processing configuration of the application", + "privilege": "DeleteApplicationInputProcessingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes the information Amazon Lex maintains for utterances on a specific bot and userId.", - "privilege": "DeleteUtterances", + "description": "Grants permission to delete the specified output of the application", + "privilege": "DeleteApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns information for a specific bot. In addition to the bot name, the bot version or alias is required.", - "privilege": "GetBot", + "access_level": "Write", + "description": "Grants permission to delete the specified reference data source of the application", + "privilege": "DeleteApplicationReferenceDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns information about a Amazon Lex bot alias.", - "privilege": "GetBotAlias", + "access_level": "Write", + "description": "Grants permission to delete a snapshot for an application", + "privilege": "DeleteApplicationSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns a list of aliases for a given Amazon Lex bot.", - "privilege": "GetBotAliases", + "access_level": "Write", + "description": "Grants permission to delete the specified VPC configuration of the application", + "privilege": "DeleteApplicationVpcConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Returns information about the association between a Amazon Lex bot and a messaging platform.", - "privilege": "GetBotChannelAssociation", + "description": "Grants permission to describe the specified application", + "privilege": "DescribeApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns a list of all of the channels associated with a single bot.", - "privilege": "GetBotChannelAssociations", + "access_level": "Read", + "description": "Grants permission to describe an application snapshot", + "privilege": "DescribeApplicationSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns information for all versions of a specific bot.", - "privilege": "GetBotVersions", + "access_level": "Read", + "description": "Grants permission to describe the application version of an application", + "privilege": "DescribeApplicationVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns information for the $LATEST version of all bots, subject to filters provided by the client.", - "privilege": "GetBots", + "access_level": "Read", + "description": "Grants permission to discover the input schema for the application", + "privilege": "DiscoverInputSchema", "resource_types": [ { "condition_keys": [], @@ -109596,32 +123733,32 @@ }, { "access_level": "Read", - "description": "Returns information about a built-in intent.", - "privilege": "GetBuiltinIntent", + "description": "Grants permission to list the snapshots for an application", + "privilege": "ListApplicationSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Gets a list of built-in intents that meet the specified criteria.", - "privilege": "GetBuiltinIntents", + "description": "Grants permission to list application versions of an application", + "privilege": "ListApplicationVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets a list of built-in slot types that meet the specified criteria.", - "privilege": "GetBuiltinSlotTypes", + "access_level": "List", + "description": "Grants permission to list applications for the account", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], @@ -109632,338 +123769,519 @@ }, { "access_level": "Read", - "description": "Exports Amazon Lex Resource in a requested format.", - "privilege": "GetExport", + "description": "Grants permission to fetch the tags associated with the application", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets information about an import job started with StartImport.", - "privilege": "GetImport", + "access_level": "Write", + "description": "Grants permission to perform rollback operation on an application", + "privilege": "RollbackApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns information for a specific intent. In addition to the intent name, you must also specify the intent version.", - "privilege": "GetIntent", + "access_level": "Write", + "description": "Grants permission to start the application", + "privilege": "StartApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns information for all versions of a specific intent.", - "privilege": "GetIntentVersions", + "access_level": "Write", + "description": "Grants permission to stop the application", + "privilege": "StopApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns information for the $LATEST version of all intents, subject to filters provided by the client.", - "privilege": "GetIntents", + "access_level": "Tagging", + "description": "Grants permission to add tags to the application", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view an ongoing or completed migration", - "privilege": "GetMigration", + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the application", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to view list of migrations from Amazon Lex v1 to Amazon Lex v2", - "privilege": "GetMigrations", + "access_level": "Write", + "description": "Grants permission to update the application", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns session information for a specified bot, alias, and user ID.", - "privilege": "GetSession", + "access_level": "Write", + "description": "Grants permission to update the maintenance configuration of an application", + "privilege": "UpdateApplicationMaintenanceConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "application*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + } + ], + "service_name": "Amazon Kinesis Analytics V2" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters requests based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value assoicated with the stream", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters requests based on the presence of mandatory tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "kinesisvideo", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to connect as a master to the signaling channel specified by the endpoint", + "privilege": "ConnectAsMaster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to connect as a viewer to the signaling channel specified by the endpoint", + "privilege": "ConnectAsViewer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a signaling channel", + "privilege": "CreateSignalingChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Kinesis video stream", + "privilege": "CreateStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing signaling channel", + "privilege": "DeleteSignalingChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing Kinesis video stream", + "privilege": "DeleteStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Returns information about a specific version of a slot type. In addition to specifying the slot type name, you must also specify the slot type version.", - "privilege": "GetSlotType", + "description": "Grants permission to describe the image generation configuration of your Kinesis video stream", + "privilege": "DescribeImageGenerationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Returns information for all versions of a specific slot type.", - "privilege": "GetSlotTypeVersions", + "access_level": "Read", + "description": "Grants permission to describe the notification configuration of your Kinesis video stream", + "privilege": "DescribeNotificationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "stream*" } ] }, { "access_level": "List", - "description": "Returns information for the $LATEST version of all slot types, subject to filters provided by the client.", - "privilege": "GetSlotTypes", + "description": "Grants permission to describe the specified signaling channel", + "privilege": "DescribeSignalingChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "List", - "description": "Returns a view of aggregate utterance data for versions of a bot for a recent time period.", - "privilege": "GetUtterancesView", + "description": "Grants permission to describe the specified Kinesis video stream", + "privilege": "DescribeStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Lists tags for a Lex resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to get a media clip from a video stream", + "privilege": "GetClip", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" - }, + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to create a URL for MPEG-DASH video streaming", + "privilege": "GetDASHStreamingSessionURL", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an endpoint for a specified stream for either reading or writing media data to Kinesis Video Streams", + "privilege": "GetDataEndpoint", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "stream*" } ] }, { - "access_level": "Write", - "description": "Sends user input (text or speech) to Amazon Lex.", - "privilege": "PostContent", + "access_level": "Read", + "description": "Grants permission to create a URL for HLS video streaming", + "privilege": "GetHLSStreamingSessionURL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the ICE server configuration", + "privilege": "GetIceServerConfig", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Sends user input (text-only) to Amazon Lex.", - "privilege": "PostText", + "access_level": "Read", + "description": "Grants permission to get generated images from your Kinesis video stream", + "privilege": "GetImages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return media content of a Kinesis video stream", + "privilege": "GetMedia", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "stream*" } ] }, { - "access_level": "Write", - "description": "Creates or updates the $LATEST version of a Amazon Lex conversational bot.", - "privilege": "PutBot", + "access_level": "Read", + "description": "Grants permission to read and return media data only from persisted storage", + "privilege": "GetMediaForFragmentList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" - }, + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get endpoints for a specified combination of protocol and role for a signaling channel", + "privilege": "GetSignalingChannelEndpoint", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Creates or updates an alias for the specific bot.", - "privilege": "PutBotAlias", + "access_level": "List", + "description": "Grants permission to list the fragments from archival storage based on the pagination token or selector type with range specified", + "privilege": "ListFragments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" - }, + "resource_type": "stream*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list your signaling channels", + "privilege": "ListSignalingChannels", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates or updates the $LATEST version of an intent.", - "privilege": "PutIntent", + "access_level": "List", + "description": "Grants permission to list your Kinesis video streams", + "privilege": "ListStreams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a new session or modifies an existing session with an Amazon Lex bot.", - "privilege": "PutSession", + "access_level": "Read", + "description": "Grants permission to fetch the tags associated with your resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "stream" } ] }, { - "access_level": "Write", - "description": "Creates or updates the $LATEST version of a slot type.", - "privilege": "PutSlotType", + "access_level": "Read", + "description": "Grants permission to fetch the tags associated with Kinesis video stream", + "privilege": "ListTagsForStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Starts a job to import a resource to Amazon Lex.", - "privilege": "StartImport", + "description": "Grants permission to send media data to a Kinesis video stream", + "privilege": "PutMedia", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to migrate a bot from Amazon Lex v1 to Amazon Lex v2", - "privilege": "StartMigration", + "description": "Grants permission to send the Alexa SDP offer to the master", + "privilege": "SendAlexaOfferToMaster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "channel*" } ] }, { "access_level": "Tagging", - "description": "Adds or overwrites tags to a Lex resource", + "description": "Grants permission to attach set of tags to your resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "stream" }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to attach set of tags to your Kinesis video streams", + "privilege": "TagStream", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "stream*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -109972,128 +124290,334 @@ }, { "access_level": "Tagging", - "description": "Removes tags from a Lex resource", + "description": "Grants permission to remove one or more tags from your resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "stream" }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from your Kinesis video streams", + "privilege": "UntagStream", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "stream*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ + }, { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "bot" + "access_level": "Write", + "description": "Grants permission to update the data retention period of your Kinesis video stream", + "privilege": "UpdateDataRetention", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] }, { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "bot version" + "access_level": "Write", + "description": "Grants permission to update the image generation configuration of your Kinesis video stream", + "privilege": "UpdateImageGenerationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] }, { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotAlias}", + "access_level": "Write", + "description": "Grants permission to update the notification configuration of your Kinesis video stream", + "privilege": "UpdateNotificationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing signaling channel", + "privilege": "UpdateSignalingChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing Kinesis video stream", + "privilege": "UpdateStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:stream/${StreamName}/${CreationTime}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "bot alias" + "resource": "stream" }, { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot-channel:${BotName}:${BotAlias}:${ChannelName}", + "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:channel/${ChannelName}/${CreationTime}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "channel" - }, - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:intent:${IntentName}:${IntentVersion}", - "condition_keys": [], - "resource": "intent version" - }, - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:slottype:${SlotName}:${SlotVersion}", - "condition_keys": [], - "resource": "slottype version" } ], - "service_name": "Amazon Lex" + "service_name": "Amazon Kinesis Video Streams" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tags in the request", + "description": "Filters access to the specified AWS KMS operations based on both the key and value of the tag in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to a Lex resource", + "description": "Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access by the set of tag keys in the request.", + "description": "Filters access to the specified AWS KMS operations based on tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "kms:BypassPolicyLockoutSafetyCheck", + "description": "Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request", + "type": "Bool" + }, + { + "condition": "kms:CallerAccount", + "description": "Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement", + "type": "String" + }, + { + "condition": "kms:CustomerMasterKeySpec", + "description": "The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key", + "type": "String" + }, + { + "condition": "kms:CustomerMasterKeyUsage", + "description": "The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key", + "type": "String" + }, + { + "condition": "kms:DataKeyPairSpec", + "description": "Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request", + "type": "String" + }, + { + "condition": "kms:EncryptionAlgorithm", + "description": "Filters access to encryption operations based on the value of the encryption algorithm in the request", + "type": "String" + }, + { + "condition": "kms:EncryptionContext:${EncryptionContextKey}", + "description": "Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition evaluates the key and value in each key-value encryption context pair", + "type": "String" + }, + { + "condition": "kms:EncryptionContextKeys", + "description": "Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition key evaluates only the key in each key-value encryption context pair", + "type": "ArrayOfString" + }, + { + "condition": "kms:ExpirationModel", + "description": "Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request", + "type": "String" + }, + { + "condition": "kms:GrantConstraintType", + "description": "Filters access to the CreateGrant operation based on the grant constraint in the request", + "type": "String" + }, + { + "condition": "kms:GrantIsForAWSResource", + "description": "Filters access to the CreateGrant operation when the request comes from a specified AWS service", + "type": "Bool" + }, + { + "condition": "kms:GrantOperations", + "description": "Filters access to the CreateGrant operation based on the operations in the grant", + "type": "ArrayOfString" + }, + { + "condition": "kms:GranteePrincipal", + "description": "Filters access to the CreateGrant operation based on the grantee principal in the grant", + "type": "String" + }, + { + "condition": "kms:KeyOrigin", + "description": "Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key", + "type": "String" + }, + { + "condition": "kms:KeySpec", + "description": "Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "String" + }, + { + "condition": "kms:KeyUsage", + "description": "Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "String" + }, + { + "condition": "kms:MacAlgorithm", + "description": "Filters access to the GenerateMac and VerifyMac operations based on the MacAlgorithm parameter in the request", + "type": "String" + }, + { + "condition": "kms:MessageType", + "description": "Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request", + "type": "String" + }, + { + "condition": "kms:MultiRegion", + "description": "Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "Bool" + }, + { + "condition": "kms:MultiRegionKeyType", + "description": "Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "String" + }, + { + "condition": "kms:PrimaryRegion", + "description": "Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request", + "type": "String" + }, + { + "condition": "kms:ReEncryptOnSameKey", + "description": "Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation", + "type": "Bool" + }, + { + "condition": "kms:RecipientAttestation:ImageSha384", + "description": "Filters access to the Decrypt, GenerateDataKey, and GenerateRandom operations based on the image hash in the attestation document in the request", + "type": "String" + }, + { + "condition": "kms:ReplicaRegion", + "description": "Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request", + "type": "String" + }, + { + "condition": "kms:RequestAlias", + "description": "Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request", + "type": "String" + }, + { + "condition": "kms:ResourceAliases", + "description": "Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key", + "type": "ArrayOfString" + }, + { + "condition": "kms:RetiringPrincipal", + "description": "Filters access to the CreateGrant operation based on the retiring principal in the grant", + "type": "String" + }, + { + "condition": "kms:SigningAlgorithm", + "description": "Filters access to the Sign and Verify operations based on the signing algorithm in the request", + "type": "String" + }, + { + "condition": "kms:ValidTo", + "description": "Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date", + "type": "Date" + }, + { + "condition": "kms:ViaService", + "description": "Filters access when a request made on the principal's behalf comes from a specified AWS service", + "type": "String" + }, + { + "condition": "kms:WrappingAlgorithm", + "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request", + "type": "String" + }, + { + "condition": "kms:WrappingKeySpec", + "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request", "type": "String" } ], - "prefix": "lex", + "prefix": "kms", "privileges": [ { "access_level": "Write", - "description": "Grants permission to build an existing bot locale in a bot", - "privilege": "BuildBotLocale", + "description": "Controls permission to cancel the scheduled deletion of an AWS KMS key", + "privilege": "CancelKeyDeletion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new bot and a test bot alias pointing to the DRAFT bot version", - "privilege": "CreateBot", + "description": "Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster", + "privilege": "ConnectCustomKeyStore", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias*" - }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "kms:CallerAccount" ], "dependent_actions": [], "resource_type": "" @@ -110102,18 +124626,23 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new bot alias in a bot", - "privilege": "CreateBotAlias", + "description": "Controls permission to create an alias for an AWS KMS key. Aliases are optional friendly names that you can associate with KMS keys", + "privilege": "CreateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "alias*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "key*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "kms:CallerAccount", + "kms:ViaService" ], "dependent_actions": [], "resource_type": "" @@ -110122,685 +124651,851 @@ }, { "access_level": "Write", - "description": "Grants permission to create a bot channel in an existing bot", - "privilege": "CreateBotChannel", + "description": "Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage", + "privilege": "CreateCustomKeyStore", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot*" + "condition_keys": [ + "kms:CallerAccount" + ], + "dependent_actions": [ + "cloudhsm:DescribeClusters", + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new bot locale in an existing bot", - "privilege": "CreateBotLocale", + "access_level": "Permissions management", + "description": "Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy", + "privilege": "CreateGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new version of an existing bot", - "privilege": "CreateBotVersion", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:GrantConstraintType", + "kms:GranteePrincipal", + "kms:GrantIsForAWSResource", + "kms:GrantOperations", + "kms:RetiringPrincipal", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an export for an existing resource", - "privilege": "CreateExport", + "description": "Controls permission to create an AWS KMS key that can be used to protect data keys and other sensitive information", + "privilege": "CreateKey", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot*" + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "kms:BypassPolicyLockoutSafetyCheck", + "kms:CallerAccount", + "kms:KeySpec", + "kms:KeyUsage", + "kms:KeyOrigin", + "kms:MultiRegion", + "kms:MultiRegionKeyType", + "kms:ViaService" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "kms:PutKeyPolicy", + "kms:TagResource" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new intent in an existing bot locale", - "privilege": "CreateIntent", + "description": "Controls permission to decrypt ciphertext that was encrypted under an AWS KMS key", + "privilege": "Decrypt", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:RecipientAttestation:ImageSha384", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new resource policy for a Lex resource", - "privilege": "CreateResourcePolicy", + "description": "Controls permission to delete an alias. Aliases are optional friendly names that you can associate with AWS KMS keys", + "privilege": "DeleteAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "alias*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new slot in an intent", - "privilege": "CreateSlot", + "description": "Controls permission to delete a custom key store", + "privilege": "DeleteCustomKeyStore", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new slot type in an existing bot locale", - "privilege": "CreateSlotType", + "description": "Controls permission to delete cryptographic material that you imported into an AWS KMS key. This action makes the key unusable", + "privilege": "DeleteImportedKeyMaterial", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an upload url for import file", - "privilege": "CreateUploadUrl", + "access_level": "Read", + "description": "Controls permission to view detailed information about custom key stores in the account and region", + "privilege": "DescribeCustomKeyStores", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an existing bot", - "privilege": "DeleteBot", + "access_level": "Read", + "description": "Controls permission to view detailed information about an AWS KMS key", + "privilege": "DescribeKey", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "lex:DeleteBotAlias", - "lex:DeleteBotChannel", - "lex:DeleteBotLocale", - "lex:DeleteBotVersion", - "lex:DeleteIntent", - "lex:DeleteSlot", - "lex:DeleteSlotType" - ], - "resource_type": "bot*" + "dependent_actions": [], + "resource_type": "key*" }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:RequestAlias", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing bot alias in a bot", - "privilege": "DeleteBotAlias", + "description": "Controls permission to disable an AWS KMS key, which prevents it from being used in cryptographic operations", + "privilege": "DisableKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing bot channel", - "privilege": "DeleteBotChannel", + "description": "Controls permission to disable automatic rotation of a customer managed AWS KMS key", + "privilege": "DisableKeyRotation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing bot locale in a bot", - "privilege": "DeleteBotLocale", + "description": "Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster", + "privilege": "DisconnectCustomKeyStore", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "lex:DeleteIntent", - "lex:DeleteSlot", - "lex:DeleteSlotType" + "condition_keys": [ + "kms:CallerAccount" ], - "resource_type": "bot*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing bot version", - "privilege": "DeleteBotVersion", + "description": "Controls permission to change the state of an AWS KMS key to enabled. This allows the KMS key to be used in cryptographic operations", + "privilege": "EnableKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing export", - "privilege": "DeleteExport", + "description": "Controls permission to enable automatic rotation of the cryptographic material in an AWS KMS key", + "privilege": "EnableKeyRotation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing import", - "privilege": "DeleteImport", + "description": "Controls permission to use the specified AWS KMS key to encrypt data and data keys", + "privilege": "Encrypt", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing intent in a bot locale", - "privilege": "DeleteIntent", + "description": "Controls permission to use the AWS KMS key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS", + "privilege": "GenerateDataKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:RecipientAttestation:ImageSha384", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing resource policy for a Lex resource", - "privilege": "DeleteResourcePolicy", + "description": "Controls permission to use the AWS KMS key to generate data key pairs", + "privilege": "GenerateDataKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "key*" }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:DataKeyPairSpec", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete session information for a bot alias and user ID", - "privilege": "DeleteSession", + "description": "Controls permission to use the AWS KMS key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy", + "privilege": "GenerateDataKeyPairWithoutPlaintext", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:DataKeyPairSpec", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing slot in an intent", - "privilege": "DeleteSlot", + "description": "Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key", + "privilege": "GenerateDataKeyWithoutPlaintext", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing slot type in a bot locale", - "privilege": "DeleteSlotType", + "description": "Controls permission to use the AWS KMS key to generate message authentication codes", + "privilege": "GenerateMac", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:MacAlgorithm", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an existing bot", - "privilege": "DescribeBot", + "access_level": "Write", + "description": "Controls permission to get a cryptographically secure random byte string from AWS KMS", + "privilege": "GenerateRandom", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:RecipientAttestation:ImageSha384" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve an existing bot alias", - "privilege": "DescribeBotAlias", + "description": "Controls permission to view the key policy for the specified AWS KMS key", + "privilege": "GetKeyPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve an existing bot channel", - "privilege": "DescribeBotChannel", + "description": "Controls permission to determine whether automatic key rotation is enabled on the AWS KMS key", + "privilege": "GetKeyRotationStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve an existing bot locale", - "privilege": "DescribeBotLocale", + "description": "Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token", + "privilege": "GetParametersForImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService", + "kms:WrappingAlgorithm", + "kms:WrappingKeySpec" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve an existing bot version.", - "privilege": "DescribeBotVersion", + "description": "Controls permission to download the public key of an asymmetric AWS KMS key", + "privilege": "GetPublicKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an existing export", - "privilege": "DescribeExport", + "access_level": "Write", + "description": "Controls permission to import cryptographic material into an AWS KMS key", + "privilege": "ImportKeyMaterial", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "lex:DescribeBot", - "lex:DescribeBotLocale", - "lex:DescribeIntent", - "lex:DescribeSlot", - "lex:DescribeSlotType", - "lex:ListBotLocales", - "lex:ListIntents", - "lex:ListSlotTypes", - "lex:ListSlots" - ], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve an existing import", - "privilege": "DescribeImport", - "resource_types": [ + "dependent_actions": [], + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:ExpirationModel", + "kms:ValidTo", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an existing intent", - "privilege": "DescribeIntent", + "access_level": "List", + "description": "Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with AWS KMS keys", + "privilege": "ListAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an existing resource policy for a Lex resource", - "privilege": "DescribeResourcePolicy", + "access_level": "List", + "description": "Controls permission to view all grants for an AWS KMS key", + "privilege": "ListGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "key*" }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:GrantIsForAWSResource", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an existing slot", - "privilege": "DescribeSlot", + "access_level": "List", + "description": "Controls permission to view the names of key policies for an AWS KMS key", + "privilege": "ListKeyPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve an existing slot type", - "privilege": "DescribeSlotType", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve session information for a bot alias and user ID", - "privilege": "GetSession", + "access_level": "List", + "description": "Controls permission to view the key ID and Amazon Resource Name (ARN) of all AWS KMS keys in the account", + "privilege": "ListKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list bot aliases in an bot", - "privilege": "ListBotAliases", + "description": "Controls permission to view all tags that are attached to an AWS KMS key", + "privilege": "ListResourceTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list bot channels", - "privilege": "ListBotChannels", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list bot locales in a bot", - "privilege": "ListBotLocales", + "description": "Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants", + "privilege": "ListRetirableGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" } ] }, { - "access_level": "List", - "description": "Grants permission to list existing bot versions", - "privilege": "ListBotVersions", + "access_level": "Permissions management", + "description": "Controls permission to replace the key policy for the specified AWS KMS key", + "privilege": "PutKeyPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list existing bots", - "privilege": "ListBots", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:BypassPolicyLockoutSafetyCheck", + "kms:CallerAccount", + "kms:ViaService" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list built-in intents", - "privilege": "ListBuiltInIntents", + "access_level": "Write", + "description": "Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", + "privilege": "ReEncryptFrom", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list built-in slot types", - "privilege": "ListBuiltInSlotTypes", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:ReEncryptOnSameKey", + "kms:RequestAlias", + "kms:ViaService" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list existing exports", - "privilege": "ListExports", + "access_level": "Write", + "description": "Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", + "privilege": "ReEncryptTo", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list existing imports", - "privilege": "ListImports", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContext:${EncryptionContextKey}", + "kms:EncryptionContextKeys", + "kms:ReEncryptOnSameKey", + "kms:RequestAlias", + "kms:ViaService" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list intents in a bot", - "privilege": "ListIntents", + "access_level": "Write", + "description": "Controls permission to replicate a multi-Region primary key", + "privilege": "ReplicateKey", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list slot types in a bot", - "privilege": "ListSlotTypes", - "resource_types": [ + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "kms:CreateKey", + "kms:PutKeyPolicy", + "kms:TagResource" + ], + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:ReplicaRegion", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list slots in an intent", - "privilege": "ListSlots", + "access_level": "Permissions management", + "description": "Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform", + "privilege": "RetireGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "key*" } ] }, { - "access_level": "Read", - "description": "Grants permission to lists tags for a Lex resource", - "privilege": "ListTagsForResource", + "access_level": "Permissions management", + "description": "Controls permission to revoke a grant, which denies permission for all operations that depend on the grant", + "privilege": "RevokeGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "key*" }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:GrantIsForAWSResource", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new session or modify an existing session for a bot alias and user ID", - "privilege": "PutSession", + "description": "Controls permission to schedule deletion of an AWS KMS key", + "privilege": "ScheduleKeyDeletion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to send user input (text-only) to an bot alias", - "privilege": "RecognizeText", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to send user input (text or speech) to an bot alias", - "privilege": "RecognizeUtterance", + "description": "Controls permission to produce a digital signature for a message", + "privilege": "Sign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:MessageType", + "kms:RequestAlias", + "kms:SigningAlgorithm", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to stream user input (speech/text/DTMF) to a bot alias", - "privilege": "StartConversation", + "description": "Controls access to internal APIs that synchronize multi-Region keys", + "privilege": "SynchronizeMultiRegionKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "key*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a new import with the uploaded import file", - "privilege": "StartImport", + "access_level": "Tagging", + "description": "Controls permission to create or update tags that are attached to an AWS KMS key", + "privilege": "TagResource", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "lex:CreateBot", - "lex:CreateBotLocale", - "lex:CreateIntent", - "lex:CreateSlot", - "lex:CreateSlotType", - "lex:DeleteBotLocale", - "lex:DeleteIntent", - "lex:DeleteSlot", - "lex:DeleteSlotType", - "lex:UpdateBot", - "lex:UpdateBotLocale", - "lex:UpdateIntent", - "lex:UpdateSlot", - "lex:UpdateSlotType" - ], - "resource_type": "bot" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "key*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "kms:CallerAccount", + "kms:ViaService" ], "dependent_actions": [], "resource_type": "" @@ -110809,23 +125504,19 @@ }, { "access_level": "Tagging", - "description": "Grants permission to add or overwrite tags of a Lex resource", - "privilege": "TagResource", + "description": "Controls permission to delete tags that are attached to an AWS KMS key", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "key*" }, { "condition_keys": [ "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "kms:CallerAccount", + "kms:ViaService" ], "dependent_actions": [], "resource_type": "" @@ -110833,24 +125524,24 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a Lex resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Controls permission to associate an alias with a different AWS KMS key. An alias is an optional friendly name that you can associate with a KMS key", + "privilege": "UpdateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "alias*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "key*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "kms:CallerAccount", + "kms:ViaService" ], "dependent_actions": [], "resource_type": "" @@ -110859,160 +125550,135 @@ }, { "access_level": "Write", - "description": "Grants permission to update an existing bot", - "privilege": "UpdateBot", + "description": "Controls permission to change the properties of a custom key store", + "privilege": "UpdateCustomKeyStore", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing bot alias", - "privilege": "UpdateBotAlias", + "description": "Controls permission to delete or change the description of an AWS KMS key", + "privilege": "UpdateKeyDescription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update an existing bot locale", - "privilege": "UpdateBotLocale", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing export", - "privilege": "UpdateExport", + "description": "Controls permission to update the primary Region of a multi-Region primary key", + "privilege": "UpdatePrimaryRegion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update an existing intent", - "privilege": "UpdateIntent", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:PrimaryRegion", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing resource policy for a Lex resource", - "privilege": "UpdateResourcePolicy", + "description": "Controls permission to use the specified AWS KMS key to verify digital signatures", + "privilege": "Verify", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" + "resource_type": "key*" }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:MessageType", + "kms:RequestAlias", + "kms:SigningAlgorithm", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing slot", - "privilege": "UpdateSlot", + "description": "Controls permission to use the AWS KMS key to verify message authentication codes", + "privilege": "VerifyMac", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update an existing slot type", - "privilege": "UpdateSlotType", - "resource_types": [ + "resource_type": "key*" + }, { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount", + "kms:MacAlgorithm", + "kms:RequestAlias", + "kms:ViaService" + ], "dependent_actions": [], - "resource_type": "bot*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot/${BotId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "bot" + "arn": "arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}", + "condition_keys": [], + "resource": "alias" }, { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot-alias/${BotId}/${BotAliasId}", + "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "kms:KeyOrigin", + "kms:KeySpec", + "kms:KeyUsage", + "kms:MultiRegion", + "kms:MultiRegionKeyType", + "kms:ResourceAliases" ], - "resource": "bot alias" + "resource": "key" } ], - "service_name": "Amazon Lex V2" + "service_name": "AWS Key Management Service" }, { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" - }, - { - "condition": "license-manager:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", - "type": "String" - } - ], - "prefix": "license-manager", + "conditions": [], + "prefix": "lakeformation", "privileges": [ { - "access_level": "Write", - "description": "Grants permission to accept a grant", - "privilege": "AcceptGrant", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "grant*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to check in license entitlements back to pool", - "privilege": "CheckInLicense", + "access_level": "Tagging", + "description": "Grants permission to attach Lake Formation tags to catalog resources", + "privilege": "AddLFTagsToResource", "resource_types": [ { "condition_keys": [], @@ -111022,21 +125688,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to check out license entitlements for borrow use case", - "privilege": "CheckoutBorrowLicense", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "license*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to check out license entitlements", - "privilege": "CheckoutLicense", + "access_level": "Permissions management", + "description": "Grants permission to data lake permissions to one or more principals in a batch", + "privilege": "BatchGrantPermissions", "resource_types": [ { "condition_keys": [], @@ -111046,33 +125700,21 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a new grant for license", - "privilege": "CreateGrant", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "license*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create new version of grant", - "privilege": "CreateGrantVersion", + "access_level": "Permissions management", + "description": "Grants permission to revoke data lake permissions from one or more principals in a batch", + "privilege": "BatchRevokePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new license", - "privilege": "CreateLicense", + "description": "Grants permission to cancel the given transaction", + "privilege": "CancelTransaction", "resource_types": [ { "condition_keys": [], @@ -111083,14 +125725,11 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new license configuration", - "privilege": "CreateLicenseConfiguration", + "description": "Grants permission to commit the given transaction", + "privilege": "CommitTransaction", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -111098,8 +125737,8 @@ }, { "access_level": "Write", - "description": "Grants permission to create a license conversion task for a resource", - "privilege": "CreateLicenseConversionTaskForResource", + "description": "Grants permission to create a Lake Formation data cell filter", + "privilege": "CreateDataCellsFilter", "resource_types": [ { "condition_keys": [], @@ -111110,8 +125749,8 @@ }, { "access_level": "Write", - "description": "Grants permission to create a report generator for a license configuration", - "privilege": "CreateLicenseManagerReportGenerator", + "description": "Grants permission to create a Lake Formation tag", + "privilege": "CreateLFTag", "resource_types": [ { "condition_keys": [], @@ -111122,80 +125761,80 @@ }, { "access_level": "Write", - "description": "Grants permission to create new version of license.", - "privilege": "CreateLicenseVersion", + "description": "Grants permission to delete a Lake Formation data cell filter", + "privilege": "DeleteDataCellsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new token for license", - "privilege": "CreateToken", + "description": "Grants permission to delete a Lake Formation tag", + "privilege": "DeleteLFTag", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a grant", - "privilege": "DeleteGrant", + "description": "Grants permission to delete the specified objects if the transaction is canceled", + "privilege": "DeleteObjectsOnCancel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a license", - "privilege": "DeleteLicense", + "description": "Grants permission to deregister a registered location", + "privilege": "DeregisterResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to permanently delete a license configuration", - "privilege": "DeleteLicenseConfiguration", + "access_level": "Read", + "description": "Grants permission to describe a registered location", + "privilege": "DescribeResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a report generator", - "privilege": "DeleteLicenseManagerReportGenerator", + "access_level": "Read", + "description": "Grants permission to get status of the given transaction", + "privilege": "DescribeTransaction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "report-generator*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete token", - "privilege": "DeleteToken", + "description": "Grants permission to extend the timeout of the given transaction", + "privilege": "ExtendTransaction", "resource_types": [ { "condition_keys": [], @@ -111206,8 +125845,8 @@ }, { "access_level": "Write", - "description": "Grants permission to extend consumption period of already checkout license entitlements", - "privilege": "ExtendLicenseConsumption", + "description": "Grants permission to virtual data lake access", + "privilege": "GetDataAccess", "resource_types": [ { "condition_keys": [], @@ -111218,8 +125857,8 @@ }, { "access_level": "Read", - "description": "Grants permission to get access token", - "privilege": "GetAccessToken", + "description": "Grants permission to retrieve data lake settings such as the list of data lake administrators and database and table default permissions", + "privilege": "GetDataLakeSettings", "resource_types": [ { "condition_keys": [], @@ -111230,104 +125869,113 @@ }, { "access_level": "Read", - "description": "Grants permission to get a grant", - "privilege": "GetGrant", + "description": "Grants permission to retrieve permissions attached to resources in the given path", + "privilege": "GetEffectivePermissionsForPath", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a license", - "privilege": "GetLicense", + "description": "Grants permission to retrieve a Lake Formation tag", + "privilege": "GetLFTag", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a license configuration", - "privilege": "GetLicenseConfiguration", + "description": "Grants permission to retrieve the state of the given query", + "privilege": "GetQueryState", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "license-configuration*" + "dependent_actions": [ + "lakeformation:StartQueryPlanning" + ], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a license conversion task", - "privilege": "GetLicenseConversionTask", + "description": "Grants permission to retrieve the statistics for the given query", + "privilege": "GetQueryStatistics", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "lakeformation:StartQueryPlanning" + ], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a report generator", - "privilege": "GetLicenseManagerReportGenerator", + "description": "Grants permission to retrieve lakeformation tags on a catalog resource", + "privilege": "GetResourceLFTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "report-generator*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a license usage", - "privilege": "GetLicenseUsage", + "description": "Grants permission to retrieve objects from a table", + "privilege": "GetTableObjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to get service settings", - "privilege": "GetServiceSettings", + "access_level": "Read", + "description": "Grants permission to retrieve the results for the given work units", + "privilege": "GetWorkUnitResults", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "lakeformation:GetWorkUnits", + "lakeformation:StartQueryPlanning" + ], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list associations for a selected license configuration", - "privilege": "ListAssociationsForLicenseConfiguration", + "access_level": "Read", + "description": "Grants permission to retrieve the work units for the given query", + "privilege": "GetWorkUnits", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "license-configuration*" + "dependent_actions": [ + "lakeformation:StartQueryPlanning" + ], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list distributed grants", - "privilege": "ListDistributedGrants", + "access_level": "Permissions management", + "description": "Grants permission to data lake permissions to a principal", + "privilege": "GrantPermissions", "resource_types": [ { "condition_keys": [], @@ -111338,20 +125986,20 @@ }, { "access_level": "List", - "description": "Grants permission to list the license configuration operations that failed", - "privilege": "ListFailuresForLicenseConfigurationOperations", + "description": "Grants permission to list cell filters", + "privilege": "ListDataCellsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list license configurations", - "privilege": "ListLicenseConfigurations", + "description": "Grants permission to list Lake Formation tags", + "privilege": "ListLFTags", "resource_types": [ { "condition_keys": [], @@ -111362,8 +126010,8 @@ }, { "access_level": "List", - "description": "Grants permission to list license conversion tasks", - "privilege": "ListLicenseConversionTasks", + "description": "Grants permission to list permissions filtered by principal or resource", + "privilege": "ListPermissions", "resource_types": [ { "condition_keys": [], @@ -111374,20 +126022,20 @@ }, { "access_level": "List", - "description": "Grants permission to list report generators", - "privilege": "ListLicenseManagerReportGenerators", + "description": "Grants permission to List registered locations", + "privilege": "ListResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list license specifications associated with a selected resource", - "privilege": "ListLicenseSpecificationsForResource", + "description": "Grants permission to list all the storage optimizers for the Governed table", + "privilege": "ListTableStorageOptimizers", "resource_types": [ { "condition_keys": [], @@ -111398,20 +126046,20 @@ }, { "access_level": "List", - "description": "Grants permission to list license versions", - "privilege": "ListLicenseVersions", + "description": "Grants permission to list all transactions in the system", + "privilege": "ListTransactions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list licenses", - "privilege": "ListLicenses", + "access_level": "Permissions management", + "description": "Grants permission to overwrite data lake settings such as the list of data lake administrators and database and table default permissions", + "privilege": "PutDataLakeSettings", "resource_types": [ { "condition_keys": [], @@ -111421,9 +126069,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list received grants", - "privilege": "ListReceivedGrants", + "access_level": "Write", + "description": "Grants permission to register a new location to be managed by Lake Formation", + "privilege": "RegisterResource", "resource_types": [ { "condition_keys": [], @@ -111433,9 +126081,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list received licenses", - "privilege": "ListReceivedLicenses", + "access_level": "Tagging", + "description": "Grants permission to remove lakeformation tags from catalog resources", + "privilege": "RemoveLFTagsFromResource", "resource_types": [ { "condition_keys": [], @@ -111445,9 +126093,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list resource inventory", - "privilege": "ListResourceInventory", + "access_level": "Permissions management", + "description": "Grants permission to revoke data lake permissions from a principal", + "privilege": "RevokePermissions", "resource_types": [ { "condition_keys": [], @@ -111458,20 +126106,8 @@ }, { "access_level": "Read", - "description": "Grants permission to list tags for a selected resource", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "license-configuration*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list tokens", - "privilege": "ListTokens", + "description": "Grants permission to list catalog databases with Lake Formation tags", + "privilege": "SearchDatabasesByLFTags", "resource_types": [ { "condition_keys": [], @@ -111481,101 +126117,81 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list usage records for selected license configuration", - "privilege": "ListUsageForLicenseConfiguration", + "access_level": "Read", + "description": "Grants permission to list catalog tables with Lake Formation tags", + "privilege": "SearchTablesByLFTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to reject a grant", - "privilege": "RejectGrant", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "grant*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to tag a selected resource", - "privilege": "TagResource", + "description": "Grants permission to initiate the planning of the given query", + "privilege": "StartQueryPlanning", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a selected resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to start a new transaction", + "privilege": "StartTransaction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing license configuration", - "privilege": "UpdateLicenseConfiguration", + "description": "Grants permission to update a Lake Formation tag", + "privilege": "UpdateLFTag", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a report generator for a license configuration", - "privilege": "UpdateLicenseManagerReportGenerator", + "description": "Grants permission to update a registered location", + "privilege": "UpdateResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "report-generator*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to updates license specifications for a selected resource", - "privilege": "UpdateLicenseSpecificationsForResource", + "description": "Grants permission to add or delete the specified objects to or from a table", + "privilege": "UpdateTableObjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to updates service settings", - "privilege": "UpdateServiceSettings", + "access_level": "Write", + "description": "Grants permission to update the configuration of the storage optimizer for the Governed table", + "privilege": "UpdateTableStorageOptimizer", "resource_types": [ { "condition_keys": [], @@ -111585,189 +126201,183 @@ ] } ], - "resources": [ - { - "arn": "arn:${Partition}:license-manager:${Region}:${Account}:license-configuration:${LicenseConfigurationId}", - "condition_keys": [ - "license-manager:ResourceTag/${TagKey}" - ], - "resource": "license-configuration" - }, - { - "arn": "arn:${Partition}:license-manager::${Account}:license:${LicenseId}", - "condition_keys": [], - "resource": "license" - }, - { - "arn": "arn:${Partition}:license-manager::${Account}:grant:${GrantId}", - "condition_keys": [], - "resource": "grant" - }, - { - "arn": "arn:${Partition}:license-manager:${Region}:${Account}:report-generator:${ReportGeneratorId}", - "condition_keys": [ - "license-manager:ResourceTag/${TagKey}" - ], - "resource": "report-generator" - } - ], - "service_name": "AWS License Manager" + "resources": [], + "service_name": "AWS Lake Formation" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + }, + { + "condition": "lambda:CodeSigningConfigArn", + "description": "Filters access by the ARN of an AWS Lambda code signing config", "type": "String" - } - ], - "prefix": "lightsail", - "privileges": [ + }, { - "access_level": "Write", - "description": "Grants permission to create a static IP address that can be attached to an instance", - "privilege": "AllocateStaticIp", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StaticIp*" - } - ] + "condition": "lambda:FunctionArn", + "description": "Filters access by the ARN of an AWS Lambda function", + "type": "ARN" }, { - "access_level": "Write", - "description": "Grants permission to attach an SSL/TLS certificate to your Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "AttachCertificateToDistribution", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Certificate*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Distribution*" - } - ] + "condition": "lambda:FunctionUrlAuthType", + "description": "Filters access by authorization type specified in request. Available during CreateFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, GetFunctionUrlConfig, ListFunctionUrlConfig, AddPermission and RemovePermission operations", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to attach a disk to an instance", - "privilege": "AttachDisk", + "condition": "lambda:Layer", + "description": "Filters access by the ARN of a version of an AWS Lambda layer", + "type": "ArrayOfString" + }, + { + "condition": "lambda:Principal", + "description": "Filters access by restricting the AWS service or account that can invoke a function", + "type": "String" + }, + { + "condition": "lambda:SecurityGroupIds", + "description": "Filters access by the ID of security groups configured for the AWS Lambda function", + "type": "ArrayOfString" + }, + { + "condition": "lambda:SourceFunctionArn", + "description": "Filters access by the ARN of the AWS Lambda function from which the request originated", + "type": "ARN" + }, + { + "condition": "lambda:SubnetIds", + "description": "Filters access by the ID of subnets configured for the AWS Lambda function", + "type": "ArrayOfString" + }, + { + "condition": "lambda:VpcIds", + "description": "Filters access by the ID of the VPC configured for the AWS Lambda function", + "type": "String" + } + ], + "prefix": "lambda", + "privileges": [ + { + "access_level": "Permissions management", + "description": "Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer", + "privilege": "AddLayerVersionPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "layerVersion*" } ] }, { - "access_level": "Write", - "description": "Grants permission to attach one or more instances to a load balancer", - "privilege": "AttachInstancesToLoadBalancer", + "access_level": "Permissions management", + "description": "Grants permission to give an AWS service or another account permission to use an AWS Lambda function", + "privilege": "AddPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "function*" }, { - "condition_keys": [], + "condition_keys": [ + "lambda:Principal", + "lambda:FunctionUrlAuthType" + ], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to attach a TLS certificate to a load balancer", - "privilege": "AttachLoadBalancerTlsCertificate", + "description": "Grants permission to create an alias for a Lambda function version", + "privilege": "CreateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to attach a static IP address to an instance", - "privilege": "AttachStaticIp", + "description": "Grants permission to create an AWS Lambda code signing config", + "privilege": "CreateCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to close a public port of an instance", - "privilege": "CloseInstancePublicPorts", + "description": "Grants permission to create a mapping between an event source and an AWS Lambda function", + "privilege": "CreateEventSourceMapping", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "lambda:FunctionArn" + ], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to copy a snapshot from one AWS Region to another in Amazon Lightsail", - "privilege": "CopySnapshot", + "description": "Grants permission to create an AWS Lambda function", + "privilege": "CreateFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "DiskSnapshot" + "resource_type": "function*" }, { - "condition_keys": [], + "condition_keys": [ + "lambda:Layer", + "lambda:VpcIds", + "lambda:SubnetIds", + "lambda:SecurityGroupIds", + "lambda:CodeSigningConfigArn", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "InstanceSnapshot" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Lightsail bucket", - "privilege": "CreateBucket", + "description": "Grants permission to create a function url configuration for a Lambda function", + "privilege": "CreateFunctionUrlConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Bucket*" + "resource_type": "function*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "lambda:FunctionUrlAuthType", + "lambda:FunctionArn" ], "dependent_actions": [], "resource_type": "" @@ -111776,102 +126386,109 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new access key for the specified bucket", - "privilege": "CreateBucketAccessKey", + "description": "Grants permission to delete an AWS Lambda function alias", + "privilege": "DeleteAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Bucket*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an SSL/TLS certificate", - "privilege": "CreateCertificate", + "description": "Grants permission to delete an AWS Lambda code signing config", + "privilege": "DeleteCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Certificate*" + "resource_type": "code signing config*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new Amazon EC2 instance from an exported Amazon Lightsail snapshot", - "privilege": "CreateCloudFormationStack", + "description": "Grants permission to delete an AWS Lambda event source mapping", + "privilege": "DeleteEventSourceMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ExportSnapshotRecord*" + "resource_type": "eventSourceMapping*" + }, + { + "condition_keys": [ + "lambda:FunctionArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an email or SMS text message contact method", - "privilege": "CreateContactMethod", + "description": "Grants permission to delete an AWS Lambda function", + "privilege": "DeleteFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Lightsail container service", - "privilege": "CreateContainerService", + "description": "Grants permission to detach a code signing config from an AWS Lambda function", + "privilege": "DeleteFunctionCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContainerService*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a deployment for your Amazon Lightsail container service", - "privilege": "CreateContainerServiceDeployment", + "description": "Grants permission to remove a concurrent execution limit from an AWS Lambda function", + "privilege": "DeleteFunctionConcurrency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContainerService*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a temporary set of log in credentials that you can use to log in to the Docker process on your local machine", - "privilege": "CreateContainerServiceRegistryLogin", + "description": "Grants permission to delete the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", + "privilege": "DeleteFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a disk", - "privilege": "CreateDisk", + "description": "Grants permission to delete function url configuration for a Lambda function", + "privilege": "DeleteFunctionUrlConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "function*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "lambda:FunctionUrlAuthType", + "lambda:FunctionArn" ], "dependent_actions": [], "resource_type": "" @@ -111880,127 +126497,106 @@ }, { "access_level": "Write", - "description": "Grants permission to create a disk from snapshot", - "privilege": "CreateDiskFromSnapshot", + "description": "Grants permission to delete a version of an AWS Lambda layer", + "privilege": "DeleteLayerVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "layerVersion*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a disk snapshot", - "privilege": "CreateDiskSnapshot", + "description": "Grants permission to delete the provisioned concurrency configuration for an AWS Lambda function", + "privilege": "DeleteProvisionedConcurrencyConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "function alias" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function version" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "CreateDistribution", + "access_level": "Permissions management", + "description": "Grants permission to disable replication for a Lambda@Edge function", + "privilege": "DisableReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Distribution*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a domain resource for the specified domain name", - "privilege": "CreateDomain", + "access_level": "Permissions management", + "description": "Grants permission to enable replication for a Lambda@Edge function", + "privilege": "EnableReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT)", - "privilege": "CreateDomainEntry", + "access_level": "Read", + "description": "Grants permission to view details about an account's limits and usage in an AWS Region", + "privilege": "GetAccountSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an instance snapshot", - "privilege": "CreateInstanceSnapshot", + "access_level": "Read", + "description": "Grants permission to view details about an AWS Lambda function alias", + "privilege": "GetAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - }, + "resource_type": "function*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about an AWS Lambda code signing config", + "privilege": "GetCodeSigningConfig", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "InstanceSnapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "code signing config*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create one or more instances", - "privilege": "CreateInstances", + "access_level": "Read", + "description": "Grants permission to view details about an AWS Lambda event source mapping", + "privilege": "GetEventSourceMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "eventSourceMapping*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "lambda:FunctionArn" ], "dependent_actions": [], "resource_type": "" @@ -112008,96 +126604,79 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create one or more instances based on an instance snapshot", - "privilege": "CreateInstancesFromSnapshot", + "access_level": "Read", + "description": "Grants permission to view details about an AWS Lambda function", + "privilege": "GetFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - }, + "resource_type": "function*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the code signing config arn attached to an AWS Lambda function", + "privilege": "GetFunctionCodeSigningConfig", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "InstanceSnapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a key pair used to authenticate and connect to an instance", - "privilege": "CreateKeyPair", + "access_level": "Read", + "description": "Grants permission to view details about the reserved concurrency configuration for a function", + "privilege": "GetFunctionConcurrency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a load balancer", - "privilege": "CreateLoadBalancer", + "access_level": "Read", + "description": "Grants permission to view details about the version-specific settings of an AWS Lambda function or version", + "privilege": "GetFunctionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a load balancer TLS certificate", - "privilege": "CreateLoadBalancerTlsCertificate", + "access_level": "Read", + "description": "Grants permission to view the configuration for asynchronous invocation for a function, version, or alias", + "privilege": "GetFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new relational database", - "privilege": "CreateRelationalDatabase", + "access_level": "Read", + "description": "Grants permission to read function url configuration for a Lambda function", + "privilege": "GetFunctionUrlConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "function*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "lambda:FunctionUrlAuthType", + "lambda:FunctionArn" ], "dependent_actions": [], "resource_type": "" @@ -112105,518 +126684,593 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a new relational database from a snapshot", - "privilege": "CreateRelationalDatabaseFromSnapshot", + "access_level": "Read", + "description": "Grants permission to view details about a version of an AWS Lambda layer. Note this action also supports GetLayerVersionByArn API", + "privilege": "GetLayerVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "layerVersion*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a relational database snapshot", - "privilege": "CreateRelationalDatabaseSnapshot", + "access_level": "Read", + "description": "Grants permission to view the resource-based policy for a version of an AWS Lambda layer", + "privilege": "GetLayerVersionPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "layerVersion*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an alarm", - "privilege": "DeleteAlarm", + "access_level": "Read", + "description": "Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias", + "privilege": "GetPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alarm*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an automatic snapshot of an instance or disk", - "privilege": "DeleteAutoSnapshot", + "access_level": "Read", + "description": "Grants permission to view the provisioned concurrency configuration for an AWS Lambda function's alias or version", + "privilege": "GetProvisionedConcurrencyConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk" + "resource_type": "function alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance" + "resource_type": "function version" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an Amazon Lightsail bucket", - "privilege": "DeleteBucket", + "description": "Grants permission to invoke a function asynchronously (Deprecated)", + "privilege": "InvokeAsync", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Bucket*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an access key for the specified Amazon Lightsail bucket", - "privilege": "DeleteBucketAccessKey", + "description": "Grants permission to invoke an AWS Lambda function", + "privilege": "InvokeFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Bucket*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an SSL/TLS certificate", - "privilege": "DeleteCertificate", + "description": "Grants permission to invoke an AWS Lambda function through url", + "privilege": "InvokeFunctionUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Certificate*" + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:FunctionUrlAuthType", + "lambda:FunctionArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a contact method", - "privilege": "DeleteContactMethod", + "access_level": "List", + "description": "Grants permission to retrieve a list of aliases for an AWS Lambda function", + "privilege": "ListAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContactMethod*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a container image that is registered to your Amazon Lightsail container service", - "privilege": "DeleteContainerImage", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda code signing configs", + "privilege": "ListCodeSigningConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContainerService*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete your Amazon Lightsail container service", - "privilege": "DeleteContainerService", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda event source mappings", + "privilege": "ListEventSourceMappings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContainerService*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a disk", - "privilege": "DeleteDisk", + "access_level": "List", + "description": "Grants permission to retrieve a list of configurations for asynchronous invocation for a function", + "privilege": "ListFunctionEventInvokeConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a disk snapshot", - "privilege": "DeleteDiskSnapshot", + "access_level": "List", + "description": "Grants permission to read function url configurations for a function", + "privilege": "ListFunctionUrlConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:FunctionUrlAuthType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete your Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "DeleteDistribution", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function", + "privilege": "ListFunctions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Distribution*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a domain resource and all of its DNS records", - "privilege": "DeleteDomain", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda functions by the code signing config assigned", + "privilege": "ListFunctionsByCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "code signing config*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a DNS record entry for a domain resource", - "privilege": "DeleteDomainEntry", + "access_level": "List", + "description": "Grants permission to retrieve a list of versions of an AWS Lambda layer", + "privilege": "ListLayerVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an instance", - "privilege": "DeleteInstance", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer", + "privilege": "ListLayers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an instance snapshot", - "privilege": "DeleteInstanceSnapshot", + "access_level": "List", + "description": "Grants permission to retrieve a list of provisioned concurrency configurations for an AWS Lambda function", + "privilege": "ListProvisionedConcurrencyConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "InstanceSnapshot*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a key pair used to authenticate and connect to an instance", - "privilege": "DeleteKeyPair", + "access_level": "Read", + "description": "Grants permission to retrieve a list of tags for an AWS Lambda function", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance", - "privilege": "DeleteKnownHostKeys", + "access_level": "List", + "description": "Grants permission to retrieve a list of versions for an AWS Lambda function", + "privilege": "ListVersionsByFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a load balancer", - "privilege": "DeleteLoadBalancer", + "description": "Grants permission to create an AWS Lambda layer", + "privilege": "PublishLayerVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "layer*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a load balancer TLS certificate", - "privilege": "DeleteLoadBalancerTlsCertificate", + "description": "Grants permission to create an AWS Lambda function version", + "privilege": "PublishVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a relational database", - "privilege": "DeleteRelationalDatabase", + "description": "Grants permission to attach a code signing config to an AWS Lambda function", + "privilege": "PutFunctionCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a relational database snapshot", - "privilege": "DeleteRelationalDatabaseSnapshot", - "resource_types": [ + "resource_type": "code signing config*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot*" + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:CodeSigningConfigArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to detach an SSL/TLS certificate from your Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "DetachCertificateFromDistribution", + "description": "Grants permission to configure reserved concurrency for an AWS Lambda function", + "privilege": "PutFunctionConcurrency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Distribution*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to detach a disk from an instance", - "privilege": "DetachDisk", + "description": "Grants permission to configures options for asynchronous invocation on an AWS Lambda function, version, or alias", + "privilege": "PutFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to detach one or more instances from a load balancer", - "privilege": "DetachInstancesFromLoadBalancer", + "description": "Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version", + "privilege": "PutProvisionedConcurrencyConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "function alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "function version" } ] }, { - "access_level": "Write", - "description": "Grants permission to detach a static IP from an instance to which it is attached", - "privilege": "DetachStaticIp", + "access_level": "Permissions management", + "description": "Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer", + "privilege": "RemoveLayerVersionPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "layerVersion*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable an add-on for an Amazon Lightsail resource", - "privilege": "DisableAddOn", + "access_level": "Permissions management", + "description": "Grants permission to revoke function-use permission from an AWS service or another account", + "privilege": "RemovePermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk" + "resource_type": "function*" }, { - "condition_keys": [], + "condition_keys": [ + "lambda:Principal", + "lambda:FunctionUrlAuthType" + ], "dependent_actions": [], - "resource_type": "Instance" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to download the default key pair used to authenticate and connect to instances in a specific AWS Region", - "privilege": "DownloadDefaultKeyPair", + "access_level": "Tagging", + "description": "Grants permission to add tags to an AWS Lambda function", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "function*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to enable or modify an add-on for an Amazon Lightsail resource", - "privilege": "EnableAddOn", + "access_level": "Tagging", + "description": "Grants permission to remove tags from an AWS Lambda function", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk" + "resource_type": "function*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "Instance" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to export an Amazon Lightsail snapshot to Amazon EC2", - "privilege": "ExportSnapshot", + "description": "Grants permission to update the configuration of an AWS Lambda function's alias", + "privilege": "UpdateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the names of all active (not deleted) resources", - "privilege": "GetActiveNames", + "access_level": "Write", + "description": "Grants permission to update an AWS Lambda code signing config", + "privilege": "UpdateCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "code signing config*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view information about the configured alarms", - "privilege": "GetAlarms", + "access_level": "Write", + "description": "Grants permission to update the configuration of an AWS Lambda event source mapping", + "privilege": "UpdateEventSourceMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "eventSourceMapping*" + }, + { + "condition_keys": [ + "lambda:FunctionArn" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the available automatic snapshots for an instance or disk", - "privilege": "GetAutoSnapshots", + "access_level": "Write", + "description": "Grants permission to update the code of an AWS Lambda function", + "privilege": "UpdateFunctionCode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. The software that runs on your instance depends on the blueprint you define when creating the instance", - "privilege": "GetBlueprints", + "access_level": "Write", + "description": "Grants permission to update the code signing config of an AWS Lambda function", + "privilege": "UpdateFunctionCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get the existing access key IDs for the specified Amazon Lightsail bucket", - "privilege": "GetBucketAccessKeys", - "resource_types": [ + "resource_type": "code signing config*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the bundles that can be applied to an Amazon Lightsail bucket", - "privilege": "GetBucketBundles", + "access_level": "Write", + "description": "Grants permission to modify the version-specific settings of an AWS Lambda function", + "privilege": "UpdateFunctionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:Layer", + "lambda:VpcIds", + "lambda:SubnetIds", + "lambda:SecurityGroupIds" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the data points of a specific metric for an Amazon Lightsail bucket", - "privilege": "GetBucketMetricData", + "access_level": "Write", + "description": "Grants permission to modify the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", + "privilege": "UpdateFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about one or more Amazon Lightsail buckets", - "privilege": "GetBuckets", + "access_level": "Write", + "description": "Grants permission to update a function url configuration for a Lambda function", + "privilege": "UpdateFunctionUrlConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:FunctionUrlAuthType", + "lambda:FunctionArn" + ], + "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:code-signing-config:${CodeSigningConfigId}", + "condition_keys": [], + "resource": "code signing config" }, { - "access_level": "Read", - "description": "Grants permission to get a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance", - "privilege": "GetBundles", + "arn": "arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}", + "condition_keys": [], + "resource": "eventSourceMapping" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "function" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "function alias" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "function version" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}", + "condition_keys": [], + "resource": "layer" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion}", + "condition_keys": [], + "resource": "layerVersion" + } + ], + "service_name": "AWS Lambda" + }, + { + "conditions": [], + "prefix": "launchwizard", + "privileges": [ + { + "access_level": "Write", + "description": "Delete an application", + "privilege": "DeleteApp", "resource_types": [ { "condition_keys": [], @@ -112627,8 +127281,8 @@ }, { "access_level": "Read", - "description": "Grants permission to view information about one or more Amazon Lightsail SSL/TLS certificates", - "privilege": "GetCertificates", + "description": "Describe provisioning applications", + "privilege": "DescribeProvisionedApp", "resource_types": [ { "condition_keys": [], @@ -112639,20 +127293,20 @@ }, { "access_level": "Read", - "description": "Grants permission to get information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots", - "privilege": "GetCloudFormationStackRecords", + "description": "Describe provisioning events", + "privilege": "DescribeProvisioningEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CloudFormationStackRecord*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view information about the configured contact methods", - "privilege": "GetContactMethods", + "description": "Get infrastructure suggestion", + "privilege": "GetInfrastructureSuggestion", "resource_types": [ { "condition_keys": [], @@ -112663,8 +127317,8 @@ }, { "access_level": "Read", - "description": "Grants permission to view information about Amazon Lightsail containers, such as the current version of the Lightsail Control (lightsailctl) plugin", - "privilege": "GetContainerAPIMetadata", + "description": "Get customer's ip address", + "privilege": "GetIpAddress", "resource_types": [ { "condition_keys": [], @@ -112675,8 +127329,8 @@ }, { "access_level": "Read", - "description": "Grants permission to view the container images that are registered to your Amazon Lightsail container service", - "privilege": "GetContainerImages", + "description": "Get resource cost estimate", + "privilege": "GetResourceCostEstimate", "resource_types": [ { "condition_keys": [], @@ -112686,9 +127340,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to view the log events of a container of your Amazon Lightsail container service", - "privilege": "GetContainerLog", + "access_level": "List", + "description": "List provisioning applications", + "privilege": "ListProvisionedApps", "resource_types": [ { "condition_keys": [], @@ -112698,9 +127352,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to view the deployments for your Amazon Lightsail container service", - "privilege": "GetContainerServiceDeployments", + "access_level": "Write", + "description": "Start a provisioning", + "privilege": "StartProvisioning", "resource_types": [ { "condition_keys": [], @@ -112708,347 +127362,396 @@ "resource_type": "" } ] + } + ], + "resources": [], + "service_name": "Launch Wizard" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags in the request", + "type": "String" }, { - "access_level": "Read", - "description": "Grants permission to view the data points of a specific metric of your Amazon Lightsail container service", - "privilege": "GetContainerServiceMetricData", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to a Lex resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the set of tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "lex:associatedIntents", + "description": "Enables you to control access based on the intents included in the request", + "type": "String" + }, + { + "condition": "lex:associatedSlotTypes", + "description": "Enables you to control access based on the slot types included in the request", + "type": "String" + }, + { + "condition": "lex:channelType", + "description": "Enables you to control access based on the channel type included in the request", + "type": "String" + } + ], + "prefix": "lex", + "privileges": [ + { + "access_level": "Write", + "description": "Creates a new version based on the $LATEST version of the specified bot", + "privilege": "CreateBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the list of powers that can be specified for your Amazon Lightsail container services", - "privilege": "GetContainerServicePowers", + "access_level": "Write", + "description": "Creates a new version based on the $LATEST version of the specified intent", + "privilege": "CreateIntentVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "intent version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view information about one or more of your Amazon Lightsail container services", - "privilege": "GetContainerServices", + "access_level": "Write", + "description": "Creates a new version based on the $LATEST version of the specified slot type", + "privilege": "CreateSlotTypeVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "slottype version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a disk", - "privilege": "GetDisk", + "access_level": "Write", + "description": "Deletes all versions of a bot", + "privilege": "DeleteBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "bot version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a disk snapshot", - "privilege": "GetDiskSnapshot", + "access_level": "Write", + "description": "Deletes an alias for a specific bot", + "privilege": "DeleteBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "bot alias*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about all disk snapshots", - "privilege": "GetDiskSnapshots", + "access_level": "Write", + "description": "Deletes the association between a Amazon Lex bot alias and a messaging platform", + "privilege": "DeleteBotChannelAssociation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about all disks", - "privilege": "GetDisks", + "access_level": "Write", + "description": "Deletes a specific version of a bot", + "privilege": "DeleteBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the list of bundles that can be applied to you Amazon Lightsail content delivery network (CDN) distributions", - "privilege": "GetDistributionBundles", + "access_level": "Write", + "description": "Deletes all versions of an intent", + "privilege": "DeleteIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "intent version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the timestamp and status of the last cache reset of a specific Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "GetDistributionLatestCacheReset", + "access_level": "Write", + "description": "Deletes a specific version of an intent", + "privilege": "DeleteIntentVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "intent version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the data points of a specific metric for an Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "GetDistributionMetricData", + "access_level": "Write", + "description": "Removes session information for a specified bot, alias, and user ID", + "privilege": "DeleteSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot version" } ] }, { - "access_level": "Read", - "description": "Grants permission to view information about one or more of your Amazon Lightsail content delivery network (CDN) distributions", - "privilege": "GetDistributions", + "access_level": "Write", + "description": "Deletes all versions of a slot type", + "privilege": "DeleteSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "slottype version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get DNS records for a domain resource", - "privilege": "GetDomain", + "access_level": "Write", + "description": "Deletes a specific version of a slot type", + "privilege": "DeleteSlotTypeVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "slottype version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get DNS records for all domain resources", - "privilege": "GetDomains", + "access_level": "Write", + "description": "Deletes the information Amazon Lex maintains for utterances on a specific bot and userId", + "privilege": "DeleteUtterances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "bot version*" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about all records of exported Amazon Lightsail snapshots to Amazon EC2", - "privilege": "GetExportSnapshotRecords", + "description": "Returns information for a specific bot. In addition to the bot name, the bot version or alias is required", + "privilege": "GetBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ExportSnapshotRecord*" + "resource_type": "bot alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot version" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about an instance", - "privilege": "GetInstance", + "description": "Returns information about a Amazon Lex bot alias", + "privilege": "GetBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "bot alias*" } ] }, { - "access_level": "Write", - "description": "Grants permission to get temporary keys you can use to authenticate and connect to an instance", - "privilege": "GetInstanceAccessDetails", + "access_level": "List", + "description": "Returns a list of aliases for a given Amazon Lex bot", + "privilege": "GetBotAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get the data points for the specified metric of an instance", - "privilege": "GetInstanceMetricData", + "description": "Returns information about the association between a Amazon Lex bot and a messaging platform", + "privilege": "GetBotChannelAssociation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the port states of an instance", - "privilege": "GetInstancePortStates", + "access_level": "List", + "description": "Returns a list of all of the channels associated with a single bot", + "privilege": "GetBotChannelAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about an instance snapshot", - "privilege": "GetInstanceSnapshot", + "access_level": "List", + "description": "Returns information for all versions of a specific bot", + "privilege": "GetBotVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "InstanceSnapshot*" + "resource_type": "bot version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about all instance snapshots", - "privilege": "GetInstanceSnapshots", + "access_level": "List", + "description": "Returns information for the $LATEST version of all bots, subject to filters provided by the client", + "privilege": "GetBots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "InstanceSnapshot*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get the state of an instance", - "privilege": "GetInstanceState", + "description": "Returns information about a built-in intent", + "privilege": "GetBuiltinIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about all instances", - "privilege": "GetInstances", + "description": "Gets a list of built-in intents that meet the specified criteria", + "privilege": "GetBuiltinIntents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about a key pair", - "privilege": "GetKeyPair", + "description": "Gets a list of built-in slot types that meet the specified criteria", + "privilege": "GetBuiltinSlotTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about all key pairs", - "privilege": "GetKeyPairs", + "description": "Exports Amazon Lex Resource in a requested format", + "privilege": "GetExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "bot version*" } ] }, { "access_level": "Read", - "description": "Grants permision to get information about a load balancer", - "privilege": "GetLoadBalancer", + "description": "Gets information about an import job started with StartImport", + "privilege": "GetImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get the data points for the specified metric of a load balancer", - "privilege": "GetLoadBalancerMetricData", + "description": "Returns information for a specific intent. In addition to the intent name, you must also specify the intent version", + "privilege": "GetIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "intent version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a load balancer's TLS certificates", - "privilege": "GetLoadBalancerTlsCertificates", + "access_level": "List", + "description": "Returns information for all versions of a specific intent", + "privilege": "GetIntentVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "intent version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about load balancers", - "privilege": "GetLoadBalancers", + "access_level": "List", + "description": "Returns information for the $LATEST version of all intents, subject to filters provided by the client", + "privilege": "GetIntents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on", - "privilege": "GetOperation", + "description": "Grants permission to view an ongoing or completed migration", + "privilege": "GetMigration", "resource_types": [ { "condition_keys": [], @@ -113058,9 +127761,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on", - "privilege": "GetOperations", + "access_level": "List", + "description": "Grants permission to view list of migrations from Amazon Lex v1 to Amazon Lex v2", + "privilege": "GetMigrations", "resource_types": [ { "condition_keys": [], @@ -113071,64 +127774,49 @@ }, { "access_level": "Read", - "description": "Grants permission to get operations for a resource", - "privilege": "GetOperationsForResource", + "description": "Returns session information for a specified bot, alias, and user ID", + "privilege": "GetSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "KeyPair" + "resource_type": "bot alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp" + "resource_type": "bot version" } ] }, { "access_level": "Read", - "description": "Grants permission to get a list of all valid AWS Regions for Amazon Lightsail", - "privilege": "GetRegions", + "description": "Returns information about a specific version of a slot type. In addition to specifying the slot type name, you must also specify the slot type version", + "privilege": "GetSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "slottype version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a relational database", - "privilege": "GetRelationalDatabase", + "access_level": "List", + "description": "Returns information for all versions of a specific slot type", + "privilege": "GetSlotTypeVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "slottype version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a list of relational database images, or blueprints. You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database", - "privilege": "GetRelationalDatabaseBlueprints", + "access_level": "List", + "description": "Returns information for the $LATEST version of all slot types, subject to filters provided by the client", + "privilege": "GetSlotTypes", "resource_types": [ { "condition_keys": [], @@ -113138,189 +127826,158 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database", - "privilege": "GetRelationalDatabaseBundles", + "access_level": "List", + "description": "Returns a view of aggregate utterance data for versions of a bot for a recent time period", + "privilege": "GetUtterancesView", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version*" } ] }, { "access_level": "Read", - "description": "Grants permission to get events for a relational database", - "privilege": "GetRelationalDatabaseEvents", + "description": "Lists tags for a Lex resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get events for the specified log stream of a relational database", - "privilege": "GetRelationalDatabaseLogEvents", - "resource_types": [ + "resource_type": "bot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get the log streams available for a relational database", - "privilege": "GetRelationalDatabaseLogStreams", - "resource_types": [ + "resource_type": "bot alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel" } ] }, { "access_level": "Write", - "description": "Grants permission to get the master user password of a relational database", - "privilege": "GetRelationalDatabaseMasterUserPassword", + "description": "Sends user input (text or speech) to Amazon Lex", + "privilege": "PostContent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get the data points for the specified metric of a relational database", - "privilege": "GetRelationalDatabaseMetricData", - "resource_types": [ + "resource_type": "bot alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the parameters of a relational database", - "privilege": "GetRelationalDatabaseParameters", + "access_level": "Write", + "description": "Sends user input (text-only) to Amazon Lex", + "privilege": "PostText", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get information about a relational database snapshot", - "privilege": "GetRelationalDatabaseSnapshot", - "resource_types": [ + "resource_type": "bot alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "bot version" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about all relational database snapshots", - "privilege": "GetRelationalDatabaseSnapshots", + "access_level": "Write", + "description": "Creates or updates the $LATEST version of a Amazon Lex conversational bot", + "privilege": "PutBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get information about all relational databases", - "privilege": "GetRelationalDatabases", - "resource_types": [ + "resource_type": "bot version*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a static IP", - "privilege": "GetStaticIp", + "access_level": "Write", + "description": "Creates or updates an alias for the specific bot", + "privilege": "PutBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "bot alias*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about all static IPs", - "privilege": "GetStaticIps", + "access_level": "Write", + "description": "Creates or updates the $LATEST version of an intent", + "privilege": "PutIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "intent version*" } ] }, { "access_level": "Write", - "description": "Grants permission to import a public key from a key pair", - "privilege": "ImportKeyPair", + "description": "Creates a new session or modifies an existing session with an Amazon Lex bot", + "privilege": "PutSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered", - "privilege": "IsVpcPeered", - "resource_types": [ + "resource_type": "bot alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version" } ] }, { "access_level": "Write", - "description": "Grants permission to add, or open a public port of an instance", - "privilege": "OpenInstancePublicPorts", + "description": "Creates or updates the $LATEST version of a slot type", + "privilege": "PutSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "slottype version*" } ] }, { "access_level": "Write", - "description": "Grants permission to try to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC", - "privilege": "PeerVpc", + "description": "Starts a job to import a resource to Amazon Lex", + "privilege": "StartImport", "resource_types": [ { "condition_keys": [], @@ -113331,957 +127988,782 @@ }, { "access_level": "Write", - "description": "Grants permission to creates or update an alarm, and associate it with the specified metric", - "privilege": "PutAlarm", + "description": "Grants permission to migrate a bot from Amazon Lex v1 to Amazon Lex v2", + "privilege": "StartMigration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alarm*" + "resource_type": "bot version*" } ] }, { - "access_level": "Write", - "description": "Grants permission to set the specified open ports for an instance, and closes all ports for every protocol not included in the request", - "privilege": "PutInstancePublicPorts", + "access_level": "Tagging", + "description": "Adds or overwrites tags to a Lex resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to reboot an instance that is in a running state", - "privilege": "RebootInstance", - "resource_types": [ + "resource_type": "bot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to reboot a relational database that is in a running state", - "privilege": "RebootRelationalDatabase", - "resource_types": [ + "resource_type": "bot alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "channel" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to register a container image to your Amazon Lightsail container service", - "privilege": "RegisterContainerImage", + "access_level": "Tagging", + "description": "Removes tags from a Lex resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContainerService*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a static IP", - "privilege": "ReleaseStaticIp", - "resource_types": [ + "resource_type": "bot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete currently cached content from your Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "ResetDistributionCache", - "resource_types": [ + "resource_type": "bot alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Distribution*" + "resource_type": "channel" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bot" + }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bot version" + }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotAlias}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bot alias" + }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot-channel:${BotName}:${BotAlias}:${ChannelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channel" }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:intent:${IntentName}:${IntentVersion}", + "condition_keys": [], + "resource": "intent version" + }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:slottype:${SlotName}:${SlotVersion}", + "condition_keys": [], + "resource": "slottype version" + } + ], + "service_name": "Amazon Lex" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to a Lex resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the set of tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "lex", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to send a verification request to an email contact method to ensure it's owned by the requester", - "privilege": "SendContactMethodVerification", + "description": "Grants permission to build an existing bot locale in a bot", + "privilege": "BuildBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContactMethod*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to set the IP address type for a Amazon Lightsail resource", - "privilege": "SetIpAddressType", + "description": "Grants permission to create a new bot and a test bot alias pointing to the DRAFT bot version", + "privilege": "CreateBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Distribution" + "resource_type": "bot*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance" + "resource_type": "bot alias*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "LoadBalancer" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to set the Amazon Lightsail resources that can access the specified Amazon Lightsail bucket", - "privilege": "SetResourceAccessForBucket", + "description": "Grants permission to create a new bot alias in a bot", + "privilege": "CreateBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Bucket*" + "resource_type": "bot alias*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to start an instance that is in a stopped state", - "privilege": "StartInstance", + "description": "Grants permission to create a bot channel in an existing bot", + "privilege": "CreateBotChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to start a relational database that is in a stopped state", - "privilege": "StartRelationalDatabase", + "description": "Grants permission to create a new bot locale in an existing bot", + "privilege": "CreateBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop an instance that is in a running state", - "privilege": "StopInstance", + "description": "Grants permission to create a new version of an existing bot", + "privilege": "CreateBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a relational database that is in a running state", - "privilege": "StopRelationalDatabase", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabase*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", + "description": "Grants permission to create a new custom vocabulary in an existing bot locale", + "privilege": "CreateCustomVocabulary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DiskSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Domain" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "KeyPair" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "LoadBalancer" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabase" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StaticIp" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to test an alarm by displaying a banner on the Amazon Lightsail console or if a notification trigger is configured for the specified alarm, by sending a notification to the notification protocol", - "privilege": "TestAlarm", + "description": "Grants permission to create an export for an existing resource", + "privilege": "CreateExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alarm*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to try to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC", - "privilege": "UnpeerVpc", + "description": "Grants permission to create a new intent in an existing bot locale", + "privilege": "CreateIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a new resource policy for a Lex resource", + "privilege": "CreateResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DiskSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Domain" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "KeyPair" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "LoadBalancer" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabase" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot" + "resource_type": "bot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing Amazon Lightsail bucket", - "privilege": "UpdateBucket", + "description": "Grants permission to create a new slot in an intent", + "privilege": "CreateSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Bucket*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the bundle, or storage plan, of an existing Amazon Lightsail bucket", - "privilege": "UpdateBucketBundle", + "description": "Grants permission to create a new slot type in an existing bot locale", + "privilege": "CreateSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Bucket*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the configuration of your Amazon Lightsail container service, such as its power, scale, and public domain names", - "privilege": "UpdateContainerService", + "description": "Grants permission to create an upload url for import file", + "privilege": "CreateUploadUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ContainerService*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing Amazon Lightsail content delivery network (CDN) distribution or its configuration", - "privilege": "UpdateDistribution", + "description": "Grants permission to delete an existing bot", + "privilege": "DeleteBot", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "lex:DeleteBotAlias", + "lex:DeleteBotChannel", + "lex:DeleteBotLocale", + "lex:DeleteBotVersion", + "lex:DeleteIntent", + "lex:DeleteSlot", + "lex:DeleteSlotType" + ], + "resource_type": "bot*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Distribution*" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the bundle of your Amazon Lightsail content delivery network (CDN) distribution", - "privilege": "UpdateDistributionBundle", + "description": "Grants permission to delete an existing bot alias in a bot", + "privilege": "DeleteBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Distribution*" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a domain recordset after it is created", - "privilege": "UpdateDomainEntry", + "description": "Grants permission to delete an existing bot channel", + "privilege": "DeleteBotChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a load balancer attribute, such as the health check path and session stickiness", - "privilege": "UpdateLoadBalancerAttribute", + "description": "Grants permission to delete an existing bot locale in a bot", + "privilege": "DeleteBotLocale", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "LoadBalancer*" + "dependent_actions": [ + "lex:DeleteIntent", + "lex:DeleteSlot", + "lex:DeleteSlotType" + ], + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a relational database", - "privilege": "UpdateRelationalDatabase", + "description": "Grants permission to delete an existing bot version", + "privilege": "DeleteBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the parameters of a relational database", - "privilege": "UpdateRelationalDatabaseParameters", + "description": "Grants permission to delete an existing custom vocabulary in a bot locale", + "privilege": "DeleteCustomVocabulary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Domain" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Instance" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "InstanceSnapshot" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "KeyPair" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "StaticIp" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Disk" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "DiskSnapshot" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "LoadBalancer" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}", - "condition_keys": [], - "resource": "LoadBalancerTlsCertificate" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}", - "condition_keys": [], - "resource": "ExportSnapshotRecord" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}", - "condition_keys": [], - "resource": "CloudFormationStackRecord" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "RelationalDatabase" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "RelationalDatabaseSnapshot" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Alarm/${Id}", - "condition_keys": [], - "resource": "Alarm" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Certificate/${Id}", - "condition_keys": [], - "resource": "Certificate" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ContactMethod/${Id}", - "condition_keys": [], - "resource": "ContactMethod" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ContainerService/${Id}", - "condition_keys": [], - "resource": "ContainerService" }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Distribution/${Id}", - "condition_keys": [], - "resource": "Distribution" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Bucket/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Bucket" - } - ], - "service_name": "Amazon Lightsail" - }, - { - "conditions": [ - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on the tags associated with the resource", - "type": "String" - } - ], - "prefix": "logs", - "privileges": [ { "access_level": "Write", - "description": "Grants permissions to associate the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group", - "privilege": "AssociateKmsKey", + "description": "Grants permission to delete an existing export", + "privilege": "DeleteExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permissions to cancel an export task if it is in PENDING or RUNNING state", - "privilege": "CancelExportTask", + "description": "Grants permission to delete an existing import", + "privilege": "DeleteImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permissions to create an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket", - "privilege": "CreateExportTask", + "description": "Grants permission to delete an existing intent in a bot locale", + "privilege": "DeleteIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permissions to create the log delivery", - "privilege": "CreateLogDelivery", + "description": "Grants permission to delete an existing resource policy for a Lex resource", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permissions to create a new log group with the specified name", - "privilege": "CreateLogGroup", - "resource_types": [ + "resource_type": "bot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot alias" } ] }, { "access_level": "Write", - "description": "Grants permissions to create a new log stream with the specified name", - "privilege": "CreateLogStream", + "description": "Grants permission to delete session information for a bot alias and user ID", + "privilege": "DeleteSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete the destination with the specified name", - "privilege": "DeleteDestination", + "description": "Grants permission to delete an existing slot in an intent", + "privilege": "DeleteSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete the log delivery information for specified log delivery", - "privilege": "DeleteLogDelivery", + "description": "Grants permission to delete an existing slot type in a bot locale", + "privilege": "DeleteSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete the log group with the specified name", - "privilege": "DeleteLogGroup", + "description": "Grants permission to delete utterance data for a bot", + "privilege": "DeleteUtterances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a log stream", - "privilege": "DeleteLogStream", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot", + "privilege": "DescribeBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-stream*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a metric filter associated with the specified log group", - "privilege": "DeleteMetricFilter", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot alias", + "privilege": "DescribeBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot alias*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a saved CloudWatch Logs Insights query definition", - "privilege": "DeleteQueryDefinition", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot channel", + "privilege": "DescribeBotChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permissions to delete a resource policy from this account", - "privilege": "DeleteResourcePolicy", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot locale", + "privilege": "DescribeBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete the retention policy of the specified log group", - "privilege": "DeleteRetentionPolicy", + "access_level": "Read", + "description": "Grants permission to retrieve metadata information about a bot recommendation", + "privilege": "DescribeBotRecommendation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a subscription filter associated with the specified log group", - "privilege": "DeleteSubscriptionFilter", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot version", + "privilege": "DescribeBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permissions to return all the destinations that are associated with the AWS account making the request", - "privilege": "DescribeDestinations", + "access_level": "Read", + "description": "Grants permission to retrieve an existing custom vocabulary", + "privilege": "DescribeCustomVocabulary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permissions to return all the export tasks that are associated with the AWS account making the request", - "privilege": "DescribeExportTasks", + "access_level": "Read", + "description": "Grants permission to retrieve metadata of an existing custom vocabulary", + "privilege": "DescribeCustomVocabularyMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permissions to return all the log groups that are associated with the AWS account making the request", - "privilege": "DescribeLogGroups", + "access_level": "Read", + "description": "Grants permission to retrieve an existing export", + "privilege": "DescribeExport", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "log-group*" + "dependent_actions": [ + "lex:DescribeBot", + "lex:DescribeBotLocale", + "lex:DescribeIntent", + "lex:DescribeSlot", + "lex:DescribeSlotType", + "lex:ListBotLocales", + "lex:ListIntents", + "lex:ListSlotTypes", + "lex:ListSlots" + ], + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permissions to return all the log streams that are associated with the specified log group", - "privilege": "DescribeLogStreams", + "access_level": "Read", + "description": "Grants permission to retrieve an existing import", + "privilege": "DescribeImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permissions to return all the metrics filters associated with the specified log group", - "privilege": "DescribeMetricFilters", + "access_level": "Read", + "description": "Grants permission to retrieve an existing intent", + "privilege": "DescribeIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permissions to return a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account", - "privilege": "DescribeQueries", + "access_level": "Read", + "description": "Grants permission to retrieve an existing resource policy for a Lex resource", + "privilege": "DescribeResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permissions to return a paginated list of your saved CloudWatch Logs Insights query definitions", - "privilege": "DescribeQueryDefinitions", - "resource_types": [ + "resource_type": "bot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias" } ] }, { - "access_level": "List", - "description": "Grants permissions to return all the resource policies in this account", - "privilege": "DescribeResourcePolicies", + "access_level": "Read", + "description": "Grants permission to retrieve an existing slot", + "privilege": "DescribeSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permissions to return all the subscription filters associated with the specified log group", - "privilege": "DescribeSubscriptionFilters", + "access_level": "Read", + "description": "Grants permission to retrieve an existing slot type", + "privilege": "DescribeSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to disassociate the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group", - "privilege": "DisassociateKmsKey", + "access_level": "Read", + "description": "Grants permission to retrieve session information for a bot alias and user ID", + "privilege": "GetSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot alias*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve log events, optionally filtered by a filter pattern from the specified log group", - "privilege": "FilterLogEvents", + "access_level": "List", + "description": "Grants permission to list utterances and statistics for a bot", + "privilege": "ListAggregatedUtterances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to get the log delivery information for specified log delivery", - "privilege": "GetLogDelivery", + "access_level": "List", + "description": "Grants permission to list bot aliases in an bot", + "privilege": "ListBotAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve log events from the specified log stream", - "privilege": "GetLogEvents", + "access_level": "List", + "description": "Grants permission to list bot channels", + "privilege": "ListBotChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-stream*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to return a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field", - "privilege": "GetLogGroupFields", + "access_level": "List", + "description": "Grants permission to list bot locales in a bot", + "privilege": "ListBotLocales", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve all the fields and values of a single log event", - "privilege": "GetLogRecord", + "access_level": "List", + "description": "Grants permission to get a list of bot recommendations that meet the specified criteria", + "privilege": "ListBotRecommendations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to return the results from the specified query", - "privilege": "GetQueryResults", + "access_level": "List", + "description": "Grants permission to list existing bot versions", + "privilege": "ListBotVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "List", - "description": "Grants permissions to list all the log deliveries for specified account and/or log source", - "privilege": "ListLogDeliveries", + "description": "Grants permission to list existing bots", + "privilege": "ListBots", "resource_types": [ { "condition_keys": [], @@ -114292,34 +128774,32 @@ }, { "access_level": "List", - "description": "Grants permissions to list the tags for the specified log group", - "privilege": "ListTagsLogGroup", + "description": "Grants permission to list built-in intents", + "privilege": "ListBuiltInIntents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create or update a Destination", - "privilege": "PutDestination", + "access_level": "List", + "description": "Grants permission to list built-in slot types", + "privilege": "ListBuiltInSlotTypes", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create or update an access policy associated with an existing Destination", - "privilege": "PutDestinationPolicy", + "access_level": "List", + "description": "Grants permission to list existing exports", + "privilege": "ListExports", "resource_types": [ { "condition_keys": [], @@ -114329,212 +128809,188 @@ ] }, { - "access_level": "Write", - "description": "Grants permissions to upload a batch of log events to the specified log stream", - "privilege": "PutLogEvents", + "access_level": "List", + "description": "Grants permission to list existing imports", + "privilege": "ListImports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-stream*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create or update a metric filter and associates it with the specified log group", - "privilege": "PutMetricFilter", + "access_level": "List", + "description": "Grants permission to list intents in a bot", + "privilege": "ListIntents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create or update a query definition", - "privilege": "PutQueryDefinition", + "access_level": "List", + "description": "Grants permission to get a list of recommended intents provided by the bot recommendation", + "privilege": "ListRecommendedIntents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permissions to create or update a resource policy allowing other AWS services to put log events to this account", - "privilege": "PutResourcePolicy", + "access_level": "List", + "description": "Grants permission to list slot types in a bot", + "privilege": "ListSlotTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to set the retention of the specified log group", - "privilege": "PutRetentionPolicy", + "access_level": "List", + "description": "Grants permission to list slots in an intent", + "privilege": "ListSlots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create or update a subscription filter and associates it with the specified log group", - "privilege": "PutSubscriptionFilter", + "access_level": "Read", + "description": "Grants permission to lists tags for a Lex resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "log-group*" + "dependent_actions": [], + "resource_type": "bot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "destination" + "resource_type": "bot alias" } ] }, { - "access_level": "Read", - "description": "Grants permissions to schedules a query of a log group using CloudWatch Logs Insights", - "privilege": "StartQuery", + "access_level": "Write", + "description": "Grants permission to create a new session or modify an existing session for a bot alias and user ID", + "privilege": "PutSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot alias*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to stop a CloudWatch Logs Insights query that is in progress", - "privilege": "StopQuery", + "access_level": "Write", + "description": "Grants permission to send user input (text-only) to an bot alias", + "privilege": "RecognizeText", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] }, { - "access_level": "Tagging", - "description": "Grants permissions to add or update the specified tags for the specified log group", - "privilege": "TagLogGroup", + "access_level": "Write", + "description": "Grants permission to send user input (text or speech) to an bot alias", + "privilege": "RecognizeUtterance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot alias*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to test the filter pattern of a metric filter against a sample of log event messages", - "privilege": "TestMetricFilter", + "access_level": "List", + "description": "Grants permission to search for associated transcripts that meet the specified criteria", + "privilege": "SearchAssociatedTranscripts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Tagging", - "description": "Grants permissions to remove the specified tags from the specified log group", - "privilege": "UntagLogGroup", + "access_level": "Write", + "description": "Grants permission to start a bot recommendation for an existing bot locale", + "privilege": "StartBotRecommendation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permissions to update the log delivery information for specified log delivery", - "privilege": "UpdateLogDelivery", + "description": "Grants permission to stream user input (speech/text/DTMF) to a bot alias", + "privilege": "StartConversation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "log-group" - }, - { - "arn": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}", - "condition_keys": [], - "resource": "log-stream" - }, - { - "arn": "arn:${Partition}:logs:${Region}:${Account}:destination:${DestinationName}", - "condition_keys": [], - "resource": "destination" - } - ], - "service_name": "Amazon CloudWatch Logs" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "lookoutequipment", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a dataset", - "privilege": "CreateDataset", + "description": "Grants permission to start a new import with the uploaded import file", + "privilege": "StartImport", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "lex:CreateBot", + "lex:CreateBotLocale", + "lex:CreateIntent", + "lex:CreateSlot", + "lex:CreateSlotType", + "lex:DeleteBotLocale", + "lex:DeleteIntent", + "lex:DeleteSlot", + "lex:DeleteSlotType", + "lex:UpdateBot", + "lex:UpdateBotLocale", + "lex:UpdateIntent", + "lex:UpdateSlot", + "lex:UpdateSlotType" + ], + "resource_type": "bot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "bot alias" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -114543,23 +128999,35 @@ }, { "access_level": "Write", - "description": "Grants permission to create an inference scheduler for a trained model", - "privilege": "CreateInferenceScheduler", + "description": "Grants permission to stop a bot recommendation for an existing bot locale", + "privilege": "StopBotRecommendation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "inference-scheduler*" + "resource_type": "bot*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add or overwrite tags of a Lex resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "bot alias" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -114567,24 +129035,24 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a model that is trained on a dataset", - "privilege": "CreateModel", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a Lex resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "bot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "bot alias" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -114593,140 +129061,184 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataset", + "description": "Grants permission to update an existing bot", + "privilege": "UpdateBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an inference scheduler", - "privilege": "DeleteInferenceScheduler", + "description": "Grants permission to update an existing bot alias", + "privilege": "UpdateBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "inference-scheduler*" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a model", - "privilege": "DeleteModel", + "description": "Grants permission to update an existing bot locale", + "privilege": "UpdateBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a data ingestion job", - "privilege": "DescribeDataIngestionJob", + "access_level": "Write", + "description": "Grants permission to update an existing bot recommendation request", + "privilege": "UpdateBotRecommendation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a dataset", - "privilege": "DescribeDataset", + "access_level": "Write", + "description": "Grants permission to update an existing custom vocabulary", + "privilege": "UpdateCustomVocabulary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an inference scheduler", - "privilege": "DescribeInferenceScheduler", + "access_level": "Write", + "description": "Grants permission to update an existing export", + "privilege": "UpdateExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "inference-scheduler*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a model", - "privilege": "DescribeModel", + "access_level": "Write", + "description": "Grants permission to update an existing intent", + "privilege": "UpdateIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the data ingestion jobs in your account or for a particular dataset", - "privilege": "ListDataIngestionJobs", + "access_level": "Write", + "description": "Grants permission to update an existing resource policy for a Lex resource", + "privilege": "UpdateResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" } ] }, { - "access_level": "List", - "description": "Grants permission to list the datasets in your account", - "privilege": "ListDatasets", + "access_level": "Write", + "description": "Grants permission to update an existing slot", + "privilege": "UpdateSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list the inference executions for an inference scheduler", - "privilege": "ListInferenceExecutions", + "access_level": "Write", + "description": "Grants permission to update an existing slot type", + "privilege": "UpdateSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "inference-scheduler*" + "resource_type": "bot*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot/${BotId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bot" }, { - "access_level": "List", - "description": "Grants permission to list the inference schedulers in your account", - "privilege": "ListInferenceSchedulers", + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot-alias/${BotId}/${BotAliasId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bot alias" + } + ], + "service_name": "Amazon Lex V2" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by tag keys that are passed in the request", + "type": "ArrayOfString" + }, + { + "condition": "license-manager:ResourceTag/${TagKey}", + "description": "Filters access by the tag key-value pairs attached to the resource", + "type": "String" + } + ], + "prefix": "license-manager", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept a grant", + "privilege": "AcceptGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "grant*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the models in your account", - "privilege": "ListModels", + "access_level": "Write", + "description": "Grants permission to check in license entitlements back to pool", + "privilege": "CheckInLicense", "resource_types": [ { "condition_keys": [], @@ -114736,115 +129248,73 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list the tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to check out license entitlements for borrow use case", + "privilege": "CheckoutBorrowLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "inference-scheduler" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Grants permission to start a data ingestion job for a dataset", - "privilege": "StartDataIngestionJob", + "description": "Grants permission to check out license entitlements", + "privilege": "CheckoutLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to start an inference scheduler", - "privilege": "StartInferenceScheduler", + "description": "Grants permission to create a new grant for license", + "privilege": "CreateGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "inference-scheduler*" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop an inference scheduler", - "privilege": "StopInferenceScheduler", + "description": "Grants permission to create new version of grant", + "privilege": "CreateGrantVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "inference-scheduler*" + "resource_type": "grant*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to create a new license", + "privilege": "CreateLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "inference-scheduler" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a new license configuration", + "privilege": "CreateLicenseConfiguration", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "inference-scheduler" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model" - }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -114854,292 +129324,215 @@ }, { "access_level": "Write", - "description": "Grants permission to update an inference scheduler", - "privilege": "UpdateInferenceScheduler", + "description": "Grants permission to create a license conversion task for a resource", + "privilege": "CreateLicenseConversionTaskForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "inference-scheduler*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:lookoutequipment:${Region}:${AccountId}:dataset/${DatasetName}/${DatasetId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dataset" - }, - { - "arn": "arn:${Partition}:lookoutequipment:${Region}:${Account}:model/${ModelName}/${ModelId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "model" - }, - { - "arn": "arn:${Partition}:lookoutequipment:${Region}:${Account}:inference-scheduler/${InferenceSchedulerName}/${InferenceSchedulerId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "inference-scheduler" - } - ], - "service_name": "Amazon Lookout for Equipment" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "lookoutmetrics", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to activate an anomaly detector", - "privilege": "ActivateAnomalyDetector", + "description": "Grants permission to create a report generator for a license configuration", + "privilege": "CreateLicenseManagerReportGenerator", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to run a backtest with an anomaly detector", - "privilege": "BackTestAnomalyDetector", + "description": "Grants permission to create new version of license", + "privilege": "CreateLicenseVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an alert for an anomaly detector", - "privilege": "CreateAlert", + "description": "Grants permission to create a new token for license", + "privilege": "CreateToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alert*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "AnomalyDetector*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an anomaly detector", - "privilege": "CreateAnomalyDetector", + "description": "Grants permission to delete a grant", + "privilege": "DeleteGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "grant*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset", - "privilege": "CreateMetricSet", + "description": "Grants permission to delete a license", + "privilege": "DeleteLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "MetricSet*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an alert", - "privilege": "DeleteAlert", + "description": "Grants permission to permanently delete a license configuration", + "privilege": "DeleteLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alert*" + "resource_type": "license-configuration*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an anomaly detector", - "privilege": "DeleteAnomalyDetector", + "description": "Grants permission to delete a report generator", + "privilege": "DeleteLicenseManagerReportGenerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "report-generator*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get details about an alert", - "privilege": "DescribeAlert", + "access_level": "Write", + "description": "Grants permission to delete token", + "privilege": "DeleteToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alert*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about an anomaly detection job", - "privilege": "DescribeAnomalyDetectionExecutions", + "access_level": "Write", + "description": "Grants permission to extend consumption period of already checkout license entitlements", + "privilege": "ExtendLicenseConsumption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get details about an anomaly detector", - "privilege": "DescribeAnomalyDetector", + "description": "Grants permission to get access token", + "privilege": "GetAccessToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get details about a dataset", - "privilege": "DescribeMetricSet", + "description": "Grants permission to get a grant", + "privilege": "GetGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "MetricSet*" + "resource_type": "grant*" } ] }, { "access_level": "Read", - "description": "Grants permission to get details about a group of affected metrics", - "privilege": "GetAnomalyGroup", + "description": "Grants permission to get a license", + "privilege": "GetLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "license*" } ] }, { "access_level": "Read", - "description": "Grants permission to get data quality metrics for an anomaly detector", - "privilege": "GetDataQualityMetrics", + "description": "Grants permission to get a license configuration", + "privilege": "GetLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "license-configuration*" } ] }, { "access_level": "Read", - "description": "Grants permission to get feedback on affected metrics for an anomaly group", - "privilege": "GetFeedback", + "description": "Grants permission to retrieve a license conversion task", + "privilege": "GetLicenseConversionTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a selection of sample records from an Amazon S3 datasource", - "privilege": "GetSampleData", + "description": "Grants permission to get a report generator", + "privilege": "GetLicenseManagerReportGenerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "report-generator*" } ] }, { - "access_level": "List", - "description": "Grants permission to get a list of alerts for a detector", - "privilege": "ListAlerts", + "access_level": "Read", + "description": "Grants permission to get a license usage", + "privilege": "GetLicenseUsage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector" + "resource_type": "license*" } ] }, { "access_level": "List", - "description": "Grants permission to get a list of anomaly detectors", - "privilege": "ListAnomalyDetectors", + "description": "Grants permission to get service settings", + "privilege": "GetServiceSettings", "resource_types": [ { "condition_keys": [], @@ -115150,208 +129543,128 @@ }, { "access_level": "List", - "description": "Grants permission to get a list of anomaly groups", - "privilege": "ListAnomalyGroupSummaries", + "description": "Grants permission to list associations for a selected license configuration", + "privilege": "ListAssociationsForLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "license-configuration*" } ] }, { "access_level": "List", - "description": "Grants permission to get a list of affected metrics for a measure in an anomaly group", - "privilege": "ListAnomalyGroupTimeSeries", + "description": "Grants permission to list distributed grants", + "privilege": "ListDistributedGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to get a list of datasets", - "privilege": "ListMetricSets", + "description": "Grants permission to list the license configuration operations that failed", + "privilege": "ListFailuresForLicenseConfigurationOperations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector" + "resource_type": "license-configuration*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a list of tags for a detector, dataset, or alert", - "privilege": "ListTagsForResource", + "description": "Grants permission to list license configurations", + "privilege": "ListLicenseConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alert" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "AnomalyDetector" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "MetricSet" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to add feedback for an affected metric in an anomaly group", - "privilege": "PutFeedback", + "access_level": "List", + "description": "Grants permission to list license conversion tasks", + "privilege": "ListLicenseConversionTasks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a detector, dataset, or alert", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to list report generators", + "privilege": "ListLicenseManagerReportGenerators", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alert" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "AnomalyDetector" - }, + "resource_type": "license-configuration" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list license specifications associated with a selected resource", + "privilege": "ListLicenseSpecificationsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "MetricSet" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a detector, dataset, or alert", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to list license versions", + "privilege": "ListLicenseVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Alert" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "AnomalyDetector" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "MetricSet" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an anomaly detector", - "privilege": "UpdateAnomalyDetector", + "access_level": "Read", + "description": "Grants permission to list licenses", + "privilege": "ListLicenses", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AnomalyDetector*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a dataset", - "privilege": "UpdateMetricSet", + "access_level": "List", + "description": "Grants permission to list received grants", + "privilege": "ListReceivedGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "MetricSet*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:AnomalyDetector:${AnomalyDetectorName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "AnomalyDetector" - }, - { - "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:MetricSet/${AnomalyDetectorName}/${MetricSetName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "MetricSet" - }, - { - "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:Alert:${AlertName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Alert" - } - ], - "service_name": "Amazon Lookout for Metrics" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on the tags associated with the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "lookoutvision", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a dataset manifest", - "privilege": "CreateDataset", + "access_level": "List", + "description": "Grants permission to list received licenses", + "privilege": "ListReceivedLicenses", "resource_types": [ { "condition_keys": [], @@ -115361,41 +129674,33 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a new anomaly detection model", - "privilege": "CreateModel", + "access_level": "List", + "description": "Grants permission to list resource inventory", + "privilege": "ListResourceInventory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new project", - "privilege": "CreateProject", + "access_level": "Read", + "description": "Grants permission to list tags for a selected resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataset", + "access_level": "List", + "description": "Grants permission to list tokens", + "privilege": "ListTokens", "resource_types": [ { "condition_keys": [], @@ -115405,93 +129710,101 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete a model and all associated assets", - "privilege": "DeleteModel", + "access_level": "List", + "description": "Grants permission to list usage records for selected license configuration", + "privilege": "ListUsageForLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "license-configuration*" } ] }, { "access_level": "Write", - "description": "Grants permission to permanently remove a project", - "privilege": "DeleteProject", + "description": "Grants permission to reject a grant", + "privilege": "RejectGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "grant*" } ] }, { - "access_level": "Read", - "description": "Grants permission to show detailed information about dataset manifest", - "privilege": "DescribeDataset", + "access_level": "Tagging", + "description": "Grants permission to tag a selected resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "license-configuration*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to show detailed information about a model", - "privilege": "DescribeModel", + "access_level": "Tagging", + "description": "Grants permission to untag a selected resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Read", - "description": "Grants permission to show detailed information about a project", - "privilege": "DescribeProject", + "access_level": "Write", + "description": "Grants permission to update an existing license configuration", + "privilege": "UpdateLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Read", - "description": "Grants permission to provides state information about a running anomaly detection job", - "privilege": "DescribeTrialDetection", + "access_level": "Write", + "description": "Grants permission to update a report generator for a license configuration", + "privilege": "UpdateLicenseManagerReportGenerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "report-generator*" } ] }, { "access_level": "Write", - "description": "Grants permission to invoke detection of anomalies", - "privilege": "DetectAnomalies", + "description": "Grants permission to updates license specifications for a selected resource", + "privilege": "UpdateLicenseSpecificationsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list the contents of dataset manifest", - "privilege": "ListDatasetEntries", + "access_level": "Permissions management", + "description": "Grants permission to updates service settings", + "privilege": "UpdateServiceSettings", "resource_types": [ { "condition_keys": [], @@ -115499,11 +129812,44 @@ "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:license-manager:${Region}:${Account}:license-configuration:${LicenseConfigurationId}", + "condition_keys": [ + "license-manager:ResourceTag/${TagKey}" + ], + "resource": "license-configuration" }, { - "access_level": "List", - "description": "Grants permission to list all models associated with a project", - "privilege": "ListModels", + "arn": "arn:${Partition}:license-manager::${Account}:license:${LicenseId}", + "condition_keys": [], + "resource": "license" + }, + { + "arn": "arn:${Partition}:license-manager::${Account}:grant:${GrantId}", + "condition_keys": [], + "resource": "grant" + }, + { + "arn": "arn:${Partition}:license-manager:${Region}:${Account}:report-generator:${ReportGeneratorId}", + "condition_keys": [ + "license-manager:ResourceTag/${TagKey}" + ], + "resource": "report-generator" + } + ], + "service_name": "AWS License Manager" + }, + { + "conditions": [], + "prefix": "license-manager-user-subscriptions", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate a subscribed user to an instance launched with license manager user subscriptions products", + "privilege": "AssociateUser", "resource_types": [ { "condition_keys": [], @@ -115513,9 +129859,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all projects", - "privilege": "ListProjects", + "access_level": "Write", + "description": "Grants permission to deregister Microsoft Active Directory with license-manager-user-subscriptions for a product", + "privilege": "DeregisterIdentityProvider", "resource_types": [ { "condition_keys": [], @@ -115525,21 +129871,21 @@ ] }, { - "access_level": "Read", - "description": "Grant permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to disassociate a subscribed user from an instance launched with license manager user subscriptions products", + "privilege": "DisassociateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all anomaly detection jobs", - "privilege": "ListTrialDetections", + "description": "Grants permission to list all the Identity Providers on license manager user subscriptions", + "privilege": "ListIdentityProviders", "resource_types": [ { "condition_keys": [], @@ -115549,21 +129895,21 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to start anomaly detection model", - "privilege": "StartModel", + "access_level": "List", + "description": "Grants permission to list all the instances launched with license manager user subscription products", + "privilege": "ListInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to start bulk detection of anomalies for a set of images stored in an S3 bucket", - "privilege": "StartTrialDetection", + "access_level": "List", + "description": "Grants permission to lists all the product subscriptions for a product and identity provider", + "privilege": "ListProductSubscriptions", "resource_types": [ { "condition_keys": [], @@ -115573,60 +129919,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to stop anomaly detection model", - "privilege": "StopModel", + "access_level": "List", + "description": "Grants permission to list all the users associated to an instance launched for a product", + "privilege": "ListUserAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grant permission to tag a resource with given key value pairs", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to registers Microsoft Active Directory with license-manager-user-subscriptions for a product", + "privilege": "RegisterIdentityProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grant permission to remove the tag with the given key from a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to start product subscription for a user on a registered active directory for a product", + "privilege": "StartProductSubscription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a training or test dataset manifest", - "privilege": "UpdateDatasetEntries", + "description": "Grants permission to stop product subscription for a user on a registered active directory for a product", + "privilege": "StopProductSubscription", "resource_types": [ { "condition_keys": [], @@ -115636,265 +129967,232 @@ ] } ], - "resources": [ + "resources": [], + "service_name": "AWS License Manager User Subscriptions" + }, + { + "conditions": [ { - "arn": "arn:${Partition}:lookoutvision:${Region}:${Account}:model/${ProjectName}/${ModelVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "model" + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag key and value pair that is allowed in the request", + "type": "String" }, { - "arn": "arn:${Partition}:lookoutvision:${Region}:${Account}:project/${ProjectName}", - "condition_keys": [], - "resource": "project" + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair of a resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by a list of tag keys that are allowed in the request", + "type": "ArrayOfString" } ], - "service_name": "Amazon Lookout for Vision" - }, - { - "conditions": [], - "prefix": "machinelearning", + "prefix": "lightsail", "privileges": [ { - "access_level": "Tagging", - "description": "Adds one or more tags to an object, up to a limit of 10. Each tag consists of a key and an optional value", - "privilege": "AddTags", + "access_level": "Write", + "description": "Grants permission to create a static IP address that can be attached to an instance", + "privilege": "AllocateStaticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "evaluation" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mlmodel" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Generates predictions for a group of observations", - "privilege": "CreateBatchPrediction", + "description": "Grants permission to attach an SSL/TLS certificate to your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "AttachCertificateToDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "Certificate*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "Creates a DataSource object from an Amazon RDS", - "privilege": "CreateDataSourceFromRDS", + "description": "Grants permission to attach a disk to an instance", + "privilege": "AttachDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "Disk*" } ] }, { "access_level": "Write", - "description": "Creates a DataSource from a database hosted on an Amazon Redshift cluster", - "privilege": "CreateDataSourceFromRedshift", + "description": "Grants permission to attach one or more instances to a load balancer", + "privilege": "AttachInstancesToLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Creates a DataSource object from S3", - "privilege": "CreateDataSourceFromS3", + "description": "Grants permission to attach a TLS certificate to a load balancer", + "privilege": "AttachLoadBalancerTlsCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Creates a new Evaluation of an MLModel", - "privilege": "CreateEvaluation", + "description": "Grants permission to attach a static IP address to an instance", + "privilege": "AttachStaticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "evaluation*" + "resource_type": "Instance*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "StaticIp*" } ] }, { "access_level": "Write", - "description": "Creates a new MLModel", - "privilege": "CreateMLModel", + "description": "Grants permission to close a public port of an instance", + "privilege": "CloseInstancePublicPorts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "Creates a real-time endpoint for the MLModel", - "privilege": "CreateRealtimeEndpoint", + "description": "Grants permission to copy a snapshot from one AWS Region to another in Amazon Lightsail", + "privilege": "CopySnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Assigns the DELETED status to a BatchPrediction, rendering it unusable", - "privilege": "DeleteBatchPrediction", + "description": "Grants permission to create an Amazon Lightsail bucket", + "privilege": "CreateBucket", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "batchprediction*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Assigns the DELETED status to a DataSource, rendering it unusable", - "privilege": "DeleteDataSource", + "description": "Grants permission to create a new access key for the specified bucket", + "privilege": "CreateBucketAccessKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "Bucket*" } ] }, { "access_level": "Write", - "description": "Assigns the DELETED status to an Evaluation, rendering it unusable", - "privilege": "DeleteEvaluation", + "description": "Grants permission to create an SSL/TLS certificate", + "privilege": "CreateCertificate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "evaluation*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Assigns the DELETED status to an MLModel, rendering it unusable", - "privilege": "DeleteMLModel", + "description": "Grants permission to create a new Amazon EC2 instance from an exported Amazon Lightsail snapshot", + "privilege": "CreateCloudFormationStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a real time endpoint of an MLModel", - "privilege": "DeleteRealtimeEndpoint", + "description": "Grants permission to create an email or SMS text message contact method", + "privilege": "CreateContactMethod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified tags associated with an ML object. After this operation is complete, you can't recover deleted tags", - "privilege": "DeleteTags", + "access_level": "Write", + "description": "Grants permission to create an Amazon Lightsail container service", + "privilege": "CreateContainerService", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "batchprediction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "evaluation" - }, - { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "mlmodel" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns a list of BatchPrediction operations that match the search criteria in the request", - "privilege": "DescribeBatchPredictions", + "access_level": "Write", + "description": "Grants permission to create a deployment for your Amazon Lightsail container service", + "privilege": "CreateContainerServiceDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ContainerService*" } ] }, { - "access_level": "List", - "description": "Returns a list of DataSource that match the search criteria in the request", - "privilege": "DescribeDataSources", + "access_level": "Write", + "description": "Grants permission to create a temporary set of log in credentials that you can use to log in to the Docker process on your local machine", + "privilege": "CreateContainerServiceRegistryLogin", "resource_types": [ { "condition_keys": [], @@ -115904,219 +130202,213 @@ ] }, { - "access_level": "List", - "description": "Returns a list of DescribeEvaluations that match the search criteria in the request", - "privilege": "DescribeEvaluations", + "access_level": "Write", + "description": "Grants permission to create a disk", + "privilege": "CreateDisk", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns a list of MLModel that match the search criteria in the request", - "privilege": "DescribeMLModels", + "access_level": "Write", + "description": "Grants permission to create a disk from snapshot", + "privilege": "CreateDiskFromSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "DiskSnapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Describes one or more of the tags for your Amazon ML object", - "privilege": "DescribeTags", + "access_level": "Write", + "description": "Grants permission to create a disk snapshot", + "privilege": "CreateDiskSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" + "resource_type": "Disk" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "evaluation" + "resource_type": "Instance" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "mlmodel" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns a BatchPrediction that includes detailed metadata, status, and data file information", - "privilege": "GetBatchPrediction", + "access_level": "Write", + "description": "Grants permission to create an Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "CreateDistribution", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "batchprediction*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns a DataSource that includes metadata and data file information, as well as the current status of the DataSource", - "privilege": "GetDataSource", + "access_level": "Write", + "description": "Grants permission to create a domain resource for the specified domain name", + "privilege": "CreateDomain", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns an Evaluation that includes metadata as well as the current status of the Evaluation", - "privilege": "GetEvaluation", + "access_level": "Write", + "description": "Grants permission to create one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT)", + "privilege": "CreateDomainEntry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "Domain*" } ] }, { - "access_level": "Read", - "description": "Returns an MLModel that includes detailed metadata, and data source information as well as the current status of the MLModel", - "privilege": "GetMLModel", + "access_level": "Write", + "description": "Grants permission to create an instance snapshot", + "privilege": "CreateInstanceSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "Instance*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Generates a prediction for the observation using the specified ML Model", - "privilege": "Predict", + "description": "Grants permission to create one or more instances", + "privilege": "CreateInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the BatchPredictionName of a BatchPrediction", - "privilege": "UpdateBatchPrediction", + "description": "Grants permission to create one or more instances based on an instance snapshot", + "privilege": "CreateInstancesFromSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction*" - } - ] - }, - { - "access_level": "Write", - "description": "Updates the DataSourceName of a DataSource", - "privilege": "UpdateDataSource", - "resource_types": [ + "resource_type": "InstanceSnapshot*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the EvaluationName of an Evaluation", - "privilege": "UpdateEvaluation", + "description": "Grants permission to create a key pair used to authenticate and connect to an instance", + "privilege": "CreateKeyPair", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "evaluation*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the MLModelName and the ScoreThreshold of an MLModel", - "privilege": "UpdateMLModel", + "description": "Grants permission to create a load balancer", + "privilege": "CreateLoadBalancer", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:batchprediction/${BatchPredictionId}", - "condition_keys": [], - "resource": "batchprediction" - }, - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:datasource/${DatasourceId}", - "condition_keys": [], - "resource": "datasource" - }, - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:evaluation/${EvaluationId}", - "condition_keys": [], - "resource": "evaluation" }, - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:mlmodel/${MlModelId}", - "condition_keys": [], - "resource": "mlmodel" - } - ], - "service_name": "Amazon Machine Learning" - }, - { - "conditions": [ - { - "condition": "aws:SourceArn", - "description": "Allow access to the specified actions only when the request operates on the specified aws resource", - "type": "Arn" - } - ], - "prefix": "macie", - "privileges": [ { "access_level": "Write", - "description": "Enables the user to associate a specified AWS account with Amazon Macie as a member account.", - "privilege": "AssociateMemberAccount", + "description": "Grants permission to create a load balancer TLS certificate", + "privilege": "CreateLoadBalancerTlsCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Enables the user to associate specified S3 resources with Amazon Macie for monitoring and data classification.", - "privilege": "AssociateS3Resources", + "description": "Grants permission to create a new relational database", + "privilege": "CreateRelationalDatabase", "resource_types": [ { "condition_keys": [ - "aws:SourceArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -116125,24 +130417,33 @@ }, { "access_level": "Write", - "description": "Enables the user to remove the specified member account from Amazon Macie.", - "privilege": "DisassociateMemberAccount", + "description": "Grants permission to create a new relational database from a snapshot", + "privilege": "CreateRelationalDatabaseFromSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "RelationalDatabaseSnapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Enables the user to remove specified S3 resources from being monitored by Amazon Macie.", - "privilege": "DisassociateS3Resources", + "description": "Grants permission to create a relational database snapshot", + "privilege": "CreateRelationalDatabaseSnapshot", "resource_types": [ { "condition_keys": [ - "aws:SourceArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -116150,21 +130451,21 @@ ] }, { - "access_level": "List", - "description": "Enables the user to list all Amazon Macie member accounts for the current Macie master account.", - "privilege": "ListMemberAccounts", + "access_level": "Write", + "description": "Grants permission to delete an alarm", + "privilege": "DeleteAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Alarm*" } ] }, { - "access_level": "List", - "description": "Enables the user to list all the S3 resources associated with Amazon Macie.", - "privilege": "ListS3Resources", + "access_level": "Write", + "description": "Grants permission to delete an automatic snapshot of an instance or disk", + "privilege": "DeleteAutoSnapshot", "resource_types": [ { "condition_keys": [], @@ -116175,342 +130476,284 @@ }, { "access_level": "Write", - "description": "Enables the user to update the classification types for the specified S3 resources.", - "privilege": "UpdateS3Resources", + "description": "Grants permission to delete an Amazon Lightsail bucket", + "privilege": "DeleteBucket", "resource_types": [ { - "condition_keys": [ - "aws:SourceArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Bucket*" } ] - } - ], - "resources": [], - "service_name": "Amazon Macie Classic" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs that are associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "macie2", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to accept an Amazon Macie membership invitation", - "privilege": "AcceptInvitation", + "description": "Grants permission to delete an access key for the specified Amazon Lightsail bucket", + "privilege": "DeleteBucketAccessKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Bucket*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about one or more custom data identifiers", - "privilege": "BatchGetCustomDataIdentifiers", + "access_level": "Write", + "description": "Grants permission to delete an SSL/TLS certificate", + "privilege": "DeleteCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CustomDataIdentifier*" + "resource_type": "Certificate*" } ] }, { "access_level": "Write", - "description": "Grants permission to create and define the settings for a sensitive data discovery job", - "privilege": "CreateClassificationJob", + "description": "Grants permission to delete a contact method", + "privilege": "DeleteContactMethod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ClassificationJob*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create and define the settings for a custom data identifier", - "privilege": "CreateCustomDataIdentifier", + "description": "Grants permission to delete a container image that is registered to your Amazon Lightsail container service", + "privilege": "DeleteContainerImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CustomDataIdentifier*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "ContainerService*" } ] }, { "access_level": "Write", - "description": "Grants permission to create and define the settings for a findings filter", - "privilege": "CreateFindingsFilter", + "description": "Grants permission to delete your Amazon Lightsail container service", + "privilege": "DeleteContainerService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "ContainerService*" } ] }, { "access_level": "Write", - "description": "Grants permission to send an Amazon Macie membership invitation", - "privilege": "CreateInvitations", + "description": "Grants permission to delete a disk", + "privilege": "DeleteDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Disk*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate an account with an Amazon Macie administrator account", - "privilege": "CreateMember", + "description": "Grants permission to delete a disk snapshot", + "privilege": "DeleteDiskSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "DiskSnapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to create sample findings", - "privilege": "CreateSampleFindings", + "description": "Grants permission to delete your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "DeleteDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "Grants permission to decline Amazon Macie membership invitations", - "privilege": "DeclineInvitations", + "description": "Grants permission to delete a domain resource and all of its DNS records", + "privilege": "DeleteDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a custom data identifier", - "privilege": "DeleteCustomDataIdentifier", + "description": "Grants permission to delete a DNS record entry for a domain resource", + "privilege": "DeleteDomainEntry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CustomDataIdentifier*" + "resource_type": "Domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a findings filter", - "privilege": "DeleteFindingsFilter", + "description": "Grants permission to delete an instance", + "privilege": "DeleteInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" + "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete Amazon Macie membership invitations", - "privilege": "DeleteInvitations", + "description": "Grants permission to delete an instance snapshot", + "privilege": "DeleteInstanceSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "InstanceSnapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the association between an Amazon Macie administrator account and an account", - "privilege": "DeleteMember", + "description": "Grants permission to delete a key pair used to authenticate and connect to an instance", + "privilege": "DeleteKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" + "resource_type": "KeyPair*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve statistical data and other information about S3 buckets that Amazon Macie monitors and analyzes", - "privilege": "DescribeBuckets", + "access_level": "Write", + "description": "Grants permission to delete the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance", + "privilege": "DeleteKnownHostKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the status and settings for a sensitive data discovery job", - "privilege": "DescribeClassificationJob", + "access_level": "Write", + "description": "Grants permission to delete a load balancer", + "privilege": "DeleteLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ClassificationJob*" + "resource_type": "LoadBalancer*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the Amazon Macie configuration settings for an AWS organization", - "privilege": "DescribeOrganizationConfiguration", + "access_level": "Write", + "description": "Grants permission to delete a load balancer TLS certificate", + "privilege": "DeleteLoadBalancerTlsCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable an Amazon Macie account, which also deletes Macie resources for the account", - "privilege": "DisableMacie", + "description": "Grants permission to delete a relational database", + "privilege": "DeleteRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable an account as the delegated Amazon Macie administrator account for an AWS organization", - "privilege": "DisableOrganizationAdminAccount", + "description": "Grants permission to delete a relational database snapshot", + "privilege": "DeleteRelationalDatabaseSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabaseSnapshot*" } ] }, { "access_level": "Write", - "description": "Grants an Amazon Macie member account with permission to disassociate from its Macie administrator account", - "privilege": "DisassociateFromAdministratorAccount", + "description": "Grants permission to detach an SSL/TLS certificate from your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "DetachCertificateFromDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "(Deprecated) Grants an Amazon Macie member account with permission to disassociate from its Macie administrator account", - "privilege": "DisassociateFromMasterAccount", + "description": "Grants permission to detach a disk from an instance", + "privilege": "DetachDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Disk*" } ] }, { "access_level": "Write", - "description": "Grants an Amazon Macie administrator account with permission to disassociate from a Macie member account", - "privilege": "DisassociateMember", + "description": "Grants permission to detach one or more instances from a load balancer", + "privilege": "DetachInstancesFromLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable and specify the configuration settings for a new Amazon Macie account", - "privilege": "EnableMacie", + "description": "Grants permission to detach a static IP from an instance to which it is attached", + "privilege": "DetachStaticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StaticIp*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable an account as the delegated Amazon Macie administrator account for an AWS organization", - "privilege": "EnableOrganizationAdminAccount", + "description": "Grants permission to disable an add-on for an Amazon Lightsail resource", + "privilege": "DisableAddOn", "resource_types": [ { "condition_keys": [], @@ -116520,9 +130763,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the Amazon Macie administrator account for an account", - "privilege": "GetAdministratorAccount", + "access_level": "Write", + "description": "Grants permission to download the default key pair used to authenticate and connect to instances in a specific AWS Region", + "privilege": "DownloadDefaultKeyPair", "resource_types": [ { "condition_keys": [], @@ -116532,9 +130775,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes", - "privilege": "GetBucketStatistics", + "access_level": "Write", + "description": "Grants permission to enable or modify an add-on for an Amazon Lightsail resource", + "privilege": "EnableAddOn", "resource_types": [ { "condition_keys": [], @@ -116544,33 +130787,41 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the settings for exporting sensitive data discovery results", - "privilege": "GetClassificationExportConfiguration", + "access_level": "Write", + "description": "Grants permission to export an Amazon Lightsail snapshot to Amazon EC2", + "privilege": "ExportSnapshot", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy" + ], + "resource_type": "DiskSnapshot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "InstanceSnapshot" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the settings for a custom data identifier", - "privilege": "GetCustomDataIdentifier", + "description": "Grants permission to get the names of all active (not deleted) resources", + "privilege": "GetActiveNames", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CustomDataIdentifier*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve aggregated statistical data about findings", - "privilege": "GetFindingStatistics", + "description": "Grants permission to view information about the configured alarms", + "privilege": "GetAlarms", "resource_types": [ { "condition_keys": [], @@ -116581,8 +130832,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the details of one or more findings", - "privilege": "GetFindings", + "description": "Grants permission to view the available automatic snapshots for an instance or disk", + "privilege": "GetAutoSnapshots", "resource_types": [ { "condition_keys": [], @@ -116593,20 +130844,20 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the settings for a findings filter", - "privilege": "GetFindingsFilter", + "description": "Grants permission to get a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. The software that runs on your instance depends on the blueprint you define when creating the instance", + "privilege": "GetBlueprints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the configuration settings for publishing findings to AWS Security Hub", - "privilege": "GetFindingsPublicationConfiguration", + "description": "Grants permission to get the existing access key IDs for the specified Amazon Lightsail bucket", + "privilege": "GetBucketAccessKeys", "resource_types": [ { "condition_keys": [], @@ -116617,8 +130868,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the count of Amazon Macie membership invitations that were received by an account", - "privilege": "GetInvitationsCount", + "description": "Grants permission to get the bundles that can be applied to an Amazon Lightsail bucket", + "privilege": "GetBucketBundles", "resource_types": [ { "condition_keys": [], @@ -116629,8 +130880,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the status and configuration settings for an Amazon Macie account", - "privilege": "GetMacieSession", + "description": "Grants permission to get the data points of a specific metric for an Amazon Lightsail bucket", + "privilege": "GetBucketMetricData", "resource_types": [ { "condition_keys": [], @@ -116641,8 +130892,8 @@ }, { "access_level": "Read", - "description": "(Deprecated) Grants permission to retrieve information about the Amazon Macie administrator account for an account", - "privilege": "GetMasterAccount", + "description": "Grants permission to get information about one or more Amazon Lightsail buckets", + "privilege": "GetBuckets", "resource_types": [ { "condition_keys": [], @@ -116653,20 +130904,20 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about an account that's associated with an Amazon Macie administrator account", - "privilege": "GetMember", + "description": "Grants permission to get a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance", + "privilege": "GetBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve quotas and aggregated usage data for one or more accounts", - "privilege": "GetUsageStatistics", + "description": "Grants permission to view information about one or more Amazon Lightsail SSL/TLS certificates", + "privilege": "GetCertificates", "resource_types": [ { "condition_keys": [], @@ -116677,8 +130928,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve aggregated usage data for an account", - "privilege": "GetUsageTotals", + "description": "Grants permission to get information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots", + "privilege": "GetCloudFormationStackRecords", "resource_types": [ { "condition_keys": [], @@ -116688,9 +130939,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a subset of information about the status and settings for one or more sensitive data discovery jobs", - "privilege": "ListClassificationJobs", + "access_level": "Read", + "description": "Grants permission to view information about the configured contact methods", + "privilege": "GetContactMethods", "resource_types": [ { "condition_keys": [], @@ -116700,9 +130951,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about all custom data identifiers", - "privilege": "ListCustomDataIdentifiers", + "access_level": "Read", + "description": "Grants permission to view information about Amazon Lightsail containers, such as the current version of the Lightsail Control (lightsailctl) plugin", + "privilege": "GetContainerAPIMetadata", "resource_types": [ { "condition_keys": [], @@ -116712,9 +130963,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a subset of information about one or more findings", - "privilege": "ListFindings", + "access_level": "Read", + "description": "Grants permission to view the container images that are registered to your Amazon Lightsail container service", + "privilege": "GetContainerImages", "resource_types": [ { "condition_keys": [], @@ -116724,9 +130975,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about all findings filters", - "privilege": "ListFindingsFilters", + "access_level": "Read", + "description": "Grants permission to view the log events of a container of your Amazon Lightsail container service", + "privilege": "GetContainerLog", "resource_types": [ { "condition_keys": [], @@ -116736,9 +130987,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about all the Amazon Macie membership invitations that were received by an account", - "privilege": "ListInvitations", + "access_level": "Read", + "description": "Grants permission to view the deployments for your Amazon Lightsail container service", + "privilege": "GetContainerServiceDeployments", "resource_types": [ { "condition_keys": [], @@ -116748,9 +130999,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about managed data identifiers", - "privilege": "ListManagedDataIdentifiers", + "access_level": "Read", + "description": "Grants permission to view the data points of a specific metric of your Amazon Lightsail container service", + "privilege": "GetContainerServiceMetricData", "resource_types": [ { "condition_keys": [], @@ -116760,9 +131011,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about the Amazon Macie member accounts that are associated with a Macie administrator account", - "privilege": "ListMembers", + "access_level": "Read", + "description": "Grants permission to view the list of powers that can be specified for your Amazon Lightsail container services", + "privilege": "GetContainerServicePowers", "resource_types": [ { "condition_keys": [], @@ -116772,9 +131023,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about the delegated, Amazon Macie administrator account for an AWS organization", - "privilege": "ListOrganizationAdminAccounts", + "access_level": "Read", + "description": "Grants permission to view information about one or more of your Amazon Lightsail container services", + "privilege": "GetContainerServices", "resource_types": [ { "condition_keys": [], @@ -116785,8 +131036,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the tags for an Amazon Macie resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to get information about a disk", + "privilege": "GetDisk", "resource_types": [ { "condition_keys": [], @@ -116796,9 +131047,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create or update the settings for storing sensitive data discovery results", - "privilege": "PutClassificationExportConfiguration", + "access_level": "Read", + "description": "Grants permission to get information about a disk snapshot", + "privilege": "GetDiskSnapshot", "resource_types": [ { "condition_keys": [], @@ -116808,9 +131059,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update the configuration settings for publishing findings to AWS Security Hub", - "privilege": "PutFindingsPublicationConfiguration", + "access_level": "Read", + "description": "Grants permission to get information about all disk snapshots", + "privilege": "GetDiskSnapshots", "resource_types": [ { "condition_keys": [], @@ -116821,8 +131072,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve statistical data and other information about AWS resources that Amazon Macie monitors and analyzes", - "privilege": "SearchResources", + "description": "Grants permission to get information about all disks", + "privilege": "GetDisks", "resource_types": [ { "condition_keys": [], @@ -116832,24 +131083,21 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to add or update the tags for an Amazon Macie resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to view the list of bundles that can be applied to you Amazon Lightsail content delivery network (CDN) distributions", + "privilege": "GetDistributionBundles", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to test a custom data identifier", - "privilege": "TestCustomDataIdentifier", + "access_level": "Read", + "description": "Grants permission to view the timestamp and status of the last cache reset of a specific Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "GetDistributionLatestCacheReset", "resource_types": [ { "condition_keys": [], @@ -116859,63 +131107,45 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from an Amazon Macie resource", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to view the data points of a specific metric for an Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "GetDistributionMetricData", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to change the status of a sensitive data discovery job", - "privilege": "UpdateClassificationJob", + "access_level": "Read", + "description": "Grants permission to view information about one or more of your Amazon Lightsail content delivery network (CDN) distributions", + "privilege": "GetDistributions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ClassificationJob*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the settings for a findings filter", - "privilege": "UpdateFindingsFilter", + "access_level": "Read", + "description": "Grants permission to get DNS records for a domain resource", + "privilege": "GetDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to suspend or re-enable an Amazon Macie account, or update the configuration settings for a Macie account", - "privilege": "UpdateMacieSession", + "access_level": "Read", + "description": "Grants permission to get DNS records for all domain resources", + "privilege": "GetDomains", "resource_types": [ { "condition_keys": [], @@ -116925,9 +131155,9 @@ ] }, { - "access_level": "Write", - "description": "Grants an Amazon Macie administrator account with permission to suspend or re-enable a Macie member account", - "privilege": "UpdateMemberSession", + "access_level": "Read", + "description": "Grants permission to get information about all records of exported Amazon Lightsail snapshots to Amazon EC2", + "privilege": "GetExportSnapshotRecords", "resource_types": [ { "condition_keys": [], @@ -116937,9 +131167,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update Amazon Macie configuration settings for an AWS organization", - "privilege": "UpdateOrganizationConfiguration", + "access_level": "Read", + "description": "Grants permission to get information about an instance", + "privilege": "GetInstance", "resource_types": [ { "condition_keys": [], @@ -116947,222 +131177,131 @@ "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:classification-job/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ClassificationJob" - }, - { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:custom-data-identifier/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "CustomDataIdentifier" - }, - { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:findings-filter/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "FindingsFilter" - }, - { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:member/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Member" - } - ], - "service_name": "Amazon Macie" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with an Amazon Managed Blockchain resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "managedblockchain", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a member of an Amazon Managed Blockchain network", - "privilege": "CreateMember", + "description": "Grants permission to get temporary keys you can use to authenticate and connect to an instance", + "privilege": "GetInstanceAccessDetails", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "network*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an Amazon Managed Blockchain network", - "privilege": "CreateNetwork", + "access_level": "Read", + "description": "Grants permission to get the data points for the specified metric of an instance", + "privilege": "GetInstanceMetricData", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], + "condition_keys": [], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a node within a member of an Amazon Managed Blockchain network", - "privilege": "CreateNode", + "access_level": "Read", + "description": "Grants permission to get the port states of an instance", + "privilege": "GetInstancePortStates", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "member" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a proposal that other blockchain network members can vote on to add or remove a member in an Amazon Managed Blockchain network", - "privilege": "CreateProposal", + "access_level": "Read", + "description": "Grants permission to get information about an instance snapshot", + "privilege": "GetInstanceSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "network*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a member and all associated resources from an Amazon Managed Blockchain network", - "privilege": "DeleteMember", + "access_level": "Read", + "description": "Grants permission to get information about all instance snapshots", + "privilege": "GetInstanceSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "member*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a node from a member of an Amazon Managed Blockchain network", - "privilege": "DeleteNode", + "access_level": "Read", + "description": "Grants permission to get the state of an instance", + "privilege": "GetInstanceState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "node*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to return detailed information about a member of an Amazon Managed Blockchain network", - "privilege": "GetMember", + "description": "Grants permission to get information about all instances", + "privilege": "GetInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "member*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to return detailed information about an Amazon Managed Blockchain network", - "privilege": "GetNetwork", + "description": "Grants permission to get information about a key pair", + "privilege": "GetKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "network*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to return detailed information about a node within a member of an Amazon Managed Blockchain network", - "privilege": "GetNode", + "description": "Grants permission to get information about all key pairs", + "privilege": "GetKeyPairs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "node*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to return detailed information about a proposal of an Amazon Managed Blockchain network", - "privilege": "GetProposal", + "description": "Grants permission to get information about a load balancer", + "privilege": "GetLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proposal*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the invitations extended to the active AWS account from any Managed Blockchain network", - "privilege": "ListInvitations", + "access_level": "Read", + "description": "Grants permission to get the data points for the specified metric of a load balancer", + "privilege": "GetLoadBalancerMetricData", "resource_types": [ { "condition_keys": [], @@ -117172,21 +131311,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the members of an Amazon Managed Blockchain network and the properties of their memberships", - "privilege": "ListMembers", + "access_level": "Read", + "description": "Grants permission to get information about a load balancer's TLS certificates", + "privilege": "GetLoadBalancerTlsCertificates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "network*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the Amazon Managed Blockchain networks in which the current AWS account participates", - "privilege": "ListNetworks", + "access_level": "Read", + "description": "Grants permission to get a list of TLS security policies that you can apply to Lightsail load balancers", + "privilege": "GetLoadBalancerTlsPolicies", "resource_types": [ { "condition_keys": [], @@ -117196,257 +131335,129 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the nodes within a member of an Amazon Managed Blockchain network", - "privilege": "ListNodes", + "access_level": "Read", + "description": "Grants permission to get information about load balancers", + "privilege": "GetLoadBalancers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "member" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list all votes for a proposal, including the value of the vote and the unique identifier of the member that cast the vote for the given Amazon Managed Blockchain network", - "privilege": "ListProposalVotes", + "description": "Grants permission to get information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on", + "privilege": "GetOperation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proposal*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list proposals for the given Amazon Managed Blockchain network", - "privilege": "ListProposals", + "access_level": "Read", + "description": "Grants permission to get information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on", + "privilege": "GetOperations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "network*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view tags associated with an Amazon Managed Blockchain resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to get operations for a resource", + "privilege": "GetOperationsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "invitation" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "member" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "node" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proposal" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to reject the invitation to join the blockchain network", - "privilege": "RejectInvitation", + "access_level": "Read", + "description": "Grants permission to get a list of all valid AWS Regions for Amazon Lightsail", + "privilege": "GetRegions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "invitation*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to an Amazon Managed Blockchain resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to get information about a relational database", + "privilege": "GetRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "invitation" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "member" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "node" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proposal" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from an Amazon Managed Blockchain resource", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to get a list of relational database images, or blueprints. You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database", + "privilege": "GetRelationalDatabaseBlueprints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "invitation" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "member" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "node" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proposal" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a member of an Amazon Managed Blockchain network", - "privilege": "UpdateMember", + "access_level": "Read", + "description": "Grants permission to get a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database", + "privilege": "GetRelationalDatabaseBundles", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "member*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a node from a member of an Amazon Managed Blockchain network", - "privilege": "UpdateNode", + "access_level": "Read", + "description": "Grants permission to get events for a relational database", + "privilege": "GetRelationalDatabaseEvents", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "node*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to cast a vote for a proposal on behalf of the blockchain network member specified", - "privilege": "VoteOnProposal", + "access_level": "Read", + "description": "Grants permission to get events for the specified log stream of a relational database", + "privilege": "GetRelationalDatabaseLogEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proposal*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:managedblockchain:${Region}::networks/${NetworkId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "network" - }, - { - "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:members/${MemberId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "member" - }, - { - "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:nodes/${NodeId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "node" - }, - { - "arn": "arn:${Partition}:managedblockchain:${Region}::proposals/${ProposalId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "proposal" }, { - "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:invitations/${InvitationId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "invitation" - } - ], - "service_name": "Amazon Managed Blockchain" - }, - { - "conditions": [], - "prefix": "marketplacecommerceanalytics", - "privileges": [ - { - "access_level": "Write", - "description": "Request a data set to be published to your Amazon S3 bucket.", - "privilege": "GenerateDataSet", + "access_level": "Read", + "description": "Grants permission to get the log streams available for a relational database", + "privilege": "GetRelationalDatabaseLogStreams", "resource_types": [ { "condition_keys": [], @@ -117457,28 +131468,20 @@ }, { "access_level": "Write", - "description": "Request a support data set to be published to your Amazon S3 bucket.", - "privilege": "StartSupportDataExport", + "description": "Grants permission to get the master user password of a relational database", + "privilege": "GetRelationalDatabaseMasterUserPassword", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] - } - ], - "resources": [], - "service_name": "AWS Marketplace Commerce Analytics Service" - }, - { - "conditions": [], - "prefix": "mechanicalturk", - "privileges": [ + }, { - "access_level": "Write", - "description": "The AcceptQualificationRequest operation grants a Worker's request for a Qualification", - "privilege": "AcceptQualificationRequest", + "access_level": "Read", + "description": "Grants permission to get the data points for the specified metric of a relational database", + "privilege": "GetRelationalDatabaseMetricData", "resource_types": [ { "condition_keys": [], @@ -117488,9 +131491,9 @@ ] }, { - "access_level": "Write", - "description": "The ApproveAssignment operation approves the results of a completed assignment", - "privilege": "ApproveAssignment", + "access_level": "Read", + "description": "Grants permission to get the parameters of a relational database", + "privilege": "GetRelationalDatabaseParameters", "resource_types": [ { "condition_keys": [], @@ -117500,9 +131503,9 @@ ] }, { - "access_level": "Write", - "description": "The AssociateQualificationWithWorker operation gives a Worker a Qualification", - "privilege": "AssociateQualificationWithWorker", + "access_level": "Read", + "description": "Grants permission to get information about a relational database snapshot", + "privilege": "GetRelationalDatabaseSnapshot", "resource_types": [ { "condition_keys": [], @@ -117512,9 +131515,9 @@ ] }, { - "access_level": "Write", - "description": "The CreateAdditionalAssignmentsForHIT operation increases the maximum number of assignments of an existing HIT", - "privilege": "CreateAdditionalAssignmentsForHIT", + "access_level": "Read", + "description": "Grants permission to get information about all relational database snapshots", + "privilege": "GetRelationalDatabaseSnapshots", "resource_types": [ { "condition_keys": [], @@ -117524,9 +131527,9 @@ ] }, { - "access_level": "Write", - "description": "The CreateHIT operation creates a new HIT (Human Intelligence Task)", - "privilege": "CreateHIT", + "access_level": "Read", + "description": "Grants permission to get information about all relational databases", + "privilege": "GetRelationalDatabases", "resource_types": [ { "condition_keys": [], @@ -117536,9 +131539,9 @@ ] }, { - "access_level": "Write", - "description": "The CreateHITType operation creates a new HIT type", - "privilege": "CreateHITType", + "access_level": "Read", + "description": "Grants permission to get information about a static IP", + "privilege": "GetStaticIp", "resource_types": [ { "condition_keys": [], @@ -117548,9 +131551,9 @@ ] }, { - "access_level": "Write", - "description": "The CreateHITWithHITType operation creates a new Human Intelligence Task (HIT) using an existing HITTypeID generated by the CreateHITType operation", - "privilege": "CreateHITWithHITType", + "access_level": "Read", + "description": "Grants permission to get information about all static IPs", + "privilege": "GetStaticIps", "resource_types": [ { "condition_keys": [], @@ -117561,8 +131564,8 @@ }, { "access_level": "Write", - "description": "The CreateQualificationType operation creates a new Qualification type, which is represented by a QualificationType data structure", - "privilege": "CreateQualificationType", + "description": "Grants permission to import a public key from a key pair", + "privilege": "ImportKeyPair", "resource_types": [ { "condition_keys": [], @@ -117572,9 +131575,9 @@ ] }, { - "access_level": "Write", - "description": "The CreateWorkerBlock operation allows you to prevent a Worker from working on your HITs", - "privilege": "CreateWorkerBlock", + "access_level": "Read", + "description": "Grants permission to get a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered", + "privilege": "IsVpcPeered", "resource_types": [ { "condition_keys": [], @@ -117585,20 +131588,20 @@ }, { "access_level": "Write", - "description": "The DeleteHIT operation disposes of a HIT that is no longer needed", - "privilege": "DeleteHIT", + "description": "Grants permission to add, or open a public port of an instance", + "privilege": "OpenInstancePublicPorts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "The DeleteQualificationType disposes a Qualification type and disposes any HIT types that are associated with the Qualification type", - "privilege": "DeleteQualificationType", + "description": "Grants permission to try to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC", + "privilege": "PeerVpc", "resource_types": [ { "condition_keys": [], @@ -117609,92 +131612,92 @@ }, { "access_level": "Write", - "description": "The DeleteWorkerBlock operation allows you to reinstate a blocked Worker to work on your HITs", - "privilege": "DeleteWorkerBlock", + "description": "Grants permission to creates or update an alarm, and associate it with the specified metric", + "privilege": "PutAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Alarm*" } ] }, { "access_level": "Write", - "description": "The DisassociateQualificationFromWorker revokes a previously granted Qualification from a user", - "privilege": "DisassociateQualificationFromWorker", + "description": "Grants permission to set the specified open ports for an instance, and closes all ports for every protocol not included in the request", + "privilege": "PutInstancePublicPorts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { - "access_level": "Read", - "description": "The GetAccountBalance operation retrieves the amount of money in your Amazon Mechanical Turk account", - "privilege": "GetAccountBalance", + "access_level": "Write", + "description": "Grants permission to reboot an instance that is in a running state", + "privilege": "RebootInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { - "access_level": "Read", - "description": "The GetAssignment retrieves an assignment with an AssignmentStatus value of Submitted, Approved, or Rejected, using the assignment's ID", - "privilege": "GetAssignment", + "access_level": "Write", + "description": "Grants permission to reboot a relational database that is in a running state", + "privilege": "RebootRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "Read", - "description": "The GetFileUploadURL operation generates and returns a temporary URL", - "privilege": "GetFileUploadURL", + "access_level": "Write", + "description": "Grants permission to register a container image to your Amazon Lightsail container service", + "privilege": "RegisterContainerImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ContainerService*" } ] }, { - "access_level": "Read", - "description": "The GetHIT operation retrieves the details of the specified HIT", - "privilege": "GetHIT", + "access_level": "Write", + "description": "Grants permission to delete a static IP", + "privilege": "ReleaseStaticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StaticIp*" } ] }, { - "access_level": "Read", - "description": "The GetQualificationScore operation returns the value of a Worker's Qualification for a given Qualification type", - "privilege": "GetQualificationScore", + "access_level": "Write", + "description": "Grants permission to delete currently cached content from your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "ResetDistributionCache", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Distribution*" } ] }, { - "access_level": "Read", - "description": "The GetQualificationType operation retrieves information about a Qualification type using its ID", - "privilege": "GetQualificationType", + "access_level": "Write", + "description": "Grants permission to send a verification request to an email contact method to ensure it's owned by the requester", + "privilege": "SendContactMethodVerification", "resource_types": [ { "condition_keys": [], @@ -117704,105 +131707,193 @@ ] }, { - "access_level": "List", - "description": "The ListAssignmentsForHIT operation retrieves completed assignments for a HIT", - "privilege": "ListAssignmentsForHIT", + "access_level": "Write", + "description": "Grants permission to set the IP address type for a Amazon Lightsail resource", + "privilege": "SetIpAddressType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Distribution" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "LoadBalancer" } ] }, { - "access_level": "List", - "description": "The ListBonusPayments operation retrieves the amounts of bonuses you have paid to Workers for a given HIT or assignment", - "privilege": "ListBonusPayments", + "access_level": "Write", + "description": "Grants permission to set the Amazon Lightsail resources that can access the specified Amazon Lightsail bucket", + "privilege": "SetResourceAccessForBucket", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Bucket*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance*" } ] }, { - "access_level": "List", - "description": "The ListHITs operation returns all of a Requester's HITs", - "privilege": "ListHITs", + "access_level": "Write", + "description": "Grants permission to start an instance that is in a stopped state", + "privilege": "StartInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { - "access_level": "List", - "description": "The ListHITsForQualificationType operation returns the HITs that use the given QualififcationType for a QualificationRequirement", - "privilege": "ListHITsForQualificationType", + "access_level": "Write", + "description": "Grants permission to start a relational database that is in a stopped state", + "privilege": "StartRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "List", - "description": "The ListQualificationRequests operation retrieves requests for Qualifications of a particular Qualification type", - "privilege": "ListQualificationRequests", + "access_level": "Write", + "description": "Grants permission to stop an instance that is in a running state", + "privilege": "StopInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { - "access_level": "List", - "description": "The ListQualificationTypes operation searches for Qualification types using the specified search query, and returns a list of Qualification types", - "privilege": "ListQualificationTypes", + "access_level": "Write", + "description": "Grants permission to stop a relational database that is in a running state", + "privilege": "StopRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "List", - "description": "The ListReviewPolicyResultsForHIT operation retrieves the computed results and the actions taken in the course of executing your Review Policies during a CreateHIT operation", - "privilege": "ListReviewPolicyResultsForHIT", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "Bucket" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Certificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ContainerService" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Disk" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DiskSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Distribution" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Domain" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "InstanceSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "KeyPair" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "LoadBalancer" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RelationalDatabase" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RelationalDatabaseSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StaticIp" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "The ListReviewableHITs operation returns all of a Requester's HITs that have not been approved or rejected", - "privilege": "ListReviewableHITs", + "access_level": "Write", + "description": "Grants permission to test an alarm by displaying a banner on the Amazon Lightsail console or if a notification trigger is configured for the specified alarm, by sending a notification to the notification protocol", + "privilege": "TestAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Alarm*" } ] }, { - "access_level": "List", - "description": "The ListWorkersBlocks operation retrieves a list of Workers who are blocked from working on your HITs", - "privilege": "ListWorkerBlocks", + "access_level": "Write", + "description": "Grants permission to try to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC", + "privilege": "UnpeerVpc", "resource_types": [ { "condition_keys": [], @@ -117812,129 +131903,352 @@ ] }, { - "access_level": "List", - "description": "The ListWorkersWithQualificationType operation returns all of the Workers with a given Qualification type", - "privilege": "ListWorkersWithQualificationType", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "Bucket" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Certificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ContainerService" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Disk" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DiskSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Distribution" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Domain" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "InstanceSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "KeyPair" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "LoadBalancer" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RelationalDatabase" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RelationalDatabaseSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StaticIp" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The NotifyWorkers operation sends an email to one or more Workers that you specify with the Worker ID", - "privilege": "NotifyWorkers", + "description": "Grants permission to update an existing Amazon Lightsail bucket", + "privilege": "UpdateBucket", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Bucket*" } ] }, { "access_level": "Write", - "description": "The RejectAssignment operation rejects the results of a completed assignment", - "privilege": "RejectAssignment", + "description": "Grants permission to update the bundle, or storage plan, of an existing Amazon Lightsail bucket", + "privilege": "UpdateBucketBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Bucket*" } ] }, { "access_level": "Write", - "description": "The RejectQualificationRequest operation rejects a user's request for a Qualification", - "privilege": "RejectQualificationRequest", + "description": "Grants permission to update the configuration of your Amazon Lightsail container service, such as its power, scale, and public domain names", + "privilege": "UpdateContainerService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ContainerService*" } ] }, { "access_level": "Write", - "description": "The SendBonus operation issues a payment of money from your account to a Worker", - "privilege": "SendBonus", + "description": "Grants permission to update an existing Amazon Lightsail content delivery network (CDN) distribution or its configuration", + "privilege": "UpdateDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "The SendTestEventNotification operation causes Amazon Mechanical Turk to send a notification message as if a HIT event occurred, according to the provided notification specification", - "privilege": "SendTestEventNotification", + "description": "Grants permission to update the bundle of your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "UpdateDistributionBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "The UpdateExpirationForHIT operation allows you extend the expiration time of a HIT beyond is current expiration or expire a HIT immediately", - "privilege": "UpdateExpirationForHIT", + "description": "Grants permission to update a domain recordset after it is created", + "privilege": "UpdateDomainEntry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { "access_level": "Write", - "description": "The UpdateHITReviewStatus operation toggles the status of a HIT", - "privilege": "UpdateHITReviewStatus", + "description": "Grants permission to update a load balancer attribute, such as the health check path and session stickiness", + "privilege": "UpdateLoadBalancerAttribute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "The UpdateHITTypeOfHIT operation allows you to change the HITType properties of a HIT", - "privilege": "UpdateHITTypeOfHIT", + "description": "Grants permission to update a relational database", + "privilege": "UpdateRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] }, { "access_level": "Write", - "description": "The UpdateNotificationSettings operation creates, updates, disables or re-enables notifications for a HIT type", - "privilege": "UpdateNotificationSettings", + "description": "Grants permission to update the parameters of a relational database", + "privilege": "UpdateRelationalDatabaseParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Domain" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Instance" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "InstanceSnapshot" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "KeyPair" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "StaticIp" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Disk" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "DiskSnapshot" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "LoadBalancer" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}", + "condition_keys": [], + "resource": "LoadBalancerTlsCertificate" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}", + "condition_keys": [], + "resource": "ExportSnapshotRecord" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}", + "condition_keys": [], + "resource": "CloudFormationStackRecord" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "RelationalDatabase" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "RelationalDatabaseSnapshot" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Alarm/${Id}", + "condition_keys": [], + "resource": "Alarm" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Certificate/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Certificate" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ContactMethod/${Id}", + "condition_keys": [], + "resource": "ContactMethod" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ContainerService/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ContainerService" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Distribution/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Distribution" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Bucket/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Bucket" + } + ], + "service_name": "Amazon Lightsail" + }, + { + "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + } + ], + "prefix": "logs", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permissions to associate the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group", + "privilege": "AssociateKmsKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "The UpdateQualificationType operation modifies the attributes of an existing Qualification type, which is represented by a QualificationType data structure", - "privilege": "UpdateQualificationType", + "description": "Grants permissions to cancel an export task if it is in PENDING or RUNNING state", + "privilege": "CancelExportTask", "resource_types": [ { "condition_keys": [], @@ -117942,31 +132256,23 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "Amazon Mechanical Turk" - }, - { - "conditions": [], - "prefix": "mediaconnect", - "privileges": [ + }, { "access_level": "Write", - "description": "Grants permission to add media streams to any flow", - "privilege": "AddFlowMediaStreams", + "description": "Grants permissions to create an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket", + "privilege": "CreateExportTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to add outputs to any flow", - "privilege": "AddFlowOutputs", + "description": "Grants permissions to create the log delivery", + "privilege": "CreateLogDelivery", "resource_types": [ { "condition_keys": [], @@ -117977,32 +132283,32 @@ }, { "access_level": "Write", - "description": "Grants permission to add sources to any flow", - "privilege": "AddFlowSources", + "description": "Grants permissions to create a new log group with the specified name", + "privilege": "CreateLogGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to add VPC interfaces to any flow", - "privilege": "AddFlowVpcInterfaces", + "description": "Grants permissions to create a new log stream with the specified name", + "privilege": "CreateLogStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create flows", - "privilege": "CreateFlow", + "description": "Grants permissions to delete the destination with the specified name", + "privilege": "DeleteDestination", "resource_types": [ { "condition_keys": [], @@ -118013,8 +132319,8 @@ }, { "access_level": "Write", - "description": "Grants permission to delete flows", - "privilege": "DeleteFlow", + "description": "Grants permissions to delete the log delivery information for specified log delivery", + "privilege": "DeleteLogDelivery", "resource_types": [ { "condition_keys": [], @@ -118024,21 +132330,45 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to display the details of a flow including the flow ARN, name, and Availability Zone, as well as details about the source, outputs, and entitlements", - "privilege": "DescribeFlow", + "access_level": "Write", + "description": "Grants permissions to delete the log group with the specified name", + "privilege": "DeleteLogGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { - "access_level": "Read", - "description": "Grants permission to display the details of an offering", - "privilege": "DescribeOffering", + "access_level": "Write", + "description": "Grants permissions to delete a log stream", + "privilege": "DeleteLogStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "log-stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a metric filter associated with the specified log group", + "privilege": "DeleteMetricFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a saved CloudWatch Logs Insights query definition", + "privilege": "DeleteQueryDefinition", "resource_types": [ { "condition_keys": [], @@ -118048,9 +132378,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to display the details of a reservation", - "privilege": "DescribeReservation", + "access_level": "Permissions management", + "description": "Grants permissions to delete a resource policy from this account", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], @@ -118061,20 +132391,32 @@ }, { "access_level": "Write", - "description": "Grants permission to grant entitlements on any flow", - "privilege": "GrantFlowEntitlements", + "description": "Grants permissions to delete the retention policy of the specified log group", + "privilege": "DeleteRetentionPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a subscription filter associated with the specified log group", + "privilege": "DeleteSubscriptionFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "log-group*" } ] }, { "access_level": "List", - "description": "Grants permission to display a list of all entitlements that have been granted to the account", - "privilege": "ListEntitlements", + "description": "Grants permissions to return all the destinations that are associated with the AWS account making the request", + "privilege": "DescribeDestinations", "resource_types": [ { "condition_keys": [], @@ -118085,8 +132427,8 @@ }, { "access_level": "List", - "description": "Grants permission to display a list of flows that are associated with this account", - "privilege": "ListFlows", + "description": "Grants permissions to return all the export tasks that are associated with the AWS account making the request", + "privilege": "DescribeExportTasks", "resource_types": [ { "condition_keys": [], @@ -118097,44 +132439,44 @@ }, { "access_level": "List", - "description": "Grants permission to display a list of all offerings that are available to the account in the current AWS Region", - "privilege": "ListOfferings", + "description": "Grants permissions to return all the log groups that are associated with the AWS account making the request", + "privilege": "DescribeLogGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "List", - "description": "Grants permission to display a list of all reservations that have been purchased by the account in the current AWS Region", - "privilege": "ListReservations", + "description": "Grants permissions to return all the log streams that are associated with the specified log group", + "privilege": "DescribeLogStreams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { - "access_level": "Read", - "description": "Grants permission to display a list of all tags associated with a resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permissions to return all the metrics filters associated with the specified log group", + "privilege": "DescribeMetricFilters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to purchase an offering", - "privilege": "PurchaseOffering", + "access_level": "List", + "description": "Grants permissions to return a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account", + "privilege": "DescribeQueries", "resource_types": [ { "condition_keys": [], @@ -118144,9 +132486,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove media streams from any flow", - "privilege": "RemoveFlowMediaStream", + "access_level": "List", + "description": "Grants permissions to return a paginated list of your saved CloudWatch Logs Insights query definitions", + "privilege": "DescribeQueryDefinitions", "resource_types": [ { "condition_keys": [], @@ -118156,9 +132498,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove outputs from any flow", - "privilege": "RemoveFlowOutput", + "access_level": "List", + "description": "Grants permissions to return all the resource policies in this account", + "privilege": "DescribeResourcePolicies", "resource_types": [ { "condition_keys": [], @@ -118168,45 +132510,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove sources from any flow", - "privilege": "RemoveFlowSource", + "access_level": "List", + "description": "Grants permissions to return all the subscription filters associated with the specified log group", + "privilege": "DescribeSubscriptionFilters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove VPC interfaces from any flow", - "privilege": "RemoveFlowVpcInterface", + "description": "Grants permissions to disassociate the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group", + "privilege": "DisassociateKmsKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to revoke entitlements on any flow", - "privilege": "RevokeFlowEntitlement", + "access_level": "Read", + "description": "Grants permissions to retrieve log events, optionally filtered by a filter pattern from the specified log group", + "privilege": "FilterLogEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start flows", - "privilege": "StartFlow", + "access_level": "Read", + "description": "Grants permissions to get the log delivery information for specified log delivery", + "privilege": "GetLogDelivery", "resource_types": [ { "condition_keys": [], @@ -118216,33 +132558,33 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to stop flows", - "privilege": "StopFlow", + "access_level": "Read", + "description": "Grants permissions to retrieve log events from the specified log stream", + "privilege": "GetLogEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-stream*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to associate tags with resources", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permissions to return a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field", + "privilege": "GetLogGroupFields", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from resources", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permissions to retrieve all the fields and values of a single log event", + "privilege": "GetLogRecord", "resource_types": [ { "condition_keys": [], @@ -118252,9 +132594,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update flows", - "privilege": "UpdateFlow", + "access_level": "Read", + "description": "Grants permissions to return the results from the specified query", + "privilege": "GetQueryResults", "resource_types": [ { "condition_keys": [], @@ -118264,9 +132606,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update entitlements on any flow", - "privilege": "UpdateFlowEntitlement", + "access_level": "List", + "description": "Grants permissions to list all the log deliveries for specified account and/or log source", + "privilege": "ListLogDeliveries", "resource_types": [ { "condition_keys": [], @@ -118276,33 +132618,35 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update media streams on any flow", - "privilege": "UpdateFlowMediaStream", + "access_level": "List", + "description": "Grants permissions to list the tags for the specified log group", + "privilege": "ListTagsLogGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to update outputs on any flow", - "privilege": "UpdateFlowOutput", + "description": "Grants permissions to create or update a Destination", + "privilege": "PutDestination", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:PassRole" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the source of any flow", - "privilege": "UpdateFlowSource", + "description": "Grants permissions to create or update an access policy associated with an existing Destination", + "privilege": "PutDestinationPolicy", "resource_types": [ { "condition_keys": [], @@ -118310,56 +132654,47 @@ "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:entitlement:${FlowId}:${EntitlementName}", - "condition_keys": [], - "resource": "Entitlement" - }, - { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:flow:${FlowId}:${FlowName}", - "condition_keys": [], - "resource": "Flow" }, { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:output:${OutputId}:${OutputName}", - "condition_keys": [], - "resource": "Output" + "access_level": "Write", + "description": "Grants permissions to upload a batch of log events to the specified log stream", + "privilege": "PutLogEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "log-stream*" + } + ] }, { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:source:${SourceId}:${SourceName}", - "condition_keys": [], - "resource": "Source" - } - ], - "service_name": "AWS Elemental MediaConnect" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" + "access_level": "Write", + "description": "Grants permissions to create or update a metric filter and associates it with the specified log group", + "privilege": "PutMetricFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "log-group*" + } + ] }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" + "access_level": "Write", + "description": "Grants permissions to create or update a query definition", + "privilege": "PutQueryDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "mediaconvert", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to associate an AWS Certificate Manager (ACM) Amazon Resource Name (ARN) with AWS Elemental MediaConvert", - "privilege": "AssociateCertificate", + "access_level": "Permissions management", + "description": "Grants permissions to create or update a resource policy allowing other AWS services to put log events to this account", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], @@ -118370,91 +132705,159 @@ }, { "access_level": "Write", - "description": "Grants permission to cancel an AWS Elemental MediaConvert job that is waiting in queue", - "privilege": "CancelJob", + "description": "Grants permissions to set the retention of the specified log group", + "privilege": "PutRetentionPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create and submit an AWS Elemental MediaConvert job", - "privilege": "CreateJob", + "description": "Grants permissions to create or update a subscription filter and associates it with the specified log group", + "privilege": "PutSubscriptionFilter", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "JobTemplate" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "log-group*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset" - }, + "resource_type": "destination" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to schedules a query of a log group using CloudWatch Logs Insights", + "privilege": "StartQuery", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to stop a CloudWatch Logs Insights query that is in progress", + "privilege": "StopQuery", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Elemental MediaConvert custom job template", - "privilege": "CreateJobTemplate", + "access_level": "Tagging", + "description": "Grants permissions to add or update the specified tags for the specified log group", + "privilege": "TagLogGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to test the filter pattern of a metric filter against a sample of log event messages", + "privilege": "TestMetricFilter", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permissions to remove the specified tags from the specified log group", + "privilege": "UntagLogGroup", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Elemental MediaConvert custom output preset", - "privilege": "CreatePreset", + "description": "Grants permissions to update the log delivery information for specified log delivery", + "privilege": "UpdateLogDelivery", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "log-group" + }, + { + "arn": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}", + "condition_keys": [], + "resource": "log-stream" + }, + { + "arn": "arn:${Partition}:logs:${Region}:${Account}:destination:${DestinationName}", + "condition_keys": [], + "resource": "destination" + } + ], + "service_name": "Amazon CloudWatch Logs" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "lookoutequipment", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an AWS Elemental MediaConvert job queue", - "privilege": "CreateQueue", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataset", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -118467,68 +132870,94 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Elemental MediaConvert custom job template", - "privilege": "DeleteJobTemplate", + "description": "Grants permission to create an inference scheduler for a trained model", + "privilege": "CreateInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate*" + "resource_type": "inference-scheduler*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Elemental MediaConvert policy", - "privilege": "DeletePolicy", + "description": "Grants permission to create a model that is trained on a dataset", + "privilege": "CreateModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Elemental MediaConvert custom output preset", - "privilege": "DeletePreset", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset*" + "resource_type": "dataset*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Elemental MediaConvert job queue", - "privilege": "DeleteQueue", + "description": "Grants permission to delete an inference scheduler", + "privilege": "DeleteInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue*" + "resource_type": "inference-scheduler*" } ] }, { - "access_level": "List", - "description": "Grants permission to subscribe to the AWS Elemental MediaConvert service, by sending a request for an account-specific endpoint. All transcoding requests must be sent to the endpoint that the service returns", - "privilege": "DescribeEndpoints", + "access_level": "Write", + "description": "Grants permission to delete a model", + "privilege": "DeleteModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove an association between the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate and an AWS Elemental MediaConvert resource", - "privilege": "DisassociateCertificate", + "access_level": "Read", + "description": "Grants permission to describe a data ingestion job", + "privilege": "DescribeDataIngestionJob", "resource_types": [ { "condition_keys": [], @@ -118539,92 +132968,92 @@ }, { "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert job", - "privilege": "GetJob", + "description": "Grants permission to describe a dataset", + "privilege": "DescribeDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "dataset*" } ] }, { "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert job template", - "privilege": "GetJobTemplate", + "description": "Grants permission to describe an inference scheduler", + "privilege": "DescribeInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate*" + "resource_type": "inference-scheduler*" } ] }, { "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert policy", - "privilege": "GetPolicy", + "description": "Grants permission to describe a model", + "privilege": "DescribeModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert output preset", - "privilege": "GetPreset", + "access_level": "List", + "description": "Grants permission to list the data ingestion jobs in your account or for a particular dataset", + "privilege": "ListDataIngestionJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset*" + "resource_type": "dataset*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert job queue", - "privilege": "GetQueue", + "access_level": "List", + "description": "Grants permission to list the datasets in your account", + "privilege": "ListDatasets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert job templates", - "privilege": "ListJobTemplates", + "access_level": "Read", + "description": "Grants permission to list the inference executions for an inference scheduler", + "privilege": "ListInferenceExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "inference-scheduler*" } ] }, { "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert jobs", - "privilege": "ListJobs", + "description": "Grants permission to list the inference schedulers in your account", + "privilege": "ListInferenceSchedulers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert output presets", - "privilege": "ListPresets", + "description": "Grants permission to list the models in your account", + "privilege": "ListModels", "resource_types": [ { "condition_keys": [], @@ -118635,102 +133064,97 @@ }, { "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert job queues", - "privilege": "ListQueues", + "description": "Grants permission to list the sensor statistics for a particular dataset or an ingestion job", + "privilege": "ListSensorStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dataset*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the tags for a MediaConvert queue, preset, or job template", + "description": "Grants permission to list the tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate" + "resource_type": "dataset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset" + "resource_type": "inference-scheduler" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" + "resource_type": "model" } ] }, { "access_level": "Write", - "description": "Grants permission to put an AWS Elemental MediaConvert policy", - "privilege": "PutPolicy", + "description": "Grants permission to start a data ingestion job for a dataset", + "privilege": "StartDataIngestionJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dataset*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a MediaConvert queue, preset, or job template", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to start an inference scheduler", + "privilege": "StartInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Preset" - }, + "resource_type": "inference-scheduler*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop an inference scheduler", + "privilege": "StopInferenceScheduler", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "inference-scheduler*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a MediaConvert queue, preset, or job template", - "privilege": "UntagResource", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate" + "resource_type": "dataset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset" + "resource_type": "inference-scheduler" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" + "resource_type": "model" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -118739,240 +133163,150 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update an AWS Elemental MediaConvert custom job template", - "privilege": "UpdateJobTemplate", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate*" + "resource_type": "dataset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset" + "resource_type": "inference-scheduler" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update an AWS Elemental MediaConvert custom output preset", - "privilege": "UpdatePreset", - "resource_types": [ + "resource_type": "model" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "Preset*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an AWS Elemental MediaConvert job queue", - "privilege": "UpdateQueue", + "description": "Grants permission to update an inference scheduler", + "privilege": "UpdateInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue*" + "resource_type": "inference-scheduler*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobs/${JobId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Job" - }, - { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:queues/${QueueName}", + "arn": "arn:${Partition}:lookoutequipment:${Region}:${AccountId}:dataset/${DatasetName}/${DatasetId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Queue" + "resource": "dataset" }, { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:presets/${PresetName}", + "arn": "arn:${Partition}:lookoutequipment:${Region}:${Account}:model/${ModelName}/${ModelId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Preset" + "resource": "model" }, { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobTemplates/${JobTemplateName}", + "arn": "arn:${Partition}:lookoutequipment:${Region}:${Account}:inference-scheduler/${InferenceSchedulerName}/${InferenceSchedulerId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "JobTemplate" - }, - { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:certificates/${CertificateArn}", - "condition_keys": [], - "resource": "CertificateAssociation" - } - ], - "service_name": "AWS Elemental MediaConvert" - }, - { - "conditions": [], - "prefix": "mediaimport", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a database binary snapshot on the customer's aws account", - "privilege": "CreateDatabaseBinarySnapshot", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "resource": "inference-scheduler" } ], - "resources": [], - "service_name": "AmazonMediaImport" + "service_name": "Amazon Lookout for Equipment" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "The tag for a MediaLive request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag for a MediaLive resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "The tag keys for a MediaLive resource or request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], - "prefix": "medialive", + "prefix": "lookoutmetrics", "privileges": [ { "access_level": "Write", - "description": "Grants permission to accept an input device transfer", - "privilege": "AcceptInputDeviceTransfer", + "description": "Grants permission to activate an anomaly detector", + "privilege": "ActivateAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "AnomalyDetector*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete channels, inputs, input security groups, and multiplexes", - "privilege": "BatchDelete", + "description": "Grants permission to run a backtest with an anomaly detector", + "privilege": "BackTestAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" + "resource_type": "AnomalyDetector*" } ] }, { "access_level": "Write", - "description": "Grants permission to start channels and multiplexes", - "privilege": "BatchStart", + "description": "Grants permission to create an alert for an anomaly detector", + "privilege": "CreateAlert", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "Alert*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to stop channels and multiplexes", - "privilege": "BatchStop", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel" + "resource_type": "AnomalyDetector*" }, { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add and remove actions from a channel's schedule", - "privilege": "BatchUpdateSchedule", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to cancel an input device transfer", - "privilege": "CancelInputDeviceTransfer", - "resource_types": [ - { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a channel", - "privilege": "CreateChannel", + "description": "Grants permission to create an anomaly detector", + "privilege": "CreateAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input*" + "resource_type": "AnomalyDetector*" }, { "condition_keys": [ @@ -118986,18 +133320,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create an input", - "privilege": "CreateInput", + "description": "Grants permission to create a dataset", + "privilege": "CreateMetricSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "AnomalyDetector*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" + "resource_type": "MetricSet*" }, { "condition_keys": [ @@ -119011,375 +133345,400 @@ }, { "access_level": "Write", - "description": "Grants permission to create an input security group", - "privilege": "CreateInputSecurityGroup", + "description": "Grants permission to deactivate an anomaly detector", + "privilege": "DeactivateAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "AnomalyDetector*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a multiplex", - "privilege": "CreateMultiplex", + "description": "Grants permission to delete an alert", + "privilege": "DeleteAlert", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Alert*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a multiplex program", - "privilege": "CreateMultiplexProgram", + "description": "Grants permission to delete an anomaly detector", + "privilege": "DeleteAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a partner input", - "privilege": "CreatePartnerInput", + "access_level": "Read", + "description": "Grants permission to get details about an alert", + "privilege": "DescribeAlert", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Alert*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to create tags for channels, inputs, input security groups, multiplexes, and reservations", - "privilege": "CreateTags", + "access_level": "Read", + "description": "Grants permission to get information about an anomaly detection job", + "privilege": "DescribeAnomalyDetectionExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "reservation" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a channel", - "privilege": "DeleteChannel", + "access_level": "Read", + "description": "Grants permission to get details about an anomaly detector", + "privilege": "DescribeAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an input", - "privilege": "DeleteInput", + "access_level": "Read", + "description": "Grants permission to get details about a dataset", + "privilege": "DescribeMetricSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "MetricSet*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an input security group", - "privilege": "DeleteInputSecurityGroup", + "description": "Grants permission to detect metric set config from data source", + "privilege": "DetectMetricSetConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a multiplex", - "privilege": "DeleteMultiplex", + "access_level": "Read", + "description": "Grants permission to get details about a group of affected metrics", + "privilege": "GetAnomalyGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a multiplex program", - "privilege": "DeleteMultiplexProgram", + "access_level": "Read", + "description": "Grants permission to get data quality metrics for an anomaly detector", + "privilege": "GetDataQualityMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an expired reservation", - "privilege": "DeleteReservation", + "access_level": "Read", + "description": "Grants permission to get feedback on affected metrics for an anomaly group", + "privilege": "GetFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete all schedule actions for a channel", - "privilege": "DeleteSchedule", + "access_level": "Read", + "description": "Grants permission to get a selection of sample records from an Amazon S3 datasource", + "privilege": "GetSampleData", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to delete tags from channels, inputs, input security groups, multiplexes, and reservations", - "privilege": "DeleteTags", + "access_level": "List", + "description": "Grants permission to get a list of alerts for a detector", + "privilege": "ListAlerts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" - }, + "resource_type": "AnomalyDetector" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of anomaly detectors", + "privilege": "ListAnomalyDetectors", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get details about a channel", - "privilege": "DescribeChannel", + "access_level": "List", + "description": "Grants permission to get a list of related measures in an anomaly group", + "privilege": "ListAnomalyGroupRelatedMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an input", - "privilege": "DescribeInput", + "access_level": "List", + "description": "Grants permission to get a list of anomaly groups", + "privilege": "ListAnomalyGroupSummaries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an input device", - "privilege": "DescribeInputDevice", + "access_level": "List", + "description": "Grants permission to get a list of affected metrics for a measure in an anomaly group", + "privilege": "ListAnomalyGroupTimeSeries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an input device thumbnail", - "privilege": "DescribeInputDeviceThumbnail", + "access_level": "List", + "description": "Grants permission to get a list of datasets", + "privilege": "ListMetricSets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "AnomalyDetector" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an input security group", - "privilege": "DescribeInputSecurityGroup", + "description": "Grants permission to get a list of tags for a detector, dataset, or alert", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" + "resource_type": "Alert" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AnomalyDetector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MetricSet" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a multiplex", - "privilege": "DescribeMultiplex", + "access_level": "Write", + "description": "Grants permission to add feedback for an affected metric in an anomaly group", + "privilege": "PutFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a multiplex program", - "privilege": "DescribeMultiplexProgram", + "access_level": "Tagging", + "description": "Grants permission to add tags to a detector, dataset, or alert", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "Alert" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AnomalyDetector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MetricSet" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get details about a reservation offering", - "privilege": "DescribeOffering", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a detector, dataset, or alert", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "offering*" + "resource_type": "Alert" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AnomalyDetector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MetricSet" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get details about a reservation", - "privilege": "DescribeReservation", + "access_level": "Write", + "description": "Grants permission to update an alert for an anomaly detector", + "privilege": "UpdateAlert", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation*" + "resource_type": "Alert*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view a list of actions scheduled on a channel", - "privilege": "DescribeSchedule", + "access_level": "Write", + "description": "Grants permission to update an anomaly detector", + "privilege": "UpdateAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "List", - "description": "Grants permission to list channels", - "privilege": "ListChannels", + "access_level": "Write", + "description": "Grants permission to update a dataset", + "privilege": "UpdateMetricSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "MetricSet*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:AnomalyDetector:${AnomalyDetectorName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "AnomalyDetector" }, { - "access_level": "List", - "description": "Grants permission to list input device transfers", - "privilege": "ListInputDeviceTransfers", + "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:MetricSet/${AnomalyDetectorName}/${MetricSetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "MetricSet" + }, + { + "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:Alert:${AlertName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Alert" + } + ], + "service_name": "Amazon Lookout for Metrics" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "lookoutvision", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a dataset manifest", + "privilege": "CreateDataset", "resource_types": [ { "condition_keys": [], @@ -119389,33 +133748,41 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list input devices", - "privilege": "ListInputDevices", + "access_level": "Write", + "description": "Grants permission to create a new anomaly detection model", + "privilege": "CreateModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list input security groups", - "privilege": "ListInputSecurityGroups", + "access_level": "Write", + "description": "Grants permission to create a new project", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to list inputs", - "privilege": "ListInputs", + "access_level": "Write", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], @@ -119425,33 +133792,33 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list multiplex programs", - "privilege": "ListMultiplexPrograms", + "access_level": "Write", + "description": "Grants permission to delete a model and all associated assets", + "privilege": "DeleteModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { - "access_level": "List", - "description": "Grants permission to list multiplexes", - "privilege": "ListMultiplexes", + "access_level": "Write", + "description": "Grants permission to permanently remove a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to list reservation offerings", - "privilege": "ListOfferings", + "access_level": "Read", + "description": "Grants permission to show detailed information about dataset manifest", + "privilege": "DescribeDataset", "resource_types": [ { "condition_keys": [], @@ -119461,696 +133828,609 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list reservations", - "privilege": "ListReservations", + "access_level": "Read", + "description": "Grants permission to show detailed information about a model", + "privilege": "DescribeModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { - "access_level": "List", - "description": "Grants permission to list tags for channels, inputs, input security groups, multiplexes, and reservations", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to show detailed information about a model packaging job", + "privilege": "DescribeModelPackagingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "reservation" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to purchase a reservation offering", - "privilege": "PurchaseOffering", + "access_level": "Read", + "description": "Grants permission to show detailed information about a project", + "privilege": "DescribeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "offering*" - }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to provides state information about a running anomaly detection job", + "privilege": "DescribeTrialDetection", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to reject an input device transfer", - "privilege": "RejectInputDeviceTransfer", + "description": "Grants permission to invoke detection of anomalies", + "privilege": "DetectAnomalies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "model*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a channel", - "privilege": "StartChannel", + "access_level": "Read", + "description": "Grants permission to list the contents of dataset manifest", + "privilege": "ListDatasetEntries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a multiplex", - "privilege": "StartMultiplex", + "access_level": "List", + "description": "Grants permission to list all model packaging jobs associated with a project", + "privilege": "ListModelPackagingJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop a channel", - "privilege": "StopChannel", + "access_level": "List", + "description": "Grants permission to list all models associated with a project", + "privilege": "ListModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop a multiplex", - "privilege": "StopMultiplex", + "access_level": "List", + "description": "Grants permission to list all projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to transfer an input device", - "privilege": "TransferInputDevice", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "model" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a channel", - "privilege": "UpdateChannel", + "access_level": "List", + "description": "Grants permission to list all anomaly detection jobs", + "privilege": "ListTrialDetections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the class of a channel", - "privilege": "UpdateChannelClass", + "description": "Grants permission to start anomaly detection model", + "privilege": "StartModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "model*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an input", - "privilege": "UpdateInput", + "description": "Grants permission to start a model packaging job", + "privilege": "StartModelPackagingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "model*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an input device", - "privilege": "UpdateInputDevice", + "description": "Grants permission to start bulk detection of anomalies for a set of images stored in an S3 bucket", + "privilege": "StartTrialDetection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an input security group", - "privilege": "UpdateInputSecurityGroup", + "description": "Grants permission to stop anomaly detection model", + "privilege": "StopModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" + "resource_type": "model*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a multiplex", - "privilege": "UpdateMultiplex", + "access_level": "Tagging", + "description": "Grants permission to tag a resource with given key value pairs", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "model" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a multiplex program", - "privilege": "UpdateMultiplexProgram", + "access_level": "Tagging", + "description": "Grants permission to remove the tag with the given key from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "model" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a reservation", - "privilege": "UpdateReservation", + "description": "Grants permission to update a training or test dataset manifest", + "privilege": "UpdateDatasetEntries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:channel:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "channel" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:input:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "input" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputDevice:*", - "condition_keys": [], - "resource": "input-device" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputSecurityGroup:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "input-security-group" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:multiplex:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "multiplex" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:reservation:*", + "arn": "arn:${Partition}:lookoutvision:${Region}:${Account}:model/${ProjectName}/${ModelVersion}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "reservation" + "resource": "model" }, { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:offering:*", + "arn": "arn:${Partition}:lookoutvision:${Region}:${Account}:project/${ProjectName}", "condition_keys": [], - "resource": "offering" + "resource": "project" } ], - "service_name": "AWS Elemental MediaLive" + "service_name": "Amazon Lookout for Vision" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag for a MediaPackage request", + "description": "Filters access by a tag key and value pair that is allowed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tag for a MediaPackage resource", + "description": "Filters access by a tag key and value pair of a resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access by the tag keys for a MediaPackage resource or request", - "type": "String" + "description": "Filters access by a list of tag keys that are allowed in the request", + "type": "ArrayOfString" } ], - "prefix": "mediapackage", + "prefix": "m2", "privileges": [ { "access_level": "Write", - "description": "Grants permission to configure access logs for a Channel", - "privilege": "ConfigureLogs", + "description": "Grants permission to cancel the execution of a batch job", + "privilege": "CancelBatchJobExecution", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "channels*" + "dependent_actions": [], + "resource_type": "Application*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a channel in AWS Elemental MediaPackage", - "privilege": "CreateChannel", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "s3:GetObject", + "s3:ListBucket" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a harvest job in AWS Elemental MediaPackage", - "privilege": "CreateHarvestJob", + "description": "Grants permission to create a data set import task", + "privilege": "CreateDataSetImportTask", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "condition_keys": [], + "dependent_actions": [ + "s3:GetObject" + ], + "resource_type": "Application*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a deployment", + "privilege": "CreateDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:RegisterTargets" ], + "resource_type": "Application*" + }, + { + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Environment" } ] }, { "access_level": "Write", - "description": "Grants permission to create an endpoint in AWS Elemental MediaPackage", - "privilege": "CreateOriginEndpoint", + "description": "Grants permission to Create an environment", + "privilege": "CreateEnvironment", "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:CreateNetworkInterfacePermission", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcAttribute", + "ec2:DescribeVpcs", + "ec2:ModifyNetworkInterfaceAttribute", + "elasticfilesystem:DescribeMountTargets", + "elasticloadbalancing:CreateLoadBalancer", + "fsx:DescribeFileSystems", + "iam:CreateServiceLinkedRole" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a channel in AWS Elemental MediaPackage", - "privilege": "DeleteChannel", + "description": "Grants permission to delete an application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "channels*" + "dependent_actions": [ + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup" + ], + "resource_type": "Application*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an endpoint in AWS Elemental MediaPackage", - "privilege": "DeleteOriginEndpoint", + "description": "Grants permission to delete an application from a runtime environment", + "privilege": "DeleteApplicationFromEnvironment", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "origin_endpoints*" + "dependent_actions": [ + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup" + ], + "resource_type": "Application*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the details of a channel in AWS Elemental MediaPackage", - "privilege": "DescribeChannel", + "access_level": "Write", + "description": "Grants permission to delete a runtime environment", + "privilege": "DeleteEnvironment", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "channels*" + "dependent_actions": [ + "elasticloadbalancing:DeleteLoadBalancer" + ], + "resource_type": "Environment*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the details of a harvest job in AWS Elemental MediaPackage", - "privilege": "DescribeHarvestJob", + "description": "Grants permission to retrieve an application", + "privilege": "GetApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "harvest_jobs*" + "resource_type": "Application*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the details of an endpoint in AWS Elemental MediaPackage", - "privilege": "DescribeOriginEndpoint", + "description": "Grants permission to retrieve an application version", + "privilege": "GetApplicationVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints*" + "resource_type": "Application*" } ] }, { "access_level": "Read", - "description": "Grants permission to view a list of channels in AWS Elemental MediaPackage", - "privilege": "ListChannels", + "description": "Grants permission to retrieve a batch job execution", + "privilege": "GetBatchJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Application*" } ] }, { "access_level": "Read", - "description": "Grants permission to view a list of harvest jobs in AWS Elemental MediaPackage", - "privilege": "ListHarvestJobs", + "description": "Grants permission to retrieve data set details", + "privilege": "GetDataSetDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Application*" } ] }, { "access_level": "Read", - "description": "Grants permission to view a list of endpoints in AWS Elemental MediaPackage", - "privilege": "ListOriginEndpoints", + "description": "Grants permission to retrieve a data set import task", + "privilege": "GetDataSetImportTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Application*" } ] }, { "access_level": "Read", - "description": "Grants permission to list the tags assigned to a Channel or OriginEndpoint", - "privilege": "ListTagsForResource", + "description": "Grants permission to retrieve a deployment", + "privilege": "GetDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "harvest_jobs" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "origin_endpoints" + "resource_type": "Application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to rotate credentials for the first IngestEndpoint of a Channel in AWS Elemental MediaPackage", - "privilege": "RotateChannelCredentials", + "access_level": "Read", + "description": "Grants permission to retrieve a runtime environment", + "privilege": "GetEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels*" + "resource_type": "Environment*" } ] }, { - "access_level": "Write", - "description": "Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage", - "privilege": "RotateIngestEndpointCredentials", + "access_level": "Read", + "description": "Grants permission to list the versions of an application", + "privilege": "ListApplicationVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels*" + "resource_type": "Application*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a MediaPackage resource", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to list applications", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels" - }, + "resource_type": "Environment" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list batch job definitions", + "privilege": "ListBatchJobDefinitions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "harvest_jobs" - }, + "resource_type": "Application*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list executions for a batch job", + "privilege": "ListBatchJobExecutions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Application*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to delete tags to a Channel or OriginEndpoint", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to list data set import history", + "privilege": "ListDataSetImportHistory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "harvest_jobs" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "origin_endpoints" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to make changes to a channel in AWS Elemental MediaPackage", - "privilege": "UpdateChannel", + "access_level": "Read", + "description": "Grants permission to list data sets", + "privilege": "ListDataSets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels*" + "resource_type": "Application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to make changes to an endpoint in AWS Elemental MediaPackage", - "privilege": "UpdateOriginEndpoint", + "access_level": "Read", + "description": "Grants permission to list deployments", + "privilege": "ListDeployments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints*" + "resource_type": "Application*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:channels/${ChannelIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "channels" - }, - { - "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:origin_endpoints/${OriginEndpointIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "origin_endpoints" - }, - { - "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:harvest_jobs/${HarvestJobIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "harvest_jobs" - } - ], - "service_name": "AWS Elemental MediaPackage" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "mediapackage-vod", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to configure egress access logs for a PackagingGroup", - "privilege": "ConfigureLogs", + "access_level": "Read", + "description": "Grants permission to list engine versions", + "privilege": "ListEngineVersions", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "packaging-groups*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an asset in AWS Elemental MediaPackage", - "privilege": "CreateAsset", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a packaging configuration in AWS Elemental MediaPackage", - "privilege": "CreatePackagingConfiguration", + "access_level": "List", + "description": "Grants permission to list runtime environments", + "privilege": "ListEnvironments", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a packaging group in AWS Elemental MediaPackage", - "privilege": "CreatePackagingGroup", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -120158,383 +134438,366 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an asset in AWS Elemental MediaPackage", - "privilege": "DeleteAsset", + "description": "Grants permission to start an application", + "privilege": "StartApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets*" + "resource_type": "Application*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a packaging configuration in AWS Elemental MediaPackage", - "privilege": "DeletePackagingConfiguration", + "description": "Grants permission to start a batch job", + "privilege": "StartBatchJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations*" + "resource_type": "Application*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a packaging group in AWS Elemental MediaPackage", - "privilege": "DeletePackagingGroup", + "description": "Grants permission to stop an application", + "privilege": "StopApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups*" + "resource_type": "Application*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the details of an asset in AWS Elemental MediaPackage", - "privilege": "DescribeAsset", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view the details of a packaging configuration in AWS Elemental MediaPackage", - "privilege": "DescribePackagingConfiguration", - "resource_types": [ + "resource_type": "Application" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view the details of a packaging group in AWS Elemental MediaPackage", - "privilege": "DescribePackagingGroup", - "resource_types": [ + "resource_type": "Environment" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "packaging-groups*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to view a list of assets in AWS Elemental MediaPackage", - "privilege": "ListAssets", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to view a list of packaging configurations in AWS Elemental MediaPackage", - "privilege": "ListPackagingConfigurations", - "resource_types": [ + "resource_type": "Application" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "Environment" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to view a list of packaging groups in AWS Elemental MediaPackage", - "privilege": "ListPackagingGroups", + "access_level": "Write", + "description": "Grants permission to update an application", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "s3:GetObject", + "s3:ListBucket" + ], + "resource_type": "Application*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list the tags assigned to a PackagingGroup, PackagingConfiguration, or Asset.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to update a runtime environment", + "privilege": "UpdateEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "packaging-configurations" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "packaging-groups" + "resource_type": "Environment*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:m2:${Region}:${Account}:app/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Application" }, + { + "arn": "arn:${Partition}:m2:${Region}:${Account}:env/${EnvironmentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Environment" + } + ], + "service_name": "AWS Mainframe Modernization Service" + }, + { + "conditions": [], + "prefix": "machinelearning", + "privileges": [ { "access_level": "Tagging", - "description": "Grants permission to assign tags to a PackagingGroup, PackagingConfiguration, or Asset.", - "privilege": "TagResource", + "description": "Adds one or more tags to an object, up to a limit of 10. Each tag consists of a key and an optional value", + "privilege": "AddTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets" + "resource_type": "batchprediction" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations" + "resource_type": "datasource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups" + "resource_type": "evaluation" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to delete tags from a PackagingGroup, PackagingConfiguration, or Asset.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Generates predictions for a group of observations", + "privilege": "CreateBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets" + "resource_type": "batchprediction*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations" + "resource_type": "datasource*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a packaging group in AWS Elemental MediaPackage", - "privilege": "UpdatePackagingGroup", + "description": "Creates a DataSource object from an Amazon RDS", + "privilege": "CreateDataSourceFromRDS", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups*" + "resource_type": "datasource*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:assets/${AssetIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "assets" - }, - { - "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-configurations/${PackagingConfigurationIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "packaging-configurations" }, - { - "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-groups/${PackagingGroupIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "packaging-groups" - } - ], - "service_name": "AWS Elemental MediaPackage VOD" - }, - { - "conditions": [], - "prefix": "mediastore", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create containers.", - "privilege": "CreateContainer", + "description": "Creates a DataSource from a database hosted on an Amazon Redshift cluster", + "privilege": "CreateDataSourceFromRedshift", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete any container in the current account.", - "privilege": "DeleteContainer", + "description": "Creates a DataSource object from S3", + "privilege": "CreateDataSourceFromS3", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the access policy of any container in the current account.", - "privilege": "DeleteContainerPolicy", + "access_level": "Write", + "description": "Creates a new Evaluation of an MLModel", + "privilege": "CreateEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the CORS policy from any container in the current account.", - "privilege": "DeleteCorsPolicy", + "description": "Creates a new MLModel", + "privilege": "CreateMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the lifecycle policy from any container in the current account.", - "privilege": "DeleteLifecyclePolicy", + "description": "Creates a real-time endpoint for the MLModel", + "privilege": "CreateRealtimeEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the metric policy from any container in the current account.", - "privilege": "DeleteMetricPolicy", + "description": "Assigns the DELETED status to a BatchPrediction, rendering it unusable", + "privilege": "DeleteBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "batchprediction*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete objects.", - "privilege": "DeleteObject", + "description": "Assigns the DELETED status to a DataSource, rendering it unusable", + "privilege": "DeleteDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve details on any container in the current account.", - "privilege": "DescribeContainer", + "access_level": "Write", + "description": "Assigns the DELETED status to an Evaluation, rendering it unusable", + "privilege": "DeleteEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "evaluation*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve object metadata.", - "privilege": "DescribeObject", + "access_level": "Write", + "description": "Assigns the DELETED status to an MLModel, rendering it unusable", + "privilege": "DeleteMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the access policy of any container in the current account.", - "privilege": "GetContainerPolicy", + "access_level": "Write", + "description": "Deletes a real time endpoint of an MLModel", + "privilege": "DeleteRealtimeEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the CORS policy of any container in the current account.", - "privilege": "GetCorsPolicy", + "access_level": "Tagging", + "description": "Deletes the specified tags associated with an ML object. After this operation is complete, you can't recover deleted tags", + "privilege": "DeleteTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the lifecycle policy that is assigned to any container in the current account.", - "privilege": "GetLifecyclePolicy", - "resource_types": [ + "resource_type": "batchprediction" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the metric policy that is assigned to any container in the current account.", - "privilege": "GetMetricPolicy", + "access_level": "List", + "description": "Returns a list of BatchPrediction operations that match the search criteria in the request", + "privilege": "DescribeBatchPredictions", "resource_types": [ { "condition_keys": [], @@ -120544,9 +134807,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve objects.", - "privilege": "GetObject", + "access_level": "List", + "description": "Returns a list of DataSource that match the search criteria in the request", + "privilege": "DescribeDataSources", "resource_types": [ { "condition_keys": [], @@ -120557,8 +134820,8 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of containers in the current account.", - "privilege": "ListContainers", + "description": "Returns a list of DescribeEvaluations that match the search criteria in the request", + "privilege": "DescribeEvaluations", "resource_types": [ { "condition_keys": [], @@ -120569,8 +134832,8 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of objects and folders in the current account.", - "privilege": "ListItems", + "description": "Returns a list of MLModel that match the search criteria in the request", + "privilege": "DescribeMLModels", "resource_types": [ { "condition_keys": [], @@ -120580,186 +134843,213 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list tags on any container in the current account.", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Describes one or more of the tags for your Amazon ML object", + "privilege": "DescribeTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "batchprediction" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to create or replace the access policy of any container in the current account.", - "privilege": "PutContainerPolicy", + "access_level": "Read", + "description": "Returns a BatchPrediction that includes detailed metadata, status, and data file information", + "privilege": "GetBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "batchprediction*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add or modify the CORS policy of any container in the current account.", - "privilege": "PutCorsPolicy", + "access_level": "Read", + "description": "Returns a DataSource that includes metadata and data file information, as well as the current status of the DataSource", + "privilege": "GetDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add or modify the lifecycle policy that is assigned to any container in the current account.", - "privilege": "PutLifecyclePolicy", + "access_level": "Read", + "description": "Returns an Evaluation that includes metadata as well as the current status of the Evaluation", + "privilege": "GetEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add or modify the metric policy that is assigned to any container in the current account.", - "privilege": "PutMetricPolicy", + "access_level": "Read", + "description": "Returns an MLModel that includes detailed metadata, and data source information as well as the current status of the MLModel", + "privilege": "GetMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel*" } ] }, { "access_level": "Write", - "description": "Grants permission to upload objects.", - "privilege": "PutObject", + "description": "Generates a prediction for the observation using the specified ML Model", + "privilege": "Predict", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable access logging on any container in the current account.", - "privilege": "StartAccessLogging", + "description": "Updates the BatchPredictionName of a BatchPrediction", + "privilege": "UpdateBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "batchprediction*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable access logging on any container in the current account.", - "privilege": "StopAccessLogging", + "description": "Updates the DataSourceName of a DataSource", + "privilege": "UpdateDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to any container in the current account.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Updates the EvaluationName of an Evaluation", + "privilege": "UpdateEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "evaluation*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from any container in the current account.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Updates the MLModelName and the ScoreThreshold of an MLModel", + "privilege": "UpdateMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlmodel*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:mediastore:${Region}:${Account}:container/${ContainerName}", + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:batchprediction/${BatchPredictionId}", "condition_keys": [], - "resource": "container" + "resource": "batchprediction" + }, + { + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:datasource/${DatasourceId}", + "condition_keys": [], + "resource": "datasource" + }, + { + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:evaluation/${EvaluationId}", + "condition_keys": [], + "resource": "evaluation" + }, + { + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:mlmodel/${MlModelId}", + "condition_keys": [], + "resource": "mlmodel" } ], - "service_name": "AWS Elemental MediaStore" + "service_name": "Amazon Machine Learning" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by a tag key and value pair that is allowed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by a tag key and value pair of a resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], - "prefix": "mediatailor", + "prefix": "macie2", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a new channel", - "privilege": "CreateChannel", + "description": "Grants permission to accept an Amazon Macie membership invitation", + "privilege": "AcceptInvitation", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new program on the channel with the specified channel name", - "privilege": "CreateProgram", + "access_level": "Read", + "description": "Grants permission to retrieve information about one or more custom data identifiers", + "privilege": "BatchGetCustomDataIdentifiers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "CustomDataIdentifier*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new source location", - "privilege": "CreateSourceLocation", + "description": "Grants permission to create and define the settings for an allow list", + "privilege": "CreateAllowList", "resource_types": [ { "condition_keys": [ @@ -120773,13 +135063,13 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new VOD source on the source location with the specified source location name", - "privilege": "CreateVodSource", + "description": "Grants permission to create and define the settings for a sensitive data discovery job", + "privilege": "CreateClassificationJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" + "resource_type": "ClassificationJob*" }, { "condition_keys": [ @@ -120793,184 +135083,188 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the channel with the specified channel name", - "privilege": "DeleteChannel", + "description": "Grants permission to create and define the settings for a custom data identifier", + "privilege": "CreateCustomDataIdentifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "CustomDataIdentifier*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the IAM policy on the channel with the specified channel name", - "privilege": "DeleteChannelPolicy", + "access_level": "Write", + "description": "Grants permission to create and define the settings for a findings filter", + "privilege": "CreateFindingsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "FindingsFilter*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the playback configuration for the specified name", - "privilege": "DeletePlaybackConfiguration", + "description": "Grants permission to send an Amazon Macie membership invitation", + "privilege": "CreateInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "playbackConfiguration*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the program with the specified program name on the channel with the specified channel name", - "privilege": "DeleteProgram", + "description": "Grants permission to associate an account with an Amazon Macie administrator account", + "privilege": "CreateMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "Member*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "program*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the source location with the specified source location name", - "privilege": "DeleteSourceLocation", + "description": "Grants permission to create sample findings", + "privilege": "CreateSampleFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the VOD source with the specified VOD source name on the source location with the specified source location name", - "privilege": "DeleteVodSource", + "description": "Grants permission to decline Amazon Macie membership invitations", + "privilege": "DeclineInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "vodSource*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the channel with the specified channel name", - "privilege": "DescribeChannel", + "access_level": "Write", + "description": "Grants permission to delete an allow list", + "privilege": "DeleteAllowList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "AllowList*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the program with the specified program name on the channel with the specified channel name", - "privilege": "DescribeProgram", + "access_level": "Write", + "description": "Grants permission to delete a custom data identifier", + "privilege": "DeleteCustomDataIdentifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "program*" + "resource_type": "CustomDataIdentifier*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the source location with the specified source location name", - "privilege": "DescribeSourceLocation", + "access_level": "Write", + "description": "Grants permission to delete a findings filter", + "privilege": "DeleteFindingsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" + "resource_type": "FindingsFilter*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the VOD source with the specified VOD source name on the source location with the specified source location name", - "privilege": "DescribeVodSource", + "access_level": "Write", + "description": "Grants permission to delete Amazon Macie membership invitations", + "privilege": "DeleteInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "vodSource*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to read the IAM policy on the channel with the specified channel name", - "privilege": "GetChannelPolicy", + "access_level": "Write", + "description": "Grants permission to delete the association between an Amazon Macie administrator account and an account", + "privilege": "DeleteMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "Member*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the schedule of programs on the channel with the specified channel name", - "privilege": "GetChannelSchedule", + "description": "Grants permission to retrieve statistical data and other information about S3 buckets that Amazon Macie monitors and analyzes", + "privilege": "DescribeBuckets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the configuration for the specified name", - "privilege": "GetPlaybackConfiguration", + "description": "Grants permission to retrieve information about the status and settings for a sensitive data discovery job", + "privilege": "DescribeClassificationJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "playbackConfiguration*" + "resource_type": "ClassificationJob*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the list of alerts on a resource", - "privilege": "ListAlerts", + "description": "Grants permission to retrieve information about the Amazon Macie configuration settings for an AWS organization", + "privilege": "DescribeOrganizationConfiguration", "resource_types": [ { "condition_keys": [], @@ -120980,9 +135274,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the list of existing channels", - "privilege": "ListChannels", + "access_level": "Write", + "description": "Grants permission to disable an Amazon Macie account, which also deletes Macie resources for the account", + "privilege": "DisableMacie", "resource_types": [ { "condition_keys": [], @@ -120992,9 +135286,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the list of available configurations", - "privilege": "ListPlaybackConfigurations", + "access_level": "Write", + "description": "Grants permission to disable an account as the delegated Amazon Macie administrator account for an AWS organization", + "privilege": "DisableOrganizationAdminAccount", "resource_types": [ { "condition_keys": [], @@ -121004,9 +135298,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the list of existing source locations", - "privilege": "ListSourceLocations", + "access_level": "Write", + "description": "Grants permission to an Amazon Macie member account to disassociate from its Macie administrator account", + "privilege": "DisassociateFromAdministratorAccount", "resource_types": [ { "condition_keys": [], @@ -121016,9 +135310,9 @@ ] }, { - "access_level": "Read", - "description": "Returns a list of the tags assigned to the specified playback configuration resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to an Amazon Macie member account to disassociate from its Macie administrator account", + "privilege": "DisassociateFromMasterAccount", "resource_types": [ { "condition_keys": [], @@ -121028,568 +135322,321 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the list of existing VOD sources on the source location with the specified source location name", - "privilege": "ListVodSources", + "access_level": "Write", + "description": "Grants permission to an Amazon Macie administrator account to disassociate from a Macie member account", + "privilege": "DisassociateMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" + "resource_type": "Member*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to set the IAM policy on the channel with the specified channel name", - "privilege": "PutChannelPolicy", + "access_level": "Write", + "description": "Grants permission to enable and specify the configuration settings for a new Amazon Macie account", + "privilege": "EnableMacie", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to add a new configuration", - "privilege": "PutPlaybackConfiguration", + "description": "Grants permission to enable an account as the delegated Amazon Macie administrator account for an AWS organization", + "privilege": "EnableOrganizationAdminAccount", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to start the channel with the specified channel name", - "privilege": "StartChannel", + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Macie administrator account for an account", + "privilege": "GetAdministratorAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop the channel with the specified channel name", - "privilege": "StopChannel", + "access_level": "Read", + "description": "Grants permission to retrieve the settings and status of an allow list", + "privilege": "GetAllowList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "AllowList*" } ] }, { - "access_level": "Tagging", - "description": "Adds tags to the specified playback configuration resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to retrieve aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes", + "privilege": "GetBucketStatistics", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Removes tags from the specified playback configuration resource", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to retrieve the settings for exporting sensitive data discovery results", + "privilege": "GetClassificationExportConfiguration", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the channel with the specified channel name", - "privilege": "UpdateChannel", + "access_level": "Read", + "description": "Grants permission to retrieve information about the settings for a custom data identifier", + "privilege": "GetCustomDataIdentifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "CustomDataIdentifier*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the source location with the specified source location name", - "privilege": "UpdateSourceLocation", + "access_level": "Read", + "description": "Grants permission to retrieve aggregated statistical data about findings", + "privilege": "GetFindingStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the VOD source with the specified VOD source name on the source location with the specified source location name", - "privilege": "UpdateVodSource", + "access_level": "Read", + "description": "Grants permission to retrieve the details of one or more findings", + "privilege": "GetFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "sourceLocation*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "vodSource*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:playbackConfiguration/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "playbackConfiguration" - }, - { - "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:channel/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "channel" - }, - { - "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:program/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "program" - }, - { - "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:sourceLocation/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "sourceLocation" - }, - { - "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:vodSource/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "vodSource" - } - ], - "service_name": "AWS Elemental MediaTailor" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "memorydb", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permissions to apply service updates", - "privilege": "BatchUpdateClusters", + "access_level": "Read", + "description": "Grants permission to retrieve information about the settings for a findings filter", + "privilege": "GetFindingsFilter", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "s3:GetObject" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "FindingsFilter*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to make a copy of an existing snapshot", - "privilege": "CopySnapshot", + "access_level": "Read", + "description": "Grants permission to retrieve the configuration settings for publishing findings to AWS Security Hub", + "privilege": "GetFindingsPublicationConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "memorydb:TagResource", - "s3:DeleteObject", - "s3:GetBucketAcl", - "s3:PutObject" - ], - "resource_type": "snapshot*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a new access control list", - "privilege": "CreateAcl", + "access_level": "Read", + "description": "Grants permission to retrieve the count of Amazon Macie membership invitations that were received by an account", + "privilege": "GetInvitationsCount", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "memorydb:TagResource" - ], - "resource_type": "user*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a cluster", - "privilege": "CreateCluster", + "access_level": "Read", + "description": "Grants permission to retrieve information about the status and configuration settings for an Amazon Macie account", + "privilege": "GetMacieSession", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "memorydb:TagResource", - "s3:GetObject" - ], - "resource_type": "acl*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "parametergroup*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subnetgroup*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a new parameter group", - "privilege": "CreateParameterGroup", + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Macie administrator account for an account", + "privilege": "GetMasterAccount", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "memorydb:TagResource" - ], + "condition_keys": [], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a backup of a cluster at the current point in time", - "privilege": "CreateSnapshot", + "access_level": "Read", + "description": "Grants permission to retrieve information about an account that's associated with an Amazon Macie administrator account", + "privilege": "GetMember", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "memorydb:TagResource", - "s3:DeleteObject", - "s3:GetBucketAcl", - "s3:PutObject" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "Member*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a new subnet group", - "privilege": "CreateSubnetGroup", + "access_level": "Read", + "description": "Grants permission to retrieve the status and configuration settings for retrieving occurrences of sensitive data reported by findings", + "privilege": "GetRevealConfiguration", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "memorydb:TagResource" - ], + "condition_keys": [], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a new user", - "privilege": "CreateUser", + "access_level": "Read", + "description": "Grants permission to retrieve occurrences of sensitive data reported by a finding", + "privilege": "GetSensitiveDataOccurrences", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "memorydb:TagResource" - ], + "condition_keys": [], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete an access control list", - "privilege": "DeleteAcl", + "access_level": "Read", + "description": "Grants permission to check whether occurrences of sensitive data can be retrieved for a finding", + "privilege": "GetSensitiveDataOccurrencesAvailability", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "acl*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a previously provisioned cluster", - "privilege": "DeleteCluster", + "access_level": "Read", + "description": "Grants permission to retrieve quotas and aggregated usage data for one or more accounts", + "privilege": "GetUsageStatistics", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a parameter group", - "privilege": "DeleteParameterGroup", + "access_level": "Read", + "description": "Grants permission to retrieve aggregated usage data for an account", + "privilege": "GetUsageTotals", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a snapshot", - "privilege": "DeleteSnapshot", + "access_level": "List", + "description": "Grants permission to retrieve a subset of information about all the allow lists for an account", + "privilege": "ListAllowLists", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a subnet group", - "privilege": "DeleteSubnetGroup", + "access_level": "List", + "description": "Grants permission to retrieve a subset of information about the status and settings for one or more sensitive data discovery jobs", + "privilege": "ListClassificationJobs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" - ], - "resource_type": "subnetgroup*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a user", - "privilege": "DeleteUser", + "access_level": "List", + "description": "Grants permission to retrieve information about all custom data identifiers", + "privilege": "ListCustomDataIdentifiers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve information about access control lists", - "privilege": "DescribeAcls", + "access_level": "List", + "description": "Grants permission to retrieve a subset of information about one or more findings", + "privilege": "ListFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "acl*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve information about all provisioned clusters if no cluster identifier is specified, or about a specific cluster if a cluster identifier is supplied", - "privilege": "DescribeClusters", + "access_level": "List", + "description": "Grants permission to retrieve information about all findings filters", + "privilege": "ListFindingsFilters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to list of the available engines and their versions", - "privilege": "DescribeEngineVersions", + "access_level": "List", + "description": "Grants permission to retrieve information about all the Amazon Macie membership invitations that were received by an account", + "privilege": "ListInvitations", "resource_types": [ { "condition_keys": [], @@ -121599,9 +135646,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve events related to clusters, subnet groups, and parameter groups", - "privilege": "DescribeEvents", + "access_level": "List", + "description": "Grants permission to retrieve information about managed data identifiers", + "privilege": "ListManagedDataIdentifiers", "resource_types": [ { "condition_keys": [], @@ -121611,132 +135658,80 @@ ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve information about parameter groups", - "privilege": "DescribeParameterGroups", + "access_level": "List", + "description": "Grants permission to retrieve information about the Amazon Macie member accounts that are associated with a Macie administrator account", + "privilege": "ListMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve a detailed parameter list for a particular parameter group", - "privilege": "DescribeParameters", + "access_level": "List", + "description": "Grants permission to retrieve information about the delegated, Amazon Macie administrator account for an AWS organization", + "privilege": "ListOrganizationAdminAccounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to retrieve details of the service updates", - "privilege": "DescribeServiceUpdates", + "description": "Grants permission to retrieve the tags for an Amazon Macie resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permissions to retrieve information about cluster snapshots", - "privilege": "DescribeSnapshots", - "resource_types": [ + "resource_type": "AllowList" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "ClassificationJob" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permissions to retrieve a list of subnet group", - "privilege": "DescribeSubnetGroups", - "resource_types": [ + "resource_type": "CustomDataIdentifier" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" + "resource_type": "FindingsFilter" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Member" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve information about users", - "privilege": "DescribeUsers", + "access_level": "Write", + "description": "Grants permission to create or update the settings for storing sensitive data discovery results", + "privilege": "PutClassificationExportConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to test automatic failover on a specified shard in a cluster", - "privilege": "FailoverShard", + "description": "Grants permission to update the configuration settings for publishing findings to AWS Security Hub", + "privilege": "PutFindingsPublicationConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } @@ -121744,61 +135739,50 @@ }, { "access_level": "Read", - "description": "Grants permissions to list available node type updates", - "privilege": "ListNodeTypeUpdates", + "description": "Grants permission to retrieve statistical data and other information about AWS resources that Amazon Macie monitors and analyzes", + "privilege": "SearchResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to list cost allocation tags", - "privilege": "ListTags", + "access_level": "Tagging", + "description": "Grants permission to add or update the tags for an Amazon Macie resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "acl" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "AllowList" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup" + "resource_type": "ClassificationJob" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot" + "resource_type": "CustomDataIdentifier" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup" + "resource_type": "FindingsFilter" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user" + "resource_type": "Member" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121807,63 +135791,49 @@ }, { "access_level": "Write", - "description": "Grants permissions to modify the parameters of a parameter group to the engine or system default value", - "privilege": "ResetParameterGroup", + "description": "Grants permission to test a custom data identifier", + "privilege": "TestCustomDataIdentifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permissions to add up to 10 cost allocation tags to the named resource", - "privilege": "TagResource", + "description": "Grants permission to remove tags from an Amazon Macie resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "acl" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "AllowList" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup" + "resource_type": "ClassificationJob" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot" + "resource_type": "CustomDataIdentifier" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup" + "resource_type": "FindingsFilter" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user" + "resource_type": "Member" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121871,44 +135841,31 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permissions to remove the tags identified by the TagKeys list from a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to update the settings for an allow list", + "privilege": "UpdateAllowList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "acl" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "parametergroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subnetgroup" - }, + "resource_type": "AllowList*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to change the status of a sensitive data discovery job", + "privilege": "UpdateClassificationJob", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user" + "resource_type": "ClassificationJob*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121917,22 +135874,18 @@ }, { "access_level": "Write", - "description": "Grants permissions to update an access control list", - "privilege": "UpdateAcl", + "description": "Grants permission to update the settings for a findings filter", + "privilege": "UpdateFindingsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "acl*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" + "resource_type": "FindingsFilter*" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121941,92 +135894,48 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the settings for a cluster", - "privilege": "UpdateCluster", + "description": "Grants permission to suspend or re-enable an Amazon Macie account, or update the configuration settings for a Macie account", + "privilege": "UpdateMacieSession", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" - ], - "resource_type": "cluster*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "acl" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "parametergroup" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to update parameters in a parameter group", - "privilege": "UpdateParameterGroup", + "description": "Grants permission to an Amazon Macie administrator account to suspend or re-enable a Macie member account", + "privilege": "UpdateMemberSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to update a subnet group", - "privilege": "UpdateSubnetGroup", + "description": "Grants permission to update Amazon Macie configuration settings for an AWS organization", + "privilege": "UpdateOrganizationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to update a user", - "privilege": "UpdateUser", + "description": "Grants permission to update the status and configuration settings for retrieving occurrences of sensitive data reported by findings", + "privilege": "UpdateRevealConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] @@ -122034,85 +135943,124 @@ ], "resources": [ { - "arn": "arn:${Partition}:memorydb:${Region}:${Account}:parametergroup/${ParameterGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "parametergroup" - }, - { - "arn": "arn:${Partition}:memorydb:${Region}:${Account}:subnetgroup/${SubnetGroupName}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:allow-list/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "subnetgroup" + "resource": "AllowList" }, { - "arn": "arn:${Partition}:memorydb:${Region}:${Account}:cluster/${ClusterName}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:classification-job/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "cluster" + "resource": "ClassificationJob" }, { - "arn": "arn:${Partition}:memorydb:${Region}:${Account}:snapshot/${SnapshotName}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:custom-data-identifier/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "snapshot" + "resource": "CustomDataIdentifier" }, { - "arn": "arn:${Partition}:memorydb:${Region}:${Account}:user/${UserName}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:findings-filter/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "user" + "resource": "FindingsFilter" }, { - "arn": "arn:${Partition}:memorydb:${Region}:${Account}:acl/${AclName}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:member/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "acl" + "resource": "Member" } ], - "service_name": "Amazon MemoryDB" + "service_name": "Amazon Macie" }, { - "conditions": [], - "prefix": "mgh", + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with an Amazon Managed Blockchain resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "managedblockchain", "privileges": [ { "access_level": "Write", - "description": "Associate a given AWS artifact to a MigrationTask", - "privilege": "AssociateCreatedArtifact", + "description": "Grants permission to create a member of an Amazon Managed Blockchain network", + "privilege": "CreateMember", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "network*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Associate a given ADS resource to a MigrationTask", - "privilege": "AssociateDiscoveredResource", + "description": "Grants permission to create an Amazon Managed Blockchain network", + "privilege": "CreateNetwork", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "migrationTask*" + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a Migration Hub Home Region Control", - "privilege": "CreateHomeRegionControl", + "description": "Grants permission to create a node within a member of an Amazon Managed Blockchain network", + "privilege": "CreateNode", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "member" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -122120,92 +136068,100 @@ }, { "access_level": "Write", - "description": "Create a ProgressUpdateStream", - "privilege": "CreateProgressUpdateStream", + "description": "Grants permission to create a proposal that other blockchain network members can vote on to add or remove a member in an Amazon Managed Blockchain network", + "privilege": "CreateProposal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "progressUpdateStream*" + "resource_type": "network*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Delete a ProgressUpdateStream", - "privilege": "DeleteProgressUpdateStream", + "description": "Grants permission to delete a member and all associated resources from an Amazon Managed Blockchain network", + "privilege": "DeleteMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "progressUpdateStream*" + "resource_type": "member*" } ] }, { - "access_level": "Read", - "description": "Get an Application Discovery Service Application's state", - "privilege": "DescribeApplicationState", + "access_level": "Write", + "description": "Grants permission to delete a node from a member of an Amazon Managed Blockchain network", + "privilege": "DeleteNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "node*" } ] }, { - "access_level": "List", - "description": "List Home Region Controls", - "privilege": "DescribeHomeRegionControls", + "access_level": "Read", + "description": "Grants permission to return detailed information about a member of an Amazon Managed Blockchain network", + "privilege": "GetMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "member*" } ] }, { "access_level": "Read", - "description": "Describe a MigrationTask", - "privilege": "DescribeMigrationTask", + "description": "Grants permission to return detailed information about an Amazon Managed Blockchain network", + "privilege": "GetNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "network*" } ] }, { - "access_level": "Write", - "description": "Disassociate a given AWS artifact from a MigrationTask", - "privilege": "DisassociateCreatedArtifact", + "access_level": "Read", + "description": "Grants permission to return detailed information about a node within a member of an Amazon Managed Blockchain network", + "privilege": "GetNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "node*" } ] }, { - "access_level": "Write", - "description": "Disassociate a given ADS resource from a MigrationTask", - "privilege": "DisassociateDiscoveredResource", + "access_level": "Read", + "description": "Grants permission to return detailed information about a proposal of an Amazon Managed Blockchain network", + "privilege": "GetProposal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "proposal*" } ] }, { - "access_level": "Read", - "description": "Get the Migration Hub Home Region", - "privilege": "GetHomeRegion", + "access_level": "List", + "description": "Grants permission to list the invitations extended to the active AWS account from any Managed Blockchain network", + "privilege": "ListInvitations", "resource_types": [ { "condition_keys": [], @@ -122215,21 +136171,21 @@ ] }, { - "access_level": "Write", - "description": "Import a MigrationTask", - "privilege": "ImportMigrationTask", + "access_level": "List", + "description": "Grants permission to list the members of an Amazon Managed Blockchain network and the properties of their memberships", + "privilege": "ListMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "network*" } ] }, { "access_level": "List", - "description": "List Application statuses", - "privilege": "ListApplicationStates", + "description": "Grants permission to list the Amazon Managed Blockchain networks in which the current AWS account participates", + "privilege": "ListNetworks", "resource_types": [ { "condition_keys": [], @@ -122240,139 +136196,268 @@ }, { "access_level": "List", - "description": "List associated created artifacts for a MigrationTask", - "privilege": "ListCreatedArtifacts", + "description": "Grants permission to list the nodes within a member of an Amazon Managed Blockchain network", + "privilege": "ListNodes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "member" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network" } ] }, { - "access_level": "List", - "description": "List associated ADS resources from MigrationTask", - "privilege": "ListDiscoveredResources", + "access_level": "Read", + "description": "Grants permission to list all votes for a proposal, including the value of the vote and the unique identifier of the member that cast the vote for the given Amazon Managed Blockchain network", + "privilege": "ListProposalVotes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "proposal*" } ] }, { "access_level": "List", - "description": "List MigrationTasks", - "privilege": "ListMigrationTasks", + "description": "Grants permission to list proposals for the given Amazon Managed Blockchain network", + "privilege": "ListProposals", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "network*" } ] }, { - "access_level": "List", - "description": "List ProgressUpdateStreams", - "privilege": "ListProgressUpdateStreams", + "access_level": "Read", + "description": "Grants permission to view tags associated with an Amazon Managed Blockchain resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "invitation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "member" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "node" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proposal" } ] }, { "access_level": "Write", - "description": "Update an Application Discovery Service Application's state", - "privilege": "NotifyApplicationState", + "description": "Grants permission to reject the invitation to join the blockchain network", + "privilege": "RejectInvitation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "invitation*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to an Amazon Managed Blockchain resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "invitation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "member" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "node" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proposal" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from an Amazon Managed Blockchain resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "invitation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "member" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "node" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proposal" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Notify latest MigrationTask state", - "privilege": "NotifyMigrationTaskState", + "description": "Grants permission to update a member of an Amazon Managed Blockchain network", + "privilege": "UpdateMember", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "migrationTask*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "member*" } ] }, { "access_level": "Write", - "description": "Put ResourceAttributes", - "privilege": "PutResourceAttributes", + "description": "Grants permission to update a node from a member of an Amazon Managed Blockchain network", + "privilege": "UpdateNode", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "node*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cast a vote for a proposal on behalf of the blockchain network member specified", + "privilege": "VoteOnProposal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "proposal*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}", - "condition_keys": [], - "resource": "progressUpdateStream" + "arn": "arn:${Partition}:managedblockchain:${Region}::networks/${NetworkId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "network" }, { - "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}/migrationTask/${Task}", - "condition_keys": [], - "resource": "migrationTask" - } - ], - "service_name": "AWS Migration Hub" - }, - { - "conditions": [ + "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:members/${MemberId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "member" + }, { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", - "type": "String" + "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:nodes/${NodeId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "node" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", - "type": "String" + "arn": "arn:${Partition}:managedblockchain:${Region}::proposals/${ProposalId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "proposal" }, { - "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:invitations/${InvitationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "invitation" } ], - "prefix": "mgn", + "service_name": "Amazon Managed Blockchain" + }, + { + "conditions": [], + "prefix": "marketplacecommerceanalytics", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create volume snapshot group", - "privilege": "BatchCreateVolumeSnapshotGroupForMgn", + "description": "Request a data set to be published to your Amazon S3 bucket.", + "privilege": "GenerateDataSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to batch delete snapshot request", - "privilege": "BatchDeleteSnapshotRequestForMgn", + "description": "Request a support data set to be published to your Amazon S3 bucket.", + "privilege": "StartSupportDataExport", "resource_types": [ { "condition_keys": [], @@ -122380,29 +136465,34 @@ "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "AWS Marketplace Commerce Analytics Service" + }, + { + "conditions": [], + "prefix": "mechanicalturk", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to change source server life cycle state", - "privilege": "ChangeServerLifeCycleState", + "description": "The AcceptQualificationRequest operation grants a Worker's request for a Qualification", + "privilege": "AcceptQualificationRequest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create replication configuration template", - "privilege": "CreateReplicationConfigurationTemplate", + "description": "The ApproveAssignment operation approves the results of a completed assignment", + "privilege": "ApproveAssignment", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -122410,56 +136500,56 @@ }, { "access_level": "Write", - "description": "Grants permission to delete job", - "privilege": "DeleteJob", + "description": "The AssociateQualificationWithWorker operation gives a Worker a Qualification", + "privilege": "AssociateQualificationWithWorker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete replication configuration template", - "privilege": "DeleteReplicationConfigurationTemplate", + "description": "The CreateAdditionalAssignmentsForHIT operation increases the maximum number of assignments of an existing HIT", + "privilege": "CreateAdditionalAssignmentsForHIT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ReplicationConfigurationTemplateResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete source server", - "privilege": "DeleteSourceServer", + "description": "The CreateHIT operation creates a new HIT (Human Intelligence Task)", + "privilege": "CreateHIT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe job log items", - "privilege": "DescribeJobLogItems", + "access_level": "Write", + "description": "The CreateHITType operation creates a new HIT type", + "privilege": "CreateHITType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobResource*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe jobs", - "privilege": "DescribeJobs", + "access_level": "Write", + "description": "The CreateHITWithHITType operation creates a new Human Intelligence Task (HIT) using an existing HITTypeID generated by the CreateHITType operation", + "privilege": "CreateHITWithHITType", "resource_types": [ { "condition_keys": [], @@ -122469,9 +136559,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to describe replication configuration template", - "privilege": "DescribeReplicationConfigurationTemplates", + "access_level": "Write", + "description": "The CreateQualificationType operation creates a new Qualification type, which is represented by a QualificationType data structure", + "privilege": "CreateQualificationType", "resource_types": [ { "condition_keys": [], @@ -122481,9 +136571,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe replication server associations", - "privilege": "DescribeReplicationServerAssociationsForMgn", + "access_level": "Write", + "description": "The CreateWorkerBlock operation allows you to prevent a Worker from working on your HITs", + "privilege": "CreateWorkerBlock", "resource_types": [ { "condition_keys": [], @@ -122493,9 +136583,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe snapshots requests", - "privilege": "DescribeSnapshotRequestsForMgn", + "access_level": "Write", + "description": "The DeleteHIT operation disposes of a HIT that is no longer needed", + "privilege": "DeleteHIT", "resource_types": [ { "condition_keys": [], @@ -122505,9 +136595,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to describe source servers", - "privilege": "DescribeSourceServers", + "access_level": "Write", + "description": "The DeleteQualificationType disposes a Qualification type and disposes any HIT types that are associated with the Qualification type", + "privilege": "DeleteQualificationType", "resource_types": [ { "condition_keys": [], @@ -122518,56 +136608,56 @@ }, { "access_level": "Write", - "description": "Grants permission to disconnect source server from service", - "privilege": "DisconnectFromService", + "description": "The DeleteWorkerBlock operation allows you to reinstate a blocked Worker to work on your HITs", + "privilege": "DeleteWorkerBlock", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to finalize cutover", - "privilege": "FinalizeCutover", + "description": "The DisassociateQualificationFromWorker revokes a previously granted Qualification from a user", + "privilege": "DisassociateQualificationFromWorker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get agent command", - "privilege": "GetAgentCommandForMgn", + "description": "The GetAccountBalance operation retrieves the amount of money in your Amazon Mechanical Turk account", + "privilege": "GetAccountBalance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get agent confirmed resume info", - "privilege": "GetAgentConfirmedResumeInfoForMgn", + "description": "The GetAssignment retrieves an assignment with an AssignmentStatus value of Submitted, Approved, or Rejected, using the assignment's ID", + "privilege": "GetAssignment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get agent installation assets", - "privilege": "GetAgentInstallationAssetsForMgn", + "description": "The GetFileUploadURL operation generates and returns a temporary URL", + "privilege": "GetFileUploadURL", "resource_types": [ { "condition_keys": [], @@ -122578,44 +136668,44 @@ }, { "access_level": "Read", - "description": "Grants permission to get agent replication info", - "privilege": "GetAgentReplicationInfoForMgn", + "description": "The GetHIT operation retrieves the details of the specified HIT", + "privilege": "GetHIT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get agent runtime configuration", - "privilege": "GetAgentRuntimeConfigurationForMgn", + "description": "The GetQualificationScore operation returns the value of a Worker's Qualification for a given Qualification type", + "privilege": "GetQualificationScore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get agent snapshots credits", - "privilege": "GetAgentSnapshotCreditsForMgn", + "description": "The GetQualificationType operation retrieves information about a Qualification type using its ID", + "privilege": "GetQualificationType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get channel commands", - "privilege": "GetChannelCommandsForMgn", + "access_level": "List", + "description": "The ListAssignmentsForHIT operation retrieves completed assignments for a HIT", + "privilege": "ListAssignmentsForHIT", "resource_types": [ { "condition_keys": [], @@ -122625,50 +136715,45 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get launch configuration", - "privilege": "GetLaunchConfiguration", + "access_level": "List", + "description": "The ListBonusPayments operation retrieves the amounts of bonuses you have paid to Workers for a given HIT or assignment", + "privilege": "ListBonusPayments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get replication configuration", - "privilege": "GetReplicationConfiguration", + "access_level": "List", + "description": "The ListHITs operation returns all of a Requester's HITs", + "privilege": "ListHITs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to initialize service", - "privilege": "InitializeService", + "access_level": "List", + "description": "The ListHITsForQualificationType operation returns the HITs that use the given QualififcationType for a QualificationRequirement", + "privilege": "ListHITsForQualificationType", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:AddRoleToInstanceProfile", - "iam:CreateInstanceProfile", - "iam:CreateServiceLinkedRole", - "iam:GetInstanceProfile" - ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "The ListQualificationRequests operation retrieves requests for Qualifications of a particular Qualification type", + "privilege": "ListQualificationRequests", "resource_types": [ { "condition_keys": [], @@ -122678,75 +136763,72 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to mark source server as archived", - "privilege": "MarkAsArchived", + "access_level": "List", + "description": "The ListQualificationTypes operation searches for Qualification types using the specified search query, and returns a list of Qualification types", + "privilege": "ListQualificationTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to notify agent authentication", - "privilege": "NotifyAgentAuthenticationForMgn", + "access_level": "List", + "description": "The ListReviewPolicyResultsForHIT operation retrieves the computed results and the actions taken in the course of executing your Review Policies during a CreateHIT operation", + "privilege": "ListReviewPolicyResultsForHIT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to notify agent is connected", - "privilege": "NotifyAgentConnectedForMgn", + "access_level": "List", + "description": "The ListReviewableHITs operation returns all of a Requester's HITs that have not been approved or rejected", + "privilege": "ListReviewableHITs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to notify agent is disconnected", - "privilege": "NotifyAgentDisconnectedForMgn", + "access_level": "List", + "description": "The ListWorkersBlocks operation retrieves a list of Workers who are blocked from working on your HITs", + "privilege": "ListWorkerBlocks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to notify agent replication progress", - "privilege": "NotifyAgentReplicationProgressForMgn", + "access_level": "List", + "description": "The ListWorkersWithQualificationType operation returns all of the Workers with a given Qualification type", + "privilege": "ListWorkersWithQualificationType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to register agent", - "privilege": "RegisterAgentForMgn", + "description": "The NotifyWorkers operation sends an email to one or more Workers that you specify with the Worker ID", + "privilege": "NotifyWorkers", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -122754,44 +136836,44 @@ }, { "access_level": "Write", - "description": "Grants permission to retry replication", - "privilege": "RetryDataReplication", + "description": "The RejectAssignment operation rejects the results of a completed assignment", + "privilege": "RejectAssignment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to send agent logs", - "privilege": "SendAgentLogsForMgn", + "description": "The RejectQualificationRequest operation rejects a user's request for a Qualification", + "privilege": "RejectQualificationRequest", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to send agent metrics", - "privilege": "SendAgentMetricsForMgn", + "description": "The SendBonus operation issues a payment of money from your account to a Worker", + "privilege": "SendBonus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to send channel command result", - "privilege": "SendChannelCommandResultForMgn", + "description": "The SendTestEventNotification operation causes Amazon Mechanical Turk to send a notification message as if a HIT event occurred, according to the provided notification specification", + "privilege": "SendTestEventNotification", "resource_types": [ { "condition_keys": [], @@ -122802,8 +136884,8 @@ }, { "access_level": "Write", - "description": "Grants permission to send client logs", - "privilege": "SendClientLogsForMgn", + "description": "The UpdateExpirationForHIT operation allows you extend the expiration time of a HIT beyond is current expiration or expire a HIT immediately", + "privilege": "UpdateExpirationForHIT", "resource_types": [ { "condition_keys": [], @@ -122814,8 +136896,8 @@ }, { "access_level": "Write", - "description": "Grants permission to send client metrics", - "privilege": "SendClientMetricsForMgn", + "description": "The UpdateHITReviewStatus operation toggles the status of a HIT", + "privilege": "UpdateHITReviewStatus", "resource_types": [ { "condition_keys": [], @@ -122826,56 +136908,11 @@ }, { "access_level": "Write", - "description": "Grants permission to start cutover", - "privilege": "StartCutover", + "description": "The UpdateHITTypeOfHIT operation allows you to change the HITType properties of a HIT", + "privilege": "UpdateHITTypeOfHIT", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateSecurityGroup", - "ec2:CreateSnapshot", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:DeleteLaunchTemplateVersions", - "ec2:DeleteSnapshot", - "ec2:DeleteVolume", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeImages", - "ec2:DescribeInstanceAttribute", - "ec2:DescribeInstanceStatus", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInstances", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSnapshots", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:DetachVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyLaunchTemplate", - "ec2:ReportInstanceStatus", - "ec2:RevokeSecurityGroupEgress", - "ec2:RunInstances", - "ec2:StartInstances", - "ec2:StopInstances", - "ec2:TerminateInstances", - "iam:PassRole", - "mgn:ListTagsForResource" - ], - "resource_type": "SourceServerResource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } @@ -122883,71 +136920,11 @@ }, { "access_level": "Write", - "description": "Grants permission to start test", - "privilege": "StartTest", + "description": "The UpdateNotificationSettings operation creates, updates, disables or re-enables notifications for a HIT type", + "privilege": "UpdateNotificationSettings", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateSecurityGroup", - "ec2:CreateSnapshot", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:DeleteLaunchTemplateVersions", - "ec2:DeleteSnapshot", - "ec2:DeleteVolume", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeImages", - "ec2:DescribeInstanceAttribute", - "ec2:DescribeInstanceStatus", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInstances", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSnapshots", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:DetachVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyLaunchTemplate", - "ec2:ReportInstanceStatus", - "ec2:RevokeSecurityGroupEgress", - "ec2:RunInstances", - "ec2:StartInstances", - "ec2:StopInstances", - "ec2:TerminateInstances", - "iam:PassRole", - "mgn:ListTagsForResource" - ], - "resource_type": "SourceServerResource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to assign a resource tag", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } @@ -122955,173 +136932,124 @@ }, { "access_level": "Write", - "description": "Grants permission to terminate target instances", - "privilege": "TerminateTargetInstances", + "description": "The UpdateQualificationType operation modifies the attributes of an existing Qualification type, which is represented by a QualificationType data structure", + "privilege": "UpdateQualificationType", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DeleteVolume", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:TerminateInstances" - ], - "resource_type": "SourceServerResource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", - "resource_types": [ - { - "condition_keys": [ - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "Amazon Mechanical Turk" + }, + { + "conditions": [], + "prefix": "mediaconnect", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to update agent backlog", - "privilege": "UpdateAgentBacklogForMgn", + "description": "Grants permission to add media streams to any flow", + "privilege": "AddFlowMediaStreams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update agent conversion info", - "privilege": "UpdateAgentConversionInfoForMgn", + "description": "Grants permission to add outputs to any flow", + "privilege": "AddFlowOutputs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update agent replication info", - "privilege": "UpdateAgentReplicationInfoForMgn", + "description": "Grants permission to add sources to any flow", + "privilege": "AddFlowSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update agent replication process state", - "privilege": "UpdateAgentReplicationProcessStateForMgn", + "description": "Grants permission to add VPC interfaces to any flow", + "privilege": "AddFlowVpcInterfaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update agent source properties", - "privilege": "UpdateAgentSourcePropertiesForMgn", + "description": "Grants permission to create flows", + "privilege": "CreateFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update launch configuration", - "privilege": "UpdateLaunchConfiguration", + "description": "Grants permission to delete flows", + "privilege": "DeleteFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update replication configuration", - "privilege": "UpdateReplicationConfiguration", + "access_level": "Read", + "description": "Grants permission to display the details of a flow including the flow ARN, name, and Availability Zone, as well as details about the source, outputs, and entitlements", + "privilege": "DescribeFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SourceServerResource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update replication configuration template", - "privilege": "UpdateReplicationConfigurationTemplate", + "access_level": "Read", + "description": "Grants permission to display the details of an offering", + "privilege": "DescribeOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ReplicationConfigurationTemplateResource*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mgn:${Region}:${Account}:job/${jobID}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "JobResource" - }, - { - "arn": "arn:${Partition}:mgn:${Region}:${Account}:replication-configuration-template/${replicationConfigurationTemplateID}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ReplicationConfigurationTemplateResource" }, - { - "arn": "arn:${Partition}:mgn:${Region}:${Account}:source-server/${sourceServerID}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "SourceServerResource" - } - ], - "service_name": "AWS Application Migration Service" - }, - { - "conditions": [], - "prefix": "migrationhub-strategy", - "privileges": [ { "access_level": "Read", - "description": "Grants permission to get details of each anti pattern that collector should look at in a customer's environment", - "privilege": "GetAntiPattern", + "description": "Grants permission to display the details of a reservation", + "privilege": "DescribeReservation", "resource_types": [ { "condition_keys": [], @@ -123131,9 +137059,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get details of an application", - "privilege": "GetApplicationComponentDetails", + "access_level": "Write", + "description": "Grants permission to grant entitlements on any flow", + "privilege": "GrantFlowEntitlements", "resource_types": [ { "condition_keys": [], @@ -123143,9 +137071,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get a list of all recommended strategies and tools for an application running in a server", - "privilege": "GetApplicationComponentStrategies", + "access_level": "List", + "description": "Grants permission to display a list of all entitlements that have been granted to the account", + "privilege": "ListEntitlements", "resource_types": [ { "condition_keys": [], @@ -123155,9 +137083,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve status of an on-going assessment", - "privilege": "GetAssessment", + "access_level": "List", + "description": "Grants permission to display a list of flows that are associated with this account", + "privilege": "ListFlows", "resource_types": [ { "condition_keys": [], @@ -123167,9 +137095,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get details of a specific import task", - "privilege": "GetImportFileTask", + "access_level": "List", + "description": "Grants permission to display a list of all offerings that are available to the account in the current AWS Region", + "privilege": "ListOfferings", "resource_types": [ { "condition_keys": [], @@ -123179,9 +137107,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to the collector to receive information from the service", - "privilege": "GetMessage", + "access_level": "List", + "description": "Grants permission to display a list of all reservations that have been purchased by the account in the current AWS Region", + "privilege": "ListReservations", "resource_types": [ { "condition_keys": [], @@ -123192,8 +137120,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve customer migration/Modernization preferences", - "privilege": "GetPortfolioPreferences", + "description": "Grants permission to display a list of all tags associated with a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], @@ -123203,9 +137131,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve overall summary (number-of servers to rehost etc as well as overall number of anti patterns)", - "privilege": "GetPortfolioSummary", + "access_level": "Write", + "description": "Grants permission to purchase an offering", + "privilege": "PurchaseOffering", "resource_types": [ { "condition_keys": [], @@ -123215,9 +137143,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve detailed information about a recommendation report", - "privilege": "GetRecommendationReportDetails", + "access_level": "Write", + "description": "Grants permission to remove media streams from any flow", + "privilege": "RemoveFlowMediaStream", "resource_types": [ { "condition_keys": [], @@ -123227,9 +137155,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get info about a specific server", - "privilege": "GetServerDetails", + "access_level": "Write", + "description": "Grants permission to remove outputs from any flow", + "privilege": "RemoveFlowOutput", "resource_types": [ { "condition_keys": [], @@ -123239,9 +137167,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get recommended strategies and tools for a specific server", - "privilege": "GetServerStrategies", + "access_level": "Write", + "description": "Grants permission to remove sources from any flow", + "privilege": "RemoveFlowSource", "resource_types": [ { "condition_keys": [], @@ -123251,9 +137179,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get a list of all anti patterns that collector should look for in a customer's environment", - "privilege": "ListAntiPatterns", + "access_level": "Write", + "description": "Grants permission to remove VPC interfaces from any flow", + "privilege": "RemoveFlowVpcInterface", "resource_types": [ { "condition_keys": [], @@ -123263,9 +137191,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get a list of all applications running on servers on customer's servers", - "privilege": "ListApplicationComponents", + "access_level": "Write", + "description": "Grants permission to revoke entitlements on any flow", + "privilege": "RevokeFlowEntitlement", "resource_types": [ { "condition_keys": [], @@ -123275,9 +137203,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get a list of all collectors installed by the customer", - "privilege": "ListCollectors", + "access_level": "Write", + "description": "Grants permission to start flows", + "privilege": "StartFlow", "resource_types": [ { "condition_keys": [], @@ -123287,9 +137215,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get list of all imports performed by the customer", - "privilege": "ListImportFileTask", + "access_level": "Write", + "description": "Grants permission to stop flows", + "privilege": "StopFlow", "resource_types": [ { "condition_keys": [], @@ -123299,9 +137227,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get a list of binaries that collector should assess", - "privilege": "ListJarArtifacts", + "access_level": "Tagging", + "description": "Grants permission to associate tags with resources", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], @@ -123311,9 +137239,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get a list of all servers in a customer's environment", - "privilege": "ListServers", + "access_level": "Tagging", + "description": "Grants permission to remove tags from resources", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], @@ -123324,8 +137252,8 @@ }, { "access_level": "Write", - "description": "Grants permission to save customer's Migration/Modernization preferences", - "privilege": "PutPortfolioPreferences", + "description": "Grants permission to update flows", + "privilege": "UpdateFlow", "resource_types": [ { "condition_keys": [], @@ -123336,8 +137264,8 @@ }, { "access_level": "Write", - "description": "Grants permission to register the collector to receive an ID and to start receiving messages from the service", - "privilege": "RegisterCollector", + "description": "Grants permission to update entitlements on any flow", + "privilege": "UpdateFlowEntitlement", "resource_types": [ { "condition_keys": [], @@ -123348,8 +137276,8 @@ }, { "access_level": "Write", - "description": "Grants permission to the collector to send information to the service", - "privilege": "SendMessage", + "description": "Grants permission to update media streams on any flow", + "privilege": "UpdateFlowMediaStream", "resource_types": [ { "condition_keys": [], @@ -123360,8 +137288,8 @@ }, { "access_level": "Write", - "description": "Grants permission to start assessment in a customer's environment (collect data from all servers and provide recommendations)", - "privilege": "StartAssessment", + "description": "Grants permission to update outputs on any flow", + "privilege": "UpdateFlowOutput", "resource_types": [ { "condition_keys": [], @@ -123372,8 +137300,8 @@ }, { "access_level": "Write", - "description": "Grants permission to start importing data from a file provided by customer", - "privilege": "StartImportFileTask", + "description": "Grants permission to update the source of any flow", + "privilege": "UpdateFlowSource", "resource_types": [ { "condition_keys": [], @@ -123381,11 +137309,56 @@ "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:entitlement:${FlowId}:${EntitlementName}", + "condition_keys": [], + "resource": "Entitlement" + }, + { + "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:flow:${FlowId}:${FlowName}", + "condition_keys": [], + "resource": "Flow" + }, + { + "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:output:${OutputId}:${OutputName}", + "condition_keys": [], + "resource": "Output" + }, + { + "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:source:${SourceId}:${SourceName}", + "condition_keys": [], + "resource": "Source" + } + ], + "service_name": "AWS Elemental MediaConnect" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "mediaconvert", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to start generating a recommendation report", - "privilege": "StartRecommendationReportGeneration", + "description": "Grants permission to associate an AWS Certificate Manager (ACM) Amazon Resource Name (ARN) with AWS Elemental MediaConvert", + "privilege": "AssociateCertificate", "resource_types": [ { "condition_keys": [], @@ -123396,67 +137369,81 @@ }, { "access_level": "Write", - "description": "Grants permission to stop an on-going assessment", - "privilege": "StopAssessment", + "description": "Grants permission to cancel an AWS Elemental MediaConvert job that is waiting in queue", + "privilege": "CancelJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Job*" } ] }, { "access_level": "Write", - "description": "Grants permission to update details for an application", - "privilege": "UpdateApplicationComponentConfig", + "description": "Grants permission to create and submit an AWS Elemental MediaConvert job", + "privilege": "CreateJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "JobTemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Preset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Queue" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update info on a server along with the recommended strategy", - "privilege": "UpdateServerConfig", + "description": "Grants permission to create an AWS Elemental MediaConvert custom job template", + "privilege": "CreateJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "AWS Migration Hub Strategy Recommendations." - }, - { - "conditions": [], - "prefix": "mobileanalytics", - "privileges": [ - { - "access_level": "Read", - "description": "Grant access to financial metrics for an app", - "privilege": "GetFinancialReports", - "resource_types": [ + "resource_type": "Preset" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "Queue" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grant access to standard metrics for an app", - "privilege": "GetReports", + "access_level": "Write", + "description": "Grants permission to create an AWS Elemental MediaConvert custom output preset", + "privilege": "CreatePreset", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -123464,40 +137451,35 @@ }, { "access_level": "Write", - "description": "The PutEvents operation records one or more events", - "privilege": "PutEvents", + "description": "Grants permission to create an AWS Elemental MediaConvert job queue", + "privilege": "CreateQueue", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "Amazon Mobile Analytics" - }, - { - "conditions": [], - "prefix": "mobilehub", - "privileges": [ + }, { "access_level": "Write", - "description": "Create a project", - "privilege": "CreateProject", + "description": "Grants permission to delete an AWS Elemental MediaConvert custom job template", + "privilege": "DeleteJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "JobTemplate*" } ] }, { "access_level": "Write", - "description": "Enable AWS Mobile Hub in the account by creating the required service role", - "privilege": "CreateServiceRole", + "description": "Grants permission to delete an AWS Elemental MediaConvert policy", + "privilege": "DeletePolicy", "resource_types": [ { "condition_keys": [], @@ -123508,32 +137490,32 @@ }, { "access_level": "Write", - "description": "Delete the specified project", - "privilege": "DeleteProject", + "description": "Grants permission to delete an AWS Elemental MediaConvert custom output preset", + "privilege": "DeletePreset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "Preset*" } ] }, { "access_level": "Write", - "description": "Delete a saved snapshot of project configuration", - "privilege": "DeleteProjectSnapshot", + "description": "Grants permission to delete an AWS Elemental MediaConvert job queue", + "privilege": "DeleteQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Queue*" } ] }, { - "access_level": "Write", - "description": "Deploy changes to the specified stage", - "privilege": "DeployToStage", + "access_level": "List", + "description": "Grants permission to subscribe to the AWS Elemental MediaConvert service, by sending a request for an account-specific endpoint. All transcoding requests must be sent to the endpoint that the service returns", + "privilege": "DescribeEndpoints", "resource_types": [ { "condition_keys": [], @@ -123543,9 +137525,9 @@ ] }, { - "access_level": "Read", - "description": "Describe the download bundle", - "privilege": "DescribeBundle", + "access_level": "Write", + "description": "Grants permission to remove an association between the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate and an AWS Elemental MediaConvert resource", + "privilege": "DisassociateCertificate", "resource_types": [ { "condition_keys": [], @@ -123556,68 +137538,68 @@ }, { "access_level": "Read", - "description": "Export the download bundle", - "privilege": "ExportBundle", + "description": "Grants permission to get an AWS Elemental MediaConvert job", + "privilege": "GetJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Job*" } ] }, { "access_level": "Read", - "description": "Export the project configuration", - "privilege": "ExportProject", + "description": "Grants permission to get an AWS Elemental MediaConvert job template", + "privilege": "GetJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "JobTemplate*" } ] }, { "access_level": "Read", - "description": "Generate project parameters required for code generation", - "privilege": "GenerateProjectParameters", + "description": "Grants permission to get an AWS Elemental MediaConvert policy", + "privilege": "GetPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Get project configuration and resources", - "privilege": "GetProject", + "description": "Grants permission to get an AWS Elemental MediaConvert output preset", + "privilege": "GetPreset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "Preset*" } ] }, { "access_level": "Read", - "description": "Fetch the previously exported project configuration snapshot", - "privilege": "GetProjectSnapshot", + "description": "Grants permission to get an AWS Elemental MediaConvert job queue", + "privilege": "GetQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Queue*" } ] }, { - "access_level": "Write", - "description": "Create a new project from the previously exported project configuration", - "privilege": "ImportProject", + "access_level": "List", + "description": "Grants permission to list AWS Elemental MediaConvert job templates", + "privilege": "ListJobTemplates", "resource_types": [ { "condition_keys": [], @@ -123627,21 +137609,21 @@ ] }, { - "access_level": "Write", - "description": "Install a bundle in the project deployments S3 bucket", - "privilege": "InstallBundle", + "access_level": "List", + "description": "Grants permission to list AWS Elemental MediaConvert jobs", + "privilege": "ListJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Queue" } ] }, { "access_level": "List", - "description": "List the available SaaS (Software as a Service) connectors", - "privilege": "ListAvailableConnectors", + "description": "Grants permission to list AWS Elemental MediaConvert output presets", + "privilege": "ListPresets", "resource_types": [ { "condition_keys": [], @@ -123652,8 +137634,8 @@ }, { "access_level": "List", - "description": "List available features", - "privilege": "ListAvailableFeatures", + "description": "Grants permission to list AWS Elemental MediaConvert job queues", + "privilege": "ListQueues", "resource_types": [ { "condition_keys": [], @@ -123663,21 +137645,31 @@ ] }, { - "access_level": "List", - "description": "List available regions for projects", - "privilege": "ListAvailableRegions", + "access_level": "Read", + "description": "Grants permission to retrieve the tags for a MediaConvert queue, preset, or job template", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "JobTemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Preset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Queue" } ] }, { - "access_level": "List", - "description": "List the available download bundles", - "privilege": "ListBundles", + "access_level": "Write", + "description": "Grants permission to put an AWS Elemental MediaConvert policy", + "privilege": "PutPolicy", "resource_types": [ { "condition_keys": [], @@ -123687,69 +137679,156 @@ ] }, { - "access_level": "List", - "description": "List saved snapshots of project configuration", - "privilege": "ListProjectSnapshots", + "access_level": "Tagging", + "description": "Grants permission to add tags to a MediaConvert queue, preset, or job template", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "JobTemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Preset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Queue" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "List projects", - "privilege": "ListProjects", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a MediaConvert queue, preset, or job template", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "JobTemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Preset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Queue" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Synchronize state of resources into project", - "privilege": "SynchronizeProject", + "description": "Grants permission to update an AWS Elemental MediaConvert custom job template", + "privilege": "UpdateJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "JobTemplate*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Preset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Queue" } ] }, { "access_level": "Write", - "description": "Update project", - "privilege": "UpdateProject", + "description": "Grants permission to update an AWS Elemental MediaConvert custom output preset", + "privilege": "UpdatePreset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "Preset*" } ] }, { - "access_level": "Read", - "description": "Validate a mobile hub project.", - "privilege": "ValidateProject", + "access_level": "Write", + "description": "Grants permission to update an AWS Elemental MediaConvert job queue", + "privilege": "UpdateQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Queue*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobs/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Job" }, { - "access_level": "Read", - "description": "Verify AWS Mobile Hub is enabled in the account", - "privilege": "VerifyServiceRole", + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:queues/${QueueName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Queue" + }, + { + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:presets/${PresetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Preset" + }, + { + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobTemplates/${JobTemplateName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "JobTemplate" + }, + { + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:certificates/${CertificateArn}", + "condition_keys": [], + "resource": "CertificateAssociation" + } + ], + "service_name": "AWS Elemental MediaConvert" + }, + { + "conditions": [], + "prefix": "mediaimport", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a database binary snapshot on the customer's aws account", + "privilege": "CreateDatabaseBinarySnapshot", "resource_types": [ { "condition_keys": [], @@ -123759,67 +137838,60 @@ ] } ], - "resources": [ - { - "arn": "arn:${Partition}:mobilehub:${Region}:${Account}:project/${ProjectId}", - "condition_keys": [], - "resource": "project" - } - ], - "service_name": "AWS Mobile Hub" + "resources": [], + "service_name": "AmazonMediaImport" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the pinpoint service.", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair.", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the pinpoint service.", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], - "prefix": "mobiletargeting", + "prefix": "medialive", "privileges": [ { "access_level": "Write", - "description": "Create an app.", - "privilege": "CreateApp", + "description": "Grants permission to accept an input device transfer", + "privilege": "AcceptInputDeviceTransfer", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "input-device*" } ] }, { "access_level": "Write", - "description": "Create a campaign for an app.", - "privilege": "CreateCampaign", + "description": "Grants permission to delete channels, inputs, input security groups, and multiplexes", + "privilege": "BatchDelete", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start channels and multiplexes", + "privilege": "BatchStart", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -123827,15 +137899,11 @@ }, { "access_level": "Write", - "description": "Create an email template.", - "privilege": "CreateEmailTemplate", + "description": "Grants permission to stop channels and multiplexes", + "privilege": "BatchStop", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -123843,43 +137911,59 @@ }, { "access_level": "Write", - "description": "Create an export job that exports endpoint definitions to Amazon S3.", - "privilege": "CreateExportJob", + "description": "Grants permission to add and remove actions from a channel's schedule", + "privilege": "BatchUpdateSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Import endpoint definitions from to create a segment.", - "privilege": "CreateImportJob", + "description": "Grants permission to cancel an input device transfer", + "privilege": "CancelInputDeviceTransfer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-device*" } ] }, { "access_level": "Write", - "description": "Create a Journey for an app.", - "privilege": "CreateJourney", + "description": "Grants permission to claim an input device", + "privilege": "ClaimDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-device*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a channel", + "privilege": "CreateChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -123888,14 +137972,23 @@ }, { "access_level": "Write", - "description": "Create a push notification template.", - "privilege": "CreatePushTemplate", + "description": "Grants permission to create an input", + "privilege": "CreateInput", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -123904,31 +137997,38 @@ }, { "access_level": "Write", - "description": "Create an Amazon Pinpoint configuration for a recommender model.", - "privilege": "CreateRecommenderConfiguration", + "description": "Grants permission to create an input security group", + "privilege": "CreateInputSecurityGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "input-security-group*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a segment that is based on endpoint data reported to Pinpoint by your app. To allow a user to create a segment by importing endpoint data from outside of Pinpoint, allow the mobiletargeting:CreateImportJob action.", - "privilege": "CreateSegment", + "description": "Grants permission to create a multiplex", + "privilege": "CreateMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "multiplex*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -123937,14 +138037,30 @@ }, { "access_level": "Write", - "description": "Create an sms message template.", - "privilege": "CreateSmsTemplate", + "description": "Grants permission to create a multiplex program", + "privilege": "CreateMultiplexProgram", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a partner input", + "privilege": "CreatePartnerInput", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -123952,15 +138068,39 @@ ] }, { - "access_level": "Write", - "description": "Create a voice message template.", - "privilege": "CreateVoiceTemplate", + "access_level": "Tagging", + "description": "Grants permission to create tags for channels, inputs, input security groups, multiplexes, and reservations", + "privilege": "CreateTags", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reservation" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -123969,716 +138109,817 @@ }, { "access_level": "Write", - "description": "Delete the ADM channel for an app.", - "privilege": "DeleteAdmChannel", + "description": "Grants permission to delete a channel", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Delete the APNs channel for an app.", - "privilege": "DeleteApnsChannel", + "description": "Grants permission to delete an input", + "privilege": "DeleteInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Delete the APNs sandbox channel for an app.", - "privilege": "DeleteApnsSandboxChannel", + "description": "Grants permission to delete an input security group", + "privilege": "DeleteInputSecurityGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-security-group*" } ] }, { "access_level": "Write", - "description": "Delete the APNs VoIP channel for an app.", - "privilege": "DeleteApnsVoipChannel", + "description": "Grants permission to delete a multiplex", + "privilege": "DeleteMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "multiplex*" } ] }, { "access_level": "Write", - "description": "Delete the APNs VoIP sandbox channel for an app.", - "privilege": "DeleteApnsVoipSandboxChannel", + "description": "Grants permission to delete a multiplex program", + "privilege": "DeleteMultiplexProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "multiplex*" } ] }, { "access_level": "Write", - "description": "Delete a specific campaign.", - "privilege": "DeleteApp", + "description": "Grants permission to delete an expired reservation", + "privilege": "DeleteReservation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "reservation*" } ] }, { "access_level": "Write", - "description": "Delete the Baidu channel for an app.", - "privilege": "DeleteBaiduChannel", + "description": "Grants permission to delete all schedule actions for a channel", + "privilege": "DeleteSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Delete a specific campaign.", - "privilege": "DeleteCampaign", + "access_level": "Tagging", + "description": "Grants permission to delete tags from channels, inputs, input security groups, multiplexes, and reservations", + "privilege": "DeleteTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "input" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reservation" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete the email channel for an app.", - "privilege": "DeleteEmailChannel", + "access_level": "Read", + "description": "Grants permission to get details about a channel", + "privilege": "DescribeChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Delete an email template or an email template version.", - "privilege": "DeleteEmailTemplate", + "access_level": "Read", + "description": "Grants permission to describe an input", + "privilege": "DescribeInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "input*" } ] }, { - "access_level": "Write", - "description": "Delete an endpoint.", - "privilege": "DeleteEndpoint", + "access_level": "Read", + "description": "Grants permission to describe an input device", + "privilege": "DescribeInputDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-device*" } ] }, { - "access_level": "Write", - "description": "Delete the event stream for an app.", - "privilege": "DeleteEventStream", + "access_level": "Read", + "description": "Grants permission to describe an input device thumbnail", + "privilege": "DescribeInputDeviceThumbnail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-device*" } ] }, { - "access_level": "Write", - "description": "Delete the GCM channel for an app.", - "privilege": "DeleteGcmChannel", + "access_level": "Read", + "description": "Grants permission to describe an input security group", + "privilege": "DescribeInputSecurityGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-security-group*" } ] }, { - "access_level": "Write", - "description": "Delete a specific journey.", - "privilege": "DeleteJourney", + "access_level": "Read", + "description": "Grants permission to describe a multiplex", + "privilege": "DescribeMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "journeys*" + "resource_type": "multiplex*" } ] }, { - "access_level": "Write", - "description": "Delete a push notification template or a push notification template version.", - "privilege": "DeletePushTemplate", + "access_level": "Read", + "description": "Grants permission to describe a multiplex program", + "privilege": "DescribeMultiplexProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "multiplex*" } ] }, { - "access_level": "Write", - "description": "Delete an Amazon Pinpoint configuration for a recommender model.", - "privilege": "DeleteRecommenderConfiguration", + "access_level": "Read", + "description": "Grants permission to get details about a reservation offering", + "privilege": "DescribeOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recommenders*" + "resource_type": "offering*" } ] }, { - "access_level": "Write", - "description": "Delete a specific segment.", - "privilege": "DeleteSegment", + "access_level": "Read", + "description": "Grants permission to get details about a reservation", + "privilege": "DescribeReservation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "reservation*" } ] }, { - "access_level": "Write", - "description": "Delete the SMS channel for an app.", - "privilege": "DeleteSmsChannel", + "access_level": "Read", + "description": "Grants permission to view a list of actions scheduled on a channel", + "privilege": "DescribeSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Delete an sms message template or an sms message template version.", - "privilege": "DeleteSmsTemplate", + "access_level": "List", + "description": "Grants permission to list channels", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete all of the endpoints that are associated with a user ID.", - "privilege": "DeleteUserEndpoints", + "access_level": "List", + "description": "Grants permission to list input device transfers", + "privilege": "ListInputDeviceTransfers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete the Voice channel for an app.", - "privilege": "DeleteVoiceChannel", + "access_level": "List", + "description": "Grants permission to list input devices", + "privilege": "ListInputDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete a voice message template or a voice message template version.", - "privilege": "DeleteVoiceTemplate", + "access_level": "List", + "description": "Grants permission to list input security groups", + "privilege": "ListInputSecurityGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the Amazon Device Messaging (ADM) channel for an app.", - "privilege": "GetAdmChannel", + "access_level": "List", + "description": "Grants permission to list inputs", + "privilege": "ListInputs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the APNs channel for an app.", - "privilege": "GetApnsChannel", + "access_level": "List", + "description": "Grants permission to list multiplex programs", + "privilege": "ListMultiplexPrograms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the APNs sandbox channel for an app.", - "privilege": "GetApnsSandboxChannel", + "access_level": "List", + "description": "Grants permission to list multiplexes", + "privilege": "ListMultiplexes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the APNs VoIP channel for an app.", - "privilege": "GetApnsVoipChannel", + "access_level": "List", + "description": "Grants permission to list reservation offerings", + "privilege": "ListOfferings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the APNs VoIP sandbox channel for an app.", - "privilege": "GetApnsVoipSandboxChannel", + "access_level": "List", + "description": "Grants permission to list reservations", + "privilege": "ListReservations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific app in your Amazon Pinpoint account.", - "privilege": "GetApp", + "access_level": "List", + "description": "Grants permission to list tags for channels, inputs, input security groups, multiplexes, and reservations", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reservation" } ] }, { - "access_level": "Read", - "description": "Retrieves (queries) pre-aggregated data for a standard metric that applies to an application.", - "privilege": "GetApplicationDateRangeKpi", + "access_level": "Write", + "description": "Grants permission to purchase a reservation offering", + "privilege": "PurchaseOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "offering*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reservation*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve the default settings for an app.", - "privilege": "GetApplicationSettings", + "access_level": "Write", + "description": "Grants permission to reboot an input device", + "privilege": "RebootInputDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-device*" } ] }, { - "access_level": "Read", - "description": "Retrieve a list of apps in your Amazon Pinpoint account.", - "privilege": "GetApps", + "access_level": "Write", + "description": "Grants permission to reject an input device transfer", + "privilege": "RejectInputDeviceTransfer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-device*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the Baidu channel for an app.", - "privilege": "GetBaiduChannel", + "access_level": "Write", + "description": "Grants permission to start a channel", + "privilege": "StartChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific campaign.", - "privilege": "GetCampaign", + "access_level": "Write", + "description": "Grants permission to start a maintenance window for an input device", + "privilege": "StartInputDeviceMaintenanceWindow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "input-device*" } ] }, { - "access_level": "List", - "description": "Retrieve information about the activities performed by a campaign.", - "privilege": "GetCampaignActivities", + "access_level": "Write", + "description": "Grants permission to start a multiplex", + "privilege": "StartMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "multiplex*" } ] }, { - "access_level": "Read", - "description": "Retrieves (queries) pre-aggregated data for a standard metric that applies to a campaign.", - "privilege": "GetCampaignDateRangeKpi", + "access_level": "Write", + "description": "Grants permission to stop a channel", + "privilege": "StopChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific campaign version.", - "privilege": "GetCampaignVersion", + "access_level": "Write", + "description": "Grants permission to stop a multiplex", + "privilege": "StopMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "multiplex*" } ] }, { - "access_level": "List", - "description": "Retrieve information about the current and prior versions of a campaign.", - "privilege": "GetCampaignVersions", + "access_level": "Write", + "description": "Grants permission to transfer an input device", + "privilege": "TransferInputDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "input-device*" } ] }, { - "access_level": "List", - "description": "Retrieve information about all campaigns for an app.", - "privilege": "GetCampaigns", + "access_level": "Write", + "description": "Grants permission to update a channel", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { - "access_level": "List", - "description": "Get all channels information for your app.", - "privilege": "GetChannels", + "access_level": "Write", + "description": "Grants permission to update the class of a channel", + "privilege": "UpdateChannelClass", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Obtain information about the email channel in an app.", - "privilege": "GetEmailChannel", + "access_level": "Write", + "description": "Grants permission to update an input", + "privilege": "UpdateInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific or the active version of an email template.", - "privilege": "GetEmailTemplate", + "access_level": "Write", + "description": "Grants permission to update an input device", + "privilege": "UpdateInputDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "input-device*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific endpoint.", - "privilege": "GetEndpoint", + "access_level": "Write", + "description": "Grants permission to update an input security group", + "privilege": "UpdateInputSecurityGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "input-security-group*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the event stream for an app.", - "privilege": "GetEventStream", + "access_level": "Write", + "description": "Grants permission to update a multiplex", + "privilege": "UpdateMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "multiplex*" } ] }, { - "access_level": "Read", - "description": "Obtain information about a specific export job.", - "privilege": "GetExportJob", + "access_level": "Write", + "description": "Grants permission to update a multiplex program", + "privilege": "UpdateMultiplexProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "multiplex*" } ] }, { - "access_level": "List", - "description": "Retrieve a list of all of the export jobs for an app.", - "privilege": "GetExportJobs", + "access_level": "Write", + "description": "Grants permission to update a reservation", + "privilege": "UpdateReservation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "reservation*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:channel:${ChannelId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channel" }, { - "access_level": "Read", - "description": "Retrieve information about the GCM channel for an app.", - "privilege": "GetGcmChannel", + "arn": "arn:${Partition}:medialive:${Region}:${Account}:input:${InputId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "input" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputDevice:${DeviceId}", + "condition_keys": [], + "resource": "input-device" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputSecurityGroup:${InputSecurityGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "input-security-group" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:multiplex:${MultiplexId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "multiplex" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:reservation:${ReservationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "reservation" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:offering:${OfferingId}", + "condition_keys": [], + "resource": "offering" + } + ], + "service_name": "AWS Elemental MediaLive" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag for a MediaPackage request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tag for a MediaPackage resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys for a MediaPackage resource or request", + "type": "ArrayOfString" + } + ], + "prefix": "mediapackage", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to configure access logs for a Channel", + "privilege": "ConfigureLogs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "apps*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "channels*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific import job.", - "privilege": "GetImportJob", + "access_level": "Write", + "description": "Grants permission to create a channel in AWS Elemental MediaPackage", + "privilege": "CreateChannel", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about all import jobs for an app.", - "privilege": "GetImportJobs", + "access_level": "Write", + "description": "Grants permission to create a harvest job in AWS Elemental MediaPackage", + "privilege": "CreateHarvestJob", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific journey.", - "privilege": "GetJourney", + "access_level": "Write", + "description": "Grants permission to create an endpoint in AWS Elemental MediaPackage", + "privilege": "CreateOriginEndpoint", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "journeys*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves (queries) pre-aggregated data for a standard engagement metric that applies to a journey.", - "privilege": "GetJourneyDateRangeKpi", + "access_level": "Write", + "description": "Grants permission to delete a channel in AWS Elemental MediaPackage", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, + "resource_type": "channels*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an endpoint in AWS Elemental MediaPackage", + "privilege": "DeleteOriginEndpoint", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "journeys*" + "resource_type": "origin_endpoints*" } ] }, { "access_level": "Read", - "description": "Retrieves (queries) pre-aggregated data for a standard execution metric that applies to a journey activity.", - "privilege": "GetJourneyExecutionActivityMetrics", + "description": "Grants permission to view the details of a channel in AWS Elemental MediaPackage", + "privilege": "DescribeChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "journeys*" + "resource_type": "channels*" } ] }, { "access_level": "Read", - "description": "Retrieves (queries) pre-aggregated data for a standard execution metric that applies to a journey.", - "privilege": "GetJourneyExecutionMetrics", + "description": "Grants permission to view the details of a harvest job in AWS Elemental MediaPackage", + "privilege": "DescribeHarvestJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "journeys*" + "resource_type": "harvest_jobs*" } ] }, { "access_level": "Read", - "description": "Retrieve information about a specific or the active version of an push notification template.", - "privilege": "GetPushTemplate", + "description": "Grants permission to view the details of an endpoint in AWS Elemental MediaPackage", + "privilege": "DescribeOriginEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "origin_endpoints*" } ] }, { "access_level": "Read", - "description": "Retrieve information about an Amazon Pinpoint configuration for a recommender model.", - "privilege": "GetRecommenderConfiguration", + "description": "Grants permission to view a list of channels in AWS Elemental MediaPackage", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recommenders*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about all the recommender model configurations that are associated with an Amazon Pinpoint account.", - "privilege": "GetRecommenderConfigurations", + "access_level": "Read", + "description": "Grants permission to view a list of harvest jobs in AWS Elemental MediaPackage", + "privilege": "ListHarvestJobs", "resource_types": [ { "condition_keys": [], @@ -124689,8 +138930,8 @@ }, { "access_level": "Read", - "description": "Grants permission to mobiletargeting:GetReports", - "privilege": "GetReports", + "description": "Grants permission to view a list of endpoints in AWS Elemental MediaPackage", + "privilege": "ListOriginEndpoints", "resource_types": [ { "condition_keys": [], @@ -124701,310 +138942,387 @@ }, { "access_level": "Read", - "description": "Retrieve information about a specific segment.", - "privilege": "GetSegment", + "description": "Grants permission to list the tags assigned to a Channel or OriginEndpoint", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channels" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "harvest_jobs" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "origin_endpoints" } ] }, { - "access_level": "List", - "description": "Retrieve information about jobs that export endpoint definitions from segments to Amazon S3.", - "privilege": "GetSegmentExportJobs", + "access_level": "Write", + "description": "Grants permission to rotate credentials for the first IngestEndpoint of a Channel in AWS Elemental MediaPackage", + "privilege": "RotateChannelCredentials", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, + "resource_type": "channels*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage", + "privilege": "RotateIngestEndpointCredentials", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "channels*" } ] }, { - "access_level": "List", - "description": "Retrieve information about jobs that create segments by importing endpoint definitions from .", - "privilege": "GetSegmentImportJobs", + "access_level": "Tagging", + "description": "Grants permission to tag a MediaPackage resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channels" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "segments*" - } - ] - }, - { - "access_level": "Read", - "description": "Retrieve information about a specific segment version.", - "privilege": "GetSegmentVersion", - "resource_types": [ + "resource_type": "harvest_jobs" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "origin_endpoints" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about the current and prior versions of a segment.", - "privilege": "GetSegmentVersions", + "access_level": "Tagging", + "description": "Grants permission to delete tags to a Channel or OriginEndpoint", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channels" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "harvest_jobs" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "origin_endpoints" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about the segments for an app.", - "privilege": "GetSegments", + "access_level": "Write", + "description": "Grants permission to make changes to a channel in AWS Elemental MediaPackage", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "channels*" } ] }, { - "access_level": "Read", - "description": "Obtain information about the SMS channel in an app.", - "privilege": "GetSmsChannel", + "access_level": "Write", + "description": "Grants permission to make changes to an endpoint in AWS Elemental MediaPackage", + "privilege": "UpdateOriginEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "origin_endpoints*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:channels/${ChannelIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channels" }, { - "access_level": "Read", - "description": "Retrieve information about a specific or the active version of an sms message template.", - "privilege": "GetSmsTemplate", + "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:origin_endpoints/${OriginEndpointIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "origin_endpoints" + }, + { + "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:harvest_jobs/${HarvestJobIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "harvest_jobs" + } + ], + "service_name": "AWS Elemental MediaPackage" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "mediapackage-vod", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to configure egress access logs for a PackagingGroup", + "privilege": "ConfigureLogs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "templates*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "packaging-groups*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the endpoints that are associated with a user ID.", - "privilege": "GetUserEndpoints", + "access_level": "Write", + "description": "Grants permission to create an asset in AWS Elemental MediaPackage", + "privilege": "CreateAsset", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Obtain information about the Voice channel in an app.", - "privilege": "GetVoiceChannel", + "access_level": "Write", + "description": "Grants permission to create a packaging configuration in AWS Elemental MediaPackage", + "privilege": "CreatePackagingConfiguration", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific or the active version of a voice message template.", - "privilege": "GetVoiceTemplate", + "access_level": "Write", + "description": "Grants permission to create a packaging group in AWS Elemental MediaPackage", + "privilege": "CreatePackagingGroup", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about all journeys for an app.", - "privilege": "ListJourneys", + "access_level": "Write", + "description": "Grants permission to delete an asset in AWS Elemental MediaPackage", + "privilege": "DeleteAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "assets*" } ] }, { - "access_level": "Read", - "description": "List tags for a resource.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to delete a packaging configuration in AWS Elemental MediaPackage", + "privilege": "DeletePackagingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments" + "resource_type": "packaging-configurations*" } ] }, { - "access_level": "List", - "description": "Retrieve all versions about a specific template.", - "privilege": "ListTemplateVersions", + "access_level": "Write", + "description": "Grants permission to delete a packaging group in AWS Elemental MediaPackage", + "privilege": "DeletePackagingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "packaging-groups*" } ] }, { - "access_level": "List", - "description": "Retrieve metadata about the queried templates.", - "privilege": "ListTemplates", + "access_level": "Read", + "description": "Grants permission to view the details of an asset in AWS Elemental MediaPackage", + "privilege": "DescribeAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "assets*" } ] }, { "access_level": "Read", - "description": "Obtain metadata for a phone number, such as the number type (mobile, landline, or VoIP), location, and provider.", - "privilege": "PhoneNumberValidate", + "description": "Grants permission to view the details of a packaging configuration in AWS Elemental MediaPackage", + "privilege": "DescribePackagingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "phone-number-validate*" + "resource_type": "packaging-configurations*" } ] }, { - "access_level": "Write", - "description": "Create or update an event stream for an app.", - "privilege": "PutEventStream", + "access_level": "Read", + "description": "Grants permission to view the details of a packaging group in AWS Elemental MediaPackage", + "privilege": "DescribePackagingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "packaging-groups*" } ] }, { - "access_level": "Write", - "description": "Create or update events for an app.", - "privilege": "PutEvents", + "access_level": "List", + "description": "Grants permission to view a list of assets in AWS Elemental MediaPackage", + "privilege": "ListAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Used to remove the attributes for an app.", - "privilege": "RemoveAttributes", + "access_level": "List", + "description": "Grants permission to view a list of packaging configurations in AWS Elemental MediaPackage", + "privilege": "ListPackagingConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Send an SMS message or push notification to specific endpoints.", - "privilege": "SendMessages", + "access_level": "List", + "description": "Grants permission to view a list of packaging groups in AWS Elemental MediaPackage", + "privilege": "ListPackagingGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Send an SMS message or push notification to all endpoints that are associated with a specific user ID.", - "privilege": "SendUsersMessages", + "access_level": "Read", + "description": "Grants permission to list the tags assigned to a PackagingGroup, PackagingConfiguration, or Asset", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "assets" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "packaging-configurations" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "packaging-groups" } ] }, { "access_level": "Tagging", - "description": "Adds tags to a resource.", + "description": "Grants permission to assign tags to a PackagingGroup, PackagingConfiguration, or Asset", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps" + "resource_type": "assets" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaigns" + "resource_type": "packaging-configurations" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "segments" + "resource_type": "packaging-groups" }, { "condition_keys": [ @@ -125018,27 +139336,26 @@ }, { "access_level": "Tagging", - "description": "Removes tags from a resource.", + "description": "Grants permission to delete tags from a PackagingGroup, PackagingConfiguration, or Asset", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps" + "resource_type": "assets" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaigns" + "resource_type": "packaging-configurations" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "segments" + "resource_type": "packaging-groups" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -125048,358 +139365,389 @@ }, { "access_level": "Write", - "description": "Update the Amazon Device Messaging (ADM) channel for an app.", - "privilege": "UpdateAdmChannel", + "description": "Grants permission to update a packaging group in AWS Elemental MediaPackage", + "privilege": "UpdatePackagingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "packaging-groups*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:assets/${AssetIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "assets" + }, + { + "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-configurations/${PackagingConfigurationIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "packaging-configurations" + }, + { + "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-groups/${PackagingGroupIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "packaging-groups" + } + ], + "service_name": "AWS Elemental MediaPackage VOD" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "mediastore", + "privileges": [ { "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) channel for an app.", - "privilege": "UpdateApnsChannel", + "description": "Grants permission to create a container", + "privilege": "CreateContainer", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) sandbox channel for an app.", - "privilege": "UpdateApnsSandboxChannel", + "description": "Grants permission to delete a container", + "privilege": "DeleteContainer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { - "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) VoIP channel for an app.", - "privilege": "UpdateApnsVoipChannel", + "access_level": "Permissions management", + "description": "Grants permission to delete the access policy of a container", + "privilege": "DeleteContainerPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) VoIP sandbox channel for an app.", - "privilege": "UpdateApnsVoipSandboxChannel", + "description": "Grants permission to delete the CORS policy from a container", + "privilege": "DeleteCorsPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Update the default settings for an app.", - "privilege": "UpdateApplicationSettings", + "description": "Grants permission to delete the lifecycle policy from a container", + "privilege": "DeleteLifecyclePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Update the Baidu channel for an app.", - "privilege": "UpdateBaiduChannel", + "description": "Grants permission to delete the metric policy from a container", + "privilege": "DeleteMetricPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Update a specific campaign.", - "privilege": "UpdateCampaign", + "description": "Grants permission to delete an object", + "privilege": "DeleteObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, + "resource_type": "object*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve details on a container", + "privilege": "DescribeContainer", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaigns*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "container*" } ] }, { - "access_level": "Write", - "description": "Update the email channel for an app.", - "privilege": "UpdateEmailChannel", + "access_level": "List", + "description": "Grants permission to retrieve metadata for an object", + "privilege": "DescribeObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "object*" } ] }, { - "access_level": "Write", - "description": "Update a specific email template under the same version or generate a new version.", - "privilege": "UpdateEmailTemplate", + "access_level": "Read", + "description": "Grants permission to retrieve the access policy of a container", + "privilege": "GetContainerPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "container*" } ] }, { - "access_level": "Write", - "description": "Create an endpoint or update the information for an endpoint.", - "privilege": "UpdateEndpoint", + "access_level": "Read", + "description": "Grants permission to retrieve the CORS policy of a container", + "privilege": "GetCorsPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { - "access_level": "Write", - "description": "Create or update endpoints as a batch operation.", - "privilege": "UpdateEndpointsBatch", + "access_level": "Read", + "description": "Grants permission to retrieve the lifecycle policy that is assigned to a container", + "privilege": "GetLifecyclePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { - "access_level": "Write", - "description": "Update the Firebase Cloud Messaging (FCM) or Google Cloud Messaging (GCM) API key that allows to send push notifications to your Android app.", - "privilege": "UpdateGcmChannel", + "access_level": "Read", + "description": "Grants permission to retrieve the metric policy that is assigned to a container", + "privilege": "GetMetricPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container*" } ] }, { - "access_level": "Write", - "description": "Update a specific journey.", - "privilege": "UpdateJourney", + "access_level": "Read", + "description": "Grants permission to retrieve an object", + "privilege": "GetObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, + "resource_type": "object*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of containers in the current account", + "privilege": "ListContainers", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "journeys*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific journey state.", - "privilege": "UpdateJourneyState", + "access_level": "List", + "description": "Grants permission to retrieve a list of objects and subfolders that are stored in a folder", + "privilege": "ListItems", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, + "resource_type": "folder" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags on a container", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "journeys*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "container" } ] }, { - "access_level": "Write", - "description": "Update a specific push notification template under the same version or generate a new version.", - "privilege": "UpdatePushTemplate", + "access_level": "Permissions management", + "description": "Grants permission to create or replace the access policy of a container", + "privilege": "PutContainerPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Update an Amazon Pinpoint configuration for a recommender model.", - "privilege": "UpdateRecommenderConfiguration", + "description": "Grants permission to add or modify the CORS policy of a container", + "privilege": "PutCorsPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recommenders*" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Update a specific segment.", - "privilege": "UpdateSegment", + "description": "Grants permission to add or modify the lifecycle policy that is assigned to a container", + "privilege": "PutLifecyclePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, + "resource_type": "container*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add or modify the metric policy that is assigned to a container", + "privilege": "PutMetricPolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "segments*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Update the SMS channel for an app.", - "privilege": "UpdateSmsChannel", + "description": "Grants permission to upload an object", + "privilege": "PutObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "object*" } ] }, { "access_level": "Write", - "description": "Update a specific sms message template under the same version or generate a new version.", - "privilege": "UpdateSmsTemplate", + "description": "Grants permission to start access logging on a container", + "privilege": "StartAccessLogging", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "templates*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "iam:PassRole" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "container*" } ] }, { "access_level": "Write", - "description": "Upate the active version parameter of a specific template.", - "privilege": "UpdateTemplateActiveVersion", + "description": "Grants permission to stop access logging on a container", + "privilege": "StopAccessLogging", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "container*" } ] }, { - "access_level": "Write", - "description": "Update the Voice channel for an app.", - "privilege": "UpdateVoiceChannel", + "access_level": "Tagging", + "description": "Grants permission to add tags to a container", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "container" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific voice message template under the same version or generate a new version.", - "privilege": "UpdateVoiceTemplate", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a container", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "container" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -125409,251 +139757,87 @@ ], "resources": [ { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}", + "arn": "arn:${Partition}:mediastore:${Region}:${Account}:container/${ContainerName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "apps" + "resource": "container" }, { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/campaigns/${CampaignId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "campaigns" + "arn": "arn:${Partition}:mediastore:${Region}:${Account}:container/${ContainerName}/${ObjectPath}", + "condition_keys": [], + "resource": "object" }, { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/journeys/${JourneyId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "journeys" - }, + "arn": "arn:${Partition}:mediastore:${Region}:${Account}:container/${ContainerName}/${FolderPath}", + "condition_keys": [], + "resource": "folder" + } + ], + "service_name": "AWS Elemental MediaStore" + }, + { + "conditions": [ { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/segments/${SegmentId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "segments" - }, - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/${ChannelType}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "templates" - }, - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:recommenders/${RecommenderId}", - "condition_keys": [], - "resource": "recommenders" - }, - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:phone/number/validate", - "condition_keys": [], - "resource": "phone-number-validate" - } - ], - "service_name": "Amazon Pinpoint" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag key-value pairs in the request", - "type": "String" + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions by the tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], - "prefix": "monitron", + "prefix": "mediatailor", "privileges": [ { - "access_level": "Permissions management", - "description": "Grants permission to associate a user with the project as an administrator", - "privilege": "AssociateProjectAdminUser", + "access_level": "Write", + "description": "Grants permission to configure logs for a playback configuration", + "privilege": "ConfigureLogsForPlaybackConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:AssociateProfile", - "sso:GetManagedApplicationInstance", - "sso:GetProfile", - "sso:ListDirectoryAssociations", - "sso:ListProfiles" + "iam:CreateServiceLinkedRole" ], - "resource_type": "project*" + "resource_type": "playbackConfiguration*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a project", - "privilege": "CreateProject", + "description": "Grants permission to create a new channel", + "privilege": "CreateChannel", "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole", - "kms:CreateGrant", - "sso:CreateManagedApplicationInstance", - "sso:DeleteManagedApplicationInstance" - ], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a project", - "privilege": "DeleteProject", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "sso:DeleteManagedApplicationInstance" - ], - "resource_type": "project*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to disassociate an administrator from the project", - "privilege": "DisassociateProjectAdminUser", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:DisassociateProfile", - "sso:GetManagedApplicationInstance", - "sso:GetProfile", - "sso:ListDirectoryAssociations", - "sso:ListProfiles" - ], - "resource_type": "project*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get information about a project", - "privilege": "GetProject", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe an administrator who is associated with the project", - "privilege": "GetProjectAdminUser", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:GetManagedApplicationInstance" - ], - "resource_type": "project*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to list all administrators associated with the project", - "privilege": "ListProjectAdminUsers", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:GetManagedApplicationInstance" - ], - "resource_type": "project*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all projects", - "privilege": "ListProjects", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list all tags for a resource", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a new live source on the source location with the specified source location name", + "privilege": "CreateLiveSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" + "resource_type": "sourceLocation*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -125663,90 +139847,32 @@ }, { "access_level": "Write", - "description": "Grants permission to update a project", - "privilege": "UpdateProject", + "description": "Grants permission to create a prefetch schedule for the playback configuration with the specified playback configuration name", + "privilege": "CreatePrefetchSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "playbackConfiguration*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:monitron:${Region}:${Account}:project/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "project" - } - ], - "service_name": "Amazon Monitron" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "mq", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a broker", - "privilege": "CreateBroker", + "description": "Grants permission to create a new program on the channel with the specified channel name", + "privilege": "CreateProgram", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:CreateSecurityGroup", - "ec2:CreateVpcEndpoint", - "ec2:DescribeInternetGateways", - "ec2:DescribeNetworkInterfacePermissions", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:ModifyNetworkInterfaceAttribute", - "iam:CreateServiceLinkedRole", - "route53:AssociateVPCWithHostedZone" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and engine version)", - "privilege": "CreateConfiguration", + "description": "Grants permission to create a new source location", + "privilege": "CreateSourceLocation", "resource_types": [ { "condition_keys": [ @@ -125759,19 +139885,14 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to create tags", - "privilege": "CreateTags", + "access_level": "Write", + "description": "Grants permission to create a new VOD source on the source location with the specified source location name", + "privilege": "CreateVodSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "configurations" + "resource_type": "sourceLocation*" }, { "condition_keys": [ @@ -125785,699 +139906,444 @@ }, { "access_level": "Write", - "description": "Grants permission to create an ActiveMQ user", - "privilege": "CreateUser", + "description": "Grants permission to delete the channel with the specified channel name", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a broker", - "privilege": "DeleteBroker", + "access_level": "Permissions management", + "description": "Grants permission to delete the IAM policy on the channel with the specified channel name", + "privilege": "DeleteChannelPolicy", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DeleteNetworkInterface", - "ec2:DeleteNetworkInterfacePermission", - "ec2:DeleteVpcEndpoints", - "ec2:DetachNetworkInterface" - ], - "resource_type": "brokers*" + "dependent_actions": [], + "resource_type": "channel*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to delete tags", - "privilege": "DeleteTags", + "access_level": "Write", + "description": "Grants permission to delete the live source with the specified live source name on the source location with the specified source location name", + "privilege": "DeleteLiveSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers" + "resource_type": "liveSource*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "sourceLocation*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an ActiveMQ user", - "privilege": "DeleteUser", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "brokers*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return information about the specified broker", - "privilege": "DescribeBroker", + "description": "Grants permission to delete the specified playback configuration", + "privilege": "DeletePlaybackConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "playbackConfiguration*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about broker engines", - "privilege": "DescribeBrokerEngineTypes", + "access_level": "Write", + "description": "Grants permission to delete a prefetch schedule for a playback configuration with the specified prefetch schedule name", + "privilege": "DeletePrefetchSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return information about the broker instance options", - "privilege": "DescribeBrokerInstanceOptions", - "resource_types": [ + "resource_type": "playbackConfiguration*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "prefetchSchedule*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about the specified configuration", - "privilege": "DescribeConfiguration", + "access_level": "Write", + "description": "Grants permission to delete the program with the specified program name on the channel with the specified channel name", + "privilege": "DeleteProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return the specified configuration revision for the specified configuration", - "privilege": "DescribeConfigurationRevision", - "resource_types": [ + "resource_type": "channel*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" + "resource_type": "program*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about an ActiveMQ user", - "privilege": "DescribeUser", + "access_level": "Write", + "description": "Grants permission to delete the source location with the specified source location name", + "privilege": "DeleteSourceLocation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "sourceLocation*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of all brokers", - "privilege": "ListBrokers", + "access_level": "Write", + "description": "Grants permission to delete the VOD source with the specified VOD source name on the source location with the specified source location name", + "privilege": "DeleteVodSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return a list of all existing revisions for the specified configuration", - "privilege": "ListConfigurationRevisions", - "resource_types": [ + "resource_type": "sourceLocation*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" + "resource_type": "vodSource*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of all configurations", - "privilege": "ListConfigurations", + "access_level": "Read", + "description": "Grants permission to retrieve the channel with the specified channel name", + "privilege": "DescribeChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of tags", - "privilege": "ListTags", + "access_level": "Read", + "description": "Grants permission to retrieve the live source with the specified live source name on the source location with the specified source location name", + "privilege": "DescribeLiveSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers" + "resource_type": "liveSource*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return a list of all ActiveMQ users", - "privilege": "ListUsers", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "sourceLocation*" } ] }, { - "access_level": "Write", - "description": "Grants permission to reboot a broker", - "privilege": "RebootBroker", + "access_level": "Read", + "description": "Grants permission to retrieve the program with the specified program name on the channel with the specified channel name", + "privilege": "DescribeProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add a pending configuration change to a broker", - "privilege": "UpdateBroker", - "resource_types": [ + "resource_type": "channel*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "program*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the specified configuration", - "privilege": "UpdateConfiguration", + "access_level": "Read", + "description": "Grants permission to retrieve the source location with the specified source location name", + "privilege": "DescribeSourceLocation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" + "resource_type": "sourceLocation*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the information for an ActiveMQ user", - "privilege": "UpdateUser", + "access_level": "Read", + "description": "Grants permission to retrieve the VOD source with the specified VOD source name on the source location with the specified source location name", + "privilege": "DescribeVodSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mq:${Region}:${Account}:broker:${broker-id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "brokers" - }, - { - "arn": "arn:${Partition}:mq:${Region}:${Account}:configuration:${configuration-id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "configurations" - } - ], - "service_name": "Amazon MQ" - }, - { - "conditions": [], - "prefix": "neptune-db", - "privileges": [ - { - "access_level": "Write", - "description": "Connect to database", - "privilege": "connect", - "resource_types": [ + "resource_type": "sourceLocation*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "vodSource*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database", - "condition_keys": [], - "resource": "database" - } - ], - "service_name": "Amazon Neptune" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - } - ], - "prefix": "network-firewall", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create an association between a firewall policy and a firewall", - "privilege": "AssociateFirewallPolicy", + "access_level": "Read", + "description": "Grants permission to read the IAM policy on the channel with the specified channel name", + "privilege": "GetChannelPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to associate VPC subnets to a firewall", - "privilege": "AssociateSubnets", + "access_level": "Read", + "description": "Grants permission to retrieve the schedule of programs on the channel with the specified channel name", + "privilege": "GetChannelSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall", - "privilege": "CreateFirewall", + "access_level": "Read", + "description": "Grants permission to retrieve the configuration for the specified name", + "privilege": "GetPlaybackConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "Firewall*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "playbackConfiguration*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall policy", - "privilege": "CreateFirewallPolicy", + "access_level": "Read", + "description": "Grants permission to retrieve prefetch schedule for a playback configuration with the specified prefetch schedule name", + "privilege": "GetPrefetchSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "playbackConfiguration*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "prefetchSchedule*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall rule group", - "privilege": "CreateRuleGroup", + "access_level": "Read", + "description": "Grants permission to retrieve the list of alerts on a resource", + "privilege": "ListAlerts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a firewall", - "privilege": "DeleteFirewall", + "access_level": "Read", + "description": "Grants permission to retrieve the list of existing channels", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a firewall policy", - "privilege": "DeleteFirewallPolicy", + "access_level": "Read", + "description": "Grants permission to retrieve the list of existing live sources on the source location with the specified source location name", + "privilege": "ListLiveSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "sourceLocation*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a resource policy for a firewall policy or rule group", - "privilege": "DeleteResourcePolicy", + "access_level": "List", + "description": "Grants permission to retrieve the list of available configurations", + "privilege": "ListPlaybackConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a rule group", - "privilege": "DeleteRuleGroup", + "access_level": "List", + "description": "Grants permission to retrieve the list of prefetch schedules for a playback configuration", + "privilege": "ListPrefetchSchedules", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "playbackConfiguration*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a firewall", - "privilege": "DescribeFirewall", + "description": "Grants permission to retrieve the list of existing source locations", + "privilege": "ListSourceLocations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a firewall policy", - "privilege": "DescribeFirewallPolicy", + "description": "Grants permission to list the tags assigned to the specified playback configuration resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "liveSource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe the logging configuration of a firewall", - "privilege": "DescribeLoggingConfiguration", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a resource policy for a firewall policy or rule group", - "privilege": "DescribeResourcePolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy" + "resource_type": "playbackConfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "sourceLocation" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "vodSource" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a rule group", - "privilege": "DescribeRuleGroup", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disassociate VPC subnets from a firewall", - "privilege": "DisassociateSubnets", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewall policies", - "privilege": "ListFirewallPolicies", + "description": "Grants permission to retrieve the list of existing VOD sources on the source location with the specified source location name", + "privilege": "ListVodSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "sourceLocation*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewalls", - "privilege": "ListFirewalls", + "access_level": "Permissions management", + "description": "Grants permission to set the IAM policy on the channel with the specified channel name", + "privilege": "PutChannelPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "channel*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for rule groups", - "privilege": "ListRuleGroups", + "access_level": "Write", + "description": "Grants permission to add a new configuration", + "privilege": "PutPlaybackConfiguration", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to start the channel with the specified channel name", + "privilege": "StartChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to put a resource policy for a firewall policy or rule group", - "privilege": "PutResourcePolicy", + "description": "Grants permission to stop the channel with the specified channel name", + "privilege": "StopChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "channel*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to attach tags to a resource", + "description": "Grants permission to add tags to the specified playback configuration resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "liveSource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "playbackConfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "sourceLocation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vodSource" }, { "condition_keys": [ @@ -126491,31 +140357,37 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", + "description": "Grants permission to remove tags from the specified playback configuration resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "liveSource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "playbackConfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "sourceLocation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vodSource" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -126525,204 +140397,199 @@ }, { "access_level": "Write", - "description": "Grants permission to add or remove delete protection for a firewall", - "privilege": "UpdateFirewallDeleteProtection", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify the description for a firewall", - "privilege": "UpdateFirewallDescription", + "description": "Grants permission to update the channel with the specified channel name", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a firewall policy", - "privilege": "UpdateFirewallPolicy", + "description": "Grants permission to update the live source with the specified live source name on the source location with the specified source location name", + "privilege": "UpdateLiveSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "liveSource*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add or remove firewall policy change protection for a firewall", - "privilege": "UpdateFirewallPolicyChangeProtection", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "sourceLocation*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the logging configuration of a firewall", - "privilege": "UpdateLoggingConfiguration", + "description": "Grants permission to update the source location with the specified source location name", + "privilege": "UpdateSourceLocation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "sourceLocation*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a rule group", - "privilege": "UpdateRuleGroup", + "description": "Grants permission to update the VOD source with the specified VOD source name on the source location with the specified source location name", + "privilege": "UpdateVodSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "sourceLocation*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add or remove subnet change protection for a firewall", - "privilege": "UpdateSubnetChangeProtection", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "vodSource*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}", + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:playbackConfiguration/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Firewall" + "resource": "playbackConfiguration" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}", + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:prefetchSchedule/${ResourceId}", + "condition_keys": [], + "resource": "prefetchSchedule" + }, + { + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:channel/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "FirewallPolicy" + "resource": "channel" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}", + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:program/${ResourceId}", + "condition_keys": [], + "resource": "program" + }, + { + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:sourceLocation/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "StatefulRuleGroup" + "resource": "sourceLocation" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}", + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:vodSource/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "StatelessRuleGroup" + "resource": "vodSource" + }, + { + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:liveSource/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "liveSource" } ], - "service_name": "AWS Network Firewall" + "service_name": "AWS Elemental MediaTailor" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" } ], - "prefix": "network-firewall", + "prefix": "memorydb", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an association between a firewall policy and a firewall", - "privilege": "AssociateFirewallPolicy", + "description": "Grants permissions to apply service updates", + "privilege": "BatchUpdateCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "s3:GetObject" + ], + "resource_type": "cluster*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate VPC subnets to a firewall", - "privilege": "AssociateSubnets", + "description": "Grants permissions to make a copy of an existing snapshot", + "privilege": "CopySnapshot", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "memorydb:TagResource", + "s3:DeleteObject", + "s3:GetBucketAcl", + "s3:PutObject" + ], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall", - "privilege": "CreateFirewall", + "description": "Grants permissions to create a new access control list", + "privilege": "CreateAcl", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "iam:CreateServiceLinkedRole" + "memorydb:TagResource" ], - "resource_type": "Firewall*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "user*" }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -126733,26 +140600,40 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall policy", - "privilege": "CreateFirewallPolicy", + "description": "Grants permissions to create a cluster", + "privilege": "CreateCluster", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "memorydb:TagResource", + "s3:GetObject" + ], + "resource_type": "acl*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "parametergroup*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "subnetgroup*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "snapshot" }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -126763,303 +140644,528 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall rule group", - "privilege": "CreateRuleGroup", + "description": "Grants permissions to create a new parameter group", + "privilege": "CreateParameterGroup", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "memorydb:TagResource" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a firewall", - "privilege": "DeleteFirewall", + "description": "Grants permissions to create a backup of a cluster at the current point in time", + "privilege": "CreateSnapshot", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "memorydb:TagResource", + "s3:DeleteObject", + "s3:GetBucketAcl", + "s3:PutObject" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a firewall policy", - "privilege": "DeleteFirewallPolicy", + "description": "Grants permissions to create a new subnet group", + "privilege": "CreateSubnetGroup", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" - } - ] + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "memorydb:TagResource" + ], + "resource_type": "" + } + ] }, { "access_level": "Write", - "description": "Grants permission to delete a resource policy for a firewall policy or rule group", - "privilege": "DeleteResourcePolicy", + "description": "Grants permissions to create a new user", + "privilege": "CreateUser", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "memorydb:TagResource" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete an access control list", + "privilege": "DeleteAcl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" + "resource_type": "acl*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a previously provisioned cluster", + "privilege": "DeleteCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "cluster*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "snapshot" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a parameter group", + "privilege": "DeleteParameterGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a rule group", - "privilege": "DeleteRuleGroup", + "description": "Grants permissions to delete a snapshot", + "privilege": "DeleteSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "snapshot*" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a subnet group", + "privilege": "DeleteSubnetGroup", + "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a firewall", - "privilege": "DescribeFirewall", + "access_level": "Write", + "description": "Grants permissions to delete a user", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a firewall policy", - "privilege": "DescribeFirewallPolicy", + "description": "Grants permissions to retrieve information about access control lists", + "privilege": "DescribeAcls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "acl*" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to retrieve information about all provisioned clusters if no cluster identifier is specified, or about a specific cluster if a cluster identifier is supplied", + "privilege": "DescribeClusters", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "cluster*" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to list of the available engines and their versions", + "privilege": "DescribeEngineVersions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the logging configuration of a firewall", - "privilege": "DescribeLoggingConfiguration", + "description": "Grants permissions to retrieve events related to clusters, subnet groups, and parameter groups", + "privilege": "DescribeEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a resource policy for a firewall policy or rule group", - "privilege": "DescribeResourcePolicy", + "description": "Grants permissions to retrieve information about parameter groups", + "privilege": "DescribeParameterGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" + "resource_type": "parametergroup*" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to retrieve a detailed parameter list for a particular parameter group", + "privilege": "DescribeParameters", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "parametergroup*" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to retrieve details of the service updates", + "privilege": "DescribeServiceUpdates", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a rule group", - "privilege": "DescribeRuleGroup", + "description": "Grants permissions to retrieve information about cluster snapshots", + "privilege": "DescribeSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "snapshot*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate VPC subnets from a firewall", - "privilege": "DisassociateSubnets", + "access_level": "Read", + "description": "Grants permissions to retrieve a list of subnet group", + "privilege": "DescribeSubnetGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewall policies", - "privilege": "ListFirewallPolicies", + "access_level": "Read", + "description": "Grants permissions to retrieve information about users", + "privilege": "DescribeUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewalls", - "privilege": "ListFirewalls", + "access_level": "Write", + "description": "Grants permissions to test automatic failover on a specified shard in a cluster", + "privilege": "FailoverShard", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for rule groups", - "privilege": "ListRuleGroups", + "access_level": "Read", + "description": "Grants permissions to list available node type updates", + "privilege": "ListAllowedNodeTypeUpdates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permissions to list cost allocation tags", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "acl" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "cluster" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "parametergroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to put a resource policy for a firewall policy or rule group", - "privilege": "PutResourcePolicy", + "description": "Grants permissions to modify the parameters of a parameter group to the engine or system default value", + "privilege": "ResetParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "parametergroup*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to attach tags to a resource", + "description": "Grants permissions to add up to 10 cost allocation tags to the named resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "acl" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "cluster" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "parametergroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" }, { "condition_keys": [ + "aws:TagKeys", "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -127068,32 +141174,43 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", + "description": "Grants permissions to remove the tags identified by the TagKeys list from a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "acl" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "cluster" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "parametergroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" }, { "condition_keys": [ - "aws:TagKeys" + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -127102,446 +141219,496 @@ }, { "access_level": "Write", - "description": "Grants permission to add or remove delete protection for a firewall", - "privilege": "UpdateFirewallDeleteProtection", + "description": "Grants permissions to update an access control list", + "privilege": "UpdateAcl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify the description for a firewall", - "privilege": "UpdateFirewallDescription", - "resource_types": [ + "resource_type": "acl*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a firewall policy", - "privilege": "UpdateFirewallPolicy", + "description": "Grants permissions to update the settings for a cluster", + "privilege": "UpdateCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "cluster*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "acl" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add or remove firewall policy change protection for a firewall", - "privilege": "UpdateFirewallPolicyChangeProtection", - "resource_types": [ + "resource_type": "parametergroup" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the logging configuration of a firewall", - "privilege": "UpdateLoggingConfiguration", + "description": "Grants permissions to update parameters in a parameter group", + "privilege": "UpdateParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a rule group", - "privilege": "UpdateRuleGroup", + "description": "Grants permissions to update a subnet group", + "privilege": "UpdateSubnetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "subnetgroup*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to add or remove subnet change protection for a firewall", - "privilege": "UpdateSubnetChangeProtection", + "description": "Grants permissions to update a user", + "privilege": "UpdateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}", + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:parametergroup/${ParameterGroupName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Firewall" + "resource": "parametergroup" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}", + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:subnetgroup/${SubnetGroupName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "FirewallPolicy" + "resource": "subnetgroup" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}", + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:cluster/${ClusterName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "StatefulRuleGroup" + "resource": "cluster" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}", + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:snapshot/${SnapshotName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "StatelessRuleGroup" - } - ], - "service_name": "Network Firewall" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the tag keys that are passed in the request", - "type": "String" - }, - { - "condition": "networkmanager:cgwArn", - "description": "Filters access by which customer gateways can be associated or disassociated", - "type": "String" + "resource": "snapshot" }, { - "condition": "networkmanager:tgwArn", - "description": "Filters access by which transit gateways can be registered or deregistered", - "type": "String" + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:user/${UserName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "user" }, { - "condition": "networkmanager:tgwConnectPeerArn", - "description": "Filters access by which transit gateway connect peers can be associated or disassociated", - "type": "String" + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:acl/${AclName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "acl" } ], - "prefix": "networkmanager", + "service_name": "Amazon MemoryDB" + }, + { + "conditions": [], + "prefix": "mgh", "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a customer gateway to a device", - "privilege": "AssociateCustomerGateway", + "description": "Associate a given AWS artifact to a MigrationTask", + "privilege": "AssociateCreatedArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, + "resource_type": "migrationTask*" + } + ] + }, + { + "access_level": "Write", + "description": "Associate a given ADS resource to a MigrationTask", + "privilege": "AssociateDiscoveredResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "migrationTask*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a Migration Hub Home Region Control", + "privilege": "CreateHomeRegionControl", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" - }, - { - "condition_keys": [ - "networkmanager:cgwArn" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate a link to a device", - "privilege": "AssociateLink", + "description": "Create a ProgressUpdateStream", + "privilege": "CreateProgressUpdateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "link*" + "resource_type": "progressUpdateStream*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate a transit gateway connect peer to a device", - "privilege": "AssociateTransitGatewayConnectPeer", + "description": "Delete a ProgressUpdateStream", + "privilege": "DeleteProgressUpdateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "progressUpdateStream*" + } + ] + }, + { + "access_level": "Read", + "description": "Get an Application Discovery Service Application's state", + "privilege": "DescribeApplicationState", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" - }, - { - "condition_keys": [ - "networkmanager:tgwConnectPeerArn" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new connection", - "privilege": "CreateConnection", + "access_level": "List", + "description": "List Home Region Controls", + "privilege": "DescribeHomeRegionControls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new device", - "privilege": "CreateDevice", + "access_level": "Read", + "description": "Describe a MigrationTask", + "privilege": "DescribeMigrationTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "migrationTask*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new global network", - "privilege": "CreateGlobalNetwork", + "description": "Disassociate a given AWS artifact from a MigrationTask", + "privilege": "DisassociateCreatedArtifact", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "migrationTask*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new link", - "privilege": "CreateLink", + "description": "Disassociate a given ADS resource from a MigrationTask", + "privilege": "DisassociateDiscoveredResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "migrationTask*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the Migration Hub Home Region", + "privilege": "GetHomeRegion", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new site", - "privilege": "CreateSite", + "description": "Import a MigrationTask", + "privilege": "ImportMigrationTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "migrationTask*" + } + ] + }, + { + "access_level": "List", + "description": "List Application statuses", + "privilege": "ListApplicationStates", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a connection", - "privilege": "DeleteConnection", + "access_level": "List", + "description": "List associated created artifacts for a MigrationTask", + "privilege": "ListCreatedArtifacts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" - }, + "resource_type": "migrationTask*" + } + ] + }, + { + "access_level": "List", + "description": "List associated ADS resources from MigrationTask", + "privilege": "ListDiscoveredResources", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "migrationTask*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a device", - "privilege": "DeleteDevice", + "access_level": "List", + "description": "List MigrationTasks", + "privilege": "ListMigrationTasks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List ProgressUpdateStreams", + "privilege": "ListProgressUpdateStreams", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a global network", - "privilege": "DeleteGlobalNetwork", + "description": "Update an Application Discovery Service Application's state", + "privilege": "NotifyApplicationState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a link", - "privilege": "DeleteLink", + "description": "Notify latest MigrationTask state", + "privilege": "NotifyMigrationTaskState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "migrationTask*" + } + ] + }, + { + "access_level": "Write", + "description": "Put ResourceAttributes", + "privilege": "PutResourceAttributes", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "migrationTask*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}", + "condition_keys": [], + "resource": "progressUpdateStream" + }, + { + "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}/migrationTask/${Task}", + "condition_keys": [], + "resource": "migrationTask" + } + ], + "service_name": "AWS Migration Hub" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by presence of tag keys in the request", + "type": "ArrayOfString" }, + { + "condition": "mgn:CreateAction", + "description": "Filters access by the name of a resource-creating API action", + "type": "String" + } + ], + "prefix": "mgn", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete a site", - "privilege": "DeleteSite", + "description": "Grants permission to create volume snapshot group", + "privilege": "BatchCreateVolumeSnapshotGroupForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to batch delete snapshot request", + "privilege": "BatchDeleteSnapshotRequestForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to deregister a transit gateway from a global network", - "privilege": "DeregisterTransitGateway", + "description": "Grants permission to change source server life cycle state", + "privilege": "ChangeServerLifeCycleState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create launch configuration template", + "privilege": "CreateLaunchConfigurationTemplate", + "resource_types": [ { "condition_keys": [ - "networkmanager:tgwArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -127549,30 +141716,29 @@ ] }, { - "access_level": "List", - "description": "Grants permission to describe global networks", - "privilege": "DescribeGlobalNetworks", + "access_level": "Write", + "description": "Grants permission to create replication configuration template", + "privilege": "CreateReplicationConfigurationTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "global-network" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a customer gateway from a device", - "privilege": "DisassociateCustomerGateway", + "description": "Grants permission to create vcenter client", + "privilege": "CreateVcenterClientForMgn", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, { "condition_keys": [ - "networkmanager:cgwArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -127581,386 +141747,425 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate a link from a device", - "privilege": "DisassociateLink", + "description": "Grants permission to delete job", + "privilege": "DeleteJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "JobResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete launch configuration template", + "privilege": "DeleteLaunchConfigurationTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "LaunchConfigurationTemplateResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a transit gateway connect peer from a device", - "privilege": "DisassociateTransitGatewayConnectPeer", + "description": "Grants permission to delete replication configuration template", + "privilege": "DeleteReplicationConfigurationTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "networkmanager:tgwConnectPeerArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "ReplicationConfigurationTemplateResource*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe connections", - "privilege": "GetConnections", + "access_level": "Write", + "description": "Grants permission to delete source server", + "privilege": "DeleteSourceServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete vcenter client", + "privilege": "DeleteVcenterClient", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" + "resource_type": "VcenterClientResource*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe customer gateway associations", - "privilege": "GetCustomerGatewayAssociations", + "access_level": "Read", + "description": "Grants permission to describe job log items", + "privilege": "DescribeJobLogItems", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "JobResource*" } ] }, { "access_level": "List", - "description": "Grants permission to describe devices", - "privilege": "GetDevices", + "description": "Grants permission to describe jobs", + "privilege": "DescribeJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to describe link associations", - "privilege": "GetLinkAssociations", + "description": "Grants permission to describe launch configuration template", + "privilege": "DescribeLaunchConfigurationTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "link" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to describe links", - "privilege": "GetLinks", + "description": "Grants permission to describe replication configuration template", + "privilege": "DescribeReplicationConfigurationTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "link" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to return the number of resources for a global network grouped by type", - "privilege": "GetNetworkResourceCounts", + "description": "Grants permission to describe replication server associations", + "privilege": "DescribeReplicationServerAssociationsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve related resources for a resource within the global network", - "privilege": "GetNetworkResourceRelationships", + "description": "Grants permission to describe snapshots requests", + "privilege": "DescribeSnapshotRequestsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a global network resource", - "privilege": "GetNetworkResources", + "access_level": "List", + "description": "Grants permission to describe source servers", + "privilege": "DescribeSourceServers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve routes for a route table within the global network", - "privilege": "GetNetworkRoutes", + "access_level": "List", + "description": "Grants permission to describe vcenter clients", + "privilege": "DescribeVcenterClients", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve network telemetry objects for the global network", - "privilege": "GetNetworkTelemetry", + "access_level": "Write", + "description": "Grants permission to disconnect source server from service", + "privilege": "DisconnectFromService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a route analysis configuration and result", - "privilege": "GetRouteAnalysis", + "access_level": "Write", + "description": "Grants permission to finalize cutover", + "privilege": "FinalizeCutover", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe global networks", - "privilege": "GetSites", + "access_level": "Read", + "description": "Grants permission to get agent command", + "privilege": "GetAgentCommandForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "site" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe transit gateway connect peer associations", - "privilege": "GetTransitGatewayConnectPeerAssociations", + "access_level": "Read", + "description": "Grants permission to get agent confirmed resume info", + "privilege": "GetAgentConfirmedResumeInfoForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe transit gateway registrations", - "privilege": "GetTransitGatewayRegistrations", + "access_level": "Read", + "description": "Grants permission to get agent installation assets", + "privilege": "GetAgentInstallationAssetsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to lists tag for a Network Manager resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to get agent replication info", + "privilege": "GetAgentReplicationInfoForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get agent runtime configuration", + "privilege": "GetAgentRuntimeConfigurationForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get agent snapshots credits", + "privilege": "GetAgentSnapshotCreditsForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get channel commands", + "privilege": "GetChannelCommandsForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to register a transit gateway to a global network", - "privilege": "RegisterTransitGateway", + "access_level": "Read", + "description": "Grants permission to get launch configuration", + "privilege": "GetLaunchConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "networkmanager:tgwArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a route analysis and stores analysis configuration", - "privilege": "StartRouteAnalysis", + "access_level": "Read", + "description": "Grants permission to get replication configuration", + "privilege": "GetReplicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a Network Manager resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to get vcenter client commands", + "privilege": "GetVcenterClientCommandsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, + "resource_type": "VcenterClientResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to initialize service", + "privilege": "InitializeService", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" - }, + "dependent_actions": [ + "iam:AddRoleToInstanceProfile", + "iam:CreateInstanceProfile", + "iam:CreateServiceLinkedRole", + "iam:GetInstanceProfile" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to issue a client certificate", + "privilege": "IssueClientCertificateForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network" - }, + "resource_type": "SourceServerResource" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to mark source server as archived", + "privilege": "MarkAsArchived", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a Network Manager resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to notify agent authentication", + "privilege": "NotifyAgentAuthenticationForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to notify agent is connected", + "privilege": "NotifyAgentConnectedForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to notify agent is disconnected", + "privilege": "NotifyAgentDisconnectedForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to notify agent replication progress", + "privilege": "NotifyAgentReplicationProgressForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to notify vcenter client started", + "privilege": "NotifyVcenterClientStartedForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" - }, + "resource_type": "VcenterClientResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register agent", + "privilege": "RegisterAgentForMgn", + "resource_types": [ { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -127970,194 +142175,163 @@ }, { "access_level": "Write", - "description": "Grants permission to update a connection", - "privilege": "UpdateConnection", + "description": "Grants permission to retry replication", + "privilege": "RetryDataReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a device", - "privilege": "UpdateDevice", + "description": "Grants permission to send agent logs", + "privilege": "SendAgentLogsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a global network", - "privilege": "UpdateGlobalNetwork", + "description": "Grants permission to send agent metrics", + "privilege": "SendAgentMetricsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a link", - "privilege": "UpdateLink", + "description": "Grants permission to send channel command result", + "privilege": "SendChannelCommandResultForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "link*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to add or update metadata key/value pairs on network resource", - "privilege": "UpdateNetworkResourceMetadata", + "description": "Grants permission to send client logs", + "privilege": "SendClientLogsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a site", - "privilege": "UpdateSite", + "description": "Grants permission to send client metrics", + "privilege": "SendClientMetricsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send vcenter client command result", + "privilege": "SendVcenterClientCommandResultForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site*" + "resource_type": "VcenterClientResource*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "global-network" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "site" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "link" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "device" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "connection" - } - ], - "service_name": "AWS Network Manager" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - }, - { - "condition": "networkmanager:cgwArn", - "description": "Controls which customer gateways can be associated or disassociated", - "type": "String" - }, - { - "condition": "networkmanager:tgwArn", - "description": "Controls which transit gateways can be registered or deregistered", - "type": "String" }, - { - "condition": "networkmanager:tgwConnectPeerArn", - "description": "Controls which connect peers can be associated or disassociated", - "type": "String" - } - ], - "prefix": "networkmanager", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a customer gateway to a device", - "privilege": "AssociateCustomerGateway", + "description": "Grants permission to send vcenter client logs", + "privilege": "SendVcenterClientLogsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, + "resource_type": "VcenterClientResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send vcenter client metrics", + "privilege": "SendVcenterClientMetricsForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "VcenterClientResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start cutover", + "privilege": "StartCutover", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "link" + "dependent_actions": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateSecurityGroup", + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:DeleteLaunchTemplateVersions", + "ec2:DeleteSnapshot", + "ec2:DeleteVolume", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeImages", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyLaunchTemplate", + "ec2:ReportInstanceStatus", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances", + "iam:PassRole", + "mgn:ListTagsForResource" + ], + "resource_type": "SourceServerResource*" }, { "condition_keys": [ - "networkmanager:cgwArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -128166,68 +142340,107 @@ }, { "access_level": "Write", - "description": "Grants permission to associate a link to a device", - "privilege": "AssociateLink", + "description": "Grants permission to start replication", + "privilege": "StartReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start test", + "privilege": "StartTest", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" + "dependent_actions": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateSecurityGroup", + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:DeleteLaunchTemplateVersions", + "ec2:DeleteSnapshot", + "ec2:DeleteVolume", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeImages", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyLaunchTemplate", + "ec2:ReportInstanceStatus", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances", + "iam:PassRole", + "mgn:ListTagsForResource" + ], + "resource_type": "SourceServerResource*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to associate a transit gateway connect peer to a device", - "privilege": "AssociateTransitGatewayConnectPeer", + "access_level": "Tagging", + "description": "Grants permission to assign a resource tag", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "JobResource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "LaunchConfigurationTemplateResource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "ReplicationConfigurationTemplateResource" }, { - "condition_keys": [ - "networkmanager:tgwConnectPeerArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new connection", - "privilege": "CreateConnection", - "resource_types": [ + "resource_type": "SourceServerResource" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "VcenterClientResource" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", + "mgn:CreateAction", "aws:TagKeys" ], "dependent_actions": [], @@ -128237,13 +142450,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new device", - "privilege": "CreateDevice", + "description": "Grants permission to terminate target instances", + "privilege": "TerminateTargetInstances", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" + "dependent_actions": [ + "ec2:DeleteVolume", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:TerminateInstances" + ], + "resource_type": "SourceServerResource*" }, { "condition_keys": [ @@ -128256,60 +142474,37 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a new global network", - "privilege": "CreateGlobalNetwork", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new link", - "privilege": "CreateLink", - "resource_types": [ + "condition_keys": [], + "dependent_actions": [], + "resource_type": "JobResource" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "LaunchConfigurationTemplateResource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" + "resource_type": "ReplicationConfigurationTemplateResource" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new site", - "privilege": "CreateSite", - "resource_types": [ + "resource_type": "SourceServerResource" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "VcenterClientResource" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -128319,128 +142514,205 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a connection", - "privilege": "DeleteConnection", + "description": "Grants permission to update agent backlog", + "privilege": "UpdateAgentBacklogForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update agent conversion info", + "privilege": "UpdateAgentConversionInfoForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a device", - "privilege": "DeleteDevice", + "description": "Grants permission to update agent replication info", + "privilege": "UpdateAgentReplicationInfoForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update agent replication process state", + "privilege": "UpdateAgentReplicationProcessStateForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a global network", - "privilege": "DeleteGlobalNetwork", + "description": "Grants permission to update agent source properties", + "privilege": "UpdateAgentSourcePropertiesForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a link", - "privilege": "DeleteLink", + "description": "Grants permission to update launch configuration", + "privilege": "UpdateLaunchConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update launch configuration", + "privilege": "UpdateLaunchConfigurationTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "LaunchConfigurationTemplateResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a site", - "privilege": "DeleteSite", + "description": "Grants permission to update replication configuration", + "privilege": "UpdateReplicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update replication configuration template", + "privilege": "UpdateReplicationConfigurationTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site*" + "resource_type": "ReplicationConfigurationTemplateResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to deregister a transit gateway from a global network", - "privilege": "DeregisterTransitGateway", + "description": "Grants permission to update source server replication type", + "privilege": "UpdateSourceServerReplicationType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "networkmanager:tgwArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe global networks", - "privilege": "DescribeGlobalNetworks", + "access_level": "Read", + "description": "Grants permission to verify client role", + "privilege": "VerifyClientRoleForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mgn:${Region}:${Account}:job/${JobID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "JobResource" + }, + { + "arn": "arn:${Partition}:mgn:${Region}:${Account}:replication-configuration-template/${ReplicationConfigurationTemplateID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ReplicationConfigurationTemplateResource" + }, + { + "arn": "arn:${Partition}:mgn:${Region}:${Account}:launch-configuration-template/${LaunchConfigurationTemplateID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "LaunchConfigurationTemplateResource" + }, + { + "arn": "arn:${Partition}:mgn:${Region}:${Account}:vcenter-client/${VcenterClientID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "VcenterClientResource" + }, + { + "arn": "arn:${Partition}:mgn:${Region}:${Account}:source-server/${SourceServerID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "SourceServerResource" + } + ], + "service_name": "AWS Application Migration Service" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "migrationhub-orchestrator", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to disassociate a customer gateway from a device", - "privilege": "DisassociateCustomerGateway", + "description": "Grants permission to create a workflow based on the selected template", + "privilege": "CreateWorkflow", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, { "condition_keys": [ - "networkmanager:cgwArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -128449,264 +142721,318 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate a link from a device", - "privilege": "DisassociateLink", + "description": "Grants permission to create a step under a workflow and a specific step group", + "privilege": "CreateWorkflowStep", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to to create a custom step group for a given workflow", + "privilege": "CreateWorkflowStepGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to a workflow", + "privilege": "DeleteWorkflow", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "workflow*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a transit gateway connect peer from a device", - "privilege": "DisassociateTransitGatewayConnectPeer", + "description": "Grants permission to delete a step from a specific step group under a workflow", + "privilege": "DeleteWorkflowStep", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "networkmanager:tgwConnectPeerArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe connections", - "privilege": "GetConnections", + "access_level": "Write", + "description": "Grants permission to delete a step group associated with a workflow", + "privilege": "DeleteWorkflowStepGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to the plugin to receive information from the service", + "privilege": "GetMessage", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe customer gateway associations", - "privilege": "GetCustomerGatewayAssociations", + "access_level": "Read", + "description": "Grants permission to get retrieve metadata for a Template", + "privilege": "GetTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe devices", - "privilege": "GetDevices", + "access_level": "Read", + "description": "Grants permission to retrieve details of a step associated with a template and a step group", + "privilege": "GetTemplateStep", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve metadata of a step group under a template", + "privilege": "GetTemplateStepGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe link associations", - "privilege": "GetLinkAssociations", + "access_level": "Read", + "description": "Grants permission to retrieve metadata asscociated with a workflow", + "privilege": "GetWorkflow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details of step associated with a workflow and a step group", + "privilege": "GetWorkflowStep", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details of a step group associated with a workflow", + "privilege": "GetWorkflowStepGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "workflow*" } ] }, { "access_level": "List", - "description": "Grants permission to describe links", - "privilege": "GetLinks", + "description": "Grants permission to get a list all registered Plugins", + "privilege": "ListPlugins", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a list of all the tags tied to a resource", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "workflow*" } ] }, { "access_level": "List", - "description": "Grants permission to describe global networks", - "privilege": "GetSites", + "description": "Grants permission to lists step groups of a template", + "privilege": "ListTemplateStepGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "site" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to describe transit gateway connect peer associations", - "privilege": "GetTransitGatewayConnectPeerAssociations", + "description": "Grants permission to get a list of steps in a step group", + "privilege": "ListTemplateSteps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to describe transit gateway registrations", - "privilege": "GetTransitGatewayRegistrations", + "description": "Grants permission to get a list of all Templates available to customer", + "privilege": "ListTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to lists tag for a Network Manager resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to get list of step groups associated with a workflow", + "privilege": "ListWorkflowStepGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of steps within step group associated with a workflow", + "privilege": "ListWorkflowSteps", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all workflows", + "privilege": "ListWorkflows", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to register a transit gateway to a global network", - "privilege": "RegisterTransitGateway", + "description": "Grants permission to register the plugin to receive an ID and to start receiving messages from the service", + "privilege": "RegisterPlugin", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "networkmanager:tgwArn" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a Network Manager resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to retry a failed step within a workflow", + "privilege": "RetryWorkflowStep", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to the plugin to send information to the service", + "privilege": "SendMessage", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a workflow or resume a stopped workflow", + "privilege": "StartWorkflow", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a workflow", + "privilege": "StopWorkflow", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" + "resource_type": "workflow*" }, { "condition_keys": [ "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -128715,37 +143041,18 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag a Network Manager resource", + "description": "Grants permission to remove tags from a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "link" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "site" + "resource_type": "workflow*" }, { "condition_keys": [ - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -128754,311 +143061,255 @@ }, { "access_level": "Write", - "description": "Grants permission to update a connection", - "privilege": "UpdateConnection", + "description": "Grants permission to update the metadata associated with the workflow", + "privilege": "UpdateWorkflow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" - }, + "resource_type": "workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update metadata and status of a custom step within a workflow", + "privilege": "UpdateWorkflowStep", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "workflow*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a device", - "privilege": "UpdateDevice", + "description": "Grants permission to update metadata associated with a step group in a given workflow", + "privilege": "UpdateWorkflowStepGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, + "resource_type": "workflow*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:migrationhub-orchestrator:${Region}:${Account}:workflow/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "workflow" + } + ], + "service_name": "AWS Migration Hub Orchestrator" + }, + { + "conditions": [], + "prefix": "migrationhub-strategy", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to get details of each anti pattern that collector should look at in a customer's environment", + "privilege": "GetAntiPattern", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a global network", - "privilege": "UpdateGlobalNetwork", + "access_level": "Read", + "description": "Grants permission to get details of an application", + "privilege": "GetApplicationComponentDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a link", - "privilege": "UpdateLink", + "access_level": "Read", + "description": "Grants permission to get a list of all recommended strategies and tools for an application running in a server", + "privilege": "GetApplicationComponentStrategies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve status of an on-going assessment", + "privilege": "GetAssessment", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a site", - "privilege": "UpdateSite", + "access_level": "Read", + "description": "Grants permission to get details of a specific import task", + "privilege": "GetImportFileTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to the collector to receive information from the service", + "privilege": "GetMessage", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site*" + "resource_type": "" } ] - } - ], - "resources": [ + }, { - "arn": "arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "global-network" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "site" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "link" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "device" - }, - { - "arn": "arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "connection" - } - ], - "service_name": "Network Manager" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a tag key and value pair that is allowed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair of a resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by a list of tag keys that are allowed in the request", - "type": "String" - }, - { - "condition": "nimble:createdBy", - "description": "Filters access by the createdBy request parameter or the ID of the creator of the resource", - "type": "String" + "access_level": "Read", + "description": "Grants permission to retrieve customer migration/Modernization preferences", + "privilege": "GetPortfolioPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "nimble:ownedBy", - "description": "Filters access by the ownedBy request parameter or the ID of the owner of the resource", - "type": "String" + "access_level": "Read", + "description": "Grants permission to retrieve overall summary (number-of servers to rehost etc as well as overall number of anti patterns)", + "privilege": "GetPortfolioSummary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "nimble:principalId", - "description": "Filters access by the principalId request parameter", - "type": "String" + "access_level": "Read", + "description": "Grants permission to retrieve detailed information about a recommendation report", + "privilege": "GetRecommendationReportDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "nimble:requesterPrincipalId", - "description": "Filters access by the ID of the logged in user", - "type": "String" + "access_level": "Read", + "description": "Grants permission to get info about a specific server", + "privilege": "GetServerDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "nimble:studioId", - "description": "Filters access by a specific studio", - "type": "ARN" - } - ], - "prefix": "nimble", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to accept EULAs", - "privilege": "AcceptEulas", + "access_level": "Read", + "description": "Grants permission to get recommended strategies and tools for a specific server", + "privilege": "GetServerStrategies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eula*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a launch profile", - "privilege": "CreateLaunchProfile", + "access_level": "List", + "description": "Grants permission to get a list of all anti patterns that collector should look for in a customer's environment", + "privilege": "ListAntiPatterns", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:RunInstances" - ], - "resource_type": "studio*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a streaming image", - "privilege": "CreateStreamingImage", + "access_level": "List", + "description": "Grants permission to get a list of all applications running on servers on customer's servers", + "privilege": "ListApplicationComponents", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DescribeImages", - "ec2:DescribeSnapshots", - "ec2:ModifyInstanceAttribute", - "ec2:ModifySnapshotAttribute", - "ec2:RegisterImage" - ], - "resource_type": "studio*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a streaming session", - "privilege": "CreateStreamingSession", + "access_level": "List", + "description": "Grants permission to get a list of all collectors installed by the customer", + "privilege": "ListCollectors", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "nimble:GetLaunchProfile", - "nimble:GetLaunchProfileInitialization", - "nimble:ListEulaAcceptances" - ], - "resource_type": "launch-profile*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a StreamingSessionStream", - "privilege": "CreateStreamingSessionStream", + "access_level": "List", + "description": "Grants permission to get list of all imports performed by the customer", + "privilege": "ListImportFileTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streaming-session*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a studio", - "privilege": "CreateStudio", + "access_level": "List", + "description": "Grants permission to get a list of binaries that collector should assess", + "privilege": "ListJarArtifacts", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "sso:CreateManagedApplicationInstance" - ], - "resource_type": "studio*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a studio component. A studio component designates a network resource to which a launch profile will provide access", - "privilege": "CreateStudioComponent", + "access_level": "List", + "description": "Grants permission to get a list of all servers in a customer's environment", + "privilege": "ListServers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ds:AuthorizeApplication", - "ds:DescribeDirectories", - "ec2:DescribeSecurityGroups", - "fsx:DescribeFileSystems" - ], - "resource_type": "studio*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } @@ -129066,115 +143317,104 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a launch profile", - "privilege": "DeleteLaunchProfile", + "description": "Grants permission to save customer's Migration/Modernization preferences", + "privilege": "PutPortfolioPreferences", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a launch profile member", - "privilege": "DeleteLaunchProfileMember", + "description": "Grants permission to register the collector to receive an ID and to start receiving messages from the service", + "privilege": "RegisterCollector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a streaming image", - "privilege": "DeleteStreamingImage", + "description": "Grants permission to the collector to send information to the service", + "privilege": "SendMessage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DeleteSnapshot", - "ec2:DeregisterImage", - "ec2:ModifyInstanceAttribute", - "ec2:ModifySnapshotAttribute" - ], - "resource_type": "streaming-image*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a streaming session", - "privilege": "DeleteStreamingSession", + "description": "Grants permission to start assessment in a customer's environment (collect data from all servers and provide recommendations)", + "privilege": "StartAssessment", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DeleteNetworkInterface" - ], - "resource_type": "streaming-session*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a studio", - "privilege": "DeleteStudio", + "description": "Grants permission to start importing data from a file provided by customer", + "privilege": "StartImportFileTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso:DeleteManagedApplicationInstance" - ], - "resource_type": "studio*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a studio component", - "privilege": "DeleteStudioComponent", + "description": "Grants permission to start generating a recommendation report", + "privilege": "StartRecommendationReportGeneration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ds:UnauthorizeApplication" - ], - "resource_type": "studio-component*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a studio member", - "privilege": "DeleteStudioMember", + "description": "Grants permission to stop an on-going assessment", + "privilege": "StopAssessment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a EULA", - "privilege": "GetEula", + "access_level": "Write", + "description": "Grants permission to update details for an application", + "privilege": "UpdateApplicationComponentConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eula*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to allow Nimble Studio portal to show the appropriate features for this account", - "privilege": "GetFeatureMap", + "access_level": "Write", + "description": "Grants permission to update info on a server along with the recommended strategy", + "privilege": "UpdateServerConfig", "resource_types": [ { "condition_keys": [], @@ -129182,246 +143422,243 @@ "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "AWS Migration Hub Strategy Recommendations" + }, + { + "conditions": [], + "prefix": "mobileanalytics", + "privileges": [ { "access_level": "Read", - "description": "Grants permission to get a launch profile", - "privilege": "GetLaunchProfile", + "description": "Grant access to financial metrics for an app", + "privilege": "GetFinancialReports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a launch profile's details, which includes the summary of studio components and streaming images used by the launch profile", - "privilege": "GetLaunchProfileDetails", + "description": "Grant access to standard metrics for an app", + "privilege": "GetReports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a launch profile initialization. A launch profile initialization is a dereferenced version of a launch profile, including attached studio component connection information", - "privilege": "GetLaunchProfileInitialization", + "access_level": "Write", + "description": "The PutEvents operation records one or more events", + "privilege": "PutEvents", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ds:DescribeDirectories", - "ec2:DescribeSecurityGroups", - "fsx:DescribeFileSystems" - ], - "resource_type": "launch-profile*" + "dependent_actions": [], + "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "Amazon Mobile Analytics" + }, + { + "conditions": [], + "prefix": "mobilehub", + "privileges": [ { - "access_level": "Read", - "description": "Grants permission to get a launch profile member", - "privilege": "GetLaunchProfileMember", + "access_level": "Write", + "description": "Create a project", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a streaming image", - "privilege": "GetStreamingImage", + "access_level": "Write", + "description": "Enable AWS Mobile Hub in the account by creating the required service role", + "privilege": "CreateServiceRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streaming-image*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a streaming session", - "privilege": "GetStreamingSession", + "access_level": "Write", + "description": "Delete the specified project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streaming-session*" + "resource_type": "project*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a streaming session stream", - "privilege": "GetStreamingSessionStream", + "access_level": "Write", + "description": "Delete a saved snapshot of project configuration", + "privilege": "DeleteProjectSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streaming-session*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a studio", - "privilege": "GetStudio", + "access_level": "Write", + "description": "Deploy changes to the specified stage", + "privilege": "DeployToStage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a studio component", - "privilege": "GetStudioComponent", + "description": "Describe the download bundle", + "privilege": "DescribeBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio-component*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a studio member", - "privilege": "GetStudioMember", + "description": "Export the download bundle", + "privilege": "ExportBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list EULA acceptances", - "privilege": "ListEulaAcceptances", + "description": "Export the project configuration", + "privilege": "ExportProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eula-acceptance*" + "resource_type": "project*" } ] }, { "access_level": "Read", - "description": "Grants permission to list EULAs", - "privilege": "ListEulas", + "description": "Generate project parameters required for code generation", + "privilege": "GenerateProjectParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eula*" + "resource_type": "project*" } ] }, { "access_level": "Read", - "description": "Grants permission to list launch profile members", - "privilege": "ListLaunchProfileMembers", + "description": "Get project configuration and resources", + "privilege": "GetProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "project*" } ] }, { "access_level": "Read", - "description": "Grants permission to list launch profiles", - "privilege": "ListLaunchProfiles", + "description": "Fetch the previously exported project configuration snapshot", + "privilege": "GetProjectSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" - }, - { - "condition_keys": [ - "nimble:principalId" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list streaming images", - "privilege": "ListStreamingImages", + "access_level": "Write", + "description": "Create a new project from the previously exported project configuration", + "privilege": "ImportProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list streaming sessions", - "privilege": "ListStreamingSessions", + "access_level": "Write", + "description": "Install a bundle in the project deployments S3 bucket", + "privilege": "InstallBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" - }, - { - "condition_keys": [ - "nimble:createdBy", - "nimble:ownedBy" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list studio components", - "privilege": "ListStudioComponents", + "access_level": "List", + "description": "List the available SaaS (Software as a Service) connectors", + "privilege": "ListAvailableConnectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list studio members", - "privilege": "ListStudioMembers", + "access_level": "List", + "description": "List available features", + "privilege": "ListAvailableFeatures", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all studios", - "privilege": "ListStudios", + "access_level": "List", + "description": "List available regions for projects", + "privilege": "ListAvailableRegions", "resource_types": [ { "condition_keys": [], @@ -129431,150 +143668,144 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list all tags on a Nimble Studio resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "List the available download bundles", + "privilege": "ListBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "streaming-image" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "streaming-session" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "studio" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List saved snapshots of project configuration", + "privilege": "ListProjectSnapshots", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio-component" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to add/update launch profile members", - "privilege": "PutLaunchProfileMembers", + "access_level": "List", + "description": "List projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers" - ], - "resource_type": "launch-profile*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to report metrics and logs for the Nimble Studio portal to monitor application health", - "privilege": "PutStudioLogEvents", + "description": "Synchronize state of resources into project", + "privilege": "SynchronizeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "studio*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to add/update studio members", - "privilege": "PutStudioMembers", + "description": "Update project", + "privilege": "UpdateProject", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers" - ], - "resource_type": "studio*" + "dependent_actions": [], + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a streaming session", - "privilege": "StartStreamingSession", + "access_level": "Read", + "description": "Validate a mobile hub project.", + "privilege": "ValidateProject", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "nimble:GetLaunchProfile", - "nimble:GetLaunchProfileMember" - ], - "resource_type": "streaming-session*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to repair the studio's AWS SSO configuration", - "privilege": "StartStudioSSOConfigurationRepair", + "access_level": "Read", + "description": "Verify AWS Mobile Hub is enabled in the account", + "privilege": "VerifyServiceRole", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso:CreateManagedApplicationInstance", - "sso:GetManagedApplicationInstance" - ], - "resource_type": "studio*" + "dependent_actions": [], + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mobilehub:${Region}:${Account}:project/${ProjectId}", + "condition_keys": [], + "resource": "project" + } + ], + "service_name": "AWS Mobile Hub" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the pinpoint service", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the pinpoint service", + "type": "ArrayOfString" + } + ], + "prefix": "mobiletargeting", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to stop a streaming session", - "privilege": "StopStreamingSession", + "description": "Grants permission to create an app", + "privilege": "CreateApp", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "nimble:GetLaunchProfile" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" ], - "resource_type": "streaming-session*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add or overwrite one or more tags for the specified Nimble Studio resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to create a campaign for an app", + "privilege": "CreateCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "streaming-image" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "streaming-session" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "studio" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "studio-component" + "resource_type": "apps*" }, { "condition_keys": [ @@ -129588,38 +143819,15 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to disassociate one or more tags from the specified Nimble Studio resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create an email template", + "privilege": "CreateEmailTemplate", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "launch-profile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "streaming-image" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "streaming-session" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "studio" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "studio-component" - }, { "condition_keys": [ - "aws:TagKeys" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -129628,1366 +143836,1237 @@ }, { "access_level": "Write", - "description": "Grants permission to update a launch profile", - "privilege": "UpdateLaunchProfile", + "description": "Grants permission to create an export job that exports endpoint definitions to Amazon S3", + "privilege": "CreateExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a launch profile member", - "privilege": "UpdateLaunchProfileMember", + "description": "Grants permission to import endpoint definitions from to create a segment", + "privilege": "CreateImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "launch-profile*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a streaming image", - "privilege": "UpdateStreamingImage", + "description": "Grants permission to create an in-app message template", + "privilege": "CreateInAppTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "streaming-image*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a studio", - "privilege": "UpdateStudio", + "description": "Grants permission to create a Journey for an app", + "privilege": "CreateJourney", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" + "dependent_actions": [], + "resource_type": "apps*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" ], - "resource_type": "studio*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a studio component", - "privilege": "UpdateStudioComponent", + "description": "Grants permission to create a push notification template", + "privilege": "CreatePushTemplate", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "ds:AuthorizeApplication", - "ds:DescribeDirectories", - "ec2:DescribeSecurityGroups", - "fsx:DescribeFileSystems" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" ], - "resource_type": "studio-component*" + "dependent_actions": [], + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:nimble:${Region}:${Account}:studio/${StudioId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "nimble:studioId" - ], - "resource": "studio" - }, - { - "arn": "arn:${Partition}:nimble:${Region}:${Account}:streaming-image/${StreamingImageId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "nimble:studioId" - ], - "resource": "streaming-image" - }, - { - "arn": "arn:${Partition}:nimble:${Region}:${Account}:studio-component/${StudioComponentId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "nimble:studioId" - ], - "resource": "studio-component" - }, - { - "arn": "arn:${Partition}:nimble:${Region}:${Account}:launch-profile/${LaunchProfileId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "nimble:studioId" - ], - "resource": "launch-profile" - }, - { - "arn": "arn:${Partition}:nimble:${Region}:${Account}:streaming-session/${StreamingSessionId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "nimble:createdBy", - "nimble:ownedBy" - ], - "resource": "streaming-session" - }, - { - "arn": "arn:${Partition}:nimble:${Region}:${Account}:eula/${EulaId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "nimble:requesterPrincipalId" - ], - "resource": "eula" }, - { - "arn": "arn:${Partition}:nimble:${Region}:${Account}:eula-acceptance/${EulaAcceptanceId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "nimble:studioId" - ], - "resource": "eula-acceptance" - } - ], - "service_name": "Amazon Nimble Studio" - }, - { - "conditions": [], - "prefix": "opsworks", - "privileges": [ { "access_level": "Write", - "description": "Assign a registered instance to a layer", - "privilege": "AssignInstance", + "description": "Grants permission to create an Amazon Pinpoint configuration for a recommender model", + "privilege": "CreateRecommenderConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Assigns one of the stack's registered Amazon EBS volumes to a specified instance", - "privilege": "AssignVolume", + "description": "Grants permission to create a segment that is based on endpoint data reported to Pinpoint by your app. To allow a user to create a segment by importing endpoint data from outside of Pinpoint, allow the mobiletargeting:CreateImportJob action", + "privilege": "CreateSegment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Associates one of the stack's registered Elastic IP addresses with a specified instance", - "privilege": "AssociateElasticIp", + "description": "Grants permission to create an sms message template", + "privilege": "CreateSmsTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Attaches an Elastic Load Balancing load balancer to a specified layer", - "privilege": "AttachElasticLoadBalancer", + "description": "Grants permission to create a voice message template", + "privilege": "CreateVoiceTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a clone of a specified stack", - "privilege": "CloneStack", + "description": "Grants permission to delete the ADM channel for an app", + "privilege": "DeleteAdmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Creates an app for a specified stack", - "privilege": "CreateApp", + "description": "Grants permission to delete the APNs channel for an app", + "privilege": "DeleteApnsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Runs deployment or stack commands", - "privilege": "CreateDeployment", + "description": "Grants permission to delete the APNs sandbox channel for an app", + "privilege": "DeleteApnsSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Creates an instance in a specified stack", - "privilege": "CreateInstance", + "description": "Grants permission to delete the APNs VoIP channel for an app", + "privilege": "DeleteApnsVoipChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Creates a layer", - "privilege": "CreateLayer", + "description": "Grants permission to delete the APNs VoIP sandbox channel for an app", + "privilege": "DeleteApnsVoipSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Creates a new stack", - "privilege": "CreateStack", + "description": "Grants permission to delete a specific campaign", + "privilege": "DeleteApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Creates a new user profile", - "privilege": "CreateUserProfile", + "description": "Grants permission to delete the Baidu channel for an app", + "privilege": "DeleteBaiduChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Deletes a specified app", - "privilege": "DeleteApp", + "description": "Grants permission to delete a specific campaign", + "privilege": "DeleteCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns*" } ] }, { "access_level": "Write", - "description": "Deletes a specified instance, which terminates the associated Amazon EC2 instance", - "privilege": "DeleteInstance", + "description": "Grants permission to delete the email channel for an app", + "privilege": "DeleteEmailChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Deletes a specified layer", - "privilege": "DeleteLayer", + "description": "Grants permission to delete an email template or an email template version", + "privilege": "DeleteEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { "access_level": "Write", - "description": "Deletes a specified stack", - "privilege": "DeleteStack", + "description": "Grants permission to delete an endpoint", + "privilege": "DeleteEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Deletes a user profile", - "privilege": "DeleteUserProfile", + "description": "Grants permission to delete the event stream for an app", + "privilege": "DeleteEventStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Deletes a user profile", - "privilege": "DeregisterEcsCluster", + "description": "Grants permission to delete the GCM channel for an app", + "privilege": "DeleteGcmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Deregisters a specified Elastic IP address", - "privilege": "DeregisterElasticIp", + "description": "Grants permission to delete an in-app message template or an in-app message template version", + "privilege": "DeleteInAppTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { "access_level": "Write", - "description": "Deregister a registered Amazon EC2 or on-premises instance", - "privilege": "DeregisterInstance", + "description": "Grants permission to delete a specific journey", + "privilege": "DeleteJourney", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "journeys*" } ] }, { "access_level": "Write", - "description": "Deregisters an Amazon RDS instance", - "privilege": "DeregisterRdsDbInstance", + "description": "Grants permission to delete a push notification template or a push notification template version", + "privilege": "DeletePushTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { "access_level": "Write", - "description": "Deregisters an Amazon EBS volume", - "privilege": "DeregisterVolume", + "description": "Grants permission to delete an Amazon Pinpoint configuration for a recommender model", + "privilege": "DeleteRecommenderConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "recommenders*" } ] }, { - "access_level": "List", - "description": "Describes the available AWS OpsWorks agent versions", - "privilege": "DescribeAgentVersions", + "access_level": "Write", + "description": "Grants permission to delete a specific segment", + "privilege": "DeleteSegment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "segments*" } ] }, { - "access_level": "List", - "description": "Requests a description of a specified set of apps", - "privilege": "DescribeApps", + "access_level": "Write", + "description": "Grants permission to delete the SMS channel for an app", + "privilege": "DeleteSmsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes the results of specified commands", - "privilege": "DescribeCommands", + "access_level": "Write", + "description": "Grants permission to delete an sms message template or an sms message template version", + "privilege": "DeleteSmsTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { - "access_level": "List", - "description": "Requests a description of a specified set of deployments", - "privilege": "DescribeDeployments", + "access_level": "Write", + "description": "Grants permission to delete all of the endpoints that are associated with a user ID", + "privilege": "DeleteUserEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes Amazon ECS clusters that are registered with a stack", - "privilege": "DescribeEcsClusters", + "access_level": "Write", + "description": "Grants permission to delete the Voice channel for an app", + "privilege": "DeleteVoiceChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes Elastic IP addresses", - "privilege": "DescribeElasticIps", + "access_level": "Write", + "description": "Grants permission to delete a voice message template or a voice message template version", + "privilege": "DeleteVoiceTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { - "access_level": "List", - "description": "Describes a stack's Elastic Load Balancing instances", - "privilege": "DescribeElasticLoadBalancers", + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Device Messaging (ADM) channel for an app", + "privilege": "GetAdmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Requests a description of a set of instances", - "privilege": "DescribeInstances", + "access_level": "Read", + "description": "Grants permission to retrieve information about the APNs channel for an app", + "privilege": "GetApnsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Requests a description of one or more layers in a specified stack", - "privilege": "DescribeLayers", + "access_level": "Read", + "description": "Grants permission to retrieve information about the APNs sandbox channel for an app", + "privilege": "GetApnsSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes load-based auto scaling configurations for specified layers", - "privilege": "DescribeLoadBasedAutoScaling", + "access_level": "Read", + "description": "Grants permission to retrieve information about the APNs VoIP channel for an app", + "privilege": "GetApnsVoipChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes a user's SSH information", - "privilege": "DescribeMyUserProfile", + "access_level": "Read", + "description": "Grants permission to retrieve information about the APNs VoIP sandbox channel for an app", + "privilege": "GetApnsVoipSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes the operating systems that are supported by AWS OpsWorks Stacks", - "privilege": "DescribeOperatingSystems", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific app in your Amazon Pinpoint account", + "privilege": "GetApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes the permissions for a specified stack", - "privilege": "DescribePermissions", + "access_level": "Read", + "description": "Grants permission to retrieve (queries) pre-aggregated data for a standard metric that applies to an application", + "privilege": "GetApplicationDateRangeKpi", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "List", - "description": "Describe an instance's RAID arrays", - "privilege": "DescribeRaidArrays", + "description": "Grants permission to retrieve the default settings for an app", + "privilege": "GetApplicationSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes Amazon RDS instances", - "privilege": "DescribeRdsDbInstances", + "access_level": "Read", + "description": "Grants permission to retrieve a list of apps in your Amazon Pinpoint account", + "privilege": "GetApps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Describes AWS OpsWorks service errors", - "privilege": "DescribeServiceErrors", + "access_level": "Read", + "description": "Grants permission to retrieve information about the Baidu channel for an app", + "privilege": "GetBaiduChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Requests a description of a stack's provisioning parameters", - "privilege": "DescribeStackProvisioningParameters", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific campaign", + "privilege": "GetCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns*" } ] }, { "access_level": "List", - "description": "Describes the number of layers and apps in a specified stack, and the number of instances in each state, such as running_setup or online", - "privilege": "DescribeStackSummary", + "description": "Grants permission to retrieve information about the activities performed by a campaign", + "privilege": "GetCampaignActivities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns*" } ] }, { - "access_level": "List", - "description": "Requests a description of one or more stacks", - "privilege": "DescribeStacks", + "access_level": "Read", + "description": "Grants permission to retrieve (queries) pre-aggregated data for a standard metric that applies to a campaign", + "privilege": "GetCampaignDateRangeKpi", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns*" } ] }, { - "access_level": "List", - "description": "Describes time-based auto scaling configurations for specified instances", - "privilege": "DescribeTimeBasedAutoScaling", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific campaign version", + "privilege": "GetCampaignVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns*" } ] }, { "access_level": "List", - "description": "Describe specified users", - "privilege": "DescribeUserProfiles", + "description": "Grants permission to retrieve information about the current and prior versions of a campaign", + "privilege": "GetCampaignVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns*" } ] }, { "access_level": "List", - "description": "Describes an instance's Amazon EBS volumes", - "privilege": "DescribeVolumes", + "description": "Grants permission to retrieve information about all campaigns for an app", + "privilege": "GetCampaigns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Detaches a specified Elastic Load Balancing instance from its layer", - "privilege": "DetachElasticLoadBalancer", + "access_level": "List", + "description": "Grants permission to get all channels information for your app", + "privilege": "GetChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Disassociates an Elastic IP address from its instance", - "privilege": "DisassociateElasticIp", + "access_level": "Read", + "description": "Grants permission to obtain information about the email channel in an app", + "privilege": "GetEmailChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { "access_level": "Read", - "description": "Gets a generated host name for the specified layer, based on the current host name theme", - "privilege": "GetHostnameSuggestion", + "description": "Grants permission to retrieve information about a specific or the active version of an email template", + "privilege": "GetEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { - "access_level": "Write", - "description": "Grants RDP access to a Windows instance for a specified time period", - "privilege": "GrantAccess", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific endpoint", + "privilege": "GetEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Returns a list of tags that are applied to the specified stack or layer", - "privilege": "ListTags", + "access_level": "Read", + "description": "Grants permission to retrieve information about the event stream for an app", + "privilege": "GetEventStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Reboots a specified instance", - "privilege": "RebootInstance", + "access_level": "Read", + "description": "Grants permission to obtain information about a specific export job", + "privilege": "GetExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Registers a specified Amazon ECS cluster with a stack", - "privilege": "RegisterEcsCluster", + "access_level": "List", + "description": "Grants permission to retrieve a list of all of the export jobs for an app", + "privilege": "GetExportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Registers an Elastic IP address with a specified stack", - "privilege": "RegisterElasticIp", + "access_level": "Read", + "description": "Grants permission to retrieve information about the GCM channel for an app", + "privilege": "GetGcmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Registers instances with a specified stack that were created outside of AWS OpsWorks", - "privilege": "RegisterInstance", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific import job", + "privilege": "GetImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Registers an Amazon RDS instance with a stack", - "privilege": "RegisterRdsDbInstance", + "access_level": "List", + "description": "Grants permission to retrieve information about all import jobs for an app", + "privilege": "GetImportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Registers an Amazon EBS volume with a specified stack", - "privilege": "RegisterVolume", + "access_level": "Read", + "description": "Grants permission to retrive in-app messages for the given endpoint id", + "privilege": "GetInAppMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Specify the load-based auto scaling configuration for a specified layer", - "privilege": "SetLoadBasedAutoScaling", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific or the active version of an in-app message template", + "privilege": "GetInAppTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { - "access_level": "Permissions management", - "description": "Specifies a user's permissions", - "privilege": "SetPermission", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific journey", + "privilege": "GetJourney", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - } - ] - }, - { - "access_level": "Write", - "description": "Specify the time-based auto scaling configuration for a specified instance", - "privilege": "SetTimeBasedAutoScaling", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "journeys*" } ] }, { - "access_level": "Write", - "description": "Starts a specified instance", - "privilege": "StartInstance", + "access_level": "Read", + "description": "Grants permission to retrieve (queries) pre-aggregated data for a standard engagement metric that applies to a journey", + "privilege": "GetJourneyDateRangeKpi", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - } - ] - }, - { - "access_level": "Write", - "description": "Starts a stack's instances", - "privilege": "StartStack", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "journeys*" } ] }, { - "access_level": "Write", - "description": "Stops a specified instance", - "privilege": "StopInstance", + "access_level": "Read", + "description": "Grants permission to retrieve (queries) pre-aggregated data for a standard execution metric that applies to a journey activity", + "privilege": "GetJourneyExecutionActivityMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - } - ] - }, - { - "access_level": "Write", - "description": "Stops a specified stack", - "privilege": "StopStack", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "journeys*" } ] }, { - "access_level": "Tagging", - "description": "Apply tags to a specified stack or layer", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to retrieve (queries) pre-aggregated data for a standard execution metric that applies to a journey", + "privilege": "GetJourneyExecutionMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - } - ] - }, - { - "access_level": "Write", - "description": "Unassigns a registered instance from all of it's layers", - "privilege": "UnassignInstance", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "journeys*" } ] }, { - "access_level": "Write", - "description": "Unassigns an assigned Amazon EBS volume", - "privilege": "UnassignVolume", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific or the active version of an push notification template", + "privilege": "GetPushTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "templates*" } ] }, { - "access_level": "Tagging", - "description": "Removes tags from a specified stack or layer", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to retrieve information about an Amazon Pinpoint configuration for a recommender model", + "privilege": "GetRecommenderConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "recommenders*" } ] }, { - "access_level": "Write", - "description": "Updates a specified app", - "privilege": "UpdateApp", + "access_level": "List", + "description": "Grants permission to retrieve information about all the recommender model configurations that are associated with an Amazon Pinpoint account", + "privilege": "GetRecommenderConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates a registered Elastic IP address's name", - "privilege": "UpdateElasticIp", + "access_level": "Read", + "description": "Grants permission to mobiletargeting:GetReports", + "privilege": "GetReports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates a specified instance", - "privilege": "UpdateInstance", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific segment", + "privilege": "GetSegment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - } - ] - }, - { - "access_level": "Write", - "description": "Updates a specified layer", - "privilege": "UpdateLayer", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "segments*" } ] }, { - "access_level": "Write", - "description": "Updates a user's SSH public key", - "privilege": "UpdateMyUserProfile", + "access_level": "List", + "description": "Grants permission to retrieve information about jobs that export endpoint definitions from segments to Amazon S3", + "privilege": "GetSegmentExportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Updates an Amazon RDS instance", - "privilege": "UpdateRdsDbInstance", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "segments*" } ] }, { - "access_level": "Write", - "description": "Updates a specified stack", - "privilege": "UpdateStack", + "access_level": "List", + "description": "Grants permission to retrieve information about jobs that create segments by importing endpoint definitions from", + "privilege": "GetSegmentImportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Updates a specified user profile", - "privilege": "UpdateUserProfile", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "segments*" } ] }, { - "access_level": "Write", - "description": "Updates an Amazon EBS volume's name or mount point", - "privilege": "UpdateVolume", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific segment version", + "privilege": "GetSegmentVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:opsworks:${Region}:${Account}:stack/${StackId}/", - "condition_keys": [], - "resource": "stack" - } - ], - "service_name": "AWS OpsWorks" - }, - { - "conditions": [], - "prefix": "opsworks-cm", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to associate a node to a configuration management server", - "privilege": "AssociateNode", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "segments*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a backup for the specified server", - "privilege": "CreateBackup", + "access_level": "List", + "description": "Grants permission to retrieve information about the current and prior versions of a segment", + "privilege": "GetSegmentVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new server", - "privilege": "CreateServer", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "segments*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the specified backup and possibly its S3 bucket", - "privilege": "DeleteBackup", + "access_level": "List", + "description": "Grants permission to retrieve information about the segments for an app", + "privilege": "GetSegments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the specified server with its corresponding CloudFormation stack and possibly the S3 bucket", - "privilege": "DeleteServer", + "access_level": "Read", + "description": "Grants permission to obtain information about the SMS channel in an app", + "privilege": "GetSmsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the service limits for the user's account", - "privilege": "DescribeAccountAttributes", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific or the active version of an sms message template", + "privilege": "GetSmsTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "templates*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe a single backup, all backups of a specified server or all backups of the user's account", - "privilege": "DescribeBackups", + "access_level": "Read", + "description": "Grants permission to retrieve information about the endpoints that are associated with a user ID", + "privilege": "GetUserEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe all events of the specified server", - "privilege": "DescribeEvents", + "access_level": "Read", + "description": "Grants permission to obtain information about the Voice channel in an app", + "privilege": "GetVoiceChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the association status for the specified node token and the specified server", - "privilege": "DescribeNodeAssociationStatus", + "access_level": "Read", + "description": "Grants permission to retrieve information about a specific or the active version of a voice message template", + "privilege": "GetVoiceTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "templates*" } ] }, { "access_level": "List", - "description": "Grants permission to describe the specified server or all servers of the user's account", - "privilege": "DescribeServers", + "description": "Grants permission to retrieve information about all journeys for an app", + "privilege": "ListJourneys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate a specified node from a server", - "privilege": "DisassociateNode", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "segments" } ] }, { - "access_level": "Read", - "description": "Grants permission to export an engine attribute from a server", - "privilege": "ExportServerEngineAttribute", + "access_level": "List", + "description": "Grants permission to retrieve all versions about a specific template", + "privilege": "ListTemplateVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "templates*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list the tags that are applied to the specified server or backup", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to retrieve metadata about the queried templates", + "privilege": "ListTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "templates*" } ] }, { - "access_level": "Write", - "description": "Grants permission to apply a backup to specified server. Possibly swaps out the ec2-instance if specified", - "privilege": "RestoreServer", + "access_level": "Read", + "description": "Grants permission to obtain metadata for a phone number, such as the number type (mobile, landline, or VoIP), location, and provider", + "privilege": "PhoneNumberValidate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "phone-number-validate*" } ] }, { "access_level": "Write", - "description": "Grants permission to start the server maintenance immediately", - "privilege": "StartMaintenance", + "description": "Grants permission to create or update an event stream for an app", + "privilege": "PutEventStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to apply tags to the specified server or backup", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to create or update events for an app", + "privilege": "PutEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from the specified server or backup", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to remove the attributes for an app", + "privilege": "RemoveAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to update general server settings", - "privilege": "UpdateServer", + "description": "Grants permission to send an SMS message or push notification to specific endpoints", + "privilege": "SendMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to update server settings specific to the configuration management type", - "privilege": "UpdateServerEngineAttributes", + "description": "Grants permission to send an OTP code to a user of your application", + "privilege": "SendOTPMessage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:opsworks-cm::${Account}:server/${ServerName}/${UniqueId}", - "condition_keys": [], - "resource": "server" - }, - { - "arn": "arn:${Partition}:opsworks-cm::${Account}:backup/${ServerName}-{Date-and-Time-Stamp-of-Backup}", - "condition_keys": [], - "resource": "backup" - } - ], - "service_name": "AWS OpsWorks Configuration Management" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - }, - { - "condition": "organizations:PolicyType", - "description": "Enables you to filter the request to only the specified policy type names.", - "type": "String" }, - { - "condition": "organizations:ServicePrincipal", - "description": "Enables you to filter the request to only the specified service principal names.", - "type": "String" - } - ], - "prefix": "organizations", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request.", - "privilege": "AcceptHandshake", + "description": "Grants permission to send an SMS message or push notification to all endpoints that are associated with a specific user ID", + "privilege": "SendUsersMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "handshake*" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Grants permission to attach a policy to a root, an organizational unit, or an individual account.", - "privilege": "AttachPolicy", + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" + "resource_type": "apps" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "campaigns" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" + "resource_type": "segments" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -130995,22 +145074,25 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a handshake.", - "privilege": "CancelHandshake", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "handshake*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request.", - "privilege": "CreateAccount", - "resource_types": [ + "resource_type": "apps" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "segments" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -131023,140 +145105,107 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS GovCloud (US) account.", - "privilege": "CreateGovCloudAccount", + "description": "Grants permission to update the Amazon Device Messaging (ADM) channel for an app", + "privilege": "UpdateAdmChannel", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the management account of the new organization.", - "privilege": "CreateOrganization", + "description": "Grants permission to update the Apple Push Notification service (APNs) channel for an app", + "privilege": "UpdateApnsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an organizational unit (OU) within a root or parent OU.", - "privilege": "CreateOrganizationalUnit", + "description": "Grants permission to update the Apple Push Notification service (APNs) sandbox channel for an app", + "privilege": "UpdateApnsSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account.", - "privilege": "CreatePolicy", + "description": "Grants permission to update the Apple Push Notification service (APNs) VoIP channel for an app", + "privilege": "UpdateApnsVoipChannel", "resource_types": [ { - "condition_keys": [ - "organizations:PolicyType", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request.", - "privilege": "DeclineHandshake", + "description": "Grants permission to update the Apple Push Notification service (APNs) VoIP sandbox channel for an app", + "privilege": "UpdateApnsVoipSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "handshake*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the organization.", - "privilege": "DeleteOrganization", + "description": "Grants permission to update the default settings for an app", + "privilege": "UpdateApplicationSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an organizational unit from a root or another OU.", - "privilege": "DeleteOrganizationalUnit", + "description": "Grants permission to update the Baidu channel for an app", + "privilege": "UpdateBaiduChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a policy from your organization.", - "privilege": "DeletePolicy", + "description": "Grants permission to update a specific campaign", + "privilege": "UpdateCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "apps*" }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal.", - "privilege": "DeregisterDelegatedAdministrator", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" + "resource_type": "campaigns*" }, { "condition_keys": [ - "organizations:ServicePrincipal" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -131164,42 +145213,31 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve Organizations-related details about the specified account.", - "privilege": "DescribeAccount", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the current status of an asynchronous request to create an account.", - "privilege": "DescribeCreateAccountStatus", + "access_level": "Write", + "description": "Grants permission to update the email channel for an app", + "privilege": "UpdateEmailChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the effective policy for an account.", - "privilege": "DescribeEffectivePolicy", + "access_level": "Write", + "description": "Grants permission to update a specific email template under the same version or generate a new version", + "privilege": "UpdateEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" + "resource_type": "templates*" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -131207,54 +145245,55 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about a previously requested handshake.", - "privilege": "DescribeHandshake", + "access_level": "Write", + "description": "Grants permission to create an endpoint or update the information for an endpoint", + "privilege": "UpdateEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "handshake*" + "resource_type": "apps*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieves details about the organization that the calling credentials belong to.", - "privilege": "DescribeOrganization", + "access_level": "Write", + "description": "Grants permission to create or update endpoints as a batch operation", + "privilege": "UpdateEndpointsBatch", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about an organizational unit (OU).", - "privilege": "DescribeOrganizationalUnit", + "access_level": "Write", + "description": "Grants permission to update the Firebase Cloud Messaging (FCM) or Google Cloud Messaging (GCM) API key that allows to send push notifications to your Android app", + "privilege": "UpdateGcmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit*" + "resource_type": "apps*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieves details about a policy.", - "privilege": "DescribePolicy", + "access_level": "Write", + "description": "Grants permission to update a specific in-app message template under the same version or generate a new version", + "privilege": "UpdateInAppTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "templates*" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -131263,32 +145302,23 @@ }, { "access_level": "Write", - "description": "Grants permission to detach a policy from a target root, organizational unit, or account.", - "privilege": "DetachPolicy", + "description": "Grants permission to update a specific journey", + "privilege": "UpdateJourney", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" + "resource_type": "journeys*" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -131297,31 +145327,23 @@ }, { "access_level": "Write", - "description": "Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.", - "privilege": "DisableAWSServiceAccess", + "description": "Grants permission to update a specific journey state", + "privilege": "UpdateJourneyState", "resource_types": [ { - "condition_keys": [ - "organizations:ServicePrincipal" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disable an organization policy type in a root.", - "privilege": "DisablePolicyType", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root*" + "resource_type": "journeys*" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -131330,12 +145352,18 @@ }, { "access_level": "Write", - "description": "Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.", - "privilege": "EnableAWSServiceAccess", + "description": "Grants permission to update a specific push notification template under the same version or generate a new version", + "privilege": "UpdatePushTemplate", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "templates*" + }, { "condition_keys": [ - "organizations:ServicePrincipal" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -131344,44 +145372,30 @@ }, { "access_level": "Write", - "description": "Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features.", - "privilege": "EnableAllFeatures", + "description": "Grants permission to update an Amazon Pinpoint configuration for a recommender model", + "privilege": "UpdateRecommenderConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "recommenders*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable a policy type in a root.", - "privilege": "EnablePolicyType", + "description": "Grants permission to update a specific segment", + "privilege": "UpdateSegment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "root*" + "resource_type": "apps*" }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account.", - "privilege": "InviteAccountToOrganization", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" + "resource_type": "segments*" }, { "condition_keys": [ @@ -131395,217 +145409,280 @@ }, { "access_level": "Write", - "description": "Grants permission to remove a member account from its parent organization.", - "privilege": "LeaveOrganization", + "description": "Grants permission to update the SMS channel for an app", + "privilege": "UpdateSmsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization.", - "privilege": "ListAWSServiceAccessForOrganization", + "access_level": "Write", + "description": "Grants permission to update a specific sms message template under the same version or generate a new version", + "privilege": "UpdateSmsTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "templates*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the the accounts in the organization.", - "privilege": "ListAccounts", + "access_level": "Write", + "description": "Grants permission to update the active version parameter of a specific template", + "privilege": "UpdateTemplateActiveVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "templates*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU).", - "privilege": "ListAccountsForParent", + "access_level": "Write", + "description": "Grants permission to update the Voice channel for an app", + "privilege": "UpdateVoiceChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the OUs or accounts that are contained in a parent OU or root.", - "privilege": "ListChildren", + "access_level": "Write", + "description": "Grants permission to update a specific voice message template under the same version or generate a new version", + "privilege": "UpdateVoiceTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "templates*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "root" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization.", - "privilege": "ListCreateAccountStatus", + "access_level": "Write", + "description": "Grants permission to check the validity of One-Time Passwords (OTPs)", + "privilege": "VerifyOTPMessage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "apps" }, { - "access_level": "List", - "description": "Grants permission to list the AWS accounts that are designated as delegated administrators in this organization.", - "privilege": "ListDelegatedAdministrators", - "resource_types": [ - { - "condition_keys": [ - "organizations:ServicePrincipal" - ], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/campaigns/${CampaignId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "campaigns" }, { - "access_level": "List", - "description": "Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization.", - "privilege": "ListDelegatedServicesForAccount", + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/journeys/${JourneyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "journeys" + }, + { + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/segments/${SegmentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "segments" + }, + { + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/${ChannelType}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "templates" + }, + { + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:recommenders/${RecommenderId}", + "condition_keys": [], + "resource": "recommenders" + }, + { + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:phone/number/validate", + "condition_keys": [], + "resource": "phone-number-validate" + } + ], + "service_name": "Amazon Pinpoint" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions by the tag keys in the request", + "type": "ArrayOfString" + } + ], + "prefix": "monitron", + "privileges": [ + { + "access_level": "Permissions management", + "description": "Grants permission to associate a user with the project as an administrator", + "privilege": "AssociateProjectAdminUser", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "account*" + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:AssociateProfile", + "sso:GetManagedApplicationInstance", + "sso:GetProfile", + "sso:ListDirectoryAssociations", + "sso:ListProfiles" + ], + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the handshakes that are associated with an account.", - "privilege": "ListHandshakesForAccount", + "access_level": "Write", + "description": "Grants permission to create a project", + "privilege": "CreateProject", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "kms:CreateGrant", + "sso:CreateManagedApplicationInstance", + "sso:DeleteManagedApplicationInstance" + ], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the handshakes that are associated with the organization.", - "privilege": "ListHandshakesForOrganization", + "access_level": "Write", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to lists all of the organizational units (OUs) in a parent organizational unit or root.", - "privilege": "ListOrganizationalUnitsForParent", + "access_level": "Permissions management", + "description": "Grants permission to disassociate an administrator from the project", + "privilege": "DisassociateProjectAdminUser", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:DisassociateProfile", + "sso:GetManagedApplicationInstance", + "sso:GetProfile", + "sso:ListDirectoryAssociations", + "sso:ListProfiles" + ], + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account.", - "privilege": "ListParents", + "access_level": "Read", + "description": "Grants permission to get information about a project", + "privilege": "GetProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the policies in an organization.", - "privilege": "ListPolicies", + "access_level": "Read", + "description": "Grants permission to describe an administrator who is associated with the project", + "privilege": "GetProjectAdminUser", "resource_types": [ { - "condition_keys": [ - "organizations:PolicyType" + "condition_keys": [], + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:GetManagedApplicationInstance" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account.", - "privilege": "ListPoliciesForTarget", + "access_level": "Permissions management", + "description": "Grants permission to list all administrators associated with the project", + "privilege": "ListProjectAdminUsers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" - }, - { - "condition_keys": [ - "organizations:PolicyType" + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:GetManagedApplicationInstance" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { "access_level": "List", - "description": "Grants permission to list all of the roots that are defined in the organization.", - "privilege": "ListRoots", + "description": "Grants permission to list all projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], @@ -131615,45 +145692,39 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all tags for the specified resource.", + "access_level": "Read", + "description": "Grants permission to list all tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy" + "resource_type": "project" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "root" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the roots, OUs, and accounts to which a policy is attached.", - "privilege": "ListTargetsForPolicy", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "project" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -131661,87 +145732,140 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to move an account from its current root or OU to another parent root or OU.", - "privilege": "MoveAccount", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "project" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "root" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to register the specified member account to administer the Organizations features of the AWS service that is specified by ServicePrincipal.", - "privilege": "RegisterDelegatedAdministrator", + "description": "Grants permission to update a project", + "privilege": "UpdateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" + "resource_type": "project*" }, { "condition_keys": [ - "organizations:ServicePrincipal" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" } ] - }, + } + ], + "resources": [ { - "access_level": "Write", - "description": "Grants permission to removes the specified account from the organization.", - "privilege": "RemoveAccountFromOrganization", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account*" - } - ] - }, + "arn": "arn:${Partition}:monitron:${Region}:${Account}:project/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "project" + } + ], + "service_name": "Amazon Monitron" + }, + { + "conditions": [ { - "access_level": "Tagging", - "description": "Grants permission to add one or more tags to the specified resource.", - "privilege": "TagResource", + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "mq", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a broker", + "privilege": "CreateBroker", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" - }, + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:CreateNetworkInterfacePermission", + "ec2:CreateSecurityGroup", + "ec2:CreateVpcEndpoint", + "ec2:DescribeInternetGateways", + "ec2:DescribeNetworkInterfacePermissions", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeVpcs", + "ec2:ModifyNetworkInterfaceAttribute", + "iam:CreateServiceLinkedRole", + "route53:AssociateVPCWithHostedZone" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and engine version)", + "privilege": "CreateConfiguration", + "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "organizationalunit" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to create tags", + "privilege": "CreateTags", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy" + "resource_type": "brokers" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" + "resource_type": "configurations" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -131749,29 +145873,48 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from the specified resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create an ActiveMQ user", + "privilege": "CreateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" - }, + "resource_type": "brokers*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a broker", + "privilege": "DeleteBroker", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" - }, + "dependent_actions": [ + "ec2:DeleteNetworkInterface", + "ec2:DeleteNetworkInterfacePermission", + "ec2:DeleteVpcEndpoints", + "ec2:DetachNetworkInterface" + ], + "resource_type": "brokers*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to delete tags", + "privilege": "DeleteTags", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy" + "resource_type": "brokers" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" + "resource_type": "configurations" }, { "condition_keys": [ @@ -131784,91 +145927,32 @@ }, { "access_level": "Write", - "description": "Grants permission to rename an organizational unit (OU).", - "privilege": "UpdateOrganizationalUnit", + "description": "Grants permission to delete an ActiveMQ user", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit*" + "resource_type": "brokers*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an existing policy with a new name, description, or content.", - "privilege": "UpdatePolicy", + "access_level": "Read", + "description": "Grants permission to return information about the specified broker", + "privilege": "DescribeBroker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:account/o-${OrganizationId}/${AccountId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "account" - }, - { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId}", - "condition_keys": [], - "resource": "handshake" - }, - { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:organization/o-${OrganizationId}", - "condition_keys": [], - "resource": "organization" - }, - { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "organizationalunit" - }, - { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "policy" - }, - { - "arn": "arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId}", - "condition_keys": [], - "resource": "awspolicy" }, { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:root/o-${OrganizationId}/r-${RootId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "root" - } - ], - "service_name": "AWS Organizations" - }, - { - "conditions": [], - "prefix": "outposts", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create an Outpost", - "privilege": "CreateOutpost", + "access_level": "Read", + "description": "Grants permission to return information about broker engines", + "privilege": "DescribeBrokerEngineTypes", "resource_types": [ { "condition_keys": [], @@ -131878,9 +145962,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Outpost", - "privilege": "DeleteOutpost", + "access_level": "Read", + "description": "Grants permission to return information about the broker instance options", + "privilege": "DescribeBrokerInstanceOptions", "resource_types": [ { "condition_keys": [], @@ -131890,45 +145974,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete an site", - "privilege": "DeleteSite", + "access_level": "Read", + "description": "Grants permission to return information about the specified configuration", + "privilege": "DescribeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "configurations*" } ] }, { "access_level": "Read", - "description": "Grants permission to get information about the specified Outpost", - "privilege": "GetOutpost", + "description": "Grants permission to return the specified configuration revision for the specified configuration", + "privilege": "DescribeConfigurationRevision", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "configurations*" } ] }, { "access_level": "Read", - "description": "Grants permission to list the instance types for the specified Outpost", - "privilege": "GetOutpostInstanceTypes", + "description": "Grants permission to return information about an ActiveMQ user", + "privilege": "DescribeUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] }, { "access_level": "List", - "description": "Grants permission to list the Outposts for your AWS account", - "privilege": "ListOutposts", + "description": "Grants permission to return a list of all brokers", + "privilege": "ListBrokers", "resource_types": [ { "condition_keys": [], @@ -131939,20 +146023,20 @@ }, { "access_level": "List", - "description": "Grants permission to list the sites for your AWS account", - "privilege": "ListSites", + "description": "Grants permission to return a list of all existing revisions for the specified configuration", + "privilege": "ListConfigurationRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "configurations*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to return a list of all configurations", + "privilege": "ListConfigurations", "resource_types": [ { "condition_keys": [], @@ -131962,199 +146046,196 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a resource", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to return a list of tags", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurations" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to return a list of all ActiveMQ users", + "privilege": "ListUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] - } - ], - "resources": [], - "service_name": "AWS Outposts" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "panorama", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama application", - "privilege": "CreateApp", + "description": "Grants permission to reboot a broker", + "privilege": "RebootBroker", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] }, { "access_level": "Write", - "description": "Grants permission to deploy an AWS Panorama application", - "privilege": "CreateAppDeployment", + "description": "Grants permission to add a pending configuration change to a broker", + "privilege": "UpdateBroker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a version of an AWS Panorama application", - "privilege": "CreateAppVersion", + "description": "Grants permission to update the specified configuration", + "privilege": "UpdateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "appVersion*" + "resource_type": "configurations*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama Application Instance", - "privilege": "CreateApplicationInstance", + "description": "Grants permission to update the information for an ActiveMQ user", + "privilege": "UpdateUser", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mq:${Region}:${Account}:broker:${BrokerId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "brokers" }, + { + "arn": "arn:${Partition}:mq:${Region}:${Account}:configuration:${ConfigurationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "configurations" + } + ], + "service_name": "Amazon MQ" + }, + { + "conditions": [ + { + "condition": "neptune-db:QueryLanguage", + "description": "Filters access by graph model", + "type": "String" + } + ], + "prefix": "neptune-db", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama datasource", - "privilege": "CreateDataSource", + "description": "Grants permission to cancel a loader job", + "privilege": "CancelLoaderJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to configure a deployment for an AWS Panorama application", - "privilege": "CreateDeploymentConfiguration", + "description": "Grants permission to cancel an ML data processing job", + "privilege": "CancelMLDataProcessingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to generate a list of cameras on the same network as an AWS Panorama Appliance", - "privilege": "CreateInputs", + "description": "Grants permission to cancel an ML model training job", + "privilege": "CancelMLModelTrainingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a job for an AWS Panorama Appliance", - "privilege": "CreateJobForDevices", + "description": "Grants permission to cancel an ML model transform job", + "privilege": "CancelMLModelTransformJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to import a machine learning model into AWS Panorama", - "privilege": "CreateModel", + "description": "Grants permission to cancel a query", + "privilege": "CancelQuery", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama Node", - "privilege": "CreateNodeFromTemplateJob", + "description": "Grants permission to create an ML endpoint", + "privilege": "CreateMLEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama Package", - "privilege": "CreatePackage", + "description": "Grants permission to run delete data via query APIs on database", + "privilege": "DeleteDataViaQuery", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "neptune-db:QueryLanguage" ], "dependent_actions": [], "resource_type": "" @@ -132163,512 +146244,666 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama Package", - "privilege": "CreatePackageImportJob", + "description": "Grants permission to delete an ML endpoint", + "privilege": "DeleteMLEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to generate a list of streams available to an AWS Panorama Appliance", - "privilege": "CreateStreams", + "description": "Grants permission to delete all the statistics in the database", + "privilege": "DeleteStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "database*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Panorama application", - "privilege": "DeleteApp", + "access_level": "Read", + "description": "Grants permission to check the status of the Neptune engine", + "privilege": "GetEngineStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "database*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a version of an AWS Panorama application", - "privilege": "DeleteAppVersion", + "access_level": "Read", + "description": "Grants permission to check the status of a loader job", + "privilege": "GetLoaderJobStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "database*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Panorama datasource", - "privilege": "DeleteDataSource", + "access_level": "Read", + "description": "Grants permission to check the status of an ML data processing job", + "privilege": "GetMLDataProcessingJobStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource*" + "resource_type": "database*" } ] }, { - "access_level": "Write", - "description": "Grants permission to deregister an AWS Panorama Appliance", - "privilege": "DeleteDevice", + "access_level": "Read", + "description": "Grants permission to check the status of an ML endpoint", + "privilege": "GetMLEndpointStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "database*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a machine learning model from AWS Panorama", - "privilege": "DeleteModel", + "access_level": "Read", + "description": "Grants permission to check the status of an ML model training job", + "privilege": "GetMLModelTrainingJobStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "database*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Panorama Package", - "privilege": "DeletePackage", + "access_level": "Read", + "description": "Grants permission to check the status of an ML model transform job", + "privilege": "GetMLModelTransformJobStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "package*" + "resource_type": "database*" } ] }, { - "access_level": "Write", - "description": "Grants permission to deregister an AWS Panorama Package Version", - "privilege": "DeregisterPackageVersion", + "access_level": "Read", + "description": "Grants permission to check the status of all active queries", + "privilege": "GetQueryStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [ + "neptune-db:QueryLanguage" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama application", - "privilege": "DescribeApp", + "description": "Grants permission to check the status of statistics of the database", + "privilege": "GetStatisticsStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "database*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about a deployment for an AWS Panorama application", - "privilege": "DescribeAppDeployment", + "description": "Grants permission to fetch stream records from Neptune", + "privilege": "GetStreamRecords", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [ + "neptune-db:QueryLanguage" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a version of an AWS Panorama application", - "privilege": "DescribeAppVersion", + "access_level": "List", + "description": "Grants permission to list all the loader jobs", + "privilege": "ListLoaderJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Application Instance", - "privilege": "DescribeApplicationInstance", + "access_level": "List", + "description": "Grants permission to list all the ML data processing jobs", + "privilege": "ListMLDataProcessingJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applicationInstance*" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Application Instance", - "privilege": "DescribeApplicationInstanceDetails", + "access_level": "List", + "description": "Grants permission to list all the ML endpoints", + "privilege": "ListMLEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applicationInstance*" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a datasource in AWS Panorama", - "privilege": "DescribeDataSource", + "access_level": "List", + "description": "Grants permission to list all the ML model training jobs", + "privilege": "ListMLModelTrainingJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource*" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Appliance", - "privilege": "DescribeDevice", + "access_level": "List", + "description": "Grants permission to list all the ML model transform jobs", + "privilege": "ListMLModelTransformJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view job details for an AWS Panorama Appliance", - "privilege": "DescribeDeviceJob", + "access_level": "Write", + "description": "Grants permission to manage statistics in the database", + "privilege": "ManageStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about a machine learning model in AWS Panorama", - "privilege": "DescribeModel", + "description": "Grants permission to run read data via query APIs on database", + "privilege": "ReadDataViaQuery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "database*" + }, + { + "condition_keys": [ + "neptune-db:QueryLanguage" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Node", - "privilege": "DescribeNode", + "access_level": "Write", + "description": "Grants permission to get the token needed for reset and resets the Neptune database", + "privilege": "ResetDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about AWS Panorama Node", - "privilege": "DescribeNodeFromTemplateJob", + "access_level": "Write", + "description": "Grants permission to start a loader job", + "privilege": "StartLoaderJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Package", - "privilege": "DescribePackage", + "access_level": "Write", + "description": "Grants permission to start an ML data processing job", + "privilege": "StartMLDataProcessingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "package*" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Package", - "privilege": "DescribePackageImportJob", + "access_level": "Write", + "description": "Grants permission to start an ML model training job", + "privilege": "StartMLModelTrainingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Package Version", - "privilege": "DescribePackageVersion", + "access_level": "Write", + "description": "Grants permission to start an ML model transform job", + "privilege": "StartMLModelTransformJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a software version for the AWS Panorama Appliance", - "privilege": "DescribeSoftware", + "access_level": "Write", + "description": "Grants permission to run write data via query APIs on database", + "privilege": "WriteDataViaQuery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [ + "neptune-db:QueryLanguage" + ], + "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database", + "condition_keys": [], + "resource": "database" + } + ], + "service_name": "Amazon Neptune" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by on the allowed set of values for each of the tags", + "type": "String" }, { - "access_level": "Read", - "description": "Grants permission to view details about a deployment configuration for an AWS Panorama application", - "privilege": "GetDeploymentConfiguration", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tag value associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the presence of mandatory tags in the request", + "type": "ArrayOfString" + } + ], + "prefix": "network-firewall", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an association between a firewall policy and a firewall", + "privilege": "AssociateFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "FirewallPolicy*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of cameras generated with CreateInputs", - "privilege": "GetInputs", + "access_level": "Write", + "description": "Grants permission to associate VPC subnets to a firewall", + "privilege": "AssociateSubnets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of streams generated with CreateStreams", - "privilege": "GetStreams", + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall firewall", + "privilege": "CreateFirewall", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "Firewall*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "FirewallPolicy*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to generate a WebSocket endpoint for communication with AWS Panorama", - "privilege": "GetWebSocketURL", + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall firewall policy", + "privilege": "CreateFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "FirewallPolicy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of deployments for an AWS Panorama application", - "privilege": "ListAppDeploymentOperations", + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall rule group", + "privilege": "CreateRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of application versions in AWS Panorama", - "privilege": "ListAppVersions", + "access_level": "Write", + "description": "Grants permission to delete a firewall", + "privilege": "DeleteFirewall", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "Firewall*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of application instance dependencies in AWS Panorama", - "privilege": "ListApplicationInstanceDependencies", + "access_level": "Write", + "description": "Grants permission to delete a firewall policy", + "privilege": "DeleteFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "FirewallPolicy*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of node instances of application instances in AWS Panorama", - "privilege": "ListApplicationInstanceNodeInstances", + "access_level": "Write", + "description": "Grants permission to delete a resource policy for a firewall policy or rule group", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "FirewallPolicy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of application instances in AWS Panorama", - "privilege": "ListApplicationInstances", + "access_level": "Write", + "description": "Grants permission to delete a rule group", + "privilege": "DeleteRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatefulRuleGroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of applications in AWS Panorama", - "privilege": "ListApps", + "access_level": "Read", + "description": "Grants permission to retrieve the data objects that define a firewall", + "privilege": "DescribeFirewall", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of datasources in AWS Panorama", - "privilege": "ListDataSources", + "access_level": "Read", + "description": "Grants permission to retrieve the data objects that define a firewall policy", + "privilege": "DescribeFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "FirewallPolicy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of deployment configurations in AWS Panorama", - "privilege": "ListDeploymentConfigurations", + "access_level": "Read", + "description": "Grants permission to describe the logging configuration of a firewall", + "privilege": "DescribeLoggingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of appliances in AWS Panorama", - "privilege": "ListDevices", + "access_level": "Read", + "description": "Grants permission to describe a resource policy for a firewall policy or rule group", + "privilege": "DescribeResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "FirewallPolicy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of jobs for an AWS Panorama Appliance", - "privilege": "ListDevicesJobs", + "access_level": "Read", + "description": "Grants permission to retrieve the data objects that define a rule group", + "privilege": "DescribeRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of models in AWS Panorama", - "privilege": "ListModels", + "access_level": "Read", + "description": "Grants permission to retrieve the high-level information about a rule group", + "privilege": "DescribeRuleGroupMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of Nodes for an AWS Panorama Appliance", - "privilege": "ListNodeFromTemplateJobs", + "access_level": "Write", + "description": "Grants permission to disassociate VPC subnets from a firewall", + "privilege": "DisassociateSubnets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of nodes in AWS Panorama", - "privilege": "ListNodes", + "description": "Grants permission to retrieve the metadata for firewall policies", + "privilege": "ListFirewallPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "FirewallPolicy*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of packages in AWS Panorama", - "privilege": "ListPackageImportJobs", + "description": "Grants permission to retrieve the metadata for firewalls", + "privilege": "ListFirewalls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of packages in AWS Panorama", - "privilege": "ListPackages", + "description": "Grants permission to retrieve the metadata for rule groups", + "privilege": "ListRuleGroups", "resource_types": [ { "condition_keys": [], @@ -132679,99 +146914,82 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of tags for a resource in AWS Panorama", + "description": "Grants permission to retrieve the tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app" + "resource_type": "Firewall*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource" + "resource_type": "FirewallPolicy*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" + "resource_type": "StatefulRuleGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to register an AWS Panorama Appliance", - "privilege": "ProvisionDevice", + "description": "Grants permission to put a resource policy for a firewall policy or rule group", + "privilege": "PutResourcePolicy", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to register an AWS Panorama Package Version", - "privilege": "RegisterPackageVersion", - "resource_types": [ + "resource_type": "FirewallPolicy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to remove an AWS Panorama Application Instance", - "privilege": "RemoveApplicationInstance", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "applicationInstance*" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add tags to a resource in AWS Panorama", + "description": "Grants permission to attach tags to a resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app" + "resource_type": "Firewall" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource" + "resource_type": "FirewallPolicy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" + "resource_type": "StatefulRuleGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" + "resource_type": "StatelessRuleGroup" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -132780,28 +146998,28 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource in AWS Panorama", + "description": "Grants permission to remove tags from a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app" + "resource_type": "Firewall" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource" + "resource_type": "FirewallPolicy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" + "resource_type": "StatefulRuleGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" + "resource_type": "StatelessRuleGroup" }, { "condition_keys": [ @@ -132814,1228 +147032,1213 @@ }, { "access_level": "Write", - "description": "Grants permission to modify an AWS Panorama application", - "privilege": "UpdateApp", + "description": "Grants permission to add or remove delete protection for a firewall", + "privilege": "UpdateFirewallDeleteProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the version-specific configuration of an AWS Panorama application", - "privilege": "UpdateAppConfiguration", + "description": "Grants permission to modify the description for a firewall", + "privilege": "UpdateFirewallDescription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an AWS Panorama datasource", - "privilege": "UpdateDataSource", + "description": "Grants permission to modify the encryption configuration of a firewall", + "privilege": "UpdateFirewallEncryptionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify basic settings for an AWS Panorama Appliance", - "privilege": "UpdateDeviceMetadata", + "description": "Grants permission to modify a firewall policy", + "privilege": "UpdateFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:device/${DeviceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "device" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:package/${PackageId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "package" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:applicationInstance/${ApplicationInstanceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "applicationInstance" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:dataSource/${DeviceId}/${DataSourceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dataSource" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:model/${ModelName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "model" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "app" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}:${AppVersion}", - "condition_keys": [], - "resource": "appVersion" - } - ], - "service_name": "AWS Panorama" - }, - { - "conditions": [], - "prefix": "personalize", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a batch inference job", - "privilege": "CreateBatchInferenceJob", - "resource_types": [ + "resource_type": "FirewallPolicy*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchInferenceJob*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a campaign", - "privilege": "CreateCampaign", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset", - "privilege": "CreateDataset", + "description": "Grants permission to add or remove firewall policy change protection for a firewall", + "privilege": "UpdateFirewallPolicyChangeProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset export job", - "privilege": "CreateDatasetExportJob", + "description": "Grants permission to modify the logging configuration of a firewall", + "privilege": "UpdateLoggingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetExportJob*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset group", - "privilege": "CreateDatasetGroup", + "description": "Grants permission to modify a rule group", + "privilege": "UpdateRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a dataset import job", - "privilege": "CreateDatasetImportJob", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetImportJob*" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to create an event tracker", - "privilege": "CreateEventTracker", + "description": "Grants permission to add or remove subnet change protection for a firewall", + "privilege": "UpdateSubnetChangeProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventTracker*" + "resource_type": "Firewall*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Firewall" }, { - "access_level": "Write", - "description": "Grants permission to create a filter", - "privilege": "CreateFilter", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "filter*" - } - ] + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "FirewallPolicy" }, { - "access_level": "Write", - "description": "Grants permission to create a schema", - "privilege": "CreateSchema", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" - } - ] + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "StatefulRuleGroup" + }, + { + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "StatelessRuleGroup" + } + ], + "service_name": "AWS Network Firewall" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + }, + { + "condition": "networkmanager:cgwArn", + "description": "Filters access by which customer gateways can be associated or disassociated", + "type": "String" + }, + { + "condition": "networkmanager:subnetArns", + "description": "Filters access by which VPC subnets can be added or removed from a VPC attachment", + "type": "ArrayOfString" }, + { + "condition": "networkmanager:tgwArn", + "description": "Filters access by which transit gateways can be registered, deregistered, or peered", + "type": "String" + }, + { + "condition": "networkmanager:tgwConnectPeerArn", + "description": "Filters access by which transit gateway connect peers can be associated or disassociated", + "type": "String" + }, + { + "condition": "networkmanager:tgwRtbArn", + "description": "Filters access by which Transit Gateway Route Table can be used to create an attachment", + "type": "String" + }, + { + "condition": "networkmanager:vpcArn", + "description": "Filters access by which VPC can be used to a create/update attachment", + "type": "String" + }, + { + "condition": "networkmanager:vpnConnectionArn", + "description": "Filters access by which Site-to-Site VPN can be used to a create/update attachment", + "type": "String" + } + ], + "prefix": "networkmanager", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a solution", - "privilege": "CreateSolution", + "description": "Grants permission to accept creation of an attachment between a source and destination in a core network", + "privilege": "AcceptAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "attachment*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a solution version", - "privilege": "CreateSolutionVersion", + "description": "Grants permission to associate a Connect Peer", + "privilege": "AssociateConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a campaign", - "privilege": "DeleteCampaign", - "resource_types": [ + "resource_type": "device*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataset", + "description": "Grants permission to associate a customer gateway to a device", + "privilege": "AssociateCustomerGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [ + "networkmanager:cgwArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset group", - "privilege": "DeleteDatasetGroup", + "description": "Grants permission to associate a link to a device", + "privilege": "AssociateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an event tracker", - "privilege": "DeleteEventTracker", + "description": "Grants permission to associate a transit gateway connect peer to a device", + "privilege": "AssociateTransitGatewayConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventTracker*" + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [ + "networkmanager:tgwConnectPeerArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a filter", - "privilege": "DeleteFilter", + "description": "Grants permission to create a Connect attachment", + "privilege": "CreateConnectAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "filter*" + "resource_type": "attachment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "core-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a schema", - "privilege": "DeleteSchema", + "description": "Grants permission to create a Connect Peer connection", + "privilege": "CreateConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "attachment*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a solution including all versions of the solution", - "privilege": "DeleteSolution", + "description": "Grants permission to create a new connection", + "privilege": "CreateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an algorithm", - "privilege": "DescribeAlgorithm", + "access_level": "Write", + "description": "Grants permission to create a new core network", + "privilege": "CreateCoreNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "algorithm*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a batch inference job", - "privilege": "DescribeBatchInferenceJob", + "access_level": "Write", + "description": "Grants permission to create a new device", + "privilege": "CreateDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchInferenceJob*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a campaign", - "privilege": "DescribeCampaign", + "access_level": "Write", + "description": "Grants permission to create a new global network", + "privilege": "CreateGlobalNetwork", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaign*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a dataset", - "privilege": "DescribeDataset", + "access_level": "Write", + "description": "Grants permission to create a new link", + "privilege": "CreateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a dataset export job", - "privilege": "DescribeDatasetExportJob", - "resource_types": [ + "resource_type": "global-network*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetExportJob*" + "resource_type": "site" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a dataset group", - "privilege": "DescribeDatasetGroup", + "access_level": "Write", + "description": "Grants permission to create a new site", + "privilege": "CreateSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a dataset import job", - "privilege": "DescribeDatasetImportJob", + "access_level": "Write", + "description": "Grants permission to create a site-to-site VPN attachment", + "privilege": "CreateSiteToSiteVpnAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetImportJob*" + "resource_type": "core-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "networkmanager:vpnConnectionArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an event tracker", - "privilege": "DescribeEventTracker", + "access_level": "Write", + "description": "Grants permission to create a Transit Gateway peering", + "privilege": "CreateTransitGatewayPeering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventTracker*" + "resource_type": "core-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "networkmanager:tgwArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a feature transformation", - "privilege": "DescribeFeatureTransformation", + "access_level": "Write", + "description": "Grants permission to create a TGW RTB attachment", + "privilege": "CreateTransitGatewayRouteTableAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "featureTransformation*" + "resource_type": "peering*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "networkmanager:tgwRtbArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a filter", - "privilege": "DescribeFilter", + "access_level": "Write", + "description": "Grants permission to create a VPC attachment", + "privilege": "CreateVpcAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "filter*" + "resource_type": "core-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "networkmanager:vpcArn", + "networkmanager:subnetArns" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a recipe", - "privilege": "DescribeRecipe", + "access_level": "Write", + "description": "Grants permission to delete an attachment", + "privilege": "DeleteAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recipe*" + "resource_type": "attachment*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a schema", - "privilege": "DescribeSchema", + "access_level": "Write", + "description": "Grants permission to delete a Connect Peer", + "privilege": "DeleteConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "connect-peer*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a solution", - "privilege": "DescribeSolution", + "access_level": "Write", + "description": "Grants permission to delete a connection", + "privilege": "DeleteConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a version of a solution", - "privilege": "DescribeSolutionVersion", - "resource_types": [ + "resource_type": "connection*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "global-network*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a re-ranked list of recommendations", - "privilege": "GetPersonalizedRanking", + "access_level": "Write", + "description": "Grants permission to delete a core network", + "privilege": "DeleteCoreNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "core-network*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a list of recommendations from a campaign", - "privilege": "GetRecommendations", + "access_level": "Write", + "description": "Grants permission to delete the core network policy version", + "privilege": "DeleteCoreNetworkPolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "core-network*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get metrics for a solution version", - "privilege": "GetSolutionMetrics", + "access_level": "Write", + "description": "Grants permission to delete a device", + "privilege": "DeleteDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list batch inference jobs", - "privilege": "ListBatchInferenceJobs", - "resource_types": [ + "resource_type": "device*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { - "access_level": "List", - "description": "Grants permission to list campaigns", - "privilege": "ListCampaigns", + "access_level": "Write", + "description": "Grants permission to delete a global network", + "privilege": "DeleteGlobalNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { - "access_level": "List", - "description": "Grants permission to list dataset export jobs", - "privilege": "ListDatasetExportJobs", + "access_level": "Write", + "description": "Grants permission to delete a link", + "privilege": "DeleteLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list dataset groups", - "privilege": "ListDatasetGroups", - "resource_types": [ + "resource_type": "global-network*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "link*" } ] }, { - "access_level": "List", - "description": "Grants permission to list dataset import jobs", - "privilege": "ListDatasetImportJobs", + "access_level": "Write", + "description": "Grants permission to delete a peering", + "privilege": "DeletePeering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "peering*" } ] }, { - "access_level": "List", - "description": "Grants permission to list datasets", - "privilege": "ListDatasets", + "access_level": "Write", + "description": "Grants permission to delete a resource", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "core-network*" } ] }, { - "access_level": "List", - "description": "Grants permission to list event trackers", - "privilege": "ListEventTrackers", + "access_level": "Write", + "description": "Grants permission to delete a site", + "privilege": "DeleteSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list filters", - "privilege": "ListFilters", - "resource_types": [ + "resource_type": "global-network*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "site*" } ] }, { - "access_level": "List", - "description": "Grants permission to list recipes", - "privilege": "ListRecipes", + "access_level": "Write", + "description": "Grants permission to deregister a transit gateway from a global network", + "privilege": "DeregisterTransitGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:tgwArn" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list schemas", - "privilege": "ListSchemas", + "description": "Grants permission to describe global networks", + "privilege": "DescribeGlobalNetworks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network" } ] }, { - "access_level": "List", - "description": "Grants permission to list versions of a solution", - "privilege": "ListSolutionVersions", + "access_level": "Write", + "description": "Grants permission to disassociate a Connect Peer", + "privilege": "DisassociateConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { - "access_level": "List", - "description": "Grants permission to list solutions", - "privilege": "ListSolutions", + "access_level": "Write", + "description": "Grants permission to disassociate a customer gateway from a device", + "privilege": "DisassociateCustomerGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:cgwArn" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to put real time event data", - "privilege": "PutEvents", + "description": "Grants permission to disassociate a link from a device", + "privilege": "DisassociateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventTracker*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to ingest Items data", - "privilege": "PutItems", - "resource_types": [ + "resource_type": "device*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link*" } ] }, { "access_level": "Write", - "description": "Grants permission to ingest Users data", - "privilege": "PutUsers", + "description": "Grants permission to disassociate a transit gateway connect peer from a device", + "privilege": "DisassociateTransitGatewayConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:tgwConnectPeerArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a solution version creation", - "privilege": "StopSolutionVersionCreation", + "description": "Grants permission to apply changes to the core network", + "privilege": "ExecuteCoreNetworkChangeSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "core-network*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a campaign", - "privilege": "UpdateCampaign", + "access_level": "Read", + "description": "Grants permission to retrieve a Connect attachment", + "privilege": "GetConnectAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "attachment*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:schema/${ResourceId}", - "condition_keys": [], - "resource": "schema" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:feature-transformation/${ResourceId}", - "condition_keys": [], - "resource": "featureTransformation" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset/${ResourceId}", - "condition_keys": [], - "resource": "dataset" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-group/${ResourceId}", - "condition_keys": [], - "resource": "datasetGroup" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-import-job/${ResourceId}", - "condition_keys": [], - "resource": "datasetImportJob" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-export-job/${ResourceId}", - "condition_keys": [], - "resource": "datasetExportJob" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:solution/${ResourceId}", - "condition_keys": [], - "resource": "solution" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:campaign/${ResourceId}", - "condition_keys": [], - "resource": "campaign" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:event-tracker/${ResourceId}", - "condition_keys": [], - "resource": "eventTracker" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:recipe/${ResourceId}", - "condition_keys": [], - "resource": "recipe" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:algorithm/${ResourceId}", - "condition_keys": [], - "resource": "algorithm" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:batch-inference-job/${ResourceId}", - "condition_keys": [], - "resource": "batchInferenceJob" }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:filter/${ResourceId}", - "condition_keys": [], - "resource": "filter" - } - ], - "service_name": "Amazon Personalize" - }, - { - "conditions": [], - "prefix": "pi", - "privileges": [ { "access_level": "Read", - "description": "For a specific time period, retrieve the top N dimension keys for a metric.", - "privilege": "DescribeDimensionKeys", + "description": "Grants permission to retrieve a Connect Peer", + "privilege": "GetConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "metric-resource*" + "resource_type": "connect-peer*" } ] }, { "access_level": "Read", - "description": "Retrieve the attributes of the specified dimension group.", - "privilege": "GetDimensionKeyDetails", + "description": "Grants permission to describe Connect Peer associations", + "privilege": "GetConnectPeerAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "metric-resource*" + "resource_type": "global-network*" } ] }, { - "access_level": "Read", - "description": "Retrieve PI metrics for a set of data sources, over a time period.", - "privilege": "GetResourceMetrics", + "access_level": "List", + "description": "Grants permission to describe connections", + "privilege": "GetConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "metric-resource*" + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:pi:${Region}:${Account}:metrics/${ServiceType}/${Identifier}", - "condition_keys": [], - "resource": "metric-resource" - } - ], - "service_name": "AWS Performance Insights" - }, - { - "conditions": [], - "prefix": "polly", - "privileges": [ + }, { - "access_level": "Write", - "description": "Grants permissions to delete the specified pronunciation lexicon stored in an AWS Region", - "privilege": "DeleteLexicon", + "access_level": "Read", + "description": "Grants permission to retrieve a core network", + "privilege": "GetCoreNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "lexicon*" + "resource_type": "core-network*" } ] }, { - "access_level": "List", - "description": "Grants permissions to describe the list of voices that are available for use when requesting speech synthesis", - "privilege": "DescribeVoices", + "access_level": "Read", + "description": "Grants permission to retrieve a list of core network change events", + "privilege": "GetCoreNetworkChangeEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "core-network*" } ] }, { "access_level": "Read", - "description": "Grants permissions to retrieve the content of the specified pronunciation lexicon stored in an AWS Region", - "privilege": "GetLexicon", + "description": "Grants permission to retrieve a list of core network change sets", + "privilege": "GetCoreNetworkChangeSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "lexicon*" + "resource_type": "core-network*" } ] }, { "access_level": "Read", - "description": "Grants permissions to get information about specific speech synthesis task", - "privilege": "GetSpeechSynthesisTask", + "description": "Grants permission to retrieve core network policy", + "privilege": "GetCoreNetworkPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "core-network*" } ] }, { "access_level": "List", - "description": "Grants permisions to list the pronunciation lexicons stored in an AWS Region", - "privilege": "ListLexicons", + "description": "Grants permission to describe customer gateway associations", + "privilege": "GetCustomerGatewayAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "List", - "description": "Grants permissions to list requested speech synthesis tasks", - "privilege": "ListSpeechSynthesisTasks", + "description": "Grants permission to describe devices", + "privilege": "GetDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" } ] }, { - "access_level": "Write", - "description": "Grants permissions to store a pronunciation lexicon in an AWS Region", - "privilege": "PutLexicon", + "access_level": "List", + "description": "Grants permission to describe link associations", + "privilege": "GetLinkAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "lexicon*" + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" } ] }, { - "access_level": "Write", - "description": "Grants permissions to synthesize long inputs to the provided S3 location", - "privilege": "StartSpeechSynthesisTask", + "access_level": "List", + "description": "Grants permission to describe links", + "privilege": "GetLinks", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "s3:PutObject" - ], - "resource_type": "lexicon" + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" } ] }, { "access_level": "Read", - "description": "Grants permissions to synthesize speech", - "privilege": "SynthesizeSpeech", + "description": "Grants permission to return the number of resources for a global network grouped by type", + "privilege": "GetNetworkResourceCounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "lexicon" + "resource_type": "global-network*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:polly:${Region}:${Account}:lexicon/${LexiconName}", - "condition_keys": [], - "resource": "lexicon" - } - ], - "service_name": "Amazon Polly" - }, - { - "conditions": [], - "prefix": "pricing", - "privileges": [ + }, { "access_level": "Read", - "description": "Returns the service details for all (paginated) services (if serviceCode is not set) or service detail for a particular service (if given serviceCode).", - "privilege": "DescribeServices", + "description": "Grants permission to retrieve related resources for a resource within the global network", + "privilege": "GetNetworkResourceRelationships", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Read", - "description": "Returns all (paginated) possible values for a given attribute.", - "privilege": "GetAttributeValues", + "description": "Grants permission to retrieve a global network resource", + "privilege": "GetNetworkResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Read", - "description": "Returns all matching products with given search criteria.", - "privilege": "GetProducts", + "description": "Grants permission to retrieve routes for a route table within the global network", + "privilege": "GetNetworkRoutes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] - } - ], - "resources": [], - "service_name": "AWS Price List" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the customer profile service", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the customer profile service", - "type": "String" - } - ], - "prefix": "profile", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to add a profile key", - "privilege": "AddProfileKey", + "access_level": "Read", + "description": "Grants permission to retrieve network telemetry objects for the global network", + "privilege": "GetNetworkTelemetry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "global-network*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a Domain", - "privilege": "CreateDomain", + "access_level": "Read", + "description": "Grants permission to retrieve a resource policy", + "privilege": "GetResourcePolicy", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "core-network*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a profile in the domain", - "privilege": "CreateProfile", + "access_level": "Read", + "description": "Grants permission to retrieve a route analysis configuration and result", + "privilege": "GetRouteAnalysis", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "global-network*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a Domain", - "privilege": "DeleteDomain", + "access_level": "Read", + "description": "Grants permission to retrieve a site-to-site VPN attachment", + "privilege": "GetSiteToSiteVpnAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "attachment*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a integration in a domain", - "privilege": "DeleteIntegration", + "access_level": "List", + "description": "Grants permission to describe global networks", + "privilege": "GetSites", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "global-network*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "integrations*" + "resource_type": "site" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a profile", - "privilege": "DeleteProfile", + "access_level": "List", + "description": "Grants permission to describe transit gateway connect peer associations", + "privilege": "GetTransitGatewayConnectPeerAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "global-network*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a profile key", - "privilege": "DeleteProfileKey", + "access_level": "Read", + "description": "Grants permission to retrieve a Transit Gateway peering", + "privilege": "GetTransitGatewayPeering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "peering*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a profile object", - "privilege": "DeleteProfileObject", + "access_level": "List", + "description": "Grants permission to describe transit gateway registrations", + "privilege": "GetTransitGatewayRegistrations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "global-network*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a specific profile object type in the domain", - "privilege": "DeleteProfileObjectType", + "access_level": "Read", + "description": "Grants permission to retrieve a TGW RTB attachment", + "privilege": "GetTransitGatewayRouteTableAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "attachment*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a specific domain in an account", - "privilege": "GetDomain", + "description": "Grants permission to retrieve a VPC attachment", + "privilege": "GetVpcAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "attachment*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a specific integrations in a domain", - "privilege": "GetIntegration", + "access_level": "List", + "description": "Grants permission to describe attachments", + "privilege": "ListAttachments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "integrations*" + "resource_type": "attachment*" } ] }, { "access_level": "List", - "description": "Grants permission to get profile matches", - "privilege": "GetMatches", + "description": "Grants permission to describe Connect Peers", + "privilege": "ListConnectPeers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "connect-peer*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a specific profile object type in the domain", - "privilege": "GetProfileObjectType", + "access_level": "List", + "description": "Grants permission to list core network policy versions", + "privilege": "ListCoreNetworkPolicyVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "core-network*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a specific object type template", - "privilege": "GetProfileObjectTypeTemplate", + "access_level": "List", + "description": "Grants permission to list core networks", + "privilege": "ListCoreNetworks", "resource_types": [ { "condition_keys": [], @@ -134046,8 +148249,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all the integrations in the account", - "privilege": "ListAccountIntegrations", + "description": "Grants permission to list organization service access status", + "privilege": "ListOrganizationServiceAccessStatus", "resource_types": [ { "condition_keys": [], @@ -134058,8 +148261,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all the domains in an account", - "privilege": "ListDomains", + "description": "Grants permission to describe peerings", + "privilege": "ListPeerings", "resource_types": [ { "condition_keys": [], @@ -134069,101 +148272,58 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all the integrations in a specific domain", - "privilege": "ListIntegrations", + "access_level": "Read", + "description": "Grants permission to list tags for a Network Manager resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all the profile object type templates in the account", - "privilege": "ListProfileObjectTypeTemplates", - "resource_types": [ + "resource_type": "attachment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all the profile object types in the domain", - "privilege": "ListProfileObjectTypes", - "resource_types": [ + "resource_type": "connect-peer" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all the profile objects for a profile", - "privilege": "ListProfileObjects", - "resource_types": [ + "resource_type": "connection" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "core-network" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", - "resource_types": [ + "resource_type": "device" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to merge profiles", - "privilege": "MergeProfiles", - "resource_types": [ + "resource_type": "global-network" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to put a integration in a domain", - "privilege": "PutIntegration", - "resource_types": [ + "resource_type": "link" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "peering" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "integrations*" + "resource_type": "site" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -134172,40 +148332,41 @@ }, { "access_level": "Write", - "description": "Grants permission to put an object for a profile", - "privilege": "PutProfileObject", + "description": "Grants permission to create a core network policy", + "privilege": "PutCoreNetworkPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "core-network*" } ] }, { "access_level": "Write", - "description": "Grants permission to put a specific profile object type in the domain", - "privilege": "PutProfileObjectType", + "description": "Grants permission to create or update a resource policy", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, + "resource_type": "core-network*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register a transit gateway to a global network", + "privilege": "RegisterTransitGateway", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "global-network*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "networkmanager:tgwArn" ], "dependent_actions": [], "resource_type": "" @@ -134213,42 +148374,36 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to search for profiles in a domain", - "privilege": "SearchProfiles", + "access_level": "Write", + "description": "Grants permission to reject attachment request", + "privilege": "RejectAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "attachment*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to adds tags to a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to restore the core network policy to a previous version", + "privilege": "RestoreCoreNetworkPolicyVersion", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "core-network*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to start organization service access update", + "privilege": "StartOrganizationServiceAccessUpdate", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -134256,128 +148411,71 @@ }, { "access_level": "Write", - "description": "Grants permission to update a Domain", - "privilege": "UpdateDomain", + "description": "Grants permission to start a route analysis and stores analysis configuration", + "privilege": "StartRouteAnalysis", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "global-network*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a profile in the domain", - "privilege": "UpdateProfile", + "access_level": "Tagging", + "description": "Grants permission to tag a Network Manager resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "domains" - }, - { - "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/object-types/${ObjectTypeName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "object-types" - }, - { - "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/integrations/${Uri}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "integrations" - } - ], - "service_name": "Amazon Connect Customer Profiles" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - }, - { - "condition": "proton:EnvironmentTemplate", - "description": "Filters actions based on specified environment template related to resource", - "type": "String" - }, - { - "condition": "proton:ServiceTemplate", - "description": "Filters actions based on specified service template related to resource", - "type": "String" - } - ], - "prefix": "proton", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to reject an environment account connection request from another environment account.", - "privilege": "AcceptEnvironmentAccountConnection", - "resource_types": [ + "resource_type": "attachment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-account-connection*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to cancel an environment deployment", - "privilege": "CancelEnvironmentDeployment", - "resource_types": [ + "resource_type": "connect-peer" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "connection" }, { - "condition_keys": [ - "proton:EnvironmentTemplate" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to cancel a service instance deployment", - "privilege": "CancelServiceInstanceDeployment", - "resource_types": [ + "resource_type": "core-network" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-instance*" + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "peering" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "site" }, { "condition_keys": [ - "proton:ServiceTemplate" + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -134385,18 +148483,58 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a service pipeline deployment", - "privilege": "CancelServicePipelineDeployment", + "access_level": "Tagging", + "description": "Grants permission to untag a Network Manager resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "attachment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connect-peer" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "core-network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "peering" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "site" }, { "condition_keys": [ - "proton:ServiceTemplate" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -134405,191 +148543,271 @@ }, { "access_level": "Write", - "description": "Grants permission to create an environment", - "privilege": "CreateEnvironment", + "description": "Grants permission to update a connection", + "privilege": "UpdateConnection", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "environment*" + "dependent_actions": [], + "resource_type": "connection*" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "proton:EnvironmentTemplate" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an environment account connection", - "privilege": "CreateEnvironmentAccountConnection", + "description": "Grants permission to update a core network", + "privilege": "UpdateCoreNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "core-network*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an environment template", - "privilege": "CreateEnvironmentTemplate", + "description": "Grants permission to update a device", + "privilege": "UpdateDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "device*" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use CreateEnvironmentTemplateVersion instead", - "privilege": "CreateEnvironmentTemplateMajorVersion", + "description": "Grants permission to update a global network", + "privilege": "UpdateGlobalNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use CreateEnvironmentTemplateVersion instead", - "privilege": "CreateEnvironmentTemplateMinorVersion", + "description": "Grants permission to update a link", + "privilege": "UpdateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "global-network*" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "link*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an environment template version", - "privilege": "CreateEnvironmentTemplateVersion", + "description": "Grants permission to add or update metadata key/value pairs on network resource", + "privilege": "UpdateNetworkResourceMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a service", - "privilege": "CreateService", + "description": "Grants permission to update a site", + "privilege": "UpdateSite", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "codestar-connections:PassConnection" - ], - "resource_type": "service*" + "dependent_actions": [], + "resource_type": "global-network*" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "proton:ServiceTemplate" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "site*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a service template", - "privilege": "CreateServiceTemplate", + "description": "Grants permission to update a VPC attachment", + "privilege": "UpdateVpcAttachment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "attachment*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "networkmanager:subnetArns" ], "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "global-network" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "site" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "link" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "device" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connection" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:core-network/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "core-network" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:attachment/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "attachment" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:connect-peer/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connect-peer" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:peering/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "peering" + } + ], + "service_name": "AWS Network Manager" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag key and value pair that is allowed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair of a resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by a list of tag keys that are allowed in the request", + "type": "ArrayOfString" + }, + { + "condition": "nimble:createdBy", + "description": "Filters access by the createdBy request parameter or the ID of the creator of the resource", + "type": "String" + }, + { + "condition": "nimble:ownedBy", + "description": "Filters access by the ownedBy request parameter or the ID of the owner of the resource", + "type": "String" + }, + { + "condition": "nimble:principalId", + "description": "Filters access by the principalId request parameter", + "type": "String" + }, + { + "condition": "nimble:requesterPrincipalId", + "description": "Filters access by the ID of the logged in user", + "type": "String" }, + { + "condition": "nimble:studioId", + "description": "Filters access by a specific studio", + "type": "ARN" + } + ], + "prefix": "nimble", + "privileges": [ { "access_level": "Write", - "description": "DEPRECATED - use CreateServiceTemplateVersion instead", - "privilege": "CreateServiceTemplateMajorVersion", + "description": "Grants permission to accept EULAs", + "privilege": "AcceptEulas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "eula*" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use CreateServiceTemplateVersion instead", - "privilege": "CreateServiceTemplateMinorVersion", + "description": "Grants permission to create a launch profile", + "privilege": "CreateLaunchProfile", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template*" + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNatGateways", + "ec2:DescribeNetworkAcls", + "ec2:DescribeRouteTables", + "ec2:DescribeSubnets", + "ec2:DescribeVpcEndpoints", + "ec2:RunInstances" + ], + "resource_type": "studio*" }, { "condition_keys": [ @@ -134603,13 +148821,19 @@ }, { "access_level": "Write", - "description": "Grants permission to create a service template version", - "privilege": "CreateServiceTemplateVersion", + "description": "Grants permission to create a streaming image", + "privilege": "CreateStreamingImage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template*" + "dependent_actions": [ + "ec2:DescribeImages", + "ec2:DescribeSnapshots", + "ec2:ModifyInstanceAttribute", + "ec2:ModifySnapshotAttribute", + "ec2:RegisterImage" + ], + "resource_type": "studio*" }, { "condition_keys": [ @@ -134623,11 +148847,25 @@ }, { "access_level": "Write", - "description": "DEPRECATED - use UpdateAccountSettings instead", - "privilege": "DeleteAccountRoles", + "description": "Grants permission to create a streaming session", + "privilege": "CreateStreamingSession", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:CreateNetworkInterfacePermission", + "nimble:GetLaunchProfile", + "nimble:GetLaunchProfileInitialization", + "nimble:ListEulaAcceptances" + ], + "resource_type": "launch-profile*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -134635,17 +148873,17 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an environment", - "privilege": "DeleteEnvironment", + "description": "Grants permission to create a StreamingSessionStream", + "privilege": "CreateStreamingSessionStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "streaming-session*" }, { "condition_keys": [ - "proton:EnvironmentTemplate" + "nimble:requesterPrincipalId" ], "dependent_actions": [], "resource_type": "" @@ -134654,77 +148892,109 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an environment account connection", - "privilege": "DeleteEnvironmentAccountConnection", + "description": "Grants permission to create a studio", + "privilege": "CreateStudio", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "sso:CreateManagedApplicationInstance" + ], + "resource_type": "studio*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "environment-account-connection*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an environment template", - "privilege": "DeleteEnvironmentTemplate", + "description": "Grants permission to create a studio component. A studio component designates a network resource to which a launch profile will provide access", + "privilege": "CreateStudioComponent", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ds:AuthorizeApplication", + "ds:DescribeDirectories", + "ec2:DescribeSecurityGroups", + "fsx:DescribeFileSystems", + "iam:PassRole" + ], + "resource_type": "studio*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use DeleteEnvironmentTemplateVersion instead", - "privilege": "DeleteEnvironmentTemplateMajorVersion", + "description": "Grants permission to delete a launch profile", + "privilege": "DeleteLaunchProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use DeleteEnvironmentTemplateVersion instead", - "privilege": "DeleteEnvironmentTemplateMinorVersion", + "description": "Grants permission to delete a launch profile member", + "privilege": "DeleteLaunchProfileMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an environment template version", - "privilege": "DeleteEnvironmentTemplateVersion", + "description": "Grants permission to delete a streaming image", + "privilege": "DeleteStreamingImage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template*" + "dependent_actions": [ + "ec2:DeleteSnapshot", + "ec2:DeregisterImage", + "ec2:ModifyInstanceAttribute", + "ec2:ModifySnapshotAttribute" + ], + "resource_type": "streaming-image*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a service", - "privilege": "DeleteService", + "description": "Grants permission to delete a streaming session", + "privilege": "DeleteStreamingSession", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "service*" + "dependent_actions": [ + "ec2:DeleteNetworkInterface" + ], + "resource_type": "streaming-session*" }, { "condition_keys": [ - "proton:ServiceTemplate" + "nimble:requesterPrincipalId" ], "dependent_actions": [], "resource_type": "" @@ -134733,56 +149003,60 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a service template", - "privilege": "DeleteServiceTemplate", + "description": "Grants permission to delete a studio", + "privilege": "DeleteStudio", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template*" + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use DeleteServiceTemplateVersion instead", - "privilege": "DeleteServiceTemplateMajorVersion", + "description": "Grants permission to delete a studio component", + "privilege": "DeleteStudioComponent", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template*" + "dependent_actions": [ + "ds:UnauthorizeApplication" + ], + "resource_type": "studio-component*" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use DeleteServiceTemplateVersion instead", - "privilege": "DeleteServiceTemplateMinorVersion", + "description": "Grants permission to delete a studio member", + "privilege": "DeleteStudioMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "studio*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a service template version", - "privilege": "DeleteServiceTemplateVersion", + "access_level": "Read", + "description": "Grants permission to get a EULA", + "privilege": "GetEula", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "eula*" } ] }, { "access_level": "Read", - "description": "DEPRECATED - use GetAccountSettings instead", - "privilege": "GetAccountRoles", + "description": "Grants permission to allow Nimble Studio portal to show the appropriate features for this account", + "privilege": "GetFeatureMap", "resource_types": [ { "condition_keys": [], @@ -134793,224 +149067,259 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the account settings", - "privilege": "GetAccountSettings", + "description": "Grants permission to get a launch profile", + "privilege": "GetLaunchProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment", - "privilege": "GetEnvironment", + "description": "Grants permission to get a launch profile's details, which includes the summary of studio components and streaming images used by the launch profile", + "privilege": "GetLaunchProfileDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "launch-profile*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment account connection", - "privilege": "GetEnvironmentAccountConnection", + "description": "Grants permission to get a launch profile initialization. A launch profile initialization is a dereferenced version of a launch profile, including attached studio component connection information", + "privilege": "GetLaunchProfileInitialization", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-account-connection*" + "dependent_actions": [ + "ds:DescribeDirectories", + "ec2:DescribeSecurityGroups", + "fsx:DescribeFileSystems" + ], + "resource_type": "launch-profile*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment template", - "privilege": "GetEnvironmentTemplate", + "description": "Grants permission to get a launch profile member", + "privilege": "GetLaunchProfileMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "launch-profile*" } ] }, { "access_level": "Read", - "description": "DEPRECATED - use GetEnvironmentTemplateVersion instead", - "privilege": "GetEnvironmentTemplateMajorVersion", + "description": "Grants permission to get a streaming image", + "privilege": "GetStreamingImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "streaming-image*" } ] }, { "access_level": "Read", - "description": "DEPRECATED - use GetEnvironmentTemplateVersion instead", - "privilege": "GetEnvironmentTemplateMinorVersion", + "description": "Grants permission to get a streaming session", + "privilege": "GetStreamingSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "streaming-session*" + }, + { + "condition_keys": [ + "nimble:requesterPrincipalId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment template version", - "privilege": "GetEnvironmentTemplateVersion", + "description": "Grants permission to get a streaming session stream", + "privilege": "GetStreamingSessionStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "streaming-session*" + }, + { + "condition_keys": [ + "nimble:requesterPrincipalId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a service", - "privilege": "GetService", + "description": "Grants permission to get a studio", + "privilege": "GetStudio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "studio*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a service instance", - "privilege": "GetServiceInstance", + "description": "Grants permission to get a studio component", + "privilege": "GetStudioComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-instance*" + "resource_type": "studio-component*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a service template", - "privilege": "GetServiceTemplate", + "description": "Grants permission to get a studio member", + "privilege": "GetStudioMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "studio*" } ] }, { "access_level": "Read", - "description": "DEPRECATED - use GetServiceTemplateVersion instead", - "privilege": "GetServiceTemplateMajorVersion", + "description": "Grants permission to list EULA acceptances", + "privilege": "ListEulaAcceptances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "eula-acceptance*" } ] }, { "access_level": "Read", - "description": "DEPRECATED - use GetServiceTemplateVersion instead", - "privilege": "GetServiceTemplateMinorVersion", + "description": "Grants permission to list EULAs", + "privilege": "ListEulas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "eula*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a service template version", - "privilege": "GetServiceTemplateVersion", + "description": "Grants permission to list launch profile members", + "privilege": "ListLaunchProfileMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "launch-profile*" } ] }, { - "access_level": "List", - "description": "Grants permission to list environment account connections", - "privilege": "ListEnvironmentAccountConnections", + "access_level": "Read", + "description": "Grants permission to list launch profiles", + "privilege": "ListLaunchProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-account-connection*" + "resource_type": "studio*" + }, + { + "condition_keys": [ + "nimble:principalId", + "nimble:requesterPrincipalId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "DEPRECATED - use ListEnvironmentTemplateVersions instead", - "privilege": "ListEnvironmentTemplateMajorVersions", + "access_level": "Read", + "description": "Grants permission to list streaming images", + "privilege": "ListStreamingImages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "studio*" } ] }, { - "access_level": "List", - "description": "DEPRECATED - use ListEnvironmentTemplateVersions instead", - "privilege": "ListEnvironmentTemplateMinorVersions", + "access_level": "Read", + "description": "Grants permission to list streaming sessions", + "privilege": "ListStreamingSessions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "studio*" + }, + { + "condition_keys": [ + "nimble:createdBy", + "nimble:ownedBy", + "nimble:requesterPrincipalId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list environment template versions", - "privilege": "ListEnvironmentTemplateVersions", + "access_level": "Read", + "description": "Grants permission to list studio components", + "privilege": "ListStudioComponents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "studio*" } ] }, { - "access_level": "List", - "description": "Grants permission to list environment templates", - "privilege": "ListEnvironmentTemplates", + "access_level": "Read", + "description": "Grants permission to list studio members", + "privilege": "ListStudioMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "studio*" } ] }, { - "access_level": "List", - "description": "Grants permission to list environments", - "privilege": "ListEnvironments", + "access_level": "Read", + "description": "Grants permission to list all studios", + "privilege": "ListStudios", "resource_types": [ { "condition_keys": [], @@ -135020,215 +149329,170 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list service instances", - "privilege": "ListServiceInstances", + "access_level": "Read", + "description": "Grants permission to list all tags on a Nimble Studio resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "DEPRECATED - use ListServiceTemplateVersions instead", - "privilege": "ListServiceTemplateMajorVersions", - "resource_types": [ + "resource_type": "launch-profile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "streaming-image" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streaming-session" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-component" } ] }, { - "access_level": "List", - "description": "DEPRECATED - use ListServiceTemplateVersions instead", - "privilege": "ListServiceTemplateMinorVersions", + "access_level": "Write", + "description": "Grants permission to add/update launch profile members", + "privilege": "PutLaunchProfileMembers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template*" + "dependent_actions": [ + "sso-directory:DescribeUsers" + ], + "resource_type": "launch-profile*" } ] }, { - "access_level": "List", - "description": "Grants permission to list service template versions", - "privilege": "ListServiceTemplateVersions", + "access_level": "Write", + "description": "Grants permission to report metrics and logs for the Nimble Studio portal to monitor application health", + "privilege": "PutStudioLogEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "studio*" } ] }, { - "access_level": "List", - "description": "Grants permission to list service templates", - "privilege": "ListServiceTemplates", + "access_level": "Write", + "description": "Grants permission to add/update studio members", + "privilege": "PutStudioMembers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "sso-directory:DescribeUsers" + ], + "resource_type": "studio*" } ] }, { - "access_level": "List", - "description": "Grants permission to list services", - "privilege": "ListServices", + "access_level": "Write", + "description": "Grants permission to start a streaming session", + "privilege": "StartStreamingSession", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "nimble:GetLaunchProfile", + "nimble:GetLaunchProfileMember" + ], + "resource_type": "streaming-session*" + }, + { + "condition_keys": [ + "nimble:requesterPrincipalId" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to list tags of a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to repair the studio's AWS SSO configuration", + "privilege": "StartStudioSSOConfigurationRepair", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-major-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-minor-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-instance" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template-major-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template-minor-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-template-version" + "dependent_actions": [ + "sso:CreateManagedApplicationInstance", + "sso:GetManagedApplicationInstance" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Grants permission to reject an environment account connection request from another environment account.", - "privilege": "RejectEnvironmentAccountConnection", + "description": "Grants permission to stop a streaming session", + "privilege": "StopStreamingSession", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "nimble:GetLaunchProfile" + ], + "resource_type": "streaming-session*" + }, + { + "condition_keys": [ + "nimble:requesterPrincipalId" + ], "dependent_actions": [], - "resource_type": "environment-account-connection*" + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permissions to add tags to a resource", + "description": "Grants permission to add or overwrite one or more tags for the specified Nimble Studio resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-major-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-minor-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-instance" + "resource_type": "launch-profile" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template" + "resource_type": "streaming-image" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template-major-version" + "resource_type": "streaming-session" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template-minor-version" + "resource_type": "studio" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template-version" + "resource_type": "studio-component" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -135237,63 +149501,33 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to remove tags from a resource", + "description": "Grants permission to disassociate one or more tags from the specified Nimble Studio resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-major-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-minor-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service-instance" + "resource_type": "launch-profile" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template" + "resource_type": "streaming-image" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template-major-version" + "resource_type": "streaming-session" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template-minor-version" + "resource_type": "studio" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template-version" + "resource_type": "studio-component" }, { "condition_keys": [ @@ -135306,1392 +149540,982 @@ }, { "access_level": "Write", - "description": "DEPRECATED - use UpdateAccountSettings instead", - "privilege": "UpdateAccountRoles", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the account settings", - "privilege": "UpdateAccountSettings", + "description": "Grants permission to update a launch profile", + "privilege": "UpdateLaunchProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "iam:PassRole" + "ec2:DescribeNatGateways", + "ec2:DescribeNetworkAcls", + "ec2:DescribeRouteTables", + "ec2:DescribeSubnets", + "ec2:DescribeVpcEndpoints" ], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an environment", - "privilege": "UpdateEnvironment", + "description": "Grants permission to update a launch profile member", + "privilege": "UpdateLaunchProfileMember", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "environment*" - }, - { - "condition_keys": [ - "proton:EnvironmentTemplate" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an environment account connection", - "privilege": "UpdateEnvironmentAccountConnection", + "description": "Grants permission to update a streaming image", + "privilege": "UpdateStreamingImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-account-connection*" + "resource_type": "streaming-image*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an environment template", - "privilege": "UpdateEnvironmentTemplate", + "description": "Grants permission to update a studio", + "privilege": "UpdateStudio", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use UpdateEnvironmentTemplateVersion instead", - "privilege": "UpdateEnvironmentTemplateMajorVersion", + "description": "Grants permission to update a studio component", + "privilege": "UpdateStudioComponent", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template*" + "dependent_actions": [ + "ds:AuthorizeApplication", + "ds:DescribeDirectories", + "ec2:DescribeSecurityGroups", + "fsx:DescribeFileSystems", + "iam:PassRole" + ], + "resource_type": "studio-component*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:studio/${StudioId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "studio" }, { - "access_level": "Write", - "description": "DEPRECATED - use UpdateEnvironmentTemplateVersion instead", - "privilege": "UpdateEnvironmentTemplateMinorVersion", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template*" - } - ] + "arn": "arn:${Partition}:nimble:${Region}:${Account}:streaming-image/${StreamingImageId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "streaming-image" }, { - "access_level": "Write", - "description": "Grants permission to update an environment template version", - "privilege": "UpdateEnvironmentTemplateVersion", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template*" - } - ] + "arn": "arn:${Partition}:nimble:${Region}:${Account}:studio-component/${StudioComponentId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "studio-component" }, { - "access_level": "Write", - "description": "Grants permission to update a service", - "privilege": "UpdateService", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "service*" - }, + "arn": "arn:${Partition}:nimble:${Region}:${Account}:launch-profile/${LaunchProfileId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "launch-profile" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:streaming-session/${StreamingSessionId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:createdBy", + "nimble:ownedBy" + ], + "resource": "streaming-session" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:eula/${EulaId}", + "condition_keys": [], + "resource": "eula" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:eula-acceptance/${EulaAcceptanceId}", + "condition_keys": [ + "nimble:studioId" + ], + "resource": "eula-acceptance" + } + ], + "service_name": "Amazon Nimble Studio" + }, + { + "conditions": [], + "prefix": "opsworks", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to assign a registered instance to a layer", + "privilege": "AssignInstance", + "resource_types": [ { - "condition_keys": [ - "proton:ServiceTemplate" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to update a service instance", - "privilege": "UpdateServiceInstance", + "description": "Grants permission to assign one of the stack's registered Amazon EBS volumes to a specified instance", + "privilege": "AssignVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-instance*" - }, - { - "condition_keys": [ - "proton:ServiceTemplate" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to update a service pipeline", - "privilege": "UpdateServicePipeline", + "description": "Grants permission to associate one of the stack's registered Elastic IP addresses with a specified instance", + "privilege": "AssociateElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" - }, - { - "condition_keys": [ - "proton:ServiceTemplate" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to update a service template", - "privilege": "UpdateServiceTemplate", + "description": "Grants permission to attach an Elastic Load Balancing load balancer to a specified layer", + "privilege": "AttachElasticLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use UpdateServiceTemplateVersion instead", - "privilege": "UpdateServiceTemplateMajorVersion", + "description": "Grants permission to create a clone of a specified stack", + "privilege": "CloneStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "DEPRECATED - use UpdateServiceTemplateVersion instead", - "privilege": "UpdateServiceTemplateMinorVersion", + "description": "Grants permission to create an app for a specified stack", + "privilege": "CreateApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to update a service template version", - "privilege": "UpdateServiceTemplateVersion", + "description": "Grants permission to run deployment or stack commands", + "privilege": "CreateDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "stack" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "environment-template" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersion}.${MinorVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "environment-template-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "environment-template-major-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "environment-template-minor-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "service-template" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersion}.${MinorVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "service-template-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "service-template-major-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "service-template-minor-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "environment" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "service" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${ServiceName}/service-instance/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "service-instance" }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-account-connection/${Id}", - "condition_keys": [], - "resource": "environment-account-connection" - } - ], - "service_name": "AWS Proton" - }, - { - "conditions": [], - "prefix": "purchase-orders", - "privileges": [ { "access_level": "Write", - "description": "Modify purchase orders and details", - "privilege": "ModifyPurchaseOrders", + "description": "Grants permission to create an instance in a specified stack", + "privilege": "CreateInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "View purchase orders and details", - "privilege": "ViewPurchaseOrders", + "access_level": "Write", + "description": "Grants permission to create a layer", + "privilege": "CreateLayer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] - } - ], - "resources": [], - "service_name": "AWS Purchase Orders Console" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" }, - { - "condition": "qldb:Purge", - "description": "Filters access by the value of purge that is specified in a PartiQL DROP statement", - "type": "String" - } - ], - "prefix": "qldb", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to cancel a journal kinesis stream", - "privilege": "CancelJournalKinesisStream", + "description": "Grants permission to create a new stack", + "privilege": "CreateStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a ledger", - "privilege": "CreateLedger", + "description": "Grants permission to create a new user profile", + "privilege": "CreateUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a ledger", - "privilege": "DeleteLedger", + "description": "Grants permission to delete a specified app", + "privilege": "DeleteApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe information about a journal kinesis stream", - "privilege": "DescribeJournalKinesisStream", + "access_level": "Write", + "description": "Grants permission to delete a specified instance, which terminates the associated Amazon EC2 instance", + "privilege": "DeleteInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe information about a journal export job", - "privilege": "DescribeJournalS3Export", + "access_level": "Write", + "description": "Grants permission to delete a specified layer", + "privilege": "DeleteLayer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a ledger", - "privilege": "DescribeLedger", + "access_level": "Write", + "description": "Grants permission to delete a specified stack", + "privilege": "DeleteStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to send commands to a ledger via the console", - "privilege": "ExecuteStatement", + "description": "Grants permission to delete a user profile", + "privilege": "DeleteUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to export journal contents to an Amazon S3 bucket", - "privilege": "ExportJournalToS3", + "description": "Grants permission to delete a user profile", + "privilege": "DeregisterEcsCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a block from a ledger for a given BlockAddress", - "privilege": "GetBlock", + "access_level": "Write", + "description": "Grants permission to deregister a specified Elastic IP address", + "privilege": "DeregisterElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a digest from a ledger for a given BlockAddress", - "privilege": "GetDigest", + "access_level": "Write", + "description": "Grants permission to deregister a registered Amazon EC2 or on-premises instance", + "privilege": "DeregisterInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a revision for a given document ID and a given BlockAddress", - "privilege": "GetRevision", + "access_level": "Write", + "description": "Grants permission to deregister an Amazon RDS instance", + "privilege": "DeregisterRdsDbInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to insert sample application data via the console", - "privilege": "InsertSampleData", + "description": "Grants permission to deregister an Amazon EBS volume", + "privilege": "DeregisterVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "Grants permission to list journal kinesis streams for a specified ledger", - "privilege": "ListJournalKinesisStreamsForLedger", + "description": "Grants permission to describe the available AWS OpsWorks agent versions", + "privilege": "DescribeAgentVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "Grants permission to list journal export jobs for all ledgers", - "privilege": "ListJournalS3Exports", + "description": "Grants permission to request a description of a specified set of apps", + "privilege": "DescribeApps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "Grants permission to list journal export jobs for a specified ledger", - "privilege": "ListJournalS3ExportsForLedger", + "description": "Grants permission to describe the results of specified commands", + "privilege": "DescribeCommands", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "Grants permission to list existing ledgers", - "privilege": "ListLedgers", + "description": "Grants permission to request a description of a specified set of deployments", + "privilege": "DescribeDeployments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to describe Amazon ECS clusters that are registered with a stack", + "privilege": "DescribeEcsClusters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ledger" - }, + "resource_type": "stack" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe Elastic IP addresses", + "privilege": "DescribeElasticIps", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream" - }, + "resource_type": "stack" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe a stack's Elastic Load Balancing instances", + "privilege": "DescribeElasticLoadBalancers", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an index on a table", - "privilege": "PartiQLCreateIndex", + "access_level": "List", + "description": "Grants permission to request a description of a set of instances", + "privilege": "DescribeInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a table", - "privilege": "PartiQLCreateTable", + "access_level": "List", + "description": "Grants permission to request a description of one or more layers in a specified stack", + "privilege": "DescribeLayers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete documents from a table", - "privilege": "PartiQLDelete", + "access_level": "List", + "description": "Grants permission to describe load-based auto scaling configurations for specified layers", + "privilege": "DescribeLoadBasedAutoScaling", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to drop an index from a table", - "privilege": "PartiQLDropIndex", + "access_level": "List", + "description": "Grants permission to describe a user's SSH information", + "privilege": "DescribeMyUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "qldb:Purge" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to drop a table", - "privilege": "PartiQLDropTable", + "access_level": "List", + "description": "Grants permission to describe the operating systems that are supported by AWS OpsWorks Stacks", + "privilege": "DescribeOperatingSystems", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "qldb:Purge" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to use the history function on a table", - "privilege": "PartiQLHistoryFunction", + "access_level": "List", + "description": "Grants permission to describe the permissions for a specified stack", + "privilege": "DescribePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to insert documents into a table", - "privilege": "PartiQLInsert", + "access_level": "List", + "description": "Grants permission to describe an instance's RAID arrays", + "privilege": "DescribeRaidArrays", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to select documents from a table", - "privilege": "PartiQLSelect", + "access_level": "List", + "description": "Grants permission to describe Amazon RDS instances", + "privilege": "DescribeRdsDbInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to undrop a table", - "privilege": "PartiQLUndropTable", + "access_level": "List", + "description": "Grants permission to describe AWS OpsWorks service errors", + "privilege": "DescribeServiceErrors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to update existing documents in a table", - "privilege": "PartiQLUpdate", + "access_level": "List", + "description": "Grants permission to request a description of a stack's provisioning parameters", + "privilege": "DescribeStackProvisioningParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to send commands to a ledger", - "privilege": "SendCommand", + "access_level": "List", + "description": "Grants permission to describe the number of layers and apps in a specified stack, and the number of instances in each state, such as running_setup or online", + "privilege": "DescribeStackSummary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to view a ledger's catalog via the console", - "privilege": "ShowCatalog", + "access_level": "List", + "description": "Grants permission to request a description of one or more stacks", + "privilege": "DescribeStacks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to stream journal contents to a Kinesis Data Stream", - "privilege": "StreamJournalToKinesis", + "access_level": "List", + "description": "Grants permission to describe time-based auto scaling configurations for specified instances", + "privilege": "DescribeTimeBasedAutoScaling", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "stack" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add one or more tags to a resource", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to describe specified users", + "privilege": "DescribeUserProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ledger" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from a resource", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to describe an instance's Amazon EBS volumes", + "privilege": "DescribeVolumes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ledger" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to update properties on a ledger", - "privilege": "UpdateLedger", + "description": "Grants permission to detache a specified Elastic Load Balancing instance from its layer", + "privilege": "DetachElasticLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to update the permissions mode on a ledger", - "privilege": "UpdateLedgerPermissionsMode", + "description": "Grants permission to disassociate an Elastic IP address from its instance", + "privilege": "DisassociateElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "stack" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ledger" - }, - { - "arn": "arn:${Partition}:qldb:${Region}:${Account}:stream/${LedgerName}/${StreamId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "stream" - }, - { - "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/table/${TableId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "table" - }, - { - "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/information_schema/user_tables", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "catalog" - } - ], - "service_name": "Amazon QLDB" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by tag keys", - "type": "String" - }, - { - "condition": "quicksight:DirectoryType", - "description": "Filters access based on the user management options", - "type": "String" }, { - "condition": "quicksight:Edition", - "description": "Filters access based on the edition of QuickSight", - "type": "String" - }, - { - "condition": "quicksight:IamArn", - "description": "Filters access by IAM user or role ARN", - "type": "String" - }, - { - "condition": "quicksight:SessionName", - "description": "Filters access by session name", - "type": "String" - }, - { - "condition": "quicksight:UserName", - "description": "Filters access by user name", - "type": "String" - } - ], - "prefix": "quicksight", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to cancel a SPICE ingestions on a dataset", - "privilege": "CancelIngestion", + "access_level": "Read", + "description": "Grants permission to get a generated host name for the specified layer, based on the current host name theme", + "privilege": "GetHostnameSuggestion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ingestion*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create an account customization for QuickSight account or namespace", - "privilege": "CreateAccountCustomization", + "description": "Grants permission to grant RDP access to a Windows instance for a specified time period", + "privilege": "GrantAccess", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to provision Amazon QuickSight administrators, authors, and readers", - "privilege": "CreateAdmin", + "access_level": "List", + "description": "Grants permission to return a list of tags that are applied to the specified stack or layer", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create an analysis from a template", - "privilege": "CreateAnalysis", + "description": "Grants permission to reboot a specified instance", + "privilege": "RebootInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to create a custom permissions resource for restricting user access", - "privilege": "CreateCustomPermissions", + "access_level": "Write", + "description": "Grants permission to register a specified Amazon ECS cluster with a stack", + "privilege": "RegisterEcsCluster", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a QuickSight Dashboard", - "privilege": "CreateDashboard", + "description": "Grants permission to register an Elastic IP address with a specified stack", + "privilege": "RegisterElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset", - "privilege": "CreateDataSet", + "description": "Grants permission to register instances with a specified stack that were created outside of AWS OpsWorks", + "privilege": "RegisterInstance", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "quicksight:PassDataSource" - ], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a data source", - "privilege": "CreateDataSource", + "description": "Grants permission to register an Amazon RDS instance with a stack", + "privilege": "RegisterRdsDbInstance", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a QuickSight folder", - "privilege": "CreateFolder", + "description": "Grants permission to register an Amazon EBS volume with a specified stack", + "privilege": "RegisterVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to add a QuickSight Dashboard, Analysis or Dataset to a QuickSight Folder", - "privilege": "CreateFolderMembership", + "description": "Grants permission to specify the load-based auto scaling configuration for a specified layer", + "privilege": "SetLoadBasedAutoScaling", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "analysis" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataset" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a QuickSight group", - "privilege": "CreateGroup", + "access_level": "Permissions management", + "description": "Grants permission to specify a user's permissions", + "privilege": "SetPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to add a QuickSight user to a QuickSight group", - "privilege": "CreateGroupMembership", + "description": "Grants permission to specify the time-based auto scaling configuration for a specified instance", + "privilege": "SetTimeBasedAutoScaling", "resource_types": [ { - "condition_keys": [ - "quicksight:UserName" - ], - "dependent_actions": [], - "resource_type": "group*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight", - "privilege": "CreateIAMPolicyAssignment", + "description": "Grants permission to start a specified instance", + "privilege": "StartInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to start a SPICE ingestion on a dataset", - "privilege": "CreateIngestion", + "description": "Grants permission to start a stack's instances", + "privilege": "StartStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ingestion*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create an QuickSight namespace", - "privilege": "CreateNamespace", + "description": "Grants permission to stop a specified instance", + "privilege": "StopInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to provision Amazon QuickSight readers", - "privilege": "CreateReader", + "description": "Grants permission to stop a specified stack", + "privilege": "StopStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a template", - "privilege": "CreateTemplate", + "access_level": "Tagging", + "description": "Grants permission to apply tags to a specified stack or layer", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a template alias", - "privilege": "CreateTemplateAlias", + "description": "Grants permission to unassign a registered instance from all of it's layers", + "privilege": "UnassignInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grant permission to create a theme", - "privilege": "CreateTheme", + "description": "Grants permission to unassign an assigned Amazon EBS volume", + "privilege": "UnassignVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an alias for a theme version", - "privilege": "CreateThemeAlias", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a specified stack or layer", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to provision Amazon QuickSight authors and readers", - "privilege": "CreateUser", + "description": "Grants permission to update a specified app", + "privilege": "UpdateApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a VPC connection", - "privilege": "CreateVPCConnection", + "description": "Grants permission to update a registered Elastic IP address's name", + "privilege": "UpdateElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an account customization for QuickSight account or namespace", - "privilege": "DeleteAccountCustomization", + "description": "Grants permission to update a specified instance", + "privilege": "UpdateInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete an analysis", - "privilege": "DeleteAnalysis", + "description": "Grants permission to update a specified layer", + "privilege": "UpdateLayer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "stack" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete a custom permissions resource", - "privilege": "DeleteCustomPermissions", + "access_level": "Write", + "description": "Grants permission to update a user's SSH public key", + "privilege": "UpdateMyUserProfile", "resource_types": [ { "condition_keys": [], @@ -136702,221 +150526,202 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a QuickSight Dashboard", - "privilege": "DeleteDashboard", + "description": "Grants permission to update an Amazon RDS instance", + "privilege": "UpdateRdsDbInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataSet", + "description": "Grants permission to update a specified stack", + "privilege": "UpdateStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a data source", - "privilege": "DeleteDataSource", + "access_level": "Permissions management", + "description": "Grants permission to update a specified user profile", + "privilege": "UpdateUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a QuickSight Folder", - "privilege": "DeleteFolder", + "description": "Grants permission to update an Amazon EBS volume's name or mount point", + "privilege": "UpdateVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "stack" } ] - }, + } + ], + "resources": [ + { + "arn": "arn:${Partition}:opsworks:${Region}:${Account}:stack/${StackId}/", + "condition_keys": [], + "resource": "stack" + } + ], + "service_name": "AWS OpsWorks" + }, + { + "conditions": [], + "prefix": "opsworks-cm", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to remove a QuickSight Dashboard, Analysis or Dataset from a QuickSight Folder", - "privilege": "DeleteFolderMembership", + "description": "Grants permission to associate a node to a configuration management server", + "privilege": "AssociateNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "analysis" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataset" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to remove a user group from QuickSight", - "privilege": "DeleteGroup", + "description": "Grants permission to create a backup for the specified server", + "privilege": "CreateBackup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to remove a user from a group so that he/she is no longer a member of the group", - "privilege": "DeleteGroupMembership", + "description": "Grants permission to create a new server", + "privilege": "CreateServer", "resource_types": [ { - "condition_keys": [ - "quicksight:UserName" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing assignment", - "privilege": "DeleteIAMPolicyAssignment", + "description": "Grants permission to delete the specified backup and possibly its S3 bucket", + "privilege": "DeleteBackup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a QuickSight namespace", - "privilege": "DeleteNamespace", + "description": "Grants permission to delete the specified server with its corresponding CloudFormation stack and possibly the S3 bucket", + "privilege": "DeleteServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a template", - "privilege": "DeleteTemplate", + "access_level": "List", + "description": "Grants permission to describe the service limits for the user's account", + "privilege": "DescribeAccountAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a template alias", - "privilege": "DeleteTemplateAlias", + "access_level": "List", + "description": "Grants permission to describe a single backup, all backups of a specified server or all backups of the user's account", + "privilege": "DescribeBackups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a theme", - "privilege": "DeleteTheme", + "access_level": "List", + "description": "Grants permission to describe all events of the specified server", + "privilege": "DescribeEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the alias of a theme", - "privilege": "DeleteThemeAlias", + "access_level": "List", + "description": "Grants permission to describe the association status for the specified node token and the specified server", + "privilege": "DescribeNodeAssociationStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a QuickSight user, given the user name", - "privilege": "DeleteUser", + "access_level": "List", + "description": "Grants permission to describe the specified server or all servers of the user's account", + "privilege": "DescribeServers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to deletes a user identified by its principal ID", - "privilege": "DeleteUserByPrincipalId", + "description": "Grants permission to disassociate a specified node from a server", + "privilege": "DisassociateNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a VPC connection", - "privilege": "DeleteVPCConnection", + "access_level": "Read", + "description": "Grants permission to export an engine attribute from a server", + "privilege": "ExportServerEngineAttribute", "resource_types": [ { "condition_keys": [], @@ -136927,20 +150732,20 @@ }, { "access_level": "Read", - "description": "Grants permission to describe an account customization for QuickSight account or namespace", - "privilege": "DescribeAccountCustomization", + "description": "Grants permission to list the tags that are applied to the specified server or backup", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the administrative account settings for QuickSight account", - "privilege": "DescribeAccountSettings", + "access_level": "Write", + "description": "Grants permission to apply a backup to specified server. Possibly swaps out the ec2-instance if specified", + "privilege": "RestoreServer", "resource_types": [ { "condition_keys": [], @@ -136950,33 +150755,33 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe an analysis", - "privilege": "DescribeAnalysis", + "access_level": "Write", + "description": "Grants permission to start the server maintenance immediately", + "privilege": "StartMaintenance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe permissions for an analysis", - "privilege": "DescribeAnalysisPermissions", + "access_level": "Tagging", + "description": "Grants permission to apply tags to the specified server or backup", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to describe a custom permissions resource in a QuickSight account", - "privilege": "DescribeCustomPermissions", + "access_level": "Tagging", + "description": "Grants permission to remove tags from the specified server or backup", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], @@ -136986,103 +150791,114 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe a QuickSight Dashboard", - "privilege": "DescribeDashboard", + "access_level": "Write", + "description": "Grants permission to update general server settings", + "privilege": "UpdateServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe permissions for a QuickSight Dashboard", - "privilege": "DescribeDashboardPermissions", + "access_level": "Write", + "description": "Grants permission to update server settings specific to the configuration management type", + "privilege": "UpdateServerEngineAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:opsworks-cm::${Account}:server/${ServerName}/${UniqueId}", + "condition_keys": [], + "resource": "server" }, { - "access_level": "Read", - "description": "Grants permission to describe a dataset", - "privilege": "DescribeDataSet", + "arn": "arn:${Partition}:opsworks-cm::${Account}:backup/${ServerName}-{Date-and-Time-Stamp-of-Backup}", + "condition_keys": [], + "resource": "backup" + } + ], + "service_name": "AWS OpsWorks Configuration Management" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + }, + { + "condition": "organizations:PolicyType", + "description": "Filters access by the specified policy type names", + "type": "String" + }, + { + "condition": "organizations:ServicePrincipal", + "description": "Filters access by the specified service principal names", + "type": "String" + } + ], + "prefix": "organizations", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request", + "privilege": "AcceptHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "handshake*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to describe the resource policy of a dataset", - "privilege": "DescribeDataSetPermissions", + "access_level": "Write", + "description": "Grants permission to attach a policy to a root, an organizational unit, or an individual account", + "privilege": "AttachPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "policy*" }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a data source", - "privilege": "DescribeDataSource", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "account" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to describe the resource policy of a data source", - "privilege": "DescribeDataSourcePermissions", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "root" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "organizations:PolicyType" ], "dependent_actions": [], "resource_type": "" @@ -137090,74 +150906,85 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe a QuickSight Folder", - "privilege": "DescribeFolder", + "access_level": "Write", + "description": "Grants permission to cancel a handshake", + "privilege": "CancelHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "handshake*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe permissions for a QuickSight Folder", - "privilege": "DescribeFolderPermissions", + "access_level": "Write", + "description": "Grants permission to close an AWS account that is now a part of an Organizations, either created within the organization, or invited to join the organization", + "privilege": "CloseAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "account*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe resolved permissions for a QuickSight Folder", - "privilege": "DescribeFolderResolvedPermissions", + "access_level": "Write", + "description": "Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request", + "privilege": "CreateAccount", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a QuickSight group", - "privilege": "DescribeGroup", + "access_level": "Write", + "description": "Grants permission to create an AWS GovCloud (US) account", + "privilege": "CreateGovCloudAccount", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an existing assignment", - "privilege": "DescribeIAMPolicyAssignment", + "access_level": "Write", + "description": "Grants permission to create an organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the management account of the new organization", + "privilege": "CreateOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a SPICE ingestion on a dataset", - "privilege": "DescribeIngestion", + "access_level": "Write", + "description": "Grants permission to create an organizational unit (OU) within a root or parent OU", + "privilege": "CreateOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ingestion*" + "resource_type": "organizationalunit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" }, { "condition_keys": [ @@ -137170,146 +150997,154 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe the IP restrictions for QuickSight account", - "privilege": "DescribeIpRestriction", + "access_level": "Write", + "description": "Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account", + "privilege": "CreatePolicy", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:PolicyType", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a QuickSight namespace", - "privilege": "DescribeNamespace", + "access_level": "Write", + "description": "Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request", + "privilege": "DeclineHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "handshake*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a template", - "privilege": "DescribeTemplate", + "access_level": "Write", + "description": "Grants permission to delete the organization", + "privilege": "DeleteOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a template alias", - "privilege": "DescribeTemplateAlias", + "access_level": "Write", + "description": "Grants permission to delete an organizational unit from a root or another OU", + "privilege": "DeleteOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "organizationalunit*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe permissions for a template", - "privilege": "DescribeTemplatePermissions", + "access_level": "Write", + "description": "Grants permission to delete a policy from your organization", + "privilege": "DeletePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a theme", - "privilege": "DescribeTheme", - "resource_types": [ + "resource_type": "policy*" + }, { - "condition_keys": [], + "condition_keys": [ + "organizations:PolicyType" + ], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a theme alias", - "privilege": "DescribeThemeAlias", + "access_level": "Write", + "description": "Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal", + "privilege": "DeregisterDelegatedAdministrator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "account*" + }, + { + "condition_keys": [ + "organizations:ServicePrincipal" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe permissions for a theme", - "privilege": "DescribeThemePermissions", + "description": "Grants permission to retrieve Organizations-related details about the specified account", + "privilege": "DescribeAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "account*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a QuickSight user given the user name", - "privilege": "DescribeUser", + "description": "Grants permission to retrieve the current status of an asynchronous request to create an account", + "privilege": "DescribeCreateAccountStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to generate a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight", - "privilege": "GenerateEmbedUrlForAnonymousUser", + "access_level": "Read", + "description": "Grants permission to retrieve the effective policy for an account", + "privilege": "DescribeEffectivePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "account*" }, { - "condition_keys": [], + "condition_keys": [ + "organizations:PolicyType" + ], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to generate a URL used to embed a QuickSight Dashboard for a user registered with QuickSight", - "privilege": "GenerateEmbedUrlForRegisteredUser", + "access_level": "Read", + "description": "Grants permission to retrieve details about a previously requested handshake", + "privilege": "DescribeHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "handshake*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight", - "privilege": "GetAnonymousUserEmbedUrl", + "description": "Grants permission to retrieves details about the organization that the calling credentials belong to", + "privilege": "DescribeOrganization", "resource_types": [ { "condition_keys": [], @@ -137320,109 +151155,141 @@ }, { "access_level": "Read", - "description": "Grants permission to get an auth code representing a QuickSight user", - "privilege": "GetAuthCode", + "description": "Grants permission to retrieve details about an organizational unit (OU)", + "privilege": "DescribeOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "organizationalunit*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a URL used to embed a QuickSight Dashboard", - "privilege": "GetDashboardEmbedUrl", + "description": "Grants permission to retrieves details about a policy", + "privilege": "DescribePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "policy*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight", - "privilege": "GetGroupMapping", + "access_level": "Write", + "description": "Grants permission to detach a policy from a target root, organizational unit, or account", + "privilege": "DetachPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "policy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "account" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organizationalunit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a URL to embed QuickSight console experience", - "privilege": "GetSessionEmbedUrl", + "access_level": "Write", + "description": "Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations", + "privilege": "DisableAWSServiceAccess", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:ServicePrincipal" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all analyses in an account", - "privilege": "ListAnalyses", + "access_level": "Write", + "description": "Grants permission to disable an organization policy type in a root", + "privilege": "DisablePolicyType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "root*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to list custom permissions resources in QuickSight account", - "privilege": "ListCustomPermissions", + "description": "Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations", + "privilege": "EnableAWSServiceAccess", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:ServicePrincipal" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all versions of a QuickSight Dashboard", - "privilege": "ListDashboardVersions", + "access_level": "Write", + "description": "Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features", + "privilege": "EnableAllFeatures", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all Dashboards in a QuickSight Account", - "privilege": "ListDashboards", + "access_level": "Write", + "description": "Grants permission to enable a policy type in a root", + "privilege": "EnablePolicyType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all datasets", - "privilege": "ListDataSets", - "resource_types": [ + "resource_type": "root*" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "organizations:PolicyType" ], "dependent_actions": [], "resource_type": "" @@ -137430,10 +151297,15 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all data sources", - "privilege": "ListDataSources", + "access_level": "Write", + "description": "Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account", + "privilege": "InviteAccountToOrganization", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "account" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -137445,86 +151317,95 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list all members in a folder", - "privilege": "ListFolderMembers", + "access_level": "Write", + "description": "Grants permission to remove a member account from its parent organization", + "privilege": "LeaveOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all Folders in a QuickSight Account", - "privilege": "ListFolders", + "description": "Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization", + "privilege": "ListAWSServiceAccessForOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list member users in a group", - "privilege": "ListGroupMemberships", + "description": "Grants permission to list all of the the accounts in the organization", + "privilege": "ListAccounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all user groups in QuickSight", - "privilege": "ListGroups", + "description": "Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU)", + "privilege": "ListAccountsForParent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "organizationalunit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" } ] }, { "access_level": "List", - "description": "Grants permission to list all assignments in the current Amazon QuickSight account", - "privilege": "ListIAMPolicyAssignments", + "description": "Grants permission to list all of the OUs or accounts that are contained in a parent OU or root", + "privilege": "ListChildren", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "organizationalunit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" } ] }, { "access_level": "List", - "description": "Grants permission to list all assignments assigned to a user and the groups it belongs", - "privilege": "ListIAMPolicyAssignmentsForUser", + "description": "Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization", + "privilege": "ListCreateAccountStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all SPICE ingestions on a dataset", - "privilege": "ListIngestions", + "description": "Grants permission to list the AWS accounts that are designated as delegated administrators in this organization", + "privilege": "ListDelegatedAdministrators", "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "organizations:ServicePrincipal" ], "dependent_actions": [], "resource_type": "" @@ -137533,158 +151414,111 @@ }, { "access_level": "List", - "description": "Grants permission to lists all namespaces in a QuickSight account", - "privilege": "ListNamespaces", + "description": "Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization", + "privilege": "ListDelegatedServicesForAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "account*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list tags of a QuickSight resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to list all of the handshakes that are associated with an account", + "privilege": "ListHandshakesForAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "folder" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "template" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "theme" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all aliases for a template", - "privilege": "ListTemplateAliases", + "description": "Grants permission to list the handshakes that are associated with the organization", + "privilege": "ListHandshakesForOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all versions of a template", - "privilege": "ListTemplateVersions", + "description": "Grants permission to lists all of the organizational units (OUs) in a parent organizational unit or root", + "privilege": "ListOrganizationalUnitsForParent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all templates in a QuickSight account", - "privilege": "ListTemplates", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "root" } ] }, { "access_level": "List", - "description": "Grants permission to list all aliases of a theme", - "privilege": "ListThemeAliases", + "description": "Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account", + "privilege": "ListParents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all versions of a theme", - "privilege": "ListThemeVersions", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "organizationalunit" } ] }, { "access_level": "List", - "description": "Grants permission to list all themes in an account", - "privilege": "ListThemes", + "description": "Grants permission to list all of the policies in an organization", + "privilege": "ListPolicies", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:PolicyType" + ], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list groups that a given user is a member of", - "privilege": "ListUserGroups", + "description": "Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account", + "privilege": "ListPoliciesForTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all of the QuickSight users belonging to this account", - "privilege": "ListUsers", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to use a dataset for a template", - "privilege": "PassDataSet", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "root" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "organizations:PolicyType" ], "dependent_actions": [], "resource_type": "" @@ -137692,156 +151526,140 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to use a data source for a data set", - "privilege": "PassDataSource", + "access_level": "List", + "description": "Grants permission to list all of the roots that are defined in the organization", + "privilege": "ListRoots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request", - "privilege": "RegisterUser", + "access_level": "List", + "description": "Grants permission to list all tags for the specified resource", + "privilege": "ListTagsForResource", "resource_types": [ { - "condition_keys": [ - "quicksight:IamArn", - "quicksight:SessionName" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to restore a deleted analysis", - "privilege": "RestoreAnalysis", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to search for a sub-set of analyses", - "privilege": "SearchAnalyses", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to search for a sub-set of QuickSight Dashboards", - "privilege": "SearchDashboards", - "resource_types": [ + "resource_type": "policy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "root" } ] }, { "access_level": "List", - "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", - "privilege": "SearchDirectoryGroups", + "description": "Grants permission to list all the roots, OUs, and accounts to which a policy is attached", + "privilege": "ListTargetsForPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "policy*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to search for a sub-set of QuickSight Folders", - "privilege": "SearchFolders", + "access_level": "Write", + "description": "Grants permission to move an account from its current root or OU to another parent root or OU", + "privilege": "MoveAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "account*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organizationalunit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" } ] }, { "access_level": "Write", - "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", - "privilege": "SetGroupMapping", + "description": "Grants permission to register the specified member account to administer the Organizations features of the AWS service that is specified by ServicePrincipal", + "privilege": "RegisterDelegatedAdministrator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "account*" + }, + { + "condition_keys": [ + "organizations:ServicePrincipal" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition", - "privilege": "Subscribe", + "description": "Grants permission to removes the specified account from the organization", + "privilege": "RemoveAccountFromOrganization", "resource_types": [ { - "condition_keys": [ - "quicksight:Edition", - "quicksight:DirectoryType" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "account*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add tags to a QuickSight resource", + "description": "Grants permission to add one or more tags to the specified resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" + "resource_type": "account" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder" + "resource_type": "organizationalunit" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "template" + "resource_type": "policy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme" + "resource_type": "root" }, { "condition_keys": [ @@ -137853,47 +151671,30 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight", - "privilege": "Unsubscribe", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a QuickSight resource", + "description": "Grants permission to remove one or more tags from the specified resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" + "resource_type": "account" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder" + "resource_type": "organizationalunit" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "template" + "resource_type": "policy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme" + "resource_type": "root" }, { "condition_keys": [ @@ -137906,56 +151707,115 @@ }, { "access_level": "Write", - "description": "Grants permission to update an account customization for QuickSight account or namespace", - "privilege": "UpdateAccountCustomization", + "description": "Grants permission to rename an organizational unit (OU)", + "privilege": "UpdateOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization*" + "resource_type": "organizationalunit*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the administrative account settings for QuickSight account", - "privilege": "UpdateAccountSettings", + "description": "Grants permission to update an existing policy with a new name, description, or content", + "privilege": "UpdatePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "policy*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:account/o-${OrganizationId}/${AccountId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "account" + }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId}", + "condition_keys": [], + "resource": "handshake" + }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:organization/o-${OrganizationId}", + "condition_keys": [], + "resource": "organization" + }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "organizationalunit" + }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "policy" + }, + { + "arn": "arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId}", + "condition_keys": [], + "resource": "awspolicy" }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:root/o-${OrganizationId}/r-${RootId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "root" + } + ], + "service_name": "AWS Organizations" + }, + { + "conditions": [], + "prefix": "outposts", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to update an analysis", - "privilege": "UpdateAnalysis", + "description": "Grants permission to cancel an order", + "privilege": "CancelOrder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update permissions for an analysis", - "privilege": "UpdateAnalysisPermissions", + "access_level": "Write", + "description": "Grants permission to create an order", + "privilege": "CreateOrder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update a custom permissions resource", - "privilege": "UpdateCustomPermissions", + "access_level": "Write", + "description": "Grants permission to create an Outpost", + "privilege": "CreateOutpost", "resource_types": [ { "condition_keys": [], @@ -137966,179 +151826,176 @@ }, { "access_level": "Write", - "description": "Grants permission to update a QuickSight Dashboard", - "privilege": "UpdateDashboard", + "description": "Grants permission to create a private connectivity configuration", + "privilege": "CreatePrivateConnectivityConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update permissions for a QuickSight Dashboard", - "privilege": "UpdateDashboardPermissions", + "access_level": "Write", + "description": "Grants permission to create a site", + "privilege": "CreateSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a QuickSight Dashboard\u2019s Published Version", - "privilege": "UpdateDashboardPublishedVersion", + "description": "Grants permission to delete an Outpost", + "privilege": "DeleteOutpost", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a dataset", - "privilege": "UpdateDataSet", + "description": "Grants permission to delete a site", + "privilege": "DeleteSite", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "quicksight:PassDataSource" - ], - "resource_type": "dataset*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update the resource policy of a dataset", - "privilege": "UpdateDataSetPermissions", + "access_level": "Read", + "description": "Grants permission to get a catalog item", + "privilege": "GetCatalogItem", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about the connection for your Outpost server", + "privilege": "GetConnection", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a data source", - "privilege": "UpdateDataSource", + "access_level": "Read", + "description": "Grants permission to get information about an order", + "privilege": "GetOrder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about the specified Outpost", + "privilege": "GetOutpost", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update the resource policy of a data source", - "privilege": "UpdateDataSourcePermissions", + "access_level": "Read", + "description": "Grants permission to get the instance types for the specified Outpost", + "privilege": "GetOutpostInstanceTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a private connectivity configuration", + "privilege": "GetPrivateConnectivityConfig", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a QuickSight Folder", - "privilege": "UpdateFolder", + "access_level": "Read", + "description": "Grants permission to get a site", + "privilege": "GetSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update permissions for a QuickSight Folder", - "privilege": "UpdateFolderPermissions", + "access_level": "Read", + "description": "Grants permission to get a site address", + "privilege": "GetSiteAddress", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "folder*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to change group description", - "privilege": "UpdateGroup", + "access_level": "List", + "description": "Grants permission to list the assets for your Outpost", + "privilege": "ListAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an existing assignment", - "privilege": "UpdateIAMPolicyAssignment", + "access_level": "List", + "description": "Grants permission to list all catalog items", + "privilege": "ListCatalogItems", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the IP restrictions for QuickSight account", - "privilege": "UpdateIpRestriction", + "access_level": "List", + "description": "Grants permission to list the orders for your AWS account", + "privilege": "ListOrders", "resource_types": [ { "condition_keys": [], @@ -138148,255 +152005,268 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update a template", - "privilege": "UpdateTemplate", + "access_level": "List", + "description": "Grants permission to list the Outposts for your AWS account", + "privilege": "ListOutposts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a template alias", - "privilege": "UpdateTemplateAlias", + "access_level": "List", + "description": "Grants permission to list the sites for your AWS account", + "privilege": "ListSites", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update permissions for a template", - "privilege": "UpdateTemplatePermissions", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a theme", - "privilege": "UpdateTheme", + "description": "Grants permission to start a connection for your Outpost server", + "privilege": "StartConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the alias of a theme", - "privilege": "UpdateThemeAlias", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update permissions for a theme", - "privilege": "UpdateThemePermissions", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an Amazon QuickSight user", - "privilege": "UpdateUser", + "description": "Grants permission to update an Outpost", + "privilege": "UpdateOutpost", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] - } - ], - "resources": [ + }, { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId}", - "condition_keys": [], - "resource": "user" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId}", - "condition_keys": [], - "resource": "group" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "analysis" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dashboard" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "template" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "datasource" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dataset" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ingestion" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "theme" - }, - { - "arn": "arn:${Partition}:quicksight::${Account}:assignment/${ResourceId}", - "condition_keys": [], - "resource": "assignment" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:customization/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "customization" + "access_level": "Write", + "description": "Grants permission to update a site", + "privilege": "UpdateSite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:namespace/${ResourceId}", - "condition_keys": [], - "resource": "namespace" + "access_level": "Write", + "description": "Grants permission to update the site address", + "privilege": "UpdateSiteAddress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:folder/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "folder" + "access_level": "Write", + "description": "Grants permission to update the physical properties of a rack at a site", + "privilege": "UpdateSiteRackPhysicalProperties", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], - "service_name": "Amazon QuickSight" + "resources": [], + "service_name": "AWS Outposts" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags that are passed in the request when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the tag keys that are passed when creating or tagging a resource share", - "type": "String" - }, - { - "condition": "ram:AllowsExternalPrincipals", - "description": "Filters access based on resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts that are outside of its AWS organization", - "type": "Bool" - }, + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "panorama", + "privileges": [ { - "condition": "ram:PermissionArn", - "description": "Filters access based on the specified Permission ARN", - "type": "Arn" + "access_level": "Write", + "description": "Grants permission to create an AWS Panorama application", + "privilege": "CreateApp", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "ram:PermissionResourceType", - "description": "Filters access based on permissions of specified resource type", - "type": "String" + "access_level": "Write", + "description": "Grants permission to deploy an AWS Panorama application", + "privilege": "CreateAppDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "ram:Principal", - "description": "Filters access based on the format of the specified principal", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create a version of an AWS Panorama application", + "privilege": "CreateAppVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "appVersion*" + } + ] }, { - "condition": "ram:RequestedAllowsExternalPrincipals", - "description": "Filters access based on the specified value for 'allowExternalPrincipals'. External principals are AWS accounts that are outside of its AWS Organization", - "type": "Bool" + "access_level": "Write", + "description": "Grants permission to create an AWS Panorama Application Instance", + "privilege": "CreateApplicationInstance", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "ram:RequestedResourceType", - "description": "Filters access based on the specified resource type", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create an AWS Panorama datasource", + "privilege": "CreateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "ram:ResourceArn", - "description": "Filters access based on a resource with the specified ARN", - "type": "Arn" + "access_level": "Write", + "description": "Grants permission to configure a deployment for an AWS Panorama application", + "privilege": "CreateDeploymentConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "ram:ResourceShareName", - "description": "Filters access based on a resource share with the specified name", - "type": "String" + "access_level": "Write", + "description": "Grants permission to generate a list of cameras on the same network as an AWS Panorama Appliance", + "privilege": "CreateInputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] }, - { - "condition": "ram:ShareOwnerAccountId", - "description": "Filters access based on resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner\u2019s account ID", - "type": "String" - } - ], - "prefix": "ram", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to accept the specified resource share invitation", - "privilege": "AcceptResourceShareInvitation", + "description": "Grants permission to create a job for an AWS Panorama Appliance", + "privilege": "CreateJobForDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share-invitation*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to import a machine learning model into AWS Panorama", + "privilege": "CreateModel", + "resource_types": [ { "condition_keys": [ - "ram:ShareOwnerAccountId" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -138405,22 +152275,25 @@ }, { "access_level": "Write", - "description": "Grants permission to associate resource(s) and/or principal(s) to a resource share", - "privilege": "AssociateResourceShare", + "description": "Grants permission to create an AWS Panorama Node", + "privilege": "CreateNodeFromTemplateJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS Panorama Package", + "privilege": "CreatePackage", + "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals", - "ram:Principal", - "ram:RequestedResourceType", - "ram:ResourceArn" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -138429,106 +152302,128 @@ }, { "access_level": "Write", - "description": "Grants permission to associate a Permission with a Resource Share", - "privilege": "AssociateResourceSharePermission", + "description": "Grants permission to create an AWS Panorama Package", + "privilege": "CreatePackageImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "permission*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to generate a list of streams available to an AWS Panorama Appliance", + "privilege": "CreateStreams", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" + "resource_type": "device*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a resource share with provided resource(s) and/or principal(s)", - "privilege": "CreateResourceShare", + "description": "Grants permission to delete an AWS Panorama application", + "privilege": "DeleteApp", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ram:RequestedResourceType", - "ram:ResourceArn", - "ram:RequestedAllowsExternalPrincipals", - "ram:Principal" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "app*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete resource share", - "privilege": "DeleteResourceShare", + "description": "Grants permission to delete a version of an AWS Panorama application", + "privilege": "DeleteAppVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "app*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS Panorama datasource", + "privilege": "DeleteDataSource", + "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dataSource*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate resource(s) and/or principal(s) from a resource share", - "privilege": "DisassociateResourceShare", + "description": "Grants permission to deregister an AWS Panorama Appliance", + "privilege": "DeleteDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "device*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a machine learning model from AWS Panorama", + "privilege": "DeleteModel", + "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals", - "ram:Principal", - "ram:RequestedResourceType", - "ram:ResourceArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a Permission from a Resource Share", - "privilege": "DisassociateResourceSharePermission", + "description": "Grants permission to delete an AWS Panorama Package", + "privilege": "DeletePackage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "permission*" - }, + "resource_type": "package*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deregister an AWS Panorama Package Version", + "privilege": "DeregisterPackageVersion", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to access customer's organization and create a SLR in the customer's account", - "privilege": "EnableSharingWithAwsOrganization", + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama application", + "privilege": "DescribeApp", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a deployment for an AWS Panorama application", + "privilege": "DescribeAppDeployment", "resource_types": [ { "condition_keys": [], @@ -138539,18 +152434,71 @@ }, { "access_level": "Read", - "description": "Grants permission to get the contents of an AWS RAM permission", - "privilege": "GetPermission", + "description": "Grants permission to view details about a version of an AWS Panorama application", + "privilege": "DescribeAppVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "permission*" - }, + "resource_type": "app*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama Application Instance", + "privilege": "DescribeApplicationInstance", + "resource_types": [ { - "condition_keys": [ - "ram:PermissionArn" - ], + "condition_keys": [], + "dependent_actions": [], + "resource_type": "applicationInstance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama Application Instance", + "privilege": "DescribeApplicationInstanceDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "applicationInstance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a datasource in AWS Panorama", + "privilege": "DescribeDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama Appliance", + "privilege": "DescribeDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view job details for an AWS Panorama Appliance", + "privilege": "DescribeDeviceJob", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -138558,8 +152506,20 @@ }, { "access_level": "Read", - "description": "Grants permission to get the policies for the specified resources that you own and have shared", - "privilege": "GetResourcePolicies", + "description": "Grants permission to view details about a machine learning model in AWS Panorama", + "privilege": "DescribeModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama Node", + "privilege": "DescribeNode", "resource_types": [ { "condition_keys": [], @@ -138570,8 +152530,8 @@ }, { "access_level": "Read", - "description": "Grants permission to get a set of resource share associations from a provided list or with a specified status of the specified type", - "privilege": "GetResourceShareAssociations", + "description": "Grants permission to view details about AWS Panorama Node", + "privilege": "DescribeNodeFromTemplateJob", "resource_types": [ { "condition_keys": [], @@ -138582,8 +152542,20 @@ }, { "access_level": "Read", - "description": "Grants permission to get resource share invitations by the specified invitation arn or those for the resource share", - "privilege": "GetResourceShareInvitations", + "description": "Grants permission to view details about an AWS Panorama Package", + "privilege": "DescribePackage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "package*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama Package", + "privilege": "DescribePackageImportJob", "resource_types": [ { "condition_keys": [], @@ -138594,8 +152566,8 @@ }, { "access_level": "Read", - "description": "Grants permission to get a set of resource shares from a provided list or with a specified status", - "privilege": "GetResourceShares", + "description": "Grants permission to view details about an AWS Panorama Package Version", + "privilege": "DescribePackageVersion", "resource_types": [ { "condition_keys": [], @@ -138606,20 +152578,68 @@ }, { "access_level": "Read", - "description": "Grants permission to list the resources in a resource share that is shared with you but that the invitation is still pending for", - "privilege": "ListPendingInvitationResources", + "description": "Grants permission to view details about a software version for the AWS Panorama Appliance", + "privilege": "DescribeSoftware", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share-invitation*" + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a deployment configuration for an AWS Panorama application", + "privilege": "GetDeploymentConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of cameras generated with CreateInputs", + "privilege": "GetInputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of streams generated with CreateStreams", + "privilege": "GetStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to generate a WebSocket endpoint for communication with AWS Panorama", + "privilege": "GetWebSocketURL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the AWS RAM permissions", - "privilege": "ListPermissions", + "description": "Grants permission to retrieve a list of deployments for an AWS Panorama application", + "privilege": "ListAppDeploymentOperations", "resource_types": [ { "condition_keys": [], @@ -138630,8 +152650,20 @@ }, { "access_level": "List", - "description": "Grants permission to list the principals that you have shared resources with or that have shared resources with you", - "privilege": "ListPrincipals", + "description": "Grants permission to retrieve a list of application versions in AWS Panorama", + "privilege": "ListAppVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of application instance dependencies in AWS Panorama", + "privilege": "ListApplicationInstanceDependencies", "resource_types": [ { "condition_keys": [], @@ -138642,20 +152674,23 @@ }, { "access_level": "List", - "description": "Grants permission to list the Permissions associated with a Resource Share", - "privilege": "ListResourceSharePermissions", + "description": "Grants permission to retrieve a list of node instances of application instances in AWS Panorama", + "privilege": "ListApplicationInstanceNodeInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of application instances in AWS Panorama", + "privilege": "ListApplicationInstances", + "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -138663,8 +152698,8 @@ }, { "access_level": "List", - "description": "Grants permission to list the shareable resource types supported by AWS RAM", - "privilege": "ListResourceTypes", + "description": "Grants permission to retrieve a list of applications in AWS Panorama", + "privilege": "ListApps", "resource_types": [ { "condition_keys": [], @@ -138675,8 +152710,20 @@ }, { "access_level": "List", - "description": "Grants permission to list the resources that you added to resource shares or the resources that are shared with you", - "privilege": "ListResources", + "description": "Grants permission to retrieve a list of datasources in AWS Panorama", + "privilege": "ListDataSources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of deployment configurations in AWS Panorama", + "privilege": "ListDeploymentConfigurations", "resource_types": [ { "condition_keys": [], @@ -138686,50 +152733,184 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to promote the specified resource share", - "privilege": "PromoteResourceShareCreatedFromPolicy", + "access_level": "List", + "description": "Grants permission to retrieve a list of appliances in AWS Panorama", + "privilege": "ListDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to reject the specified resource share invitation", - "privilege": "RejectResourceShareInvitation", + "access_level": "List", + "description": "Grants permission to retrieve a list of jobs for an AWS Panorama Appliance", + "privilege": "ListDevicesJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share-invitation*" + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of models in AWS Panorama", + "privilege": "ListModels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of Nodes for an AWS Panorama Appliance", + "privilege": "ListNodeFromTemplateJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of nodes in AWS Panorama", + "privilege": "ListNodes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of packages in AWS Panorama", + "privilege": "ListPackageImportJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of packages in AWS Panorama", + "privilege": "ListPackages", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of tags for a resource in AWS Panorama", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register an AWS Panorama Appliance", + "privilege": "ProvisionDevice", + "resource_types": [ { "condition_keys": [ - "ram:ShareOwnerAccountId" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" } ] }, + { + "access_level": "Write", + "description": "Grants permission to register an AWS Panorama Package Version", + "privilege": "RegisterPackageVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove an AWS Panorama Application Instance", + "privilege": "RemoveApplicationInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "applicationInstance*" + } + ] + }, { "access_level": "Tagging", - "description": "Grants permission to tag the specified resource share", + "description": "Grants permission to add tags to a resource in AWS Panorama", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" + "resource_type": "app" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -138738,17 +152919,31 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag the specified resource share", + "description": "Grants permission to remove tags from a resource in AWS Panorama", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" + "resource_type": "app" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -138758,21 +152953,47 @@ }, { "access_level": "Write", - "description": "Grants permission to update attributes of the resource share", - "privilege": "UpdateResourceShare", + "description": "Grants permission to modify an AWS Panorama application", + "privilege": "UpdateApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "app*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the version-specific configuration of an AWS Panorama application", + "privilege": "UpdateAppConfiguration", + "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals", - "ram:RequestedAllowsExternalPrincipals" - ], + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an AWS Panorama datasource", + "privilege": "UpdateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify basic settings for an AWS Panorama Appliance", + "privilege": "UpdateDeviceMetadata", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -138781,108 +153002,7419 @@ ], "resources": [ { - "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}", + "arn": "arn:${Partition}:panorama:${Region}:${Account}:device/${DeviceId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:AllowsExternalPrincipals", - "ram:ResourceShareName" + "aws:ResourceTag/${TagKey}" ], - "resource": "resource-share" + "resource": "device" }, { - "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}", + "arn": "arn:${Partition}:panorama:${Region}:${Account}:package/${PackageId}", "condition_keys": [ - "ram:ShareOwnerAccountId" + "aws:ResourceTag/${TagKey}" ], - "resource": "resource-share-invitation" + "resource": "package" }, { - "arn": "arn:${Partition}:ram::${Account}:permission/${ResourcePath}", + "arn": "arn:${Partition}:panorama:${Region}:${Account}:applicationInstance/${ApplicationInstanceId}", "condition_keys": [ - "ram:PermissionArn", - "ram:PermissionResourceType" + "aws:ResourceTag/${TagKey}" ], - "resource": "permission" - } - ], - "service_name": "AWS Resource Access Manager" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", - "type": "String" + "resource": "applicationInstance" }, { - "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "arn": "arn:${Partition}:panorama:${Region}:${Account}:dataSource/${DeviceId}/${DataSourceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dataSource" }, { - "condition": "rds:DatabaseClass", - "description": "Filters access by the type of DB instance class", - "type": "String" + "arn": "arn:${Partition}:panorama:${Region}:${Account}:model/${ModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "model" }, { - "condition": "rds:DatabaseEngine", - "description": "Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API", - "type": "String" + "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "app" }, { - "condition": "rds:DatabaseName", - "description": "Filters access by the user-defined name of the database on the DB instance", - "type": "String" - }, + "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}:${AppVersion}", + "condition_keys": [], + "resource": "appVersion" + } + ], + "service_name": "AWS Panorama" + }, + { + "conditions": [], + "prefix": "personalize", + "privileges": [ { - "condition": "rds:EndpointType", - "description": "Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create a batch inference job", + "privilege": "CreateBatchInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batchInferenceJob*" + } + ] }, { - "condition": "rds:MultiAz", - "description": "Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true", - "type": "Boolean" + "access_level": "Write", + "description": "Grants permission to create a batch segment job", + "privilege": "CreateBatchSegmentJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batchSegmentJob*" + } + ] }, { - "condition": "rds:Piops", - "description": "Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0", - "type": "Numeric" + "access_level": "Write", + "description": "Grants permission to create a campaign", + "privilege": "CreateCampaign", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] }, { - "condition": "rds:StorageEncrypted", - "description": "Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true", - "type": "Boolean" + "access_level": "Write", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] }, { - "condition": "rds:StorageSize", - "description": "Filters access by the storage volume size (in GB)", - "type": "Numeric" + "access_level": "Write", + "description": "Grants permission to create a dataset export job", + "privilege": "CreateDatasetExportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetExportJob*" + } + ] }, { - "condition": "rds:Vpc", - "description": "Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true", - "type": "Boolean" + "access_level": "Write", + "description": "Grants permission to create a dataset group", + "privilege": "CreateDatasetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" + } + ] }, { - "condition": "rds:cluster-pg-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB cluster parameter group", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create a dataset import job", + "privilege": "CreateDatasetImportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob*" + } + ] }, { - "condition": "rds:cluster-snapshot-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB cluster snapshot", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create an event tracker", + "privilege": "CreateEventTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] }, { - "condition": "rds:cluster-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB cluster", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create a filter", + "privilege": "CreateFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "filter*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a recommender", + "privilege": "CreateRecommender", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recommender*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a schema", + "privilege": "CreateSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a solution", + "privilege": "CreateSolution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a solution version", + "privilege": "CreateSolutionVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a campaign", + "privilege": "DeleteCampaign", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a dataset group", + "privilege": "DeleteDatasetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an event tracker", + "privilege": "DeleteEventTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a filter", + "privilege": "DeleteFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "filter*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a recommender", + "privilege": "DeleteRecommender", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recommender*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a schema", + "privilege": "DeleteSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a solution including all versions of the solution", + "privilege": "DeleteSolution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an algorithm", + "privilege": "DescribeAlgorithm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "algorithm*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a batch inference job", + "privilege": "DescribeBatchInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batchInferenceJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a batch segment job", + "privilege": "DescribeBatchSegmentJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batchSegmentJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a campaign", + "privilege": "DescribeCampaign", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset", + "privilege": "DescribeDataset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset export job", + "privilege": "DescribeDatasetExportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetExportJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset group", + "privilege": "DescribeDatasetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset import job", + "privilege": "DescribeDatasetImportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an event tracker", + "privilege": "DescribeEventTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a feature transformation", + "privilege": "DescribeFeatureTransformation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "featureTransformation*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a filter", + "privilege": "DescribeFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "filter*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a recipe", + "privilege": "DescribeRecipe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recipe*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a recommender", + "privilege": "DescribeRecommender", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recommender*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a schema", + "privilege": "DescribeSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a solution", + "privilege": "DescribeSolution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a version of a solution", + "privilege": "DescribeSolutionVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a re-ranked list of recommendations", + "privilege": "GetPersonalizedRanking", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a list of recommendations from a campaign", + "privilege": "GetRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get metrics for a solution version", + "privilege": "GetSolutionMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list batch inference jobs", + "privilege": "ListBatchInferenceJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list batch segment jobs", + "privilege": "ListBatchSegmentJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list campaigns", + "privilege": "ListCampaigns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list dataset export jobs", + "privilege": "ListDatasetExportJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list dataset groups", + "privilege": "ListDatasetGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list dataset import jobs", + "privilege": "ListDatasetImportJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list datasets", + "privilege": "ListDatasets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list event trackers", + "privilege": "ListEventTrackers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list filters", + "privilege": "ListFilters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list recipes", + "privilege": "ListRecipes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list recommenders", + "privilege": "ListRecommenders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list schemas", + "privilege": "ListSchemas", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list versions of a solution", + "privilege": "ListSolutionVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list solutions", + "privilege": "ListSolutions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put real time event data", + "privilege": "PutEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to ingest Items data", + "privilege": "PutItems", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to ingest Users data", + "privilege": "PutUsers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a recommender", + "privilege": "StartRecommender", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recommender*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a recommender", + "privilege": "StopRecommender", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recommender*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a solution version creation", + "privilege": "StopSolutionVersionCreation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a campaign", + "privilege": "UpdateCampaign", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a recommender", + "privilege": "UpdateRecommender", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recommender*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:schema/${ResourceId}", + "condition_keys": [], + "resource": "schema" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:feature-transformation/${ResourceId}", + "condition_keys": [], + "resource": "featureTransformation" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset/${ResourceId}", + "condition_keys": [], + "resource": "dataset" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-group/${ResourceId}", + "condition_keys": [], + "resource": "datasetGroup" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-import-job/${ResourceId}", + "condition_keys": [], + "resource": "datasetImportJob" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-export-job/${ResourceId}", + "condition_keys": [], + "resource": "datasetExportJob" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:solution/${ResourceId}", + "condition_keys": [], + "resource": "solution" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:campaign/${ResourceId}", + "condition_keys": [], + "resource": "campaign" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:event-tracker/${ResourceId}", + "condition_keys": [], + "resource": "eventTracker" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:recipe/${ResourceId}", + "condition_keys": [], + "resource": "recipe" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:algorithm/${ResourceId}", + "condition_keys": [], + "resource": "algorithm" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:batch-inference-job/${ResourceId}", + "condition_keys": [], + "resource": "batchInferenceJob" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:filter/${ResourceId}", + "condition_keys": [], + "resource": "filter" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:recommender/${ResourceId}", + "condition_keys": [], + "resource": "recommender" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:batch-segment-job/${ResourceId}", + "condition_keys": [], + "resource": "batchSegmentJob" + } + ], + "service_name": "Amazon Personalize" + }, + { + "conditions": [], + "prefix": "pi", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to call DescribeDimensionKeys API to retrieve the top N dimension keys for a metric for a specific time period", + "privilege": "DescribeDimensionKeys", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to call GetDimensionKeyDetails API to retrieve the attributes of the specified dimension group", + "privilege": "GetDimensionKeyDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to call GetResourceMetadata API to retrieve the metadata for different features", + "privilege": "GetResourceMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to call GetResourceMetrics API to retrieve PI metrics for a set of data sources, over a time period", + "privilege": "GetResourceMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to call ListAvailableResourceDimensions API to retrieve the dimensions that can be queried for each specified metric type on a specified DB instance", + "privilege": "ListAvailableResourceDimensions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to call ListAvailableResourceMetrics API to retrieve metrics of the specified types that can be queried for a specified DB instance", + "privilege": "ListAvailableResourceMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:pi:${Region}:${Account}:metrics/${ServiceType}/${Identifier}", + "condition_keys": [], + "resource": "metric-resource" + } + ], + "service_name": "AWS Performance Insights" + }, + { + "conditions": [], + "prefix": "polly", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permissions to delete the specified pronunciation lexicon stored in an AWS Region", + "privilege": "DeleteLexicon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to describe the list of voices that are available for use when requesting speech synthesis", + "privilege": "DescribeVoices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to retrieve the content of the specified pronunciation lexicon stored in an AWS Region", + "privilege": "GetLexicon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to get information about specific speech synthesis task", + "privilege": "GetSpeechSynthesisTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permisions to list the pronunciation lexicons stored in an AWS Region", + "privilege": "ListLexicons", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list requested speech synthesis tasks", + "privilege": "ListSpeechSynthesisTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to store a pronunciation lexicon in an AWS Region", + "privilege": "PutLexicon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to synthesize long inputs to the provided S3 location", + "privilege": "StartSpeechSynthesisTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:PutObject" + ], + "resource_type": "lexicon" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to synthesize speech", + "privilege": "SynthesizeSpeech", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:polly:${Region}:${Account}:lexicon/${LexiconName}", + "condition_keys": [], + "resource": "lexicon" + } + ], + "service_name": "Amazon Polly" + }, + { + "conditions": [], + "prefix": "pricing", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to retrieve service details for all (paginated) services (if serviceCode is not set) or service detail for a particular service (if given serviceCode)", + "privilege": "DescribeServices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve all (paginated) possible values for a given attribute", + "privilege": "GetAttributeValues", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve all matching products with given search criteria", + "privilege": "GetProducts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Price List" + }, + { + "conditions": [], + "prefix": "private-networks", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to acknowledge that an order has been received", + "privilege": "AcknowledgeOrderReceipt", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "order*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate a device identifier", + "privilege": "ActivateDeviceIdentifier", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-identifier*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate a network site", + "privilege": "ActivateNetworkSite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network-site*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "order*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to configure an access point", + "privilege": "ConfigureAccessPoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network-resource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a network", + "privilege": "CreateNetwork", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a network site", + "privilege": "CreateNetworkSite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deactivate a device identifier", + "privilege": "DeactivateDeviceIdentifier", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-identifier*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a network", + "privilege": "DeleteNetwork", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a network site", + "privilege": "DeleteNetworkSite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network-site*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a device identifier", + "privilege": "GetDeviceIdentifier", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-identifier*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a network", + "privilege": "GetNetwork", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a network resource", + "privilege": "GetNetworkResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a network site", + "privilege": "GetNetworkSite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network-site*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a network order", + "privilege": "GetOrder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "order*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list device identifiers", + "privilege": "ListDeviceIdentifiers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list network resources", + "privilege": "ListNetworkResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list network sites", + "privilege": "ListNetworkSites", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list networks", + "privilege": "ListNetworks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list network orders", + "privilege": "ListOrders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a network site", + "privilege": "UpdateNetworkSite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network-site*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a plan at a network site", + "privilege": "UpdateNetworkSitePlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network-site*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:private-networks:${Region}:${Account}:network/${NetworkName}", + "condition_keys": [], + "resource": "network" + }, + { + "arn": "arn:${Partition}:private-networks:${Region}:${Account}:network-site/${NetworkName}/${NetworkSiteName}", + "condition_keys": [], + "resource": "network-site" + }, + { + "arn": "arn:${Partition}:private-networks:${Region}:${Account}:network-resource/${NetworkName}/${ResourceId}", + "condition_keys": [], + "resource": "network-resource" + }, + { + "arn": "arn:${Partition}:private-networks:${Region}:${Account}:order/${NetworkName}/${OrderId}", + "condition_keys": [], + "resource": "order" + }, + { + "arn": "arn:${Partition}:private-networks:${Region}:${Account}:device-identifier/${NetworkName}/${DeviceId}", + "condition_keys": [], + "resource": "device-identifier" + } + ], + "service_name": "AWS service providing managed private networks" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the customer profile service", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the customer profile service", + "type": "ArrayOfString" + } + ], + "prefix": "profile", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to add a profile key", + "privilege": "AddProfileKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Domain", + "privilege": "CreateDomain", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an integration workflow in a domain", + "privilege": "CreateIntegrationWorkflow", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a profile in the domain", + "privilege": "CreateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Domain", + "privilege": "DeleteDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a integration in a domain", + "privilege": "DeleteIntegration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integrations*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a profile", + "privilege": "DeleteProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a profile key", + "privilege": "DeleteProfileKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a profile object", + "privilege": "DeleteProfileObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a specific profile object type in the domain", + "privilege": "DeleteProfileObjectType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a workflow in a domain", + "privilege": "DeleteWorkflow", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a preview of auto merging in a domain", + "privilege": "GetAutoMergingPreview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific domain in an account", + "privilege": "GetDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an identity resolution job in a domain", + "privilege": "GetIdentityResolutionJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific integrations in a domain", + "privilege": "GetIntegration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integrations*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get profile matches in a domain", + "privilege": "GetMatches", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific profile object type in the domain", + "privilege": "GetProfileObjectType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific object type template", + "privilege": "GetProfileObjectTypeTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get workflow details in a domain", + "privilege": "GetWorkflow", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get workflow step details in a domain", + "privilege": "GetWorkflowSteps", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the integrations in the account", + "privilege": "ListAccountIntegrations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the domains in an account", + "privilege": "ListDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list identity resolution jobs in a domain", + "privilege": "ListIdentityResolutionJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the integrations in a specific domain", + "privilege": "ListIntegrations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the profile object type templates in the account", + "privilege": "ListProfileObjectTypeTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the profile object types in the domain", + "privilege": "ListProfileObjectTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the profile objects for a profile", + "privilege": "ListProfileObjects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the workflows in a specific domain", + "privilege": "ListWorkflows", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to merge profiles in a domain", + "privilege": "MergeProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put a integration in a domain", + "privilege": "PutIntegration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integrations*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put an object for a profile", + "privilege": "PutProfileObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put a specific profile object type in the domain", + "privilege": "PutProfileObjectType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search for profiles in a domain", + "privilege": "SearchProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to adds tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a Domain", + "privilege": "UpdateDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a profile in the domain", + "privilege": "UpdateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "domains" + }, + { + "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/object-types/${ObjectTypeName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "object-types" + }, + { + "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/integrations/${Uri}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "integrations" + } + ], + "service_name": "Amazon Connect Customer Profiles" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "proton:EnvironmentTemplate", + "description": "Filters access by specified environment template related to resource", + "type": "String" + }, + { + "condition": "proton:ServiceTemplate", + "description": "Filters access by specified service template related to resource", + "type": "String" + } + ], + "prefix": "proton", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to reject an environment account connection request from another environment account", + "privilege": "AcceptEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel component deployment", + "privilege": "CancelComponentDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel an environment deployment", + "privilege": "CancelEnvironmentDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a service instance deployment", + "privilege": "CancelServiceInstanceDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a service pipeline deployment", + "privilege": "CancelServicePipelineDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create component", + "privilege": "CreateComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment", + "privilege": "CreateEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment account connection", + "privilege": "CreateEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment template", + "privilege": "CreateEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment template major version. DEPRECATED - use CreateEnvironmentTemplateVersion instead", + "privilege": "CreateEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment template minor version. DEPRECATED - use CreateEnvironmentTemplateVersion instead", + "privilege": "CreateEnvironmentTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment template version", + "privilege": "CreateEnvironmentTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a repository", + "privilege": "CreateRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service", + "privilege": "CreateService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "codestar-connections:PassConnection" + ], + "resource_type": "service*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service template", + "privilege": "CreateServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service template major version. DEPRECATED - use CreateServiceTemplateVersion instead", + "privilege": "CreateServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service template minor version. DEPRECATED - use CreateServiceTemplateVersion instead", + "privilege": "CreateServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service template version", + "privilege": "CreateServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a template sync config", + "privilege": "CreateTemplateSyncConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete account roles. DEPRECATED - use UpdateAccountSettings instead", + "privilege": "DeleteAccountRoles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete component", + "privilege": "DeleteComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment", + "privilege": "DeleteEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment account connection", + "privilege": "DeleteEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment template", + "privilege": "DeleteEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment template major version. DEPRECATED - use DeleteEnvironmentTemplateVersion instead", + "privilege": "DeleteEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment template minor version. DEPRECATED - use DeleteEnvironmentTemplateVersion instead", + "privilege": "DeleteEnvironmentTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment template version", + "privilege": "DeleteEnvironmentTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a repository", + "privilege": "DeleteRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service", + "privilege": "DeleteService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service template", + "privilege": "DeleteServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service template major version. DEPRECATED - use DeleteServiceTemplateVersion instead", + "privilege": "DeleteServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service template minor version. DEPRECATED - use DeleteServiceTemplateVersion instead", + "privilege": "DeleteServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service template version", + "privilege": "DeleteServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a TemplateSyncConfig", + "privilege": "DeleteTemplateSyncConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get account roles. DEPRECATED - use GetAccountSettings instead", + "privilege": "GetAccountRoles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the account settings", + "privilege": "GetAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a component", + "privilege": "GetComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment", + "privilege": "GetEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment account connection", + "privilege": "GetEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment template", + "privilege": "GetEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an environment template major version. DEPRECATED - use GetEnvironmentTemplateVersion instead", + "privilege": "GetEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an environment template minor version. DEPRECATED - use GetEnvironmentTemplateVersion instead", + "privilege": "GetEnvironmentTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment template version", + "privilege": "GetEnvironmentTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a repository", + "privilege": "GetRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the latest sync status for a repository", + "privilege": "GetRepositorySyncStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service", + "privilege": "GetService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service instance", + "privilege": "GetServiceInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service template", + "privilege": "GetServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a service template major version. DEPRECATED - use GetServiceTemplateVersion instead", + "privilege": "GetServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a service template minor version. DEPRECATED - use GetServiceTemplateVersion instead", + "privilege": "GetServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service template version", + "privilege": "GetServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a TemplateSyncConfig", + "privilege": "GetTemplateSyncConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the sync status of a template", + "privilege": "GetTemplateSyncStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list component outputs", + "privilege": "ListComponentOutputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list component provisioned resources", + "privilege": "ListComponentProvisionedResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list components", + "privilege": "ListComponents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment account connections", + "privilege": "ListEnvironmentAccountConnections", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment outputs", + "privilege": "ListEnvironmentOutputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment provisioned resources", + "privilege": "ListEnvironmentProvisionedResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment template major versions. DEPRECATED - use ListEnvironmentTemplateVersions instead", + "privilege": "ListEnvironmentTemplateMajorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list an environment template minor versions. DEPRECATED - use ListEnvironmentTemplateVersions instead", + "privilege": "ListEnvironmentTemplateMinorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment template versions", + "privilege": "ListEnvironmentTemplateVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment templates", + "privilege": "ListEnvironmentTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environments", + "privilege": "ListEnvironments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list repositories", + "privilege": "ListRepositories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list repository sync definitions", + "privilege": "ListRepositorySyncDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service instance outputs", + "privilege": "ListServiceInstanceOutputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service instance provisioned resources", + "privilege": "ListServiceInstanceProvisionedResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service instances", + "privilege": "ListServiceInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service pipeline outputs", + "privilege": "ListServicePipelineOutputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service pipeline provisioned resources", + "privilege": "ListServicePipelineProvisionedResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service template major versions. DEPRECATED - use ListServiceTemplateVersions instead", + "privilege": "ListServiceTemplateMajorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service template minor versions. DEPRECATED - use ListServiceTemplateVersions instead", + "privilege": "ListServiceTemplateMinorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service template versions", + "privilege": "ListServiceTemplateVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service templates", + "privilege": "ListServiceTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list services", + "privilege": "ListServices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags of a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-version" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to notify Proton of resource deployment status changes", + "privilege": "NotifyResourceDeploymentStatusChange", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reject an environment account connection request from another environment account", + "privilege": "RejectEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-version" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-version" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update account roles. DEPRECATED - use UpdateAccountSettings instead", + "privilege": "UpdateAccountRoles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the account settings", + "privilege": "UpdateAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update component", + "privilege": "UpdateComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment", + "privilege": "UpdateEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment account connection", + "privilege": "UpdateEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment template", + "privilege": "UpdateEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment template major version. DEPRECATED - use UpdateEnvironmentTemplateVersion instead", + "privilege": "UpdateEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment template minor version. DEPRECATED - use UpdateEnvironmentTemplateVersion instead", + "privilege": "UpdateEnvironmentTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment template version", + "privilege": "UpdateEnvironmentTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service", + "privilege": "UpdateService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service instance", + "privilege": "UpdateServiceInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service pipeline", + "privilege": "UpdateServicePipeline", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service template", + "privilege": "UpdateServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service template major version. DEPRECATED - use UpdateServiceTemplateVersion instead", + "privilege": "UpdateServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service template minor version. DEPRECATED - use UpdateServiceTemplateVersion instead", + "privilege": "UpdateServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service template version", + "privilege": "UpdateServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a TemplateSyncConfig", + "privilege": "UpdateTemplateSyncConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersion}.${MinorVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template-major-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template-minor-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersion}.${MinorVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template-major-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template-minor-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${ServiceName}/service-instance/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-instance" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-account-connection/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-account-connection" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:repository/${Provider}:${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "repository" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:component/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "component" + } + ], + "service_name": "AWS Proton" + }, + { + "conditions": [], + "prefix": "purchase-orders", + "privileges": [ + { + "access_level": "Write", + "description": "Modify purchase orders and details", + "privilege": "ModifyPurchaseOrders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "View purchase orders and details", + "privilege": "ViewPurchaseOrders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Purchase Orders Console" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "qldb:Purge", + "description": "Filters access by the value of purge that is specified in a PartiQL DROP statement", + "type": "String" + } + ], + "prefix": "qldb", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to cancel a journal kinesis stream", + "privilege": "CancelJournalKinesisStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a ledger", + "privilege": "CreateLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a ledger", + "privilege": "DeleteLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe information about a journal kinesis stream", + "privilege": "DescribeJournalKinesisStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe information about a journal export job", + "privilege": "DescribeJournalS3Export", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a ledger", + "privilege": "DescribeLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send commands to a ledger via the console", + "privilege": "ExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to export journal contents to an Amazon S3 bucket", + "privilege": "ExportJournalToS3", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a block from a ledger for a given BlockAddress", + "privilege": "GetBlock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a digest from a ledger for a given BlockAddress", + "privilege": "GetDigest", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a revision for a given document ID and a given BlockAddress", + "privilege": "GetRevision", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to insert sample application data via the console", + "privilege": "InsertSampleData", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list journal kinesis streams for a specified ledger", + "privilege": "ListJournalKinesisStreamsForLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list journal export jobs for all ledgers", + "privilege": "ListJournalS3Exports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list journal export jobs for a specified ledger", + "privilege": "ListJournalS3ExportsForLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list existing ledgers", + "privilege": "ListLedgers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an index on a table", + "privilege": "PartiQLCreateIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a table", + "privilege": "PartiQLCreateTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete documents from a table", + "privilege": "PartiQLDelete", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to drop an index from a table", + "privilege": "PartiQLDropIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "qldb:Purge" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to drop a table", + "privilege": "PartiQLDropTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "qldb:Purge" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use the history function on a table", + "privilege": "PartiQLHistoryFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to insert documents into a table", + "privilege": "PartiQLInsert", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to select documents from a table", + "privilege": "PartiQLSelect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to undrop a table", + "privilege": "PartiQLUndropTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update existing documents in a table", + "privilege": "PartiQLUpdate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send commands to a ledger", + "privilege": "SendCommand", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to view a ledger's catalog via the console", + "privilege": "ShowCatalog", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stream journal contents to a Kinesis Data Stream", + "privilege": "StreamJournalToKinesis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update properties on a ledger", + "privilege": "UpdateLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the permissions mode on a ledger", + "privilege": "UpdateLedgerPermissionsMode", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ledger" + }, + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:stream/${LedgerName}/${StreamId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "stream" + }, + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/table/${TableId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "table" + }, + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/information_schema/user_tables", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "catalog" + } + ], + "service_name": "Amazon QLDB" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by tag keys", + "type": "ArrayOfString" + }, + { + "condition": "quicksight:AllowedEmbeddingDomains", + "description": "Filters access by the allowed embedding domains", + "type": "ArrayOfString" + }, + { + "condition": "quicksight:DirectoryType", + "description": "Filters access by the user management options", + "type": "String" + }, + { + "condition": "quicksight:Edition", + "description": "Filters access by the edition of QuickSight", + "type": "String" + }, + { + "condition": "quicksight:IamArn", + "description": "Filters access by IAM user or role ARN", + "type": "String" + }, + { + "condition": "quicksight:SessionName", + "description": "Filters access by session name", + "type": "String" + }, + { + "condition": "quicksight:UserName", + "description": "Filters access by user name", + "type": "String" + } + ], + "prefix": "quicksight", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to enable setting default access to AWS resources", + "privilege": "AccountConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a SPICE ingestions on a dataset", + "privilege": "CancelIngestion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an account customization for QuickSight account or namespace", + "privilege": "CreateAccountCustomization", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to subscribe to QuickSight", + "privilege": "CreateAccountSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision Amazon QuickSight administrators, authors, and readers", + "privilege": "CreateAdmin", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an analysis from a template", + "privilege": "CreateAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to create a custom permissions resource for restricting user access", + "privilege": "CreateCustomPermissions", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight Dashboard", + "privilege": "CreateDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "quicksight:PassDataSource" + ], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a data source", + "privilege": "CreateDataSource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight email customization template", + "privilege": "CreateEmailCustomizationTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "emailCustomizationTemplate*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight folder", + "privilege": "CreateFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a QuickSight Dashboard, Analysis or Dataset to a QuickSight Folder", + "privilege": "CreateFolderMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight group", + "privilege": "CreateGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a QuickSight user to a QuickSight group", + "privilege": "CreateGroupMembership", + "resource_types": [ + { + "condition_keys": [ + "quicksight:UserName" + ], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight", + "privilege": "CreateIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a SPICE ingestion on a dataset", + "privilege": "CreateIngestion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an QuickSight namespace", + "privilege": "CreateNamespace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ds:CreateIdentityPoolDirectory" + ], + "resource_type": "namespace*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision Amazon QuickSight readers", + "privilege": "CreateReader", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a template", + "privilege": "CreateTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a template alias", + "privilege": "CreateTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a theme", + "privilege": "CreateTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an alias for a theme version", + "privilege": "CreateThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision Amazon QuickSight authors and readers", + "privilege": "CreateUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a VPC connection", + "privilege": "CreateVPCConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an account customization for QuickSight account or namespace", + "privilege": "DeleteAccountCustomization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an analysis", + "privilege": "DeleteAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to delete a custom permissions resource", + "privilege": "DeleteCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight Dashboard", + "privilege": "DeleteDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a data source", + "privilege": "DeleteDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight email customization template", + "privilege": "DeleteEmailCustomizationTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "emailCustomizationTemplate*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight Folder", + "privilege": "DeleteFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a QuickSight Dashboard, Analysis or Dataset from a QuickSight Folder", + "privilege": "DeleteFolderMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a user group from QuickSight", + "privilege": "DeleteGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a user from a group so that he/she is no longer a member of the group", + "privilege": "DeleteGroupMembership", + "resource_types": [ + { + "condition_keys": [ + "quicksight:UserName" + ], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing assignment", + "privilege": "DeleteIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight namespace", + "privilege": "DeleteNamespace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ds:DeleteDirectory" + ], + "resource_type": "namespace*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a template", + "privilege": "DeleteTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a template alias", + "privilege": "DeleteTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a theme", + "privilege": "DeleteTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the alias of a theme", + "privilege": "DeleteThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight user, given the user name", + "privilege": "DeleteUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deletes a user identified by its principal ID", + "privilege": "DeleteUserByPrincipalId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a VPC connection", + "privilege": "DeleteVPCConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an account customization for QuickSight account or namespace", + "privilege": "DescribeAccountCustomization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the administrative account settings for QuickSight account", + "privilege": "DescribeAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight account", + "privilege": "DescribeAccountSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "account*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an analysis", + "privilege": "DescribeAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for an analysis", + "privilege": "DescribeAnalysisPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to describe a custom permissions resource in a QuickSight account", + "privilege": "DescribeCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight Dashboard", + "privilege": "DescribeDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a QuickSight Dashboard", + "privilege": "DescribeDashboardPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset", + "privilege": "DescribeDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to describe the resource policy of a dataset", + "privilege": "DescribeDataSetPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a data source", + "privilege": "DescribeDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to describe the resource policy of a data source", + "privilege": "DescribeDataSourcePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight email customization template", + "privilege": "DescribeEmailCustomizationTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "emailCustomizationTemplate*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight Folder", + "privilege": "DescribeFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a QuickSight Folder", + "privilege": "DescribeFolderPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe resolved permissions for a QuickSight Folder", + "privilege": "DescribeFolderResolvedPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight group", + "privilege": "DescribeGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight group member", + "privilege": "DescribeGroupMembership", + "resource_types": [ + { + "condition_keys": [ + "quicksight:UserName" + ], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an existing assignment", + "privilege": "DescribeIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a SPICE ingestion on a dataset", + "privilege": "DescribeIngestion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the IP restrictions for QuickSight account", + "privilege": "DescribeIpRestriction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight namespace", + "privilege": "DescribeNamespace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "namespace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a template", + "privilege": "DescribeTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a template alias", + "privilege": "DescribeTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a template", + "privilege": "DescribeTemplatePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a theme", + "privilege": "DescribeTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a theme alias", + "privilege": "DescribeThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a theme", + "privilege": "DescribeThemePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight user given the user name", + "privilege": "DescribeUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to generate a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight", + "privilege": "GenerateEmbedUrlForAnonymousUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "namespace*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "quicksight:AllowedEmbeddingDomains" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to generate a URL used to embed a QuickSight Dashboard for a user registered with QuickSight", + "privilege": "GenerateEmbedUrlForRegisteredUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "quicksight:AllowedEmbeddingDomains" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight", + "privilege": "GetAnonymousUserEmbedUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an auth code representing a QuickSight user", + "privilege": "GetAuthCode", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a URL used to embed a QuickSight Dashboard", + "privilege": "GetDashboardEmbedUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight", + "privilege": "GetGroupMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a URL to embed QuickSight console experience", + "privilege": "GetSessionEmbedUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all analyses in an account", + "privilege": "ListAnalyses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to list custom permissions resources in QuickSight account", + "privilege": "ListCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all versions of a QuickSight Dashboard", + "privilege": "ListDashboardVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all Dashboards in a QuickSight Account", + "privilege": "ListDashboards", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all datasets", + "privilege": "ListDataSets", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all data sources", + "privilege": "ListDataSources", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all members in a folder", + "privilege": "ListFolderMembers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all Folders in a QuickSight Account", + "privilege": "ListFolders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list member users in a group", + "privilege": "ListGroupMemberships", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all user groups in QuickSight", + "privilege": "ListGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assignments in the current Amazon QuickSight account", + "privilege": "ListIAMPolicyAssignments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assignments assigned to a user and the groups it belongs", + "privilege": "ListIAMPolicyAssignmentsForUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all SPICE ingestions on a dataset", + "privilege": "ListIngestions", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to lists all namespaces in a QuickSight account", + "privilege": "ListNamespaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags of a QuickSight resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all aliases for a template", + "privilege": "ListTemplateAliases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all versions of a template", + "privilege": "ListTemplateVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all templates in a QuickSight account", + "privilege": "ListTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all aliases of a theme", + "privilege": "ListThemeAliases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all versions of a theme", + "privilege": "ListThemeVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all themes in an account", + "privilege": "ListThemes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list groups that a given user is a member of", + "privilege": "ListUserGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all of the QuickSight users belonging to this account", + "privilege": "ListUsers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use a dataset for a template", + "privilege": "PassDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use a data source for a data set", + "privilege": "PassDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request", + "privilege": "RegisterUser", + "resource_types": [ + { + "condition_keys": [ + "quicksight:IamArn", + "quicksight:SessionName" + ], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore a deleted analysis", + "privilege": "RestoreAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to manage scoping policies for permissions to AWS resources", + "privilege": "ScopeDownPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search for a sub-set of analyses", + "privilege": "SearchAnalyses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search for a sub-set of QuickSight Dashboards", + "privilege": "SearchDashboards", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", + "privilege": "SearchDirectoryGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search for a sub-set of QuickSight Folders", + "privilege": "SearchFolders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search for a sub-set of QuickSight groups", + "privilege": "SearchGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", + "privilege": "SetGroupMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition", + "privilege": "Subscribe", + "resource_types": [ + { + "condition_keys": [ + "quicksight:Edition", + "quicksight:DirectoryType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a QuickSight resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight", + "privilege": "Unsubscribe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a QuickSight resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an account customization for QuickSight account or namespace", + "privilege": "UpdateAccountCustomization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the administrative account settings for QuickSight account", + "privilege": "UpdateAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an analysis", + "privilege": "UpdateAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for an analysis", + "privilege": "UpdateAnalysisPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update a custom permissions resource", + "privilege": "UpdateCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a QuickSight Dashboard", + "privilege": "UpdateDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a QuickSight Dashboard", + "privilege": "UpdateDashboardPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a QuickSight Dashboard\u2019s Published Version", + "privilege": "UpdateDashboardPublishedVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a dataset", + "privilege": "UpdateDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "quicksight:PassDataSource" + ], + "resource_type": "dataset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update the resource policy of a dataset", + "privilege": "UpdateDataSetPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a data source", + "privilege": "UpdateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update the resource policy of a data source", + "privilege": "UpdateDataSourcePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a QuickSight email customization template", + "privilege": "UpdateEmailCustomizationTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "emailCustomizationTemplate*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a QuickSight Folder", + "privilege": "UpdateFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a QuickSight Folder", + "privilege": "UpdateFolderPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to change group description", + "privilege": "UpdateGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing assignment", + "privilege": "UpdateIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the IP restrictions for QuickSight account", + "privilege": "UpdateIpRestriction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable or disable public sharing on an account", + "privilege": "UpdatePublicSharingSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update resource-level permissions in QuickSight", + "privilege": "UpdateResourcePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a template", + "privilege": "UpdateTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a template alias", + "privilege": "UpdateTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a template", + "privilege": "UpdateTemplatePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a theme", + "privilege": "UpdateTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the alias of a theme", + "privilege": "UpdateThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a theme", + "privilege": "UpdateThemePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an Amazon QuickSight user", + "privilege": "UpdateUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:account/${ResourceId}", + "condition_keys": [], + "resource": "account" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId}", + "condition_keys": [], + "resource": "user" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId}", + "condition_keys": [], + "resource": "group" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "analysis" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dashboard" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "template" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "datasource" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dataset" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ingestion" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "theme" + }, + { + "arn": "arn:${Partition}:quicksight::${Account}:assignment/${ResourceId}", + "condition_keys": [], + "resource": "assignment" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:customization/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "customization" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:namespace/${ResourceId}", + "condition_keys": [], + "resource": "namespace" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:folder/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "folder" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:email-customization-template/${ResourceId}", + "condition_keys": [], + "resource": "emailCustomizationTemplate" + } + ], + "service_name": "Amazon QuickSight" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed when creating or tagging a resource share", + "type": "ArrayOfString" + }, + { + "condition": "ram:AllowsExternalPrincipals", + "description": "Filters access based on resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts that are outside of its AWS organization", + "type": "Bool" + }, + { + "condition": "ram:PermissionArn", + "description": "Filters access based on the specified Permission ARN", + "type": "ARN" + }, + { + "condition": "ram:PermissionResourceType", + "description": "Filters access based on permissions of specified resource type", + "type": "String" + }, + { + "condition": "ram:Principal", + "description": "Filters access based on the format of the specified principal", + "type": "String" + }, + { + "condition": "ram:RequestedAllowsExternalPrincipals", + "description": "Filters access based on the specified value for 'allowExternalPrincipals'. External principals are AWS accounts that are outside of its AWS Organization", + "type": "Bool" + }, + { + "condition": "ram:RequestedResourceType", + "description": "Filters access based on the specified resource type", + "type": "String" + }, + { + "condition": "ram:ResourceArn", + "description": "Filters access based on a resource with the specified ARN", + "type": "ARN" + }, + { + "condition": "ram:ResourceShareName", + "description": "Filters access based on a resource share with the specified name", + "type": "String" + }, + { + "condition": "ram:ShareOwnerAccountId", + "description": "Filters access based on resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner's account ID", + "type": "String" + } + ], + "prefix": "ram", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept the specified resource share invitation", + "privilege": "AcceptResourceShareInvitation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share-invitation*" + }, + { + "condition_keys": [ + "ram:ShareOwnerAccountId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate resource(s) and/or principal(s) to a resource share", + "privilege": "AssociateResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals", + "ram:Principal", + "ram:RequestedResourceType", + "ram:ResourceArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a Permission with a Resource Share", + "privilege": "AssociateResourceSharePermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "permission*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a resource share with provided resource(s) and/or principal(s)", + "privilege": "CreateResourceShare", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ram:RequestedResourceType", + "ram:ResourceArn", + "ram:RequestedAllowsExternalPrincipals", + "ram:Principal" + ], + "dependent_actions": [ + "ec2:CreateTags" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete resource share", + "privilege": "DeleteResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate resource(s) and/or principal(s) from a resource share", + "privilege": "DisassociateResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals", + "ram:Principal", + "ram:RequestedResourceType", + "ram:ResourceArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a Permission from a Resource Share", + "privilege": "DisassociateResourceSharePermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "permission*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to access customer's organization and create a SLR in the customer's account", + "privilege": "EnableSharingWithAwsOrganization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "organizations:DescribeOrganization", + "organizations:EnableAWSServiceAccess" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the contents of an AWS RAM permission", + "privilege": "GetPermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "permission*" + }, + { + "condition_keys": [ + "ram:PermissionArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the policies for the specified resources that you own and have shared", + "privilege": "GetResourcePolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a set of resource share associations from a provided list or with a specified status of the specified type", + "privilege": "GetResourceShareAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get resource share invitations by the specified invitation arn or those for the resource share", + "privilege": "GetResourceShareInvitations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a set of resource shares from a provided list or with a specified status", + "privilege": "GetResourceShares", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the resources in a resource share that is shared with you but that the invitation is still pending for", + "privilege": "ListPendingInvitationResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share-invitation*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the versions of an AWS RAM permission", + "privilege": "ListPermissionVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the AWS RAM permissions", + "privilege": "ListPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the principals that you have shared resources with or that have shared resources with you", + "privilege": "ListPrincipals", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Permissions associated with a Resource Share", + "privilege": "ListResourceSharePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the shareable resource types supported by AWS RAM", + "privilege": "ListResourceTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the resources that you added to resource shares or the resources that are shared with you", + "privilege": "ListResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to promote the specified resource share", + "privilege": "PromoteResourceShareCreatedFromPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reject the specified resource share invitation", + "privilege": "RejectResourceShareInvitation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share-invitation*" + }, + { + "condition_keys": [ + "ram:ShareOwnerAccountId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag the specified resource share", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag the specified resource share", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update attributes of the resource share", + "privilege": "UpdateResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals", + "ram:RequestedAllowsExternalPrincipals" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:AllowsExternalPrincipals", + "ram:ResourceShareName" + ], + "resource": "resource-share" + }, + { + "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}", + "condition_keys": [ + "ram:ShareOwnerAccountId" + ], + "resource": "resource-share-invitation" + }, + { + "arn": "arn:${Partition}:ram::${Account}:permission/${ResourcePath}", + "condition_keys": [ + "ram:PermissionArn", + "ram:PermissionResourceType" + ], + "resource": "permission" + } + ], + "service_name": "AWS Resource Access Manager" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag's key and value in a request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys in a request", + "type": "ArrayOfString" + }, + { + "condition": "rbin:Attribute/ResourceType", + "description": "Filters access by the resource type of the existing rule", + "type": "String" + }, + { + "condition": "rbin:Request/ResourceType", + "description": "Filters access by the resource type in a request", + "type": "String" + } + ], + "prefix": "rbin", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a Recycle Bin retention rule", + "privilege": "CreateRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rbin:Request/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Recycle Bin retention rule", + "privilege": "DeleteRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rbin:Attribute/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get detailed information about a Recycle Bin retention rule", + "privilege": "GetRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rbin:Attribute/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the Recycle Bin retention rules in the Region", + "privilege": "ListRules", + "resource_types": [ + { + "condition_keys": [ + "rbin:Request/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags associated with a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rbin:Attribute/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add or update tags of a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "rbin:Attribute/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags associated with a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "rbin:Attribute/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing Recycle Bin retention rule", + "privilege": "UpdateRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rbin:Attribute/ResourceType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rbin:${Region}:${Account}:rule/${ResourceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "rule" + } + ], + "service_name": "AWS Recycle Bin" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the set of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the set of tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the set of tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "rds:BackupTarget", + "description": "Filters access by the type of backup target. One of: REGION, OUTPOSTS", + "type": "String" + }, + { + "condition": "rds:DatabaseClass", + "description": "Filters access by the type of DB instance class", + "type": "String" + }, + { + "condition": "rds:DatabaseEngine", + "description": "Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API", + "type": "String" + }, + { + "condition": "rds:DatabaseName", + "description": "Filters access by the user-defined name of the database on the DB instance", + "type": "String" + }, + { + "condition": "rds:EndpointType", + "description": "Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM", + "type": "String" + }, + { + "condition": "rds:MultiAz", + "description": "Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true", + "type": "Bool" + }, + { + "condition": "rds:Piops", + "description": "Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0", + "type": "Numeric" + }, + { + "condition": "rds:StorageEncrypted", + "description": "Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true", + "type": "Bool" + }, + { + "condition": "rds:StorageSize", + "description": "Filters access by the storage volume size (in GB)", + "type": "Numeric" + }, + { + "condition": "rds:Vpc", + "description": "Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true", + "type": "Bool" + }, + { + "condition": "rds:cluster-pg-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB cluster parameter group", + "type": "String" + }, + { + "condition": "rds:cluster-snapshot-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB cluster snapshot", + "type": "String" + }, + { + "condition": "rds:cluster-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB cluster", + "type": "String" }, { "condition": "rds:db-tag/${TagKey}", @@ -138890,178 +160422,3071 @@ "type": "String" }, { - "condition": "rds:es-tag/${TagKey}", - "description": "Filters access by the tag attached to an event subscription", + "condition": "rds:es-tag/${TagKey}", + "description": "Filters access by the tag attached to an event subscription", + "type": "String" + }, + { + "condition": "rds:og-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB option group", + "type": "String" + }, + { + "condition": "rds:pg-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB parameter group", + "type": "String" + }, + { + "condition": "rds:req-tag/${TagKey}", + "description": "Filters access by the set of tag keys and values that can be used to tag a resource", + "type": "String" + }, + { + "condition": "rds:ri-tag/${TagKey}", + "description": "Filters access by the tag attached to a reserved DB instance", + "type": "String" + }, + { + "condition": "rds:secgrp-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB security group", + "type": "String" + }, + { + "condition": "rds:snapshot-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB snapshot", + "type": "String" + }, + { + "condition": "rds:subgrp-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB subnet group", + "type": "String" + } + ], + "prefix": "rds", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate an Identity and Access Management (IAM) role from an Aurora DB cluster", + "privilege": "AddRoleToDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance", + "privilege": "AddRoleToDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a source identifier to an existing RDS event notification subscription", + "privilege": "AddSourceIdentifierToSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add metadata tags to an Amazon RDS resource", + "privilege": "AddTagsToResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cev" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to apply a pending maintenance action to a resource", + "privilege": "ApplyPendingMaintenanceAction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization", + "privilege": "AuthorizeDBSecurityGroupIngress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster", + "privilege": "BacktrackDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel an export task in progress", + "privilege": "CancelExportTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified DB cluster parameter group", + "privilege": "CopyDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a snapshot of a DB cluster", + "privilege": "CopyDBClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster-snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified DB parameter group", + "privilege": "CopyDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "pg*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified DB snapshot", + "privilege": "CopyDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified option group", + "privilege": "CopyOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "og*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a custom engine version", + "privilege": "CreateCustomDBEngineVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "mediaimport:CreateDatabaseBinarySnapshot", + "rds:AddTagsToResource" + ], + "resource_type": "cev*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new Amazon Aurora DB cluster", + "privilege": "CreateDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource", + "rds:CreateDBInstance" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}", + "rds:DatabaseEngine", + "rds:DatabaseName", + "rds:StorageEncrypted", + "rds:DatabaseClass", + "rds:StorageSize", + "rds:Piops" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new custom endpoint and associates it with an Amazon Aurora DB cluster", + "privilege": "CreateDBClusterEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + }, + { + "condition_keys": [ + "rds:EndpointType", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB cluster parameter group", + "privilege": "CreateDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a snapshot of a DB cluster", + "privilege": "CreateDBClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB instance", + "privilege": "CreateDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp" + }, + { + "condition_keys": [ + "rds:BackupTarget", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a DB instance that acts as a Read Replica of a source DB instance", + "privilege": "CreateDBInstanceReadReplica", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB parameter group", + "privilege": "CreateDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "pg*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a database proxy", + "privilege": "CreateDBProxy", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a database proxy endpoint", + "privilege": "CreateDBProxyEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB security group. DB security groups control access to a DB instance", + "privilege": "CreateDBSecurityGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "secgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a DBSnapshot", + "privilege": "CreateDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "rds:BackupTarget", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB subnet group", + "privilege": "CreateDBSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an RDS event notification subscription", + "privilege": "CreateEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "es*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Aurora global database spread across multiple regions", + "privilege": "CreateGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new option group", + "privilege": "CreateOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "og*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to access a resource in the remote Region when executing cross-Region operations, such as cross-Region snapshot copy or cross-Region read replica creation", + "privilege": "CrossRegionCommunication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing custom engine version", + "privilege": "DeleteCustomDBEngineVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cev*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a previously provisioned DB cluster", + "privilege": "DeleteDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:DeleteDBInstance" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a custom endpoint and removes it from an Amazon Aurora DB cluster", + "privilege": "DeleteDBClusterEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a specified DB cluster parameter group", + "privilege": "DeleteDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a DB cluster snapshot", + "privilege": "DeleteDBClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a previously provisioned DB instance", + "privilege": "DeleteDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deletes automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID", + "privilege": "DeleteDBInstanceAutomatedBackup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a specified DBParameterGroup", + "privilege": "DeleteDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a database proxy", + "privilege": "DeleteDBProxy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a database proxy endpoint", + "privilege": "DeleteDBProxyEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a DB security group", + "privilege": "DeleteDBSecurityGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a DBSnapshot", + "privilege": "DeleteDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a DB subnet group", + "privilege": "DeleteDBSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an RDS event notification subscription", + "privilege": "DeleteEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a global database cluster", + "privilege": "DeleteGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing option group", + "privilege": "DeleteOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove targets from a database proxy target group", + "privilege": "DeregisterDBProxyTargets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all of the attributes for a customer account", + "privilege": "DescribeAccountAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the set of CA certificates provided by Amazon RDS for this AWS account", + "privilege": "DescribeCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about backtracks for a DB cluster", + "privilege": "DescribeDBClusterBacktracks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about endpoints for an Amazon Aurora DB cluster", + "privilege": "DescribeDBClusterEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBClusterParameterGroup descriptions", + "privilege": "DescribeDBClusterParameterGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the detailed parameter list for a particular DB cluster parameter group", + "privilege": "DescribeDBClusterParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot", + "privilege": "DescribeDBClusterSnapshotAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about DB cluster snapshots", + "privilege": "DescribeDBClusterSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about provisioned Aurora DB clusters", + "privilege": "DescribeDBClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of the available DB engines", + "privilege": "DescribeDBEngineVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of automated backups for both current and deleted instances", + "privilege": "DescribeDBInstanceAutomatedBackups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about provisioned RDS instances", + "privilege": "DescribeDBInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DB log files for the DB instance", + "privilege": "DescribeDBLogFiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBParameterGroup descriptions", + "privilege": "DescribeDBParameterGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the detailed parameter list for a particular DB parameter group", + "privilege": "DescribeDBParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view proxies", + "privilege": "DescribeDBProxies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view proxy endpoints", + "privilege": "DescribeDBProxyEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view database proxy target group details", + "privilege": "DescribeDBProxyTargetGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view database proxy target details", + "privilege": "DescribeDBProxyTargets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBSecurityGroup descriptions", + "privilege": "DescribeDBSecurityGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot", + "privilege": "DescribeDBSnapshotAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about DB snapshots", + "privilege": "DescribeDBSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBSubnetGroup descriptions", + "privilege": "DescribeDBSubnetGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the default engine and system parameter information for the cluster database engine", + "privilege": "DescribeEngineDefaultClusterParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the default engine and system parameter information for the specified database engine", + "privilege": "DescribeEngineDefaultParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to display a list of categories for all event source types, or, if specified, for a specified source type", + "privilege": "DescribeEventCategories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the subscription descriptions for a customer account", + "privilege": "DescribeEventSubscriptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days", + "privilege": "DescribeEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about the export tasks", + "privilege": "DescribeExportTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about Aurora global database clusters", + "privilege": "DescribeGlobalClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe all available options", + "privilege": "DescribeOptionGroupOptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe the available option groups", + "privilege": "DescribeOptionGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of orderable DB instance options for the specified engine", + "privilege": "DescribeOrderableDBInstanceOptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of resources (for example, DB instances) that have at least one pending maintenance action", + "privilege": "DescribePendingMaintenanceActions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about recommendation groups", + "privilege": "DescribeRecommendationGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about recommendations", + "privilege": "DescribeRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about reserved DB instances for this account, or about a specified reserved DB instance", + "privilege": "DescribeReservedDBInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list available reserved DB instance offerings", + "privilege": "DescribeReservedDBInstancesOfferings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from", + "privilege": "DescribeSourceRegions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list available modifications you can make to your DB instance", + "privilege": "DescribeValidDBInstanceModifications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to download specified log file", + "privilege": "DownloadCompleteDBLogFile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to download all or a portion of the specified log file, up to 1 MB in size", + "privilege": "DownloadDBLogFilePortion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to force a failover for a DB cluster", + "privilege": "FailoverDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to failover a global cluster", + "privilege": "FailoverGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all tags on an Amazon RDS resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cev" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a database activity stream", + "privilege": "ModifyActivityStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances", + "privilege": "ModifyCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify current cluster capacity for an Amazon Aurora Severless DB cluster", + "privilege": "ModifyCurrentDBClusterCapacity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing custom engine version", + "privilege": "ModifyCustomDBEngineVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cev*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a setting for an Amazon Aurora DB cluster", + "privilege": "ModifyDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:ModifyDBInstance" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [ + "rds:DatabaseClass", + "rds:StorageSize", + "rds:Piops" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the properties of an endpoint in an Amazon Aurora DB cluster", + "privilege": "ModifyDBClusterEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a DB cluster parameter group", + "privilege": "ModifyDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot", + "privilege": "ModifyDBClusterSnapshotAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify settings for a DB instance", + "privilege": "ModifyDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a DB parameter group", + "privilege": "ModifyDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify database proxy", + "privilege": "ModifyDBProxy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "proxy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify database proxy endpoint", + "privilege": "ModifyDBProxyEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify target group for a database proxy", + "privilege": "ModifyDBProxyTargetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version", + "privilege": "ModifyDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot", + "privilege": "ModifyDBSnapshotAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing DB subnet group", + "privilege": "ModifyDBSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing RDS event notification subscription", + "privilege": "ModifyEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a setting for an Amazon Aurora global cluster", + "privilege": "ModifyGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing option group", + "privilege": "ModifyOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "og*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify recommendation", + "privilege": "ModifyRecommendation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to promote a Read Replica DB instance to a standalone DB instance", + "privilege": "PromoteReadReplica", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to promote a Read Replica DB cluster to a standalone DB cluster", + "privilege": "PromoteReadReplicaDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to purchase a reserved DB instance offering", + "privilege": "PurchaseReservedDBInstancesOffering", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reboot a previously provisioned DB cluster", + "privilege": "RebootDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:RebootDBInstance" + ], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restart the database engine service", + "privilege": "RebootDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add targets to a database proxy target group", + "privilege": "RegisterDBProxyTargets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to detach an Aurora secondary cluster from an Aurora global database cluster", + "privilege": "RemoveFromGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster", + "privilege": "RemoveRoleFromDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an AWS Identity and Access Management (IAM) role from a DB instance", + "privilege": "RemoveRoleFromDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a source identifier from an existing RDS event notification subscription", + "privilege": "RemoveSourceIdentifierFromSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove metadata tags from an Amazon RDS resource", + "privilege": "RemoveTagsFromResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cev" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a DB cluster parameter group to the default value", + "privilege": "ResetDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a DB parameter group to the engine/system default value", + "privilege": "ResetDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket", + "privilege": "RestoreDBClusterFromS3", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}", + "rds:DatabaseEngine", + "rds:DatabaseName", + "rds:StorageEncrypted" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB cluster from a DB cluster snapshot", + "privilege": "RestoreDBClusterFromSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource", + "rds:CreateDBInstance" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}", + "rds:DatabaseClass", + "rds:StorageSize", + "rds:Piops" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore a DB cluster to an arbitrary point in time", + "privilege": "RestoreDBClusterToPointInTime", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource", + "rds:CreateDBInstance" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}", + "rds:DatabaseClass", + "rds:StorageSize", + "rds:Piops" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB instance from a DB snapshot", + "privilege": "RestoreDBInstanceFromDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "rds:BackupTarget", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB instance from an Amazon S3 bucket", + "privilege": "RestoreDBInstanceFromS3", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore a DB instance to an arbitrary point in time", + "privilege": "RestoreDBInstanceToPointInTime", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "rds:BackupTarget", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to revoke ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups", + "privilege": "RevokeDBSecurityGroupIngress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start Activity Stream", + "privilege": "StartActivityStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start the DB cluster", + "privilege": "StartDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start the DB instance", + "privilege": "StartDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start replication of automated backups to a different AWS Region", + "privilege": "StartDBInstanceAutomatedBackupsReplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a new Export task for a DB snapshot", + "privilege": "StartExportTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop Activity Stream", + "privilege": "StopActivityStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop the DB cluster", + "privilege": "StopDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop the DB instance", + "privilege": "StopDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop automated backup replication for a DB instance", + "privilege": "StopDBInstanceAutomatedBackupsReplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to switch over a read replica, making it the new primary database", + "privilege": "SwitchoverReadReplica", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:cluster-tag/${TagKey}" + ], + "resource": "cluster" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster-endpoint" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:cluster-pg-tag/${TagKey}" + ], + "resource": "cluster-pg" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:cluster-snapshot-tag/${TagKey}" + ], + "resource": "cluster-snapshot" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:DatabaseClass", + "rds:DatabaseEngine", + "rds:DatabaseName", + "rds:MultiAz", + "rds:Piops", + "rds:StorageEncrypted", + "rds:StorageSize", + "rds:Vpc", + "rds:db-tag/${TagKey}" + ], + "resource": "db" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:es-tag/${TagKey}" + ], + "resource": "es" + }, + { + "arn": "arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster}", + "condition_keys": [], + "resource": "global-cluster" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:og-tag/${TagKey}" + ], + "resource": "og" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:pg-tag/${TagKey}" + ], + "resource": "pg" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "proxy" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:db-proxy-endpoint:${DbProxyEndpointId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "proxy-endpoint" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:ri-tag/${TagKey}" + ], + "resource": "ri" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:secgrp-tag/${TagKey}" + ], + "resource": "secgrp" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:snapshot-tag/${TagKey}" + ], + "resource": "snapshot" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:subgrp-tag/${TagKey}" + ], + "resource": "subgrp" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:target:${TargetId}", + "condition_keys": [], + "resource": "target" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "target-group" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cev:${Engine}/${EngineVersion}/${CustomDbEngineVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cev" + } + ], + "service_name": "Amazon RDS" + }, + { + "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { - "condition": "rds:og-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB option group", + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys associated with the resource", + "type": "ArrayOfString" + } + ], + "prefix": "rds-data", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to run a batch SQL statement over an array of data", + "privilege": "BatchExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a SQL transaction", + "privilege": "BeginTransaction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to end a SQL transaction started with the BeginTransaction operation and commits the changes", + "privilege": "CommitTransaction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds-data:BeginTransaction" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to run one or more SQL statements. This operation is deprecated. Use the BatchExecuteStatement or ExecuteStatement operation", + "privilege": "ExecuteSql", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to run a SQL statement against a database", + "privilege": "ExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to perform a rollback of a transaction. Rolling back a transaction cancels its changes", + "privilege": "RollbackTransaction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds-data:BeginTransaction" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "resource": "cluster" + } + ], + "service_name": "Amazon RDS Data API" + }, + { + "conditions": [], + "prefix": "rds-db", + "privileges": [ + { + "access_level": "Permissions management", + "description": "Allows IAM role or user to connect to RDS database", + "privilege": "connect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db-user*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}", + "condition_keys": [], + "resource": "db-user" + } + ], + "service_name": "Amazon RDS IAM Authentication" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by actions based on the allowed set of values for each of the tags", "type": "String" }, { - "condition": "rds:pg-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB parameter group", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by actions based on tag-value associated with the resource", "type": "String" }, { - "condition": "rds:req-tag/${TagKey}", - "description": "Filters access by the set of tag keys and values that can be used to tag a resource", + "condition": "aws:TagKeys", + "description": "Filters access by actions based on the presence of mandatory tags in the request", + "type": "ArrayOfString" + }, + { + "condition": "redshift:ConsumerArn", + "description": "Filters access by the datashare consumer arn", "type": "String" }, { - "condition": "rds:ri-tag/${TagKey}", - "description": "Filters access by the tag attached to a reserved DB instance", + "condition": "redshift:ConsumerIdentifier", + "description": "Filters access by the datashare consumer", "type": "String" }, { - "condition": "rds:secgrp-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB security group", + "condition": "redshift:DbName", + "description": "Filters access by the database name", "type": "String" }, { - "condition": "rds:snapshot-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB snapshot", + "condition": "redshift:DbUser", + "description": "Filters access by the database user name", "type": "String" }, { - "condition": "rds:subgrp-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB subnet group", + "condition": "redshift:DurationSeconds", + "description": "Filters access by the number of seconds until a temporary credential set expires", "type": "String" } ], - "prefix": "rds", + "prefix": "redshift", "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate an Identity and Access Management (IAM) role from an Aurora DB cluster", - "privilege": "AddRoleToDBCluster", + "description": "Grants permission to exchange a DC1 reserved node for a DC2 reserved node with no changes to the configuration", + "privilege": "AcceptReservedNodeExchange", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance", - "privilege": "AddRoleToDBInstance", + "description": "Grants permission to add a partner integration to a cluster", + "privilege": "AddPartner", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to add a source identifier to an existing RDS event notification subscription", - "privilege": "AddSourceIdentifierToSubscription", + "description": "Grants permission to associate a consumer to a datashare", + "privilege": "AssociateDataShareConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "datashare*" + }, + { + "condition_keys": [ + "redshift:ConsumerArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add metadata tags to an Amazon RDS resource", - "privilege": "AddTagsToResource", + "access_level": "Write", + "description": "Grants permission to add an inbound (ingress) rule to an Amazon Redshift security group", + "privilege": "AuthorizeClusterSecurityGroupIngress", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cev" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-endpoint" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-pg" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-snapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "es" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "pg" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy-endpoint" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ri" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "secgrp" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" + "resource_type": "securitygroup*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp" - }, + "resource_type": "securitygroupingress-ec2securitygroup*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to authorize the specified datashare consumer to consume a datashare", + "privilege": "AuthorizeDataShare", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group" + "resource_type": "datashare*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "redshift:ConsumerIdentifier" ], "dependent_actions": [], "resource_type": "" @@ -139069,75 +163494,60 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to apply a pending maintenance action to a resource", - "privilege": "ApplyPendingMaintenanceAction", + "access_level": "Permissions management", + "description": "Grants permission to authorize endpoint related activities for redshift-managed vpc endpoint", + "privilege": "AuthorizeEndpointAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db" + "resource_type": "" } ] }, { "access_level": "Permissions management", - "description": "Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization", - "privilege": "AuthorizeDBSecurityGroupIngress", + "description": "Grants permission to the specified AWS account to restore a snapshot", + "privilege": "AuthorizeSnapshotAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster", - "privilege": "BacktrackDBCluster", + "description": "Grants permission to delete snapshots in a batch of size upto 100", + "privilege": "BatchDeleteClusterSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to cancel an export task in progress", - "privilege": "CancelExportTask", + "description": "Grants permission to modify settings for a list of snapshots", + "privilege": "BatchModifyClusterSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to copy the specified DB cluster parameter group", - "privilege": "CopyDBClusterParameterGroup", + "description": "Grants permission to cancel a query through the Amazon Redshift console", + "privilege": "CancelQuery", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "cluster-pg*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } @@ -139145,21 +163555,11 @@ }, { "access_level": "Write", - "description": "Grants permission to create a snapshot of a DB cluster", - "privilege": "CopyDBClusterSnapshot", + "description": "Grants permission to see queries in the Amazon Redshift console", + "privilege": "CancelQuerySession", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "cluster-snapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } @@ -139167,36 +163567,24 @@ }, { "access_level": "Write", - "description": "Grants permission to copy the specified DB parameter group", - "privilege": "CopyDBParameterGroup", + "description": "Grants permission to cancel a resize operation", + "privilege": "CancelResize", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "pg*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to copy the specified DB snapshot", - "privilege": "CopyDBSnapshot", + "description": "Grants permission to copy a cluster snapshot", + "privilege": "CopyClusterSnapshot", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], + "dependent_actions": [], "resource_type": "snapshot*" }, { @@ -139211,21 +163599,11 @@ }, { "access_level": "Write", - "description": "Grants permission to copy the specified option group", - "privilege": "CopyOptionGroup", + "description": "Grants permission to create an Amazon Redshift authentication profile", + "privilege": "CreateAuthenticationProfile", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "og*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } @@ -139233,29 +163611,33 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new custom availability zone", - "privilege": "CreateCustomAvailabilityZone", + "description": "Grants permission to create a cluster", + "privilege": "CreateCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a custom engine version", - "privilege": "CreateCustomDBEngineVersion", + "description": "Grants permission to create an Amazon Redshift parameter group", + "privilege": "CreateClusterParameterGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole", - "mediaimport:CreateDatabaseBinarySnapshot", - "rds:AddTagsToResource" - ], - "resource_type": "cev*" + "dependent_actions": [], + "resource_type": "parametergroup*" }, { "condition_keys": [ @@ -139269,50 +163651,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new Amazon Aurora DB cluster", - "privilege": "CreateDBCluster", + "description": "Grants permission to create an Amazon Redshift security group", + "privilege": "CreateClusterSecurityGroup", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-pg*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subgrp*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster" + "resource_type": "securitygroup*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}", - "rds:DatabaseEngine", - "rds:DatabaseName", - "rds:StorageEncrypted" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -139321,24 +163671,16 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new custom endpoint and associates it with an Amazon Aurora DB cluster", - "privilege": "CreateDBClusterEndpoint", + "description": "Grants permission to create a manual snapshot of the specified cluster", + "privilege": "CreateClusterSnapshot", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "cluster*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint*" + "resource_type": "snapshot*" }, { "condition_keys": [ - "rds:EndpointType", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -139349,21 +163691,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB cluster parameter group", - "privilege": "CreateDBClusterParameterGroup", + "description": "Grants permission to create an Amazon Redshift subnet group", + "privilege": "CreateClusterSubnetGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "cluster-pg*" + "dependent_actions": [], + "resource_type": "subnetgroup*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -139371,27 +163710,18 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a snapshot of a DB cluster", - "privilege": "CreateDBClusterSnapshot", + "access_level": "Permissions management", + "description": "Grants permission to automatically create the specified Amazon Redshift user if it does not exist", + "privilege": "CreateClusterUser", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "cluster*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "dbuser*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "redshift:DbUser" ], "dependent_actions": [], "resource_type": "" @@ -139400,47 +163730,30 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB instance", - "privilege": "CreateDBInstance", + "description": "Grants permission to create a redshift-managed vpc endpoint", + "privilege": "CreateEndpointAccess", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "db*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "pg*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "secgrp*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Redshift event notification subscription", + "privilege": "CreateEventSubscription", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "eventsubscription*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -139449,32 +163762,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create a DB instance that acts as a Read Replica of a source DB instance", - "privilege": "CreateDBInstanceReadReplica", + "description": "Grants permission to create an HSM client certificate that a cluster uses to connect to an HSM", + "privilege": "CreateHsmClientCertificate", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "db*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "hsmclientcertificate*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -139483,21 +163782,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB parameter group", - "privilege": "CreateDBParameterGroup", + "description": "Grants permission to create an HSM configuration that contains information required by a cluster to store and use database encryption keys in a hardware security module (HSM)", + "privilege": "CreateHsmConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "pg*" + "dependent_actions": [], + "resource_type": "hsmconfiguration*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -139506,35 +163802,37 @@ }, { "access_level": "Write", - "description": "Grants permission to create a database proxy", - "privilege": "CreateDBProxy", + "description": "Grants permission to create saved SQL queries through the Amazon Redshift console", + "privilege": "CreateSavedQuery", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iam:PassRole" - ], + "condition_keys": [], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a database proxy endpoint", - "privilege": "CreateDBProxyEndpoint", + "description": "Grants permission to create an Amazon Redshift scheduled action", + "privilege": "CreateScheduledAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region", + "privilege": "CreateSnapshotCopyGrant", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy-endpoint*" + "resource_type": "snapshotcopygrant*" }, { "condition_keys": [ @@ -139548,21 +163846,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB security group. DB security groups control access to a DB instance", - "privilege": "CreateDBSecurityGroup", + "description": "Grants permission to create a snapshot schedule", + "privilege": "CreateSnapshotSchedule", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "secgrp*" + "dependent_actions": [], + "resource_type": "snapshotschedule*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -139570,113 +163865,94 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a DBSnapshot", - "privilege": "CreateDBSnapshot", + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a specified resource", + "privilege": "CreateTags", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "db*" + "dependent_actions": [], + "resource_type": "cluster" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "dbgroup" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new DB subnet group", - "privilege": "CreateDBSubnetGroup", - "resource_types": [ + "resource_type": "dbname" + }, { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "subgrp*" + "dependent_actions": [], + "resource_type": "dbuser" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an RDS event notification subscription", - "privilege": "CreateEventSubscription", - "resource_types": [ + "resource_type": "eventsubscription" + }, { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "es*" + "dependent_actions": [], + "resource_type": "hsmclientcertificate" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an Aurora global database spread across multiple regions", - "privilege": "CreateGlobalCluster", - "resource_types": [ + "resource_type": "hsmconfiguration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "parametergroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new option group", - "privilege": "CreateOptionGroup", - "resource_types": [ + "resource_type": "securitygroup" + }, { "condition_keys": [], - "dependent_actions": [ - "rds:AddTagsToResource" - ], - "resource_type": "og*" + "dependent_actions": [], + "resource_type": "securitygroupingress-cidr" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-ec2securitygroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotcopygrant" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -139685,109 +163961,119 @@ }, { "access_level": "Write", - "description": "Grants permission to access a resource in the remote Region when executing cross-Region operations, such as cross-Region snapshot copy or cross-Region read replica creation", - "privilege": "CrossRegionCommunication", + "description": "Grants permission to create a usage limit", + "privilege": "CreateUsageLimit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "usagelimit*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a custom availability zone", - "privilege": "DeleteCustomAvailabilityZone", + "access_level": "Permissions management", + "description": "Grants permission to remove permission from the specified datashare consumer to consume a datashare", + "privilege": "DeauthorizeDataShare", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "datashare*" + }, + { + "condition_keys": [ + "redshift:ConsumerIdentifier" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing custom engine version", - "privilege": "DeleteCustomDBEngineVersion", + "description": "Grants permission to delete an Amazon Redshift authentication profile", + "privilege": "DeleteAuthenticationProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cev*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a previously provisioned DB cluster", - "privilege": "DeleteDBCluster", + "description": "Grants permission to delete a previously provisioned cluster", + "privilege": "DeleteCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a custom endpoint and removes it from an Amazon Aurora DB cluster", - "privilege": "DeleteDBClusterEndpoint", + "description": "Grants permission to delete an Amazon Redshift parameter group", + "privilege": "DeleteClusterParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint*" + "resource_type": "parametergroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a specified DB cluster parameter group", - "privilege": "DeleteDBClusterParameterGroup", + "description": "Grants permission to delete an Amazon Redshift security group", + "privilege": "DeleteClusterSecurityGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "securitygroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DB cluster snapshot", - "privilege": "DeleteDBClusterSnapshot", + "description": "Grants permission to delete a manual snapshot", + "privilege": "DeleteClusterSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a previously provisioned DB instance", - "privilege": "DeleteDBInstance", + "description": "Grants permission to delete a cluster subnet group", + "privilege": "DeleteClusterSubnetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "subnetgroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to deletes automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID", - "privilege": "DeleteDBInstanceAutomatedBackup", + "description": "Grants permission to delete a redshift-managed vpc endpoint", + "privilege": "DeleteEndpointAccess", "resource_types": [ { "condition_keys": [], @@ -139798,280 +164084,222 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a specified DBParameterGroup", - "privilege": "DeleteDBParameterGroup", + "description": "Grants permission to delete an Amazon Redshift event notification subscription", + "privilege": "DeleteEventSubscription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "eventsubscription*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a database proxy", - "privilege": "DeleteDBProxy", + "description": "Grants permission to delete an HSM client certificate", + "privilege": "DeleteHsmClientCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" + "resource_type": "hsmclientcertificate*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a database proxy endpoint", - "privilege": "DeleteDBProxyEndpoint", + "description": "Grants permission to delete an Amazon Redshift HSM configuration", + "privilege": "DeleteHsmConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy-endpoint*" + "resource_type": "hsmconfiguration*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DB security group", - "privilege": "DeleteDBSecurityGroup", + "description": "Grants permission to delete a partner integration from a cluster", + "privilege": "DeletePartner", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DBSnapshot", - "privilege": "DeleteDBSnapshot", + "description": "Grants permission to delete saved SQL queries through the Amazon Redshift console", + "privilege": "DeleteSavedQueries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DB subnet group", - "privilege": "DeleteDBSubnetGroup", + "description": "Grants permission to delete an Amazon Redshift scheduled action", + "privilege": "DeleteScheduledAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an RDS event notification subscription", - "privilege": "DeleteEventSubscription", + "description": "Grants permission to delete a snapshot copy grant", + "privilege": "DeleteSnapshotCopyGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "snapshotcopygrant*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a global database cluster", - "privilege": "DeleteGlobalCluster", + "description": "Grants permission to delete a snapshot schedule", + "privilege": "DeleteSnapshotSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "snapshotschedule*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an installation media", - "privilege": "DeleteInstallationMedia", + "access_level": "Tagging", + "description": "Grants permission to delete a tag or tags from a resource", + "privilege": "DeleteTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an existing option group", - "privilege": "DeleteOptionGroup", - "resource_types": [ + "resource_type": "cluster" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to remove targets from a database proxy target group", - "privilege": "DeregisterDBProxyTargets", - "resource_types": [ + "resource_type": "dbgroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "dbname" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "dbuser" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" + "resource_type": "eventsubscription" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all of the attributes for a customer account", - "privilege": "DescribeAccountAttributes", - "resource_types": [ + "resource_type": "hsmclientcertificate" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the set of CA certificates provided by Amazon RDS for this AWS account", - "privilege": "DescribeCertificates", - "resource_types": [ + "resource_type": "hsmconfiguration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return information about provisioned custom availability zones", - "privilege": "DescribeCustomAvailabilityZones", - "resource_types": [ + "resource_type": "parametergroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return information about backtracks for a DB cluster", - "privilege": "DescribeDBClusterBacktracks", - "resource_types": [ + "resource_type": "securitygroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return information about endpoints for an Amazon Aurora DB cluster", - "privilege": "DescribeDBClusterEndpoints", - "resource_types": [ + "resource_type": "securitygroupingress-cidr" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint*" + "resource_type": "securitygroupingress-ec2securitygroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return a list of DBClusterParameterGroup descriptions", - "privilege": "DescribeDBClusterParameterGroups", - "resource_types": [ + "resource_type": "snapshot" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return the detailed parameter list for a particular DB cluster parameter group", - "privilege": "DescribeDBClusterParameters", - "resource_types": [ + "resource_type": "snapshotcopygrant" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot", - "privilege": "DescribeDBClusterSnapshotAttributes", - "resource_types": [ + "resource_type": "snapshotschedule" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about DB cluster snapshots", - "privilege": "DescribeDBClusterSnapshots", + "access_level": "Write", + "description": "Grants permission to delete a usage limit", + "privilege": "DeleteUsageLimit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "usagelimit*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about provisioned Aurora DB clusters", - "privilege": "DescribeDBClusters", + "access_level": "Read", + "description": "Grants permission to describe attributes attached to the specified AWS account", + "privilege": "DescribeAccountAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of the available DB engines", - "privilege": "DescribeDBEngineVersions", + "access_level": "Read", + "description": "Grants permission to describe created Amazon Redshift authentication profiles", + "privilege": "DescribeAuthenticationProfiles", "resource_types": [ { "condition_keys": [], @@ -140082,189 +164310,164 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of automated backups for both current and deleted instances", - "privilege": "DescribeDBInstanceAutomatedBackups", + "description": "Grants permission to describe database revisions for a cluster", + "privilege": "DescribeClusterDbRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about provisioned RDS instances", - "privilege": "DescribeDBInstances", + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift parameter groups, including parameter groups you created and the default parameter group", + "privilege": "DescribeClusterParameterGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DB log files for the DB instance", - "privilege": "DescribeDBLogFiles", + "access_level": "Read", + "description": "Grants permission to describe parameters contained within an Amazon Redshift parameter group", + "privilege": "DescribeClusterParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "parametergroup*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DBParameterGroup descriptions", - "privilege": "DescribeDBParameterGroups", + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift security groups", + "privilege": "DescribeClusterSecurityGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return the detailed parameter list for a particular DB parameter group", - "privilege": "DescribeDBParameters", + "access_level": "Read", + "description": "Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots", + "privilege": "DescribeClusterSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to view proxies", - "privilege": "DescribeDBProxies", + "access_level": "Read", + "description": "Grants permission to describe one or more cluster subnet group objects, which contain metadata about your cluster subnet groups", + "privilege": "DescribeClusterSubnetGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to view proxy endpoints", - "privilege": "DescribeDBProxyEndpoints", + "description": "Grants permission to describe available maintenance tracks", + "privilege": "DescribeClusterTracks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy-endpoint*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to view database proxy target group details", - "privilege": "DescribeDBProxyTargetGroups", + "access_level": "Read", + "description": "Grants permission to describe available Amazon Redshift cluster versions", + "privilege": "DescribeClusterVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to view database proxy target details", - "privilege": "DescribeDBProxyTargets", + "description": "Grants permission to describe properties of provisioned clusters", + "privilege": "DescribeClusters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "target-group*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DBSecurityGroup descriptions", - "privilege": "DescribeDBSecurityGroups", + "access_level": "Read", + "description": "Grants permission to describe datashares created and consumed by your clusters", + "privilege": "DescribeDataShares", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot", - "privilege": "DescribeDBSnapshotAttributes", + "access_level": "Read", + "description": "Grants permission to describe only datashares consumed by your clusters", + "privilege": "DescribeDataSharesForConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about DB snapshots", - "privilege": "DescribeDBSnapshots", + "access_level": "Read", + "description": "Grants permission to describe only datashares created by your clusters", + "privilege": "DescribeDataSharesForProducer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DBSubnetGroup descriptions", - "privilege": "DescribeDBSubnetGroups", + "access_level": "Read", + "description": "Grants permission to describe parameter settings for a parameter group family", + "privilege": "DescribeDefaultClusterParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return the default engine and system parameter information for the cluster database engine", - "privilege": "DescribeEngineDefaultClusterParameters", + "access_level": "Read", + "description": "Grants permission to describe redshift-managed vpc endpoints", + "privilege": "DescribeEndpointAccess", "resource_types": [ { "condition_keys": [], @@ -140274,9 +164477,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to return the default engine and system parameter information for the specified database engine", - "privilege": "DescribeEngineDefaultParameters", + "access_level": "Permissions management", + "description": "Grants permission to authorize describe activity for redshift-managed vpc endpoint", + "privilege": "DescribeEndpointAuthorization", "resource_types": [ { "condition_keys": [], @@ -140286,8 +164489,8 @@ ] }, { - "access_level": "List", - "description": "Grants permission to display a list of categories for all event source types, or, if specified, for a specified source type", + "access_level": "Read", + "description": "Grants permission to describe event categories for all event source types, or for a specified source type", "privilege": "DescribeEventCategories", "resource_types": [ { @@ -140298,20 +164501,20 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all the subscription descriptions for a customer account", + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift event notification subscriptions for the specified AWS account", "privilege": "DescribeEventSubscriptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to return events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days", + "description": "Grants permission to describe events related to clusters, security groups, snapshots, and parameter groups for the past 14 days", "privilege": "DescribeEvents", "resource_types": [ { @@ -140322,9 +164525,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to return information about the export tasks", - "privilege": "DescribeExportTasks", + "access_level": "Read", + "description": "Grants permission to describe HSM client certificates", + "privilege": "DescribeHsmClientCertificates", "resource_types": [ { "condition_keys": [], @@ -140334,57 +164537,57 @@ ] }, { - "access_level": "List", - "description": "Grants permission to return information about Aurora global database clusters", - "privilege": "DescribeGlobalClusters", + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift HSM configurations", + "privilege": "DescribeHsmConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about available installation media", - "privilege": "DescribeInstallationMedia", + "access_level": "Read", + "description": "Grants permission to describe whether information, such as queries and connection attempts, is being logged for a cluster", + "privilege": "DescribeLoggingStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "List", - "description": "Grants permission to describe all available options", - "privilege": "DescribeOptionGroupOptions", + "description": "Grants permission to describe properties of possible node configurations such as node type, number of nodes, and disk usage for the specified action type", + "privilege": "DescribeNodeConfigurationOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the available option groups", - "privilege": "DescribeOptionGroups", + "access_level": "Read", + "description": "Grants permission to describe orderable cluster options", + "privilege": "DescribeOrderableClusterOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of orderable DB instance options for the specified engine", - "privilege": "DescribeOrderableDBInstanceOptions", + "access_level": "Read", + "description": "Grants permission to retrieve information about the partner integrations defined for a cluster", + "privilege": "DescribePartners", "resource_types": [ { "condition_keys": [], @@ -140394,26 +164597,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to return a list of resources (for example, DB instances) that have at least one pending maintenance action", - "privilege": "DescribePendingMaintenanceActions", + "access_level": "Read", + "description": "Grants permission to describe a query through the Amazon Redshift console", + "privilege": "DescribeQuery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to return information about recommendation groups", - "privilege": "DescribeRecommendationGroups", + "description": "Grants permission to describe exchange status details and associated metadata for a reserved-node exchange. Statuses include such values as in progress and requested", + "privilege": "DescribeReservedNodeExchangeStatus", "resource_types": [ { "condition_keys": [], @@ -140424,8 +164622,8 @@ }, { "access_level": "Read", - "description": "Grants permission to return information about recommendations", - "privilege": "DescribeRecommendations", + "description": "Grants permission to describe available reserved node offerings by Amazon Redshift", + "privilege": "DescribeReservedNodeOfferings", "resource_types": [ { "condition_keys": [], @@ -140435,33 +164633,33 @@ ] }, { - "access_level": "List", - "description": "Grants permission to return information about reserved DB instances for this account, or about a specified reserved DB instance", - "privilege": "DescribeReservedDBInstances", + "access_level": "Read", + "description": "Grants permission to describe the reserved nodes", + "privilege": "DescribeReservedNodes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list available reserved DB instance offerings", - "privilege": "DescribeReservedDBInstancesOfferings", + "access_level": "Read", + "description": "Grants permission to describe the last resize operation for a cluster", + "privilege": "DescribeResize", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from", - "privilege": "DescribeSourceRegions", + "access_level": "Read", + "description": "Grants permission to describe saved queries through the Amazon Redshift console", + "privilege": "DescribeSavedQueries", "resource_types": [ { "condition_keys": [], @@ -140471,74 +164669,69 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list available modifications you can make to your DB instance", - "privilege": "DescribeValidDBInstanceModifications", + "access_level": "Read", + "description": "Grants permission to describe created Amazon Redshift scheduled actions", + "privilege": "DescribeScheduledActions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to download specified log file", - "privilege": "DownloadCompleteDBLogFile", + "description": "Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region", + "privilege": "DescribeSnapshotCopyGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to download all or a portion of the specified log file, up to 1 MB in size", - "privilege": "DownloadDBLogFilePortion", + "description": "Grants permission to describe snapshot schedules", + "privilege": "DescribeSnapshotSchedules", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "snapshotschedule*" } ] }, { - "access_level": "Write", - "description": "Grants permission to force a failover for a DB cluster", - "privilege": "FailoverDBCluster", + "access_level": "Read", + "description": "Grants permission to describe account level backups storage size and provisional storage", + "privilege": "DescribeStorage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to failover a global cluster", - "privilege": "FailoverGlobalCluster", + "access_level": "Read", + "description": "Grants permission to describe a table through the Amazon Redshift console", + "privilege": "DescribeTable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to import an installation media for a DB engine", - "privilege": "ImportInstallationMedia", + "access_level": "Read", + "description": "Grants permission to describe status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action", + "privilege": "DescribeTableRestoreStatus", "resource_types": [ { "condition_keys": [], @@ -140549,107 +164742,107 @@ }, { "access_level": "Read", - "description": "Grants permission to list all tags on an Amazon RDS resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to describe tags", + "privilege": "DescribeTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cev" + "resource_type": "cluster" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "dbgroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint" + "resource_type": "dbname" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg" + "resource_type": "dbuser" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot" + "resource_type": "eventsubscription" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" + "resource_type": "hsmclientcertificate" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "es" + "resource_type": "hsmconfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og" + "resource_type": "parametergroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg" + "resource_type": "securitygroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy" + "resource_type": "securitygroupingress-cidr" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy-endpoint" + "resource_type": "securitygroupingress-ec2securitygroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri" + "resource_type": "snapshot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp" + "resource_type": "snapshotcopygrant" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot" + "resource_type": "snapshotschedule" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp" + "resource_type": "subnetgroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group" + "resource_type": "usagelimit" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances", - "privilege": "ModifyCertificates", + "access_level": "Read", + "description": "Grants permission to describe usage limits", + "privilege": "DescribeUsageLimits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "usagelimit*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify current cluster capacity for an Amazon Aurora Severless DB cluster", - "privilege": "ModifyCurrentDBClusterCapacity", + "description": "Grants permission to disable logging information, such as queries and connection attempts, for a cluster", + "privilege": "DisableLogging", "resource_types": [ { "condition_keys": [], @@ -140660,576 +164853,421 @@ }, { "access_level": "Write", - "description": "Grants permission to modify an existing custom engine version", - "privilege": "ModifyCustomDBEngineVersion", + "description": "Grants permission to disable the automatic copy of snapshots for a cluster", + "privilege": "DisableSnapshotCopy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cev*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a setting for an Amazon Aurora DB cluster", - "privilege": "ModifyDBCluster", + "description": "Grants permission to disassociate a consumer from a datashare", + "privilege": "DisassociateDataShareConsumer", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "datashare*" }, { - "condition_keys": [], + "condition_keys": [ + "redshift:ConsumerArn" + ], "dependent_actions": [], - "resource_type": "cluster-pg*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable logging information, such as queries and connection attempts, for a cluster", + "privilege": "EnableLogging", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the properties of an endpoint in an Amazon Aurora DB cluster", - "privilege": "ModifyDBClusterEndpoint", + "description": "Grants permission to enable the automatic copy of snapshots for a cluster", + "privilege": "EnableSnapshotCopy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB cluster parameter group", - "privilege": "ModifyDBClusterParameterGroup", + "description": "Grants permission to execute a query through the Amazon Redshift console", + "privilege": "ExecuteQuery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot", - "privilege": "ModifyDBClusterSnapshotAttribute", + "access_level": "Read", + "description": "Grants permission to fetch query results through the Amazon Redshift console", + "privilege": "FetchResults", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify settings for a DB instance", - "privilege": "ModifyDBInstance", + "description": "Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account", + "privilege": "GetClusterCredentials", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" + "dependent_actions": [], + "resource_type": "dbuser*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "dbgroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "dbname" }, { - "condition_keys": [], + "condition_keys": [ + "redshift:DbName", + "redshift:DbUser", + "redshift:DurationSeconds" + ], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB parameter group", - "privilege": "ModifyDBParameterGroup", + "access_level": "Read", + "description": "Grants permission to get the configuration options for the reserved-node exchange", + "privilege": "GetReservedNodeExchangeConfigurationOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify database proxy", - "privilege": "ModifyDBProxy", + "access_level": "Read", + "description": "Grants permission to get an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node", + "privilege": "GetReservedNodeExchangeOfferings", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "proxy*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify database proxy endpoint", - "privilege": "ModifyDBProxyEndpoint", + "access_level": "Permissions management", + "description": "Grants permission to join the specified Amazon Redshift group", + "privilege": "JoinGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy-endpoint*" + "resource_type": "dbgroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify target group for a database proxy", - "privilege": "ModifyDBProxyTargetGroup", + "access_level": "List", + "description": "Grants permission to list databases through the Amazon Redshift console", + "privilege": "ListDatabases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version", - "privilege": "ModifyDBSnapshot", + "access_level": "List", + "description": "Grants permission to list saved queries through the Amazon Redshift console", + "privilege": "ListSavedQueries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot", - "privilege": "ModifyDBSnapshotAttribute", + "access_level": "List", + "description": "Grants permission to list schemas through the Amazon Redshift console", + "privilege": "ListSchemas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify an existing DB subnet group", - "privilege": "ModifyDBSubnetGroup", + "access_level": "List", + "description": "Grants permission to list tables through the Amazon Redshift console", + "privilege": "ListTables", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an existing RDS event notification subscription", - "privilege": "ModifyEventSubscription", + "description": "Grants permission to modify the AQUA configuration of a cluster", + "privilege": "ModifyAquaConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a setting for an Amazon Aurora global cluster", - "privilege": "ModifyGlobalCluster", + "description": "Grants permission to modify an existing Amazon Redshift authentication profile", + "privilege": "ModifyAuthenticationProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an existing option group", - "privilege": "ModifyOptionGroup", + "description": "Grants permission to modify the settings of a cluster", + "privilege": "ModifyCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "og*" + "dependent_actions": [], + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify recommendation", - "privilege": "ModifyRecommendation", + "description": "Grants permission to modify the database revision of a cluster", + "privilege": "ModifyClusterDbRevision", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { - "access_level": "Write", - "description": "Grants permission to promote a Read Replica DB instance to a standalone DB instance", - "privilege": "PromoteReadReplica", + "access_level": "Permissions management", + "description": "Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services", + "privilege": "ModifyClusterIamRoles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to promote a Read Replica DB cluster to a standalone DB cluster", - "privilege": "PromoteReadReplicaDBCluster", + "description": "Grants permission to modify the maintenance settings of a cluster", + "privilege": "ModifyClusterMaintenance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to purchase a reserved DB instance offering", - "privilege": "PurchaseReservedDBInstancesOffering", + "description": "Grants permission to modify the parameters of a parameter group", + "privilege": "ModifyClusterParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "parametergroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to restart the database engine service", - "privilege": "RebootDBInstance", + "description": "Grants permission to modify the settings of a snapshot", + "privilege": "ModifyClusterSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to add targets to a database proxy target group", - "privilege": "RegisterDBProxyTargets", + "description": "Grants permission to modify a snapshot schedule for a cluster", + "privilege": "ModifyClusterSnapshotSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to detach an Aurora secondary cluster from an Aurora global database cluster", - "privilege": "RemoveFromGlobalCluster", + "description": "Grants permission to modify a cluster subnet group to include the specified list of VPC subnets", + "privilege": "ModifyClusterSubnetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "subnetgroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster", - "privilege": "RemoveRoleFromDBCluster", + "description": "Grants permission to modify a redshift-managed vpc endpoint", + "privilege": "ModifyEndpointAccess", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate an AWS Identity and Access Management (IAM) role from a DB instance", - "privilege": "RemoveRoleFromDBInstance", + "description": "Grants permission to modify an existing Amazon Redshift event notification subscription", + "privilege": "ModifyEventSubscription", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" + "dependent_actions": [], + "resource_type": "eventsubscription*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove a source identifier from an existing RDS event notification subscription", - "privilege": "RemoveSourceIdentifierFromSubscription", + "description": "Grants permission to modify an existing saved query through the Amazon Redshift console", + "privilege": "ModifySavedQuery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove metadata tags from an Amazon RDS resource", - "privilege": "RemoveTagsFromResource", + "access_level": "Write", + "description": "Grants permission to modify an existing Amazon Redshift scheduled action", + "privilege": "ModifyScheduledAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cev" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-endpoint" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-pg" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-snapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "es" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "pg" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy-endpoint" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ri" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "secgrp" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subgrp" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "target-group" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB cluster parameter group to the default value", - "privilege": "ResetDBClusterParameterGroup", + "description": "Grants permission to modify the number of days to retain snapshots in the destination AWS Region after they are copied from the source AWS Region", + "privilege": "ModifySnapshotCopyRetentionPeriod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB parameter group to the engine/system default value", - "privilege": "ResetDBParameterGroup", + "description": "Grants permission to modify a snapshot schedule", + "privilege": "ModifySnapshotSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "snapshotschedule*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket", - "privilege": "RestoreDBClusterFromS3", + "description": "Grants permission to modify a usage limit", + "privilege": "ModifyUsageLimit", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}", - "rds:DatabaseEngine", - "rds:DatabaseName", - "rds:StorageEncrypted" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "usagelimit*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new DB cluster from a DB cluster snapshot", - "privilege": "RestoreDBClusterFromSnapshot", + "description": "Grants permission to pause a cluster", + "privilege": "PauseCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-snapshot*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to restore a DB cluster to an arbitrary point in time", - "privilege": "RestoreDBClusterToPointInTime", + "description": "Grants permission to purchase a reserved node", + "privilege": "PurchaseReservedNodeOffering", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subgrp*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], "dependent_actions": [], "resource_type": "" } @@ -141237,95 +165275,71 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB instance from a DB snapshot", - "privilege": "RestoreDBInstanceFromDBSnapshot", + "description": "Grants permission to reboot a cluster", + "privilege": "RebootCluster", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "db*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" - }, + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to decline a datashare shared from another account", + "privilege": "RejectDataShare", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" - }, + "resource_type": "datashare*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set one or more parameters of a parameter group to their default values and set the source values of the parameters to \"engine-default\"", + "privilege": "ResetClusterParameterGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "parametergroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new DB instance from an Amazon S3 bucket", - "privilege": "RestoreDBInstanceFromS3", + "description": "Grants permission to change the size of a cluster", + "privilege": "ResizeCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "db*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to restore a DB instance to an arbitrary point in time", - "privilege": "RestoreDBInstanceToPointInTime", + "description": "Grants permission to create a cluster from a snapshot", + "privilege": "RestoreFromClusterSnapshot", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole", - "rds:AddTagsToResource" - ], - "resource_type": "db*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "cluster*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "snapshot*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -141334,32 +165348,25 @@ }, { "access_level": "Write", - "description": "Grants permission to revoke ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups", - "privilege": "RevokeDBSecurityGroupIngress", + "description": "Grants permission to create a table from a table in an Amazon Redshift cluster snapshot", + "privilege": "RestoreTableFromClusterSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start Activity Stream", - "privilege": "StartActivityStream", - "resource_types": [ + "resource_type": "cluster*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to start the DB cluster", - "privilege": "StartDBCluster", + "description": "Grants permission to resume a cluster", + "privilege": "ResumeCluster", "resource_types": [ { "condition_keys": [], @@ -141370,46 +165377,49 @@ }, { "access_level": "Write", - "description": "Grants permission to start the DB instance", - "privilege": "StartDBInstance", + "description": "Grants permission to revoke an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group", + "privilege": "RevokeClusterSecurityGroupIngress", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "securitygroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-ec2securitygroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start replication of automated backups to a different AWS Region", - "privilege": "StartDBInstanceAutomatedBackupsReplication", + "access_level": "Permissions management", + "description": "Grants permission to revoke access for endpoint related activities for redshift-managed vpc endpoint", + "privilege": "RevokeEndpointAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a new Export task for a DB snapshot", - "privilege": "StartExportTask", + "access_level": "Permissions management", + "description": "Grants permission to revoke access from the specified AWS account to restore a snapshot", + "privilege": "RevokeSnapshotAccess", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop Activity Stream", - "privilege": "StopActivityStream", + "description": "Grants permission to rotate an encryption key for a cluster", + "privilege": "RotateEncryptionKey", "resource_types": [ { "condition_keys": [], @@ -141420,528 +165430,306 @@ }, { "access_level": "Write", - "description": "Grants permission to stop the DB cluster", - "privilege": "StopDBCluster", + "description": "Grants permission to update the status of a partner integration", + "privilege": "UpdatePartnerStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop the DB instance", - "privilege": "StopDBInstance", + "access_level": "List", + "description": "Grants permission to view query results through the Amazon Redshift console", + "privilege": "ViewQueriesFromConsole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop automated backup replication for a DB instance", - "privilege": "StopDBInstanceAutomatedBackupsReplication", + "access_level": "List", + "description": "Grants permission to terminate running queries and loads through the Amazon Redshift console", + "privilege": "ViewQueriesInConsole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:cluster-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "resource": "cluster" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:datashare:${ProducerClusterNamespace}/${DataShareName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "cluster-endpoint" + "resource": "datashare" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:cluster-pg-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "cluster-pg" + "resource": "dbgroup" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:cluster-snapshot-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "cluster-snapshot" + "resource": "dbname" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:DatabaseClass", - "rds:DatabaseEngine", - "rds:DatabaseName", - "rds:MultiAz", - "rds:Piops", - "rds:StorageEncrypted", - "rds:StorageSize", - "rds:Vpc", - "rds:db-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "db" + "resource": "dbuser" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:es-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "es" + "resource": "eventsubscription" }, { - "arn": "arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster}", - "condition_keys": [], - "resource": "global-cluster" + "arn": "arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "hsmclientcertificate" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:og-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "og" + "resource": "hsmconfiguration" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:namespace:${ProducerClusterNamespace}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:pg-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "pg" + "resource": "namespace" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "proxy" + "resource": "parametergroup" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:db-proxy-endpoint:${DbProxyEndpointId}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "proxy-endpoint" + "resource": "securitygroup" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:ri-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "ri" + "resource": "securitygroupingress-cidr" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:secgrp-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "secgrp" + "resource": "securitygroupingress-ec2securitygroup" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:snapshot-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "resource": "snapshot" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:subgrp-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "subgrp" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:target:${TargetId}", - "condition_keys": [], - "resource": "target" + "resource": "snapshotcopygrant" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "target-group" + "resource": "snapshotschedule" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cev:${Engine}/${EngineVersion}/${CustomDbEngineVersionId}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "cev" - } - ], - "service_name": "Amazon RDS" - }, - { - "conditions": [ - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys associated with the resource", - "type": "String" - } - ], - "prefix": "rds-data", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to run a batch SQL statement over an array of data", - "privilege": "BatchExecuteStatement", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start a SQL transaction", - "privilege": "BeginTransaction", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to end a SQL transaction started with the BeginTransaction operation and commits the changes", - "privilege": "CommitTransaction", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "rds-data:BeginTransaction" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to run one or more SQL statements. This operation is deprecated. Use the BatchExecuteStatement or ExecuteStatement operation", - "privilege": "ExecuteSql", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to run a SQL statement against a database", - "privilege": "ExecuteStatement", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] + "resource": "subnetgroup" }, { - "access_level": "Write", - "description": "Grants permission to perform a rollback of a transaction. Rolling back a transaction cancels its changes", - "privilege": "RollbackTransaction", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "rds-data:BeginTransaction" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}", + "arn": "arn:${Partition}:redshift:${Region}:${Account}:usagelimit:${UsageLimitId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], - "resource": "cluster" - } - ], - "service_name": "Amazon RDS Data API" - }, - { - "conditions": [], - "prefix": "rds-db", - "privileges": [ - { - "access_level": "Permissions management", - "description": "Allows IAM role or user to connect to RDS database", - "privilege": "connect", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db-user*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}", - "condition_keys": [], - "resource": "db-user" + "resource": "usagelimit" } ], - "service_name": "Amazon RDS IAM Authentication" + "service_name": "Amazon Redshift" }, { "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" - }, { "condition": "aws:ResourceTag/${TagKey}", "description": "Filters actions based on tag-value associated with the resource", "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - }, - { - "condition": "redshift:ConsumerIdentifier", - "description": "Filters access by the datashare consumer", - "type": "String" - }, - { - "condition": "redshift:DbName", - "description": "Filters access by the database name", - "type": "String" - }, - { - "condition": "redshift:DbUser", - "description": "Filters access by the database user name", - "type": "String" - }, - { - "condition": "redshift:DurationSeconds", - "description": "Filters access by the number of seconds until a temporary credential set expires", + "condition": "redshift-data:statement-owner-iam-userid", + "description": "Filters access by statement owner iam userid", "type": "String" } ], - "prefix": "redshift", + "prefix": "redshift-data", "privileges": [ { "access_level": "Write", - "description": "Grants permission to exchange a DC1 reserved node for a DC2 reserved node with no changes to the configuration", - "privilege": "AcceptReservedNodeExchange", + "description": "Grants permission to execute multiple queries under a single connection.", + "privilege": "BatchExecuteStatement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate a consumer to a datashare", - "privilege": "AssociateDataShareConsumer", + "description": "Grants permission to cancel a running query", + "privilege": "CancelStatement", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], "dependent_actions": [], - "resource_type": "datashare*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to add an inbound (ingress) rule to an Amazon Redshift security group", - "privilege": "AuthorizeClusterSecurityGroupIngress", + "access_level": "Read", + "description": "Grants permission to retrieve detailed information about a statement execution", + "privilege": "DescribeStatement", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroup*" - }, - { - "condition_keys": [], + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to authorize the specified datashare consumer to consume a datashare", - "privilege": "AuthorizeDataShare", + "access_level": "Read", + "description": "Grants permission to retrieve metadata about a particular table", + "privilege": "DescribeTable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datashare*" - }, - { - "condition_keys": [ - "redshift:ConsumerIdentifier" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to the specified AWS account to restore a snapshot", - "privilege": "AuthorizeSnapshotAccess", + "access_level": "Write", + "description": "Grants permission to execute a query", + "privilege": "ExecuteStatement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "cluster*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete snapshots in a batch of size upto 100", - "privilege": "BatchDeleteClusterSnapshots", + "access_level": "Read", + "description": "Grants permission to fetch the result of a query", + "privilege": "GetStatementResult", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify settings for a list of snapshots", - "privilege": "BatchModifyClusterSnapshots", + "access_level": "Read", + "description": "Grants permission to list databases for a given cluster", + "privilege": "ListDatabases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "cluster*" } ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a query through the Amazon Redshift console", - "privilege": "CancelQuery", + "access_level": "Read", + "description": "Grants permission to list schemas for a given cluster", + "privilege": "ListSchemas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] }, { - "access_level": "Write", - "description": "Grants permission to see queries in the Amazon Redshift console", - "privilege": "CancelQuerySession", + "access_level": "List", + "description": "Grants permission to list queries for a given principal", + "privilege": "ListStatements", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a resize operation", - "privilege": "CancelResize", + "access_level": "List", + "description": "Grants permission to list tables for a given cluster", + "privilege": "ListTables", "resource_types": [ { "condition_keys": [], @@ -141949,12 +165737,74 @@ "resource_type": "cluster*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + } + ], + "service_name": "Amazon Redshift Data API" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + }, + { + "condition": "redshift-serverless:endpointAccessId", + "description": "Filters access by the endpoint access identifier", + "type": "String" + }, + { + "condition": "redshift-serverless:namespaceId", + "description": "Filters access by the namespace identifier", + "type": "String" + }, + { + "condition": "redshift-serverless:recoveryPointId", + "description": "Filters access by the recovery point identifier", + "type": "String" }, + { + "condition": "redshift-serverless:snapshotId", + "description": "Filters access by the snapshot identifier", + "type": "String" + }, + { + "condition": "redshift-serverless:workgroupId", + "description": "Filters access by the workgroup identifier", + "type": "String" + } + ], + "prefix": "redshift-serverless", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to copy a cluster snapshot", - "privilege": "CopyClusterSnapshot", + "description": "Grants permission to convert a recovery point to a snapshot", + "privilege": "ConvertRecoveryPointToSnapshot", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoveryPoint*" + }, { "condition_keys": [], "dependent_actions": [], @@ -141964,33 +165814,25 @@ }, { "access_level": "Write", - "description": "Grants permission to create a cluster", - "privilege": "CreateCluster", + "description": "Grants permission to create an Amazon Redshift Serverless managed VPC endpoint", + "privilege": "CreateEndpointAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "endpointAccess*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift parameter group", - "privilege": "CreateClusterParameterGroup", + "description": "Grants permission to create an Amazon Redshift Serverless namespace", + "privilege": "CreateNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "namespace*" }, { "condition_keys": [ @@ -142004,53 +165846,37 @@ }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift security group", - "privilege": "CreateClusterSecurityGroup", + "description": "Grants permission to create a snapshot of all databases in a namespace", + "privilege": "CreateSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a manual snapshot of the specified cluster", - "privilege": "CreateClusterSnapshot", + "description": "Grants permission to create a usage limit for a specified Amazon Redshift Serverless usage type", + "privilege": "CreateUsageLimit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift subnet group", - "privilege": "CreateClusterSubnetGroup", + "description": "Grants permission to create a workgroup in Amazon Redshift Serverless", + "privilege": "CreateWorkgroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" + "resource_type": "workgroup*" }, { "condition_keys": [ @@ -142063,88 +165889,57 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to automatically create the specified Amazon Redshift user if it does not exist", - "privilege": "CreateClusterUser", + "access_level": "Write", + "description": "Grants permission to delete an Amazon Redshift Serverless managed VPC endpoint", + "privilege": "DeleteEndpointAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbuser*" - }, - { - "condition_keys": [ - "redshift:DbUser" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "endpointAccess*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift event notification subscription", - "privilege": "CreateEventSubscription", + "description": "Grants permission to delete a namespace from Amazon Redshift Serverless", + "privilege": "DeleteNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventsubscription*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "namespace*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an HSM client certificate that a cluster uses to connect to an HSM", - "privilege": "CreateHsmClientCertificate", + "description": "Grants permission to delete the specified resource policy", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmclientcertificate*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an HSM configuration that contains information required by a cluster to store and use database encryption keys in a hardware security module (HSM)", - "privilege": "CreateHsmConfiguration", + "description": "Grants permission to delete a snapshot from Amazon Redshift Serverless", + "privilege": "DeleteSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmconfiguration*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot*" } ] }, { "access_level": "Write", - "description": "Grants permission to create saved SQL queries through the Amazon Redshift console", - "privilege": "CreateSavedQuery", + "description": "Grants permission to delete a usage limit from Amazon Redshift Serverless", + "privilege": "DeleteUsageLimit", "resource_types": [ { "condition_keys": [], @@ -142155,290 +165950,200 @@ }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift scheduled action", - "privilege": "CreateScheduledAction", + "description": "Grants permission to delete a workgroup", + "privilege": "DeleteWorkgroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workgroup*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region", - "privilege": "CreateSnapshotCopyGrant", + "access_level": "Write", + "description": "Grants permission to get a database user name and temporary password with temporary authorization to log on to Amazon Redshift Serverless", + "privilege": "GetCredentials", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotcopygrant*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "workgroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a snapshot schedule", - "privilege": "CreateSnapshotSchedule", + "access_level": "Read", + "description": "Grants permission to create an Amazon Redshift Serverless managed VPC endpoint", + "privilege": "GetEndpointAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "endpointAccess*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add one or more tags to a specified resource", - "privilege": "CreateTags", + "access_level": "Read", + "description": "Grants permission to get information about a namespace in Amazon Redshift Serverless", + "privilege": "GetNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbgroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbname" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbuser" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "eventsubscription" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmclientcertificate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmconfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "parametergroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-cidr" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshotcopygrant" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshotschedule" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subnetgroup" - }, + "resource_type": "namespace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a recovery point", + "privilege": "GetRecoveryPoint", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "usagelimit" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "recoveryPoint*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a usage limit", - "privilege": "CreateUsageLimit", + "access_level": "Read", + "description": "Grants permission to get a resource policy", + "privilege": "GetResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "usagelimit*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Remove permission from the specified datashare consumer to consume a datashare", - "privilege": "DeauthorizeDataShare", + "access_level": "Read", + "description": "Grants permission to get information about a specific snapshot", + "privilege": "GetSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datashare*" - }, - { - "condition_keys": [ - "redshift:ConsumerIdentifier" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a previously provisioned cluster", - "privilege": "DeleteCluster", + "access_level": "Read", + "description": "Grants permission to get information about a usage limit in Amazon Redshift Serverless", + "privilege": "GetUsageLimit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift parameter group", - "privilege": "DeleteClusterParameterGroup", + "access_level": "Read", + "description": "Grants permission to get information about a specific workgroup", + "privilege": "GetWorkgroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "workgroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift security group", - "privilege": "DeleteClusterSecurityGroup", + "access_level": "List", + "description": "Grants permission to list EndpointAccess objects and relevant information", + "privilege": "ListEndpointAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup*" + "resource_type": "endpointAccess*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a manual snapshot", - "privilege": "DeleteClusterSnapshot", + "access_level": "List", + "description": "Grants permission to list namespaces in Amazon Redshift Serverless", + "privilege": "ListNamespaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a cluster subnet group", - "privilege": "DeleteClusterSubnetGroup", + "access_level": "List", + "description": "Grants permission to list an array of recovery points", + "privilege": "ListRecoveryPoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" + "resource_type": "namespace" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift event notification subscription", - "privilege": "DeleteEventSubscription", + "access_level": "List", + "description": "Grants permission to list snapshots", + "privilege": "ListSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventsubscription*" + "resource_type": "snapshot*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an HSM client certificate", - "privilege": "DeleteHsmClientCertificate", + "access_level": "List", + "description": "Grants permission to list the tags assigned to a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmclientcertificate*" + "resource_type": "namespace" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift HSM configuration", - "privilege": "DeleteHsmConfiguration", + "access_level": "List", + "description": "Grants permission to list all usage limits within Amazon Redshift Serverless", + "privilege": "ListUsageLimits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmconfiguration*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete saved SQL queries through the Amazon Redshift console", - "privilege": "DeleteSavedQueries", + "access_level": "List", + "description": "Grants permission to list workgroups in Amazon Redshift Serverless", + "privilege": "ListWorkgroups", "resource_types": [ { "condition_keys": [], @@ -142449,8 +166154,8 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift scheduled action", - "privilege": "DeleteScheduledAction", + "description": "Grants permission to create or update a resource policy", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], @@ -142461,112 +166166,68 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a snapshot copy grant", - "privilege": "DeleteSnapshotCopyGrant", + "description": "Grants permission to restore the data from a recovery point", + "privilege": "RestoreFromRecoveryPoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotcopygrant*" + "resource_type": "recoveryPoint*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a snapshot schedule", - "privilege": "DeleteSnapshotSchedule", + "description": "Grants permission to restore a namespace from a snapshot", + "privilege": "RestoreFromSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" + "resource_type": "snapshot*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to delete a tag or tags from a resource", - "privilege": "DeleteTags", + "description": "Grants permission to assign one or more tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbgroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbname" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbuser" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "eventsubscription" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmclientcertificate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmconfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "parametergroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-cidr" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" + "resource_type": "namespace" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotcopygrant" + "resource_type": "workgroup" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "snapshotschedule" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove a tag or set of tags from a resource", + "privilege": "UntagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup" + "resource_type": "namespace" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "usagelimit" + "resource_type": "workgroup" }, { "condition_keys": [ @@ -142579,44 +166240,44 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a usage limit", - "privilege": "DeleteUsageLimit", + "description": "Grants permission to update an Amazon Redshift Serverless managed VPC endpoint", + "privilege": "UpdateEndpointAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "usagelimit*" + "resource_type": "endpointAccess*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe attributes attached to the specified AWS account", - "privilege": "DescribeAccountAttributes", + "access_level": "Write", + "description": "Grants permission to update a namespace with the specified configuration settings", + "privilege": "UpdateNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "namespace*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe database revisions for a cluster", - "privilege": "DescribeClusterDbRevisions", + "access_level": "Write", + "description": "Grants permission to update a snapshot", + "privilege": "UpdateSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift parameter groups, including parameter groups you created and the default parameter group", - "privilege": "DescribeClusterParameterGroups", + "access_level": "Write", + "description": "Grants permission to update a usage limit in Amazon Redshift Serverless", + "privilege": "UpdateUsageLimit", "resource_types": [ { "condition_keys": [], @@ -142626,177 +166287,210 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe parameters contained within an Amazon Redshift parameter group", - "privilege": "DescribeClusterParameters", + "access_level": "Write", + "description": "Grants permission to update an Amazon Redshift Serverless workgroup with the specified configuration settings", + "privilege": "UpdateWorkgroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "workgroup*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:redshift-serverless:${Region}:${Account}:namespace/${NamespaceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "namespace" }, { - "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift security groups", - "privilege": "DescribeClusterSecurityGroups", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:redshift-serverless:${Region}:${Account}:snapshot/${SnapshotId}", + "condition_keys": [], + "resource": "snapshot" }, { - "access_level": "Read", - "description": "Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots", - "privilege": "DescribeClusterSnapshots", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:redshift-serverless:${Region}:${Account}:workgroup/${WorkgroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "workgroup" }, { - "access_level": "Read", - "description": "Grants permission to describe one or more cluster subnet group objects, which contain metadata about your cluster subnet groups", - "privilege": "DescribeClusterSubnetGroups", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:redshift-serverless:${Region}:${Account}:recovery-point/${RecoveryPointId}", + "condition_keys": [], + "resource": "recoveryPoint" }, { - "access_level": "List", - "description": "Grants permission to describe available maintenance tracks", - "privilege": "DescribeClusterTracks", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:redshift-serverless:${Region}:${Account}:managedvpcendpoint/${EndpointAccessId}", + "condition_keys": [], + "resource": "endpointAccess" + } + ], + "service_name": "Amazon Redshift Serverless" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" }, { - "access_level": "Read", - "description": "Grants permission to describe available Amazon Redshift cluster versions", - "privilege": "DescribeClusterVersions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" }, { - "access_level": "List", - "description": "Grants permission to describe properties of provisioned clusters", - "privilege": "DescribeClusters", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "aws:TagKeys", + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" }, { - "access_level": "Read", - "description": "Grants permission to describe datashares created and consumed by your clusters", - "privilege": "DescribeDataShares", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "refactor-spaces:ApplicationCreatedByAccount", + "description": "Filters access by restricting the action to only those accounts that created the application within an environment", + "type": "String" }, { - "access_level": "Read", - "description": "Grants permission to describe only datashares consumed by your clusters", - "privilege": "DescribeDataSharesForConsumer", + "condition": "refactor-spaces:CreatedByAccountIds", + "description": "Filters access by the accounts that created the resource", + "type": "ArrayOfString" + }, + { + "condition": "refactor-spaces:RouteCreatedByAccount", + "description": "Filters access by restricting the action to only those accounts that created the route within an application", + "type": "String" + }, + { + "condition": "refactor-spaces:ServiceCreatedByAccount", + "description": "Filters access by restricting the action to only those accounts that created the service within an application", + "type": "String" + }, + { + "condition": "refactor-spaces:SourcePath", + "description": "Filters access by the path of the route", + "type": "String" + } + ], + "prefix": "refactor-spaces", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an application within an environment", + "privilege": "CreateApplication", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe only datashares created by your clusters", - "privilege": "DescribeDataSharesForProducer", + "access_level": "Write", + "description": "Grants permission to create an environment", + "privilege": "CreateEnvironment", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe parameter settings for a parameter group family", - "privilege": "DescribeDefaultClusterParameters", + "access_level": "Write", + "description": "Grants permission to create a route within an application", + "privilege": "CreateRoute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:RouteCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:SourcePath", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe event categories for all event source types, or for a specified source type", - "privilege": "DescribeEventCategories", + "access_level": "Write", + "description": "Grants permission to create a service within an application", + "privilege": "CreateService", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift event notification subscriptions for the specified AWS account", - "privilege": "DescribeEventSubscriptions", + "access_level": "Write", + "description": "Grants permission to delete an application from an environment", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe events related to clusters, security groups, snapshots, and parameter groups for the past 14 days", - "privilege": "DescribeEvents", + "access_level": "Write", + "description": "Grants permission to delete an environment", + "privilege": "DeleteEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe HSM client certificates", - "privilege": "DescribeHsmClientCertificates", + "access_level": "Write", + "description": "Grants permission to delete a resource policy", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], @@ -142806,36 +166500,46 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift HSM configurations", - "privilege": "DescribeHsmConfigurations", + "access_level": "Write", + "description": "Grants permission to delete a route from an application", + "privilege": "DeleteRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "route*" + }, + { + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:RouteCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:SourcePath", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe whether information, such as queries and connection attempts, is being logged for a cluster", - "privilege": "DescribeLoggingStatus", + "access_level": "Write", + "description": "Grants permission to delete a service from an application", + "privilege": "DeleteService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to describe properties of possible node configurations such as node type, number of nodes, and disk usage for the specified action type", - "privilege": "DescribeNodeConfigurationOptions", - "resource_types": [ + "resource_type": "service*" + }, { - "condition_keys": [], + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -142843,32 +166547,48 @@ }, { "access_level": "Read", - "description": "Grants permission to describe orderable cluster options", - "privilege": "DescribeOrderableClusterOptions", + "description": "Grants permission to get more information about an application", + "privilege": "GetApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a query through the Amazon Redshift console", - "privilege": "DescribeQuery", + "description": "Grants permission to get more information for an environment", + "privilege": "GetEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe available reserved node offerings by Amazon Redshift", - "privilege": "DescribeReservedNodeOfferings", + "description": "Grants permission to get the details about a resource policy", + "privilege": "GetResourcePolicy", "resource_types": [ { "condition_keys": [], @@ -142879,56 +166599,78 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the reserved nodes", - "privilege": "DescribeReservedNodes", + "description": "Grants permission to get more information about a route", + "privilege": "GetRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "route*" + }, + { + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:RouteCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:SourcePath", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the last resize operation for a cluster", - "privilege": "DescribeResize", + "description": "Grants permission to get more information about a service", + "privilege": "GetService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "service*" + }, + { + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe saved queries through the Amazon Redshift console", - "privilege": "DescribeSavedQueries", + "description": "Grants permission to list all the applications in an environment", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "environment*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe created Amazon Redshift scheduled actions", - "privilege": "DescribeScheduledActions", + "description": "Grants permission to list all the VPCs for the environment", + "privilege": "ListEnvironmentVpcs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "environment*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region", - "privilege": "DescribeSnapshotCopyGrants", + "description": "Grants permission to list all environments", + "privilege": "ListEnvironments", "resource_types": [ { "condition_keys": [], @@ -142939,32 +166681,32 @@ }, { "access_level": "Read", - "description": "Grants permission to describe snapshot schedules", - "privilege": "DescribeSnapshotSchedules", + "description": "Grants permission to list all the routes in an application", + "privilege": "ListRoutes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" + "resource_type": "environment*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe account level backups storage size and provisional storage", - "privilege": "DescribeStorage", + "description": "Grants permission to list all the services in an environment", + "privilege": "ListServices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "environment*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a table through the Amazon Redshift console", - "privilege": "DescribeTable", + "description": "Grants permission to list all the tags for a given resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], @@ -142974,9 +166716,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action", - "privilege": "DescribeTableRestoreStatus", + "access_level": "Write", + "description": "Grants permission to add a resource policy", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], @@ -142986,343 +166728,462 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe tags", - "privilege": "DescribeTags", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "application" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbgroup" + "resource_type": "environment" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbname" + "resource_type": "route" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbuser" + "resource_type": "service" }, { - "condition_keys": [], + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:RouteCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:SourcePath", + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "eventsubscription" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove a tag from a resource", + "privilege": "UntagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmclientcertificate" + "resource_type": "application" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmconfiguration" + "resource_type": "environment" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup" + "resource_type": "route" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup" + "resource_type": "service" }, { - "condition_keys": [], + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:RouteCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:SourcePath", + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "securitygroupingress-cidr" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a route from an application", + "privilege": "UpdateRoute", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup" + "resource_type": "route*" }, { - "condition_keys": [], + "condition_keys": [ + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:RouteCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:SourcePath", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "snapshot" - }, + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment" + }, + { + "arn": "arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}/application/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:CreatedByAccountIds" + ], + "resource": "application" + }, + { + "arn": "arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}/application/${ApplicationId}/service/${ServiceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:ServiceCreatedByAccount" + ], + "resource": "service" + }, + { + "arn": "arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}/application/${ApplicationId}/route/${RouteId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "refactor-spaces:ApplicationCreatedByAccount", + "refactor-spaces:CreatedByAccountIds", + "refactor-spaces:RouteCreatedByAccount", + "refactor-spaces:ServiceCreatedByAccount", + "refactor-spaces:SourcePath" + ], + "resource": "route" + } + ], + "service_name": "AWS Migration Hub Refactor Spaces" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "rekognition", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to compare faces in the source input image with each face detected in the target input image", + "privilege": "CompareFaces", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotcopygrant" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy an existing model version to a new model version", + "privilege": "CopyProjectVersion", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule" + "resource_type": "project*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup" + "resource_type": "projectversion*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "usagelimit" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe usage limits", - "privilege": "DescribeUsageLimits", + "access_level": "Write", + "description": "Grants permission to create a collection in an AWS Region", + "privilege": "CreateCollection", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "usagelimit*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disable logging information, such as queries and connection attempts, for a cluster", - "privilege": "DisableLogging", + "description": "Grants permission to create a new Amazon Rekognition Custom Labels dataset", + "privilege": "CreateDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable the automatic copy of snapshots for a cluster", - "privilege": "DisableSnapshotCopy", + "description": "Grants permission to create an Amazon Rekognition Custom Labels project", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a consumer from a datashare", - "privilege": "DisassociateDataShareConsumer", + "description": "Grants permission to begin training a new version of a model", + "privilege": "CreateProjectVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datashare*" + "resource_type": "project*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to enable logging information, such as queries and connection attempts, for a cluster", - "privilege": "EnableLogging", + "description": "Grants permission to create an Amazon Rekognition stream processor", + "privilege": "CreateStreamProcessor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "collection*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to enable the automatic copy of snapshots for a cluster", - "privilege": "EnableSnapshotCopy", + "description": "Grants permission to delete the specified collection", + "privilege": "DeleteCollection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "collection*" } ] }, { "access_level": "Write", - "description": "Grants permission to execute a query through the Amazon Redshift console", - "privilege": "ExecuteQuery", + "description": "Grants permission to delete an existing Amazon Rekognition Custom Labels dataset", + "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dataset*" } ] }, { - "access_level": "Read", - "description": "Grants permission to fetch query results through the Amazon Redshift console", - "privilege": "FetchResults", + "access_level": "Write", + "description": "Grants permission to delete faces from a collection", + "privilege": "DeleteFaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "collection*" } ] }, { "access_level": "Write", - "description": "Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account", - "privilege": "GetClusterCredentials", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbuser*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbgroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbname" - }, - { - "condition_keys": [ - "redshift:DbName", - "redshift:DbUser", - "redshift:DurationSeconds" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node", - "privilege": "GetReservedNodeExchangeOfferings", + "access_level": "Write", + "description": "Grants permission to delete a resource policy attached to a project", + "privilege": "DeleteProjectPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to join the specified Amazon Redshift group", - "privilege": "JoinGroup", + "access_level": "Write", + "description": "Grants permission to delete a model", + "privilege": "DeleteProjectVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbgroup*" + "resource_type": "projectversion*" } ] }, { - "access_level": "List", - "description": "Grants permission to list databases through the Amazon Redshift console", - "privilege": "ListDatabases", + "access_level": "Write", + "description": "Grants permission to delete the specified stream processor", + "privilege": "DeleteStreamProcessor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "streamprocessor*" } ] }, { - "access_level": "List", - "description": "Grants permission to list saved queries through the Amazon Redshift console", - "privilege": "ListSavedQueries", + "access_level": "Read", + "description": "Grants permission to read details about a collection", + "privilege": "DescribeCollection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "collection*" } ] }, { - "access_level": "List", - "description": "Grants permission to list schemas through the Amazon Redshift console", - "privilege": "ListSchemas", + "access_level": "Read", + "description": "Grants permission to describe an Amazon Rekognition Custom Labels dataset", + "privilege": "DescribeDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dataset*" } ] }, { - "access_level": "List", - "description": "Grants permission to list tables through the Amazon Redshift console", - "privilege": "ListTables", + "access_level": "Read", + "description": "Grants permission to list the versions of a model in an Amazon Rekognition Custom Labels project", + "privilege": "DescribeProjectVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the AQUA configuration of a cluster", - "privilege": "ModifyAquaConfiguration", + "access_level": "Read", + "description": "Grants permission to list Amazon Rekognition Custom Labels projects", + "privilege": "DescribeProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the settings of a cluster", - "privilege": "ModifyCluster", + "access_level": "Read", + "description": "Grants permission to get information about the specified stream processor", + "privilege": "DescribeStreamProcessor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "streamprocessor*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the database revision of a cluster", - "privilege": "ModifyClusterDbRevision", + "access_level": "Read", + "description": "Grants permission to detect custom labels in a supplied image", + "privilege": "DetectCustomLabels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "projectversion*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services", - "privilege": "ModifyClusterIamRoles", + "access_level": "Read", + "description": "Grants permission to detect human faces within an image provided as input", + "privilege": "DetectFaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the maintenance settings of a cluster", - "privilege": "ModifyClusterMaintenance", + "access_level": "Read", + "description": "Grants permission to detect instances of real-world labels within an image provided as input", + "privilege": "DetectLabels", "resource_types": [ { "condition_keys": [], @@ -143332,69 +167193,69 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to modify the parameters of a parameter group", - "privilege": "ModifyClusterParameterGroup", + "access_level": "Read", + "description": "Grants permission to detect moderation labels within the input image", + "privilege": "DetectModerationLabels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the settings of a snapshot", - "privilege": "ModifyClusterSnapshot", + "access_level": "Read", + "description": "Grants permission to detect Personal Protective Equipment in the input image", + "privilege": "DetectProtectiveEquipment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a snapshot schedule for a cluster", - "privilege": "ModifyClusterSnapshotSchedule", + "access_level": "Read", + "description": "Grants permission to detect text in the input image and convert it into machine-readable text", + "privilege": "DetectText", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a cluster subnet group to include the specified list of VPC subnets", - "privilege": "ModifyClusterSubnetGroup", + "description": "Grants permission to distribute the entries in a training dataset across the training dataset and the test dataset for a project", + "privilege": "DistributeDatasetEntries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" + "resource_type": "dataset*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify an existing Amazon Redshift event notification subscription", - "privilege": "ModifyEventSubscription", + "access_level": "Read", + "description": "Grants permission to read the name, and additional information, of a celebrity", + "privilege": "GetCelebrityInfo", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventsubscription*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify an existing saved query through the Amazon Redshift console", - "privilege": "ModifySavedQuery", + "access_level": "Read", + "description": "Grants permission to read the celebrity recognition results found in a stored video by an asynchronous celebrity recognition job", + "privilege": "GetCelebrityRecognition", "resource_types": [ { "condition_keys": [], @@ -143404,9 +167265,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to modify an existing Amazon Redshift scheduled action", - "privilege": "ModifyScheduledAction", + "access_level": "Read", + "description": "Grants permission to read the content moderation analysis results found in a stored video by an asynchronous content moderation job", + "privilege": "GetContentModeration", "resource_types": [ { "condition_keys": [], @@ -143416,57 +167277,57 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to modify the number of days to retain snapshots in the destination AWS Region after they are copied from the source AWS Region", - "privilege": "ModifySnapshotCopyRetentionPeriod", + "access_level": "Read", + "description": "Grants permission to read the faces detection results found in a stored video by an asynchronous face detection job", + "privilege": "GetFaceDetection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a snapshot schedule", - "privilege": "ModifySnapshotSchedule", + "access_level": "Read", + "description": "Grants permission to read the matching collection faces found in a stored video by an asynchronous face search job", + "privilege": "GetFaceSearch", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a usage limit", - "privilege": "ModifyUsageLimit", + "access_level": "Read", + "description": "Grants permission to read the label detected resuls found in a stored video by an asynchronous label detection job", + "privilege": "GetLabelDetection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "usagelimit*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to pause a cluster", - "privilege": "PauseCluster", + "access_level": "Read", + "description": "Grants permission to read the list of persons detected in a stored video by an asynchronous person tracking job", + "privilege": "GetPersonTracking", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to purchase a reserved node", - "privilege": "PurchaseReservedNodeOffering", + "access_level": "Read", + "description": "Grants permission to get the vdeo segments found in a stored video by an asynchronous segment detection job", + "privilege": "GetSegmentDetection", "resource_types": [ { "condition_keys": [], @@ -143476,144 +167337,129 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to reboot a cluster", - "privilege": "RebootCluster", + "access_level": "Read", + "description": "Grants permission to get the text found in a stored video by an asynchronous text detection job", + "privilege": "GetTextDetection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to decline a datashare shared from another account", - "privilege": "RejectDataShare", + "access_level": "Write", + "description": "Grants permission to update an existing collection with faces detected in the input image", + "privilege": "IndexFaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datashare*" + "resource_type": "collection*" } ] }, { - "access_level": "Write", - "description": "Grants permission to set one or more parameters of a parameter group to their default values and set the source values of the parameters to \"engine-default\"", - "privilege": "ResetClusterParameterGroup", + "access_level": "Read", + "description": "Grants permission to read the collection Id's in your account", + "privilege": "ListCollections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "collection*" } ] }, { - "access_level": "Write", - "description": "Grants permission to change the size of a cluster", - "privilege": "ResizeCluster", + "access_level": "Read", + "description": "Grants permission to list the dataset entries in an existing Amazon Rekognition Custom Labels dataset", + "privilege": "ListDatasetEntries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "dataset*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a cluster from a snapshot", - "privilege": "RestoreFromClusterSnapshot", + "access_level": "Read", + "description": "Grants permission to list the labels in a dataset", + "privilege": "ListDatasetLabels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "dataset*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a table from a table in an Amazon Redshift cluster snapshot", - "privilege": "RestoreTableFromClusterSnapshot", + "access_level": "Read", + "description": "Grants permission to read metadata for faces in the specificed collection", + "privilege": "ListFaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "collection*" } ] }, { - "access_level": "Write", - "description": "Grants permission to resume a cluster", - "privilege": "ResumeCluster", + "access_level": "Read", + "description": "Grants permission to list the resource policies attached to a project", + "privilege": "ListProjectPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "project*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to revoke an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group", - "privilege": "RevokeClusterSecurityGroupIngress", + "access_level": "List", + "description": "Grants permission to get a list of your stream processors", + "privilege": "ListStreamProcessors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup*" + "resource_type": "streamprocessor*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to revoke access from the specified AWS account to restore a snapshot", - "privilege": "RevokeSnapshotAccess", + "access_level": "Read", + "description": "Grants permission to return a list of tags associated with a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "projectversion*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to rotate an encryption key for a cluster", - "privilege": "RotateEncryptionKey", + "access_level": "Write", + "description": "Grants permission to attach a resource policy to a project", + "privilege": "PutProjectPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "Grants permission to view query results through the Amazon Redshift console", - "privilege": "ViewQueriesFromConsole", + "access_level": "Read", + "description": "Grants permission to detect celebrities in the input image", + "privilege": "RecognizeCelebrities", "resource_types": [ { "condition_keys": [], @@ -143623,320 +167469,141 @@ ] }, { - "access_level": "List", - "description": "Grants permission to terminate running queries and loads through the Amazon Redshift console", - "privilege": "ViewQueriesInConsole", + "access_level": "Read", + "description": "Grants permission to search the specificed collection for the supplied face ID", + "privilege": "SearchFaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "collection*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "cluster" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:datashare:${ProducerClusterNamespace}/{DataShareName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "datashare" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dbgroup" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dbname" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dbuser" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "eventsubscription" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "hsmclientcertificate" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "hsmconfiguration" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "parametergroup" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "securitygroup" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "securitygroupingress-cidr" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "securitygroupingress-ec2securitygroup" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "snapshot" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "snapshotcopygrant" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "snapshotschedule" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "subnetgroup" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:usagelimit:${UsageLimitId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "usagelimit" - } - ], - "service_name": "Amazon Redshift" - }, - { - "conditions": [ - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", - "type": "String" - }, - { - "condition": "redshift-data:statement-owner-iam-userid", - "description": "Filters access by statement owner iam userid", - "type": "String" - } - ], - "prefix": "redshift-data", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to execute multiple queries under a single connection.", - "privilege": "BatchExecuteStatement", + "access_level": "Read", + "description": "Grants permission to search the specificed collection for the largest face in the input image", + "privilege": "SearchFacesByImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "collection*" } ] }, { "access_level": "Write", - "description": "Grants permission to cancel a running query", - "privilege": "CancelStatement", + "description": "Grants permission to start the asynchronous recognition of celebrities in a stored video", + "privilege": "StartCelebrityRecognition", "resource_types": [ { - "condition_keys": [ - "redshift-data:statement-owner-iam-userid" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve detailed information about a statement execution", - "privilege": "DescribeStatement", + "access_level": "Write", + "description": "Grants permission to start asynchronous detection of explicit or suggestive adult content in a stored video", + "privilege": "StartContentModeration", "resource_types": [ { - "condition_keys": [ - "redshift-data:statement-owner-iam-userid" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve metadata about a particular table", - "privilege": "DescribeTable", + "access_level": "Write", + "description": "Grants permission to start asynchronous detection of faces in a stored video", + "privilege": "StartFaceDetection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to execute a query", - "privilege": "ExecuteStatement", + "description": "Grants permission to start an asynchronous search for faces in a collection that match the faces of persons detected in a stored video", + "privilege": "StartFaceSearch", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "collection*" } ] }, { - "access_level": "Read", - "description": "Grants permission to fetch the result of a query", - "privilege": "GetStatementResult", + "access_level": "Write", + "description": "Grants permission to start asynchronous detection of labels in a stored video", + "privilege": "StartLabelDetection", "resource_types": [ { - "condition_keys": [ - "redshift-data:statement-owner-iam-userid" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list databases for a given cluster", - "privilege": "ListDatabases", + "access_level": "Write", + "description": "Grants permission to start the asynchronous tracking of persons in a stored video", + "privilege": "StartPersonTracking", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list schemas for a given cluster", - "privilege": "ListSchemas", + "access_level": "Write", + "description": "Grants permission to start running a model version", + "privilege": "StartProjectVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "projectversion*" } ] }, { - "access_level": "List", - "description": "Grants permission to list queries for a given principal", - "privilege": "ListStatements", + "access_level": "Write", + "description": "Grants permission to start the asynchronous detection of segments in a stored video", + "privilege": "StartSegmentDetection", "resource_types": [ { - "condition_keys": [ - "redshift-data:statement-owner-iam-userid" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list tables for a given cluster", - "privilege": "ListTables", + "access_level": "Write", + "description": "Grants permission to start running a stream processor", + "privilege": "StartStreamProcessor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "streamprocessor*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "cluster" - } - ], - "service_name": "Amazon Redshift Data API" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on the tags associated with the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "rekognition", - "privileges": [ - { - "access_level": "Read", - "description": "Compares a face in source input image with each face detected in the target input image.", - "privilege": "CompareFaces", + "access_level": "Write", + "description": "Grants permission to start the asynchronous detection of text in a stored video", + "privilege": "StartTextDetection", "resource_types": [ { "condition_keys": [], @@ -143947,50 +167614,47 @@ }, { "access_level": "Write", - "description": "Creates a collection in an AWS region. You can then add faces to the collection using the IndexFaces API.", - "privilege": "CreateCollection", + "description": "Grants permission to stop a running model version", + "privilege": "StopProjectVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "projectversion*" } ] }, { "access_level": "Write", - "description": "Creates a new Amazon Rekognition Custom Labels project.", - "privilege": "CreateProject", + "description": "Grants permission to stop a running stream processor", + "privilege": "StopStreamProcessor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "streamprocessor*" } ] }, { - "access_level": "Write", - "description": "Creates a new version of a model and begins training.", - "privilege": "CreateProjectVersion", + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "collection" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "projectversion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streamprocessor" }, { "condition_keys": [ @@ -144003,23 +167667,27 @@ ] }, { - "access_level": "Write", - "description": "Creates an Amazon Rekognition stream processor that you can use to detect and recognize faces in a streaming video.", - "privilege": "CreateStreamProcessor", + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "collection" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "projectversion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streamprocessor" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -144029,224 +167697,312 @@ }, { "access_level": "Write", - "description": "Deletes the specified collection. Note that this operation removes all faces in the collection.", - "privilege": "DeleteCollection", + "description": "Grants permission to add or update one or more JSON Lines (entries) in a dataset", + "privilege": "UpdateDatasetEntries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "dataset*" } ] }, { "access_level": "Write", - "description": "Deletes faces from a collection.", - "privilege": "DeleteFaces", + "description": "Grants permission to modify properties for a stream processor", + "privilege": "UpdateStreamProcessor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "streamprocessor*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:collection/${CollectionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "collection" + }, + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:streamprocessor/${StreamprocessorId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "streamprocessor" + }, + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/${CreationTimestamp}", + "condition_keys": [], + "resource": "project" + }, + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/version/${VersionName}/${CreationTimestamp}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "projectversion" + }, + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/dataset/${DatasetType}/${CreationTimestamp}", + "condition_keys": [], + "resource": "dataset" + } + ], + "service_name": "Amazon Rekognition" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "resiliencehub", + "privileges": [ { "access_level": "Write", - "description": "Deletes a project.", - "privilege": "DeleteProject", + "description": "Grants permission to add draft application version resource mappings", + "privilege": "AddDraftAppVersionResourceMappings", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "resource-groups:GetGroup", + "resource-groups:ListGroupResources", + "servicecatalog:GetApplication", + "servicecatalog:ListAssociatedResources" + ], + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Deletes a model.", - "privilege": "DeleteProjectVersion", + "description": "Grants permission to create application", + "privilege": "CreateApp", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the stream processor identified by Name.", - "privilege": "DeleteStreamProcessor", + "description": "Grants permission to create recommendation template", + "privilege": "CreateRecommendationTemplate", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "s3:CreateBucket", + "s3:ListBucket", + "s3:PutObject" + ], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes the specified collection.", - "privilege": "DescribeCollection", + "access_level": "Write", + "description": "Grants permission to create resiliency policy", + "privilege": "CreateResiliencyPolicy", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Lists and describes the model versions in an Amazon Rekognition Custom Labels project.", - "privilege": "DescribeProjectVersions", + "access_level": "Write", + "description": "Grants permission to batch delete application", + "privilege": "DeleteApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Lists and gets information about your Amazon Rekognition Custom Labels projects.", - "privilege": "DescribeProjects", + "access_level": "Write", + "description": "Grants permission to batch delete application assessment", + "privilege": "DeleteAppAssessment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Provides information about a stream processor created by CreateStreamProcessor.", - "privilege": "DescribeStreamProcessor", + "access_level": "Write", + "description": "Grants permission to batch delete recommendation template", + "privilege": "DeleteRecommendationTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Detects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model version.", - "privilege": "DetectCustomLabels", + "access_level": "Write", + "description": "Grants permission to batch delete resiliency policy", + "privilege": "DeleteResiliencyPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "resiliency-policy*" } ] }, { "access_level": "Read", - "description": "Detects human faces within an image (JPEG or PNG) provided as input.", - "privilege": "DetectFaces", + "description": "Grants permission to describe application", + "privilege": "DescribeApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Detects instances of real-world labels within an image (JPEG or PNG) provided as input.", - "privilege": "DetectLabels", + "description": "Grants permission to describe application assessment", + "privilege": "DescribeAppAssessment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Detects moderation labels within input image.", - "privilege": "DetectModerationLabels", + "description": "Grants permission to describe application resolution", + "privilege": "DescribeAppVersionResourcesResolutionStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Detects Protective Equipment in the input image.", - "privilege": "DetectProtectiveEquipment", + "description": "Grants permission to describe application version template", + "privilege": "DescribeAppVersionTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Detects text in the input image and converts it into machine-readable text.", - "privilege": "DetectText", + "description": "Grants permission to describe draft application version resources import status", + "privilege": "DescribeDraftAppVersionResourcesImportStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Gets the name and additional information about a celebrity based on his or her Rekognition ID.", - "privilege": "GetCelebrityInfo", + "description": "Grants permission to describe resiliency policy", + "privilege": "DescribeResiliencyPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "resiliency-policy*" } ] }, { - "access_level": "Read", - "description": "Gets the celebrity recognition results for a Rekognition Video analysis started by StartCelebrityRecognition.", - "privilege": "GetCelebrityRecognition", + "access_level": "Write", + "description": "Grants permission to import resources to draft application version", + "privilege": "ImportResourcesToDraftAppVersion", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "resource-groups:GetGroup", + "resource-groups:ListGroupResources", + "servicecatalog:GetApplication", + "servicecatalog:ListAssociatedResources" + ], + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets the content moderation analysis results for a Rekognition Video analysis started by StartContentModeration.", - "privilege": "GetContentModeration", + "access_level": "List", + "description": "Grants permission to list alarm recommendation", + "privilege": "ListAlarmRecommendations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets face detection results for a Rekognition Video analysis started by StartFaceDetection.", - "privilege": "GetFaceDetection", + "access_level": "List", + "description": "Grants permission to list application assessment", + "privilege": "ListAppAssessments", "resource_types": [ { "condition_keys": [], @@ -144256,129 +168012,129 @@ ] }, { - "access_level": "Read", - "description": "Gets the face search results for Rekognition Video face search started by StartFaceSearch.", - "privilege": "GetFaceSearch", + "access_level": "List", + "description": "Grants permission to list app component compliances", + "privilege": "ListAppComponentCompliances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets the label detection results of a Rekognition Video analysis started by StartLabelDetection.", - "privilege": "GetLabelDetection", + "access_level": "List", + "description": "Grants permission to list app component recommendations", + "privilege": "ListAppComponentRecommendations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets information about people detected within a video.", - "privilege": "GetPersonTracking", + "access_level": "List", + "description": "Grants permission to application version resource mappings", + "privilege": "ListAppVersionResourceMappings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets segment detection results for a Rekognition Video analysis started by StartSegmentDetection.", - "privilege": "GetSegmentDetection", + "access_level": "List", + "description": "Grants permission to list application resources", + "privilege": "ListAppVersionResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Gets text detection results for a Rekognition Video analysis started by StartTextDetection.", - "privilege": "GetTextDetection", + "access_level": "List", + "description": "Grants permission to list application version", + "privilege": "ListAppVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Detects faces in the input image and adds them to the specified collection.", - "privilege": "IndexFaces", + "access_level": "List", + "description": "Grants permission to list applications", + "privilege": "ListApps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns a list of collection IDs in your account.", - "privilege": "ListCollections", + "access_level": "List", + "description": "Grants permission to list recommendation templates", + "privilege": "ListRecommendationTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns metadata for faces in the specified collection.", - "privilege": "ListFaces", + "access_level": "List", + "description": "Grants permission to list resiliency policies", + "privilege": "ListResiliencyPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Gets a list of stream processors that you have created with CreateStreamProcessor.", - "privilege": "ListStreamProcessors", + "description": "Grants permission to list SOP recommendations", + "privilege": "ListSopRecommendations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns a list of tags associated with a resource.", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to list suggested resiliency policies", + "privilege": "ListSuggestedResiliencyPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns an array of celebrities recognized in the input image.", - "privilege": "RecognizeCelebrities", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], @@ -144388,186 +168144,182 @@ ] }, { - "access_level": "Read", - "description": "For a given input face ID, searches the specified collection for matching faces.", - "privilege": "SearchFaces", + "access_level": "List", + "description": "Grants permission to list test recommendations", + "privilege": "ListTestRecommendations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "For a given input image, first detects the largest face in the image, and then searches the specified collection for matching faces.", - "privilege": "SearchFacesByImage", + "access_level": "List", + "description": "Grants permission to list unsupported application version resources", + "privilege": "ListUnsupportedAppVersionResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous recognition of celebrities in a video.", - "privilege": "StartCelebrityRecognition", + "description": "Grants permission to publish application version", + "privilege": "PublishAppVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of explicit or suggestive adult content in a video.", - "privilege": "StartContentModeration", + "description": "Grants permission to put draft application version template", + "privilege": "PutDraftAppVersionTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of faces in a video.", - "privilege": "StartFaceDetection", + "description": "Grants permission to remove draft application version mappings", + "privilege": "RemoveDraftAppVersionResourceMappings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Starts the asynchronous search for faces in a collection that match the faces of persons detected in a video.", - "privilege": "StartFaceSearch", + "description": "Grants permission to resolve application version resources", + "privilege": "ResolveAppVersionResources", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "collection*" + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "resource-groups:GetGroup", + "resource-groups:ListGroupResources", + "servicecatalog:GetApplication", + "servicecatalog:ListAssociatedResources" + ], + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of labels in a video.", - "privilege": "StartLabelDetection", + "description": "Grants permission to create application assessment", + "privilege": "StartAppAssessment", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "cloudwatch:DescribeAlarms", + "cloudwatch:GetMetricData", + "cloudwatch:GetMetricStatistics", + "cloudwatch:PutMetricData", + "ec2:DescribeRegions", + "fis:GetExperimentTemplate", + "fis:ListExperimentTemplates", + "fis:ListExperiments", + "resource-groups:GetGroup", + "resource-groups:ListGroupResources", + "servicecatalog:GetApplication", + "servicecatalog:ListAssociatedResources", + "ssm:GetParametersByPath" + ], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Starts the asynchronous tracking of persons in a video.", - "privilege": "StartPersonTracking", + "access_level": "Tagging", + "description": "Grants permission to assign a resource tag", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Starts the deployment of a model version.", - "privilege": "StartProjectVersion", - "resource_types": [ + "resource_type": "app-assessment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" - } - ] - }, - { - "access_level": "Write", - "description": "Starts asynchronous detection of segments in a video.", - "privilege": "StartSegmentDetection", - "resource_types": [ + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Starts processing a stream processor.", - "privilege": "StartStreamProcessor", - "resource_types": [ + "resource_type": "recommendation-template" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" - } - ] - }, - { - "access_level": "Write", - "description": "Starts asynchronous detection of text in a video.", - "privilege": "StartTextDetection", - "resource_types": [ + "resource_type": "resiliency-policy" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Stops a deployed model version.", - "privilege": "StopProjectVersion", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" - } - ] - }, - { - "access_level": "Write", - "description": "Stops a running stream processor that was created by CreateStreamProcessor.", - "privilege": "StopStreamProcessor", - "resource_types": [ + "resource_type": "app-assessment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Adds one or more tags to a resource.", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "recommendation-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resiliency-policy" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -144576,48 +168328,61 @@ ] }, { - "access_level": "Tagging", - "description": "Removes one or more tags from a resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to update application", + "privilege": "UpdateApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" - }, + "resource_type": "application*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update resiliency policy", + "privilege": "UpdateResiliencyPolicy", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "resiliency-policy*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:collection/${CollectionId}", - "condition_keys": [], - "resource": "collection" + "arn": "arn:${Partition}:resiliencehub:${Region}:${Account}:resiliency-policy/${ResiliencyPolicyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resiliency-policy" }, { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:streamprocessor/${StreamprocessorId}", - "condition_keys": [], - "resource": "streamprocessor" + "arn": "arn:${Partition}:resiliencehub:${Region}:${Account}:app/${AppId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" }, { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/${CreationTimestamp}", - "condition_keys": [], - "resource": "project" + "arn": "arn:${Partition}:resiliencehub:${Region}:${Account}:app-assessment/${AppAssessmentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "app-assessment" }, { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/version/${VersionName}/${CreationTimestamp}", - "condition_keys": [], - "resource": "projectversion" + "arn": "arn:${Partition}:resiliencehub:${Region}:${Account}:recommendation-template/${RecommendationTemplateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "recommendation-template" } ], - "service_name": "Amazon Rekognition" + "service_name": "AWS Resilience Hub Service" }, { "conditions": [], @@ -144669,18 +168434,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "resource-groups", @@ -144927,22 +168692,42 @@ ], "service_name": "AWS Resource Groups" }, + { + "conditions": [], + "prefix": "rhelkb", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to access the Red Hat Knowledgebase portal", + "privilege": "GetRhelURL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "Amazon RHEL Knowledgebase Portal" + }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "", + "description": "Filters access based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "", + "description": "Filters access based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "", - "type": "String" + "description": "Filters access based on the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "robomaker", @@ -145164,6 +168949,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "world*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -145176,6 +168969,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "worldTemplate*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -145185,7 +168986,10 @@ "privilege": "CreateWorldTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -145510,7 +169314,7 @@ }, { "access_level": "List", - "description": "List tags for a RoboMaker resource.", + "description": "List tags for a RoboMaker resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -145947,6 +169751,426 @@ ], "service_name": "AWS RoboMaker" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "rolesanywhere", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a profile", + "privilege": "CreateProfile", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a trust anchor", + "privilege": "CreateTrustAnchor", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a certificate revocation list (crl)", + "privilege": "DeleteCrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a profile", + "privilege": "DeleteProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a trust anchor", + "privilege": "DeleteTrustAnchor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable a certificate revocation list (crl)", + "privilege": "DisableCrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable a profile", + "privilege": "DisableProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable a trust anchor", + "privilege": "DisableTrustAnchor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable a certificate revocation list (crl)", + "privilege": "EnableCrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable a profile", + "privilege": "EnableProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable a trust anchor", + "privilege": "EnableTrustAnchor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a certificate revocation list (crl)", + "privilege": "GetCrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a profile", + "privilege": "GetProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a subject", + "privilege": "GetSubject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a trust anchor", + "privilege": "GetTrustAnchor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to import a certificate revocation list (crl)", + "privilege": "ImportCrl", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list certificate revocation lists (crls)", + "privilege": "ListCrls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list profiles", + "privilege": "ListProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list subjects", + "privilege": "ListSubjects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list trust anchors", + "privilege": "ListTrustAnchors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "crl" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "profile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subject" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trust-anchor" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "crl" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "profile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subject" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trust-anchor" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a certificate revocation list (crl)", + "privilege": "UpdateCrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a profile", + "privilege": "UpdateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a trust anchor", + "privilege": "UpdateTrustAnchor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rolesanywhere::${Account}:trust-anchor/${TrustAnchorId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "trust-anchor" + }, + { + "arn": "arn:${Partition}:rolesanywhere::${Account}:profile/${ProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "profile" + }, + { + "arn": "arn:${Partition}:rolesanywhere::${Account}:subject/${SubjectId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "subject" + }, + { + "arn": "arn:${Partition}:rolesanywhere::${Account}:crl/${CrlId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "crl" + } + ], + "service_name": "AWS Identity and Access Management Roles Anywhere" + }, { "conditions": [], "prefix": "route53", @@ -145973,12 +170197,19 @@ "dependent_actions": [ "ec2:DescribeVpcs" ], - "resource_type": "vpc*" - }, + "resource_type": "hostedzone" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create or delete CIDR blocks within a CIDR collection", + "privilege": "ChangeCidrCollection", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone" + "resource_type": "cidrcollection*" } ] }, @@ -146011,6 +170242,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a new CIDR collection", + "privilege": "CreateCidrCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new health check, which monitors the health and performance of your web applications, web servers, and other resources", @@ -146033,7 +170276,7 @@ "dependent_actions": [ "ec2:DescribeVpcs" ], - "resource_type": "vpc" + "resource_type": "" } ] }, @@ -146138,6 +170381,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a CIDR collection", + "privilege": "DeleteCidrCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cidrcollection*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a health check", @@ -146257,11 +170512,6 @@ "ec2:DescribeVpcs" ], "resource_type": "hostedzone" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "vpc" } ] }, @@ -146495,6 +170745,42 @@ }, { "access_level": "List", + "description": "Grants permission to get a list of the CIDR blocks within a specified CIDR collection", + "privilege": "ListCidrBlocks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cidrcollection*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of the CIDR collections that are associated with the current AWS account", + "privilege": "ListCidrCollections", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of the CIDR locations that belong to a specified CIDR collection", + "privilege": "ListCidrLocations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cidrcollection*" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to get a list of geographic locations that Route 53 supports for geolocation", "privilege": "ListGeoLocations", "resource_types": [ @@ -146506,7 +170792,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of the health checks that are associated with the current AWS account", "privilege": "ListHealthChecks", "resource_types": [ @@ -146531,7 +170817,7 @@ }, { "access_level": "List", - "description": "Grants permission to get a list of your hosted zones in lexicographic order. Hosted zones are sorted by name with the labels reversed, for example, com.example.www.", + "description": "Grants permission to get a list of your hosted zones in lexicographic order. Hosted zones are sorted by name with the labels reversed, for example, com.example.www", "privilege": "ListHostedZonesByName", "resource_types": [ { @@ -146551,13 +170837,13 @@ "dependent_actions": [ "ec2:DescribeVpcs" ], - "resource_type": "vpc*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the configurations for DNS query logging that are associated with the current AWS account or the configuration that is associated with a specified hosted zone.", + "description": "Grants permission to list the configurations for DNS query logging that are associated with the current AWS account or the configuration that is associated with a specified hosted zone", "privilege": "ListQueryLoggingConfigs", "resource_types": [ { @@ -146580,7 +170866,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list the reusable delegation sets that are associated with the current AWS account.", "privilege": "ListReusableDelegationSets", "resource_types": [ @@ -146592,7 +170878,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list tags for one health check or hosted zone", "privilege": "ListTagsForResource", "resource_types": [ @@ -146609,7 +170895,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list tags for up to 10 health checks or hosted zones", "privilege": "ListTagsForResources", "resource_types": [ @@ -146627,7 +170913,7 @@ }, { "access_level": "List", - "description": "Grants permission to get information about the latest version for every traffic policy that is associated with the current AWS account. Policies are listed in the order in which they were created.", + "description": "Grants permission to get information about the latest version for every traffic policy that is associated with the current AWS account. Policies are listed in the order in which they were created", "privilege": "ListTrafficPolicies", "resource_types": [ { @@ -146638,7 +170924,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get information about the traffic policy instances that you created by using the current AWS account", "privilege": "ListTrafficPolicyInstances", "resource_types": [ @@ -146759,6 +171045,11 @@ } ], "resources": [ + { + "arn": "arn:${Partition}:route53:::cidrcollection/${Id}", + "condition_keys": [], + "resource": "cidrcollection" + }, { "arn": "arn:${Partition}:route53:::change/${Id}", "condition_keys": [], @@ -146803,7 +171094,13 @@ "service_name": "Amazon Route 53" }, { - "conditions": [], + "conditions": [ + { + "condition": "route53-recovery-cluster:AllowSafetyRulesOverrides", + "description": "Override safety rules to allow routing control state updates", + "type": "Bool" + } + ], "prefix": "route53-recovery-cluster", "privileges": [ { @@ -146818,6 +171115,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list routing controls", + "privilege": "ListRoutingControls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a routing control state", @@ -146827,6 +171136,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "routingcontrol*" + }, + { + "condition_keys": [ + "route53-recovery-cluster:AllowSafetyRulesOverrides" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -146839,6 +171155,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "routingcontrol*" + }, + { + "condition_keys": [ + "route53-recovery-cluster:AllowSafetyRulesOverrides" + ], + "dependent_actions": [], + "resource_type": "" } ] } @@ -146853,7 +171176,23 @@ "service_name": "Amazon Route 53 Recovery Cluster" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag's key and value in a request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + } + ], "prefix": "route53-recovery-control-config", "privileges": [ { @@ -146865,6 +171204,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -146877,6 +171224,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "controlpanel*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -146901,6 +171256,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "safetyrule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -147072,6 +171435,78 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "controlpanel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "safetyrule" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "controlpanel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "safetyrule" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a cluster", @@ -147112,12 +171547,16 @@ "resources": [ { "arn": "arn:${Partition}:route53-recovery-control::${Account}:cluster/${ResourceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "cluster" }, { "arn": "arn:${Partition}:route53-recovery-control::${Account}:controlpanel/${ControlPanelId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "controlpanel" }, { @@ -147127,7 +171566,9 @@ }, { "arn": "arn:${Partition}:route53-recovery-control::${Account}:controlpanel/${ControlPanelId}/safetyrule/${SafetyRuleId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "safetyrule" } ], @@ -147728,6 +172169,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete domains", + "privilege": "DeleteDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to delete the specified tags for a domain", @@ -147790,7 +172243,7 @@ }, { "access_level": "Read", - "description": "For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to get information about whether the registrant contact has responded", + "description": "Grants permission to get information about whether the registrant contact has responded for operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain", "privilege": "GetContactReachabilityStatus", "resource_types": [ { @@ -147862,6 +172315,18 @@ }, { "access_level": "List", + "description": "Grants permission to list the prices of operations for TLDs", + "privilege": "ListPrices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to list all the tags that are associated with the specified domain", "privilege": "ListTagsForDomain", "resource_types": [ @@ -147910,7 +172375,7 @@ }, { "access_level": "Write", - "description": "For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to resend the confirmation email to the current email address for the registrant contact", + "description": "Grants permission to resend the confirmation email to the current email address for the registrant contact for operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain", "privilege": "ResendContactReachabilityEmail", "resource_types": [ { @@ -148024,18 +172489,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the presence of tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "route53resolver", @@ -148051,6 +172516,14 @@ "ec2:DescribeVpcs" ], "resource_type": "firewall-rule-group-association*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -148073,7 +172546,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], "resource_type": "resolver-query-log-config*" } ] @@ -148099,6 +172574,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "firewall-domain-list*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -148123,6 +172606,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "firewall-rule-group*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -148135,6 +172626,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-endpoint*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -148147,18 +172646,34 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-query-log-config*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "For DNS queries that originate in your VPC, grants permission to define how to route the queries out of the VPC", + "description": "Grants permission to define how to route queries originating from your VPC out of the VPC", "privilege": "CreateResolverRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-rule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -148344,6 +172859,20 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the Resolver Config status within the specified resource", + "privilege": "GetResolverConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "resolver-config*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the DNSSEC validation support status for DNS queries within the specified resource", @@ -148375,7 +172904,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], "resource_type": "resolver-query-log-config*" } ] @@ -148526,6 +173057,20 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list Resolver Config statuses", + "privilege": "ListResolverConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "resolver-config*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the DNSSEC validation support status for DNS queries", @@ -148540,7 +173085,7 @@ }, { "access_level": "List", - "description": "For a specified Resolver endpoint, grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", + "description": "Grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound) for a specified Resolver endpoint", "privilege": "ListResolverEndpointIpAddresses", "resource_types": [ { @@ -148569,7 +173114,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], "resource_type": "resolver-query-log-config*" } ] @@ -148581,7 +173128,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], "resource_type": "resolver-query-log-config*" } ] @@ -148615,11 +173164,31 @@ "description": "Grants permission to list the tags that you associated with the specified resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group-association" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config" + }, { "condition_keys": [], "dependent_actions": [], @@ -148668,15 +173237,53 @@ "description": "Grants permission to add one or more tags to a specified resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-config" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group-association" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-rule" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -148685,15 +173292,52 @@ "description": "Grants permission to remove one or more tags from a specified resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-config" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group-association" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "resolver-rule" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -148747,6 +173391,20 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the Resolver Config status within the specified resource", + "privilege": "UpdateResolverConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "resolver-config*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the DNSSEC validation support status for DNS queries within the specified resource", @@ -148840,6 +173498,11 @@ "aws:ResourceTag/${TagKey}" ], "resource": "firewall-config" + }, + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-config/${ResourceId}", + "condition_keys": [], + "resource": "resolver-config" } ], "service_name": "Amazon Route 53 Resolver" @@ -148848,12 +173511,179 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tags that are passed in the request", + "description": "Filters access by the tags that are passed the request on behalf of the IAM principal", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource that make the request on behalf of the IAM principal", "type": "String" }, { - "condition": "aws:RequestedRegion", - "description": "Filters access by Requested region for the multi region access point operation", + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request on behalf of the IAM principal", + "type": "ArrayOfString" + } + ], + "prefix": "rum", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create appMonitor metadata", + "privilege": "CreateAppMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "iam:GetRole" + ], + "resource_type": "AppMonitorResource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete appMonitor metadata", + "privilege": "DeleteAppMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AppMonitorResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get appMonitor metadata", + "privilege": "GetAppMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AppMonitorResource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get appMonitor data", + "privilege": "GetAppMonitorData", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AppMonitorResource*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list appMonitors metadata", + "privilege": "ListAppMonitors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for resources", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put RUM events for appmonitor", + "privilege": "PutRumEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AppMonitorResource*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag resources", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag resources", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update appmonitor metadata", + "privilege": "UpdateAppMonitor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "iam:GetRole" + ], + "resource_type": "AppMonitorResource*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rum:${Region}:${Account}:appmonitor/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "AppMonitorResource" + } + ], + "service_name": "AWS CloudWatch RUM" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { @@ -148901,11 +173731,6 @@ "description": "Filters access by a specific job suspended cause (for example, AWAITING_CONFIRMATION) to cancelling suspended jobs", "type": "String" }, - { - "condition": "s3:LocationConstraint", - "description": "Filters access by a specific Region", - "type": "String" - }, { "condition": "s3:RequestJobOperation", "description": "Filters access by operation to creating jobs", @@ -148936,11 +173761,6 @@ "description": "Filters access by the TLS version used by the client", "type": "Numeric" }, - { - "condition": "s3:VersionId", - "description": "Filters access by a specific object version", - "type": "String" - }, { "condition": "s3:authType", "description": "Filters access by authentication method", @@ -148974,12 +173794,12 @@ { "condition": "s3:object-lock-remaining-retention-days", "description": "Filters access by remaining object retention days", - "type": "String" + "type": "Numeric" }, { "condition": "s3:object-lock-retain-until-date", "description": "Filters access by object retain-until date", - "type": "String" + "type": "Date" }, { "condition": "s3:prefix", @@ -149046,6 +173866,11 @@ "description": "Filters access by object metadata behavior (COPY or REPLACE) when objects are copied", "type": "String" }, + { + "condition": "s3:x-amz-object-ownership", + "description": "Filters access by Object Ownership", + "type": "String" + }, { "condition": "s3:x-amz-server-side-encryption", "description": "Filters access by server-side encryption", @@ -149058,7 +173883,7 @@ }, { "condition": "s3:x-amz-server-side-encryption-customer-algorithm", - "description": "Filters access by customer-provided algorithm (SSE-C) for server-side encryption", + "description": "Filters access by customer specified algorithm for server-side encryption", "type": "String" }, { @@ -149227,7 +174052,8 @@ "s3:x-amz-grant-read", "s3:x-amz-grant-read-acp", "s3:x-amz-grant-write", - "s3:x-amz-grant-write-acp" + "s3:x-amz-grant-write-acp", + "s3:x-amz-object-ownership" ], "dependent_actions": [], "resource_type": "" @@ -149274,7 +174100,6 @@ "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -149507,7 +174332,6 @@ "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -149715,7 +174539,6 @@ }, { "condition_keys": [ - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -150035,6 +174858,18 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -150461,7 +175296,6 @@ "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -150488,7 +175322,6 @@ "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -150515,7 +175348,6 @@ "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -150583,6 +175415,34 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve attributes related to a specific object", + "privilege": "GetObjectAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get an object's current Legal Hold status", @@ -150747,6 +175607,35 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve attributes related to a specific version of an object", + "privilege": "GetObjectVersionAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:versionid", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS", @@ -150921,6 +175810,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to initiate the replication process by setting replication status of an object to pending", + "privilege": "InitiateReplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:ResourceAccount" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list access points", @@ -151091,7 +175999,6 @@ "resource_types": [ { "condition_keys": [ - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -151278,6 +176185,18 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to associate public access block configurations with a specified access point, while creating a access point", + "privilege": "PutAccessPointPublicAccessBlock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to create or modify the PublicAccessBlock configuration for an AWS account", @@ -151777,7 +176696,6 @@ "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", - "aws:RequestedRegion", "s3:authType", "s3:ResourceAccount", "s3:signatureversion", @@ -153544,6 +178462,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list shared endpoints", + "privilege": "ListSharedEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to associate an access policy with a specified access point", @@ -153760,25 +178690,10 @@ "description": "Filters access by a tag key and value pair", "type": "String" }, - { - "condition": "aws:SourceIp", - "description": "Filters access by the requestor's IP address", - "type": "String" - }, - { - "condition": "aws:SourceVpc", - "description": "Filters access by the requestor's VPC", - "type": "String" - }, - { - "condition": "aws:SourceVpce", - "description": "Filters access by on requestor's VPC endpoint", - "type": "String" - }, { "condition": "aws:TagKeys", "description": "Filters access by the list of all the tag key names associated with the resource in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "sagemaker:AcceleratorTypes", @@ -153837,7 +178752,7 @@ }, { "condition": "sagemaker:HomeEfsFileSystemKmsKey", - "description": "This key is deprecated. It has been replaced by sagemaker:VolumeKmsKey", + "description": "Filters access by a key that is present in the request the user makes to the SageMaker service. This key is deprecated. It has been replaced by sagemaker:VolumeKmsKey", "type": "ARN" }, { @@ -153865,6 +178780,16 @@ "description": "Filters access by the max runtime in seconds associated with the resource in the request", "type": "Numeric" }, + { + "condition": "sagemaker:MinimumInstanceMetadataServiceVersion", + "description": "Filters access by the minimum instance metadata service version used by the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:ModelApprovalStatus", + "description": "Filters access by the model approval status with the model-package in the request", + "type": "String" + }, { "condition": "sagemaker:ModelArn", "description": "Filters access by the model arn associated with the resource in the request", @@ -153895,6 +178820,16 @@ "description": "Filters access by the root access associated with the resource in the request", "type": "String" }, + { + "condition": "sagemaker:ServerlessMaxConcurrency", + "description": "Filters access by limiting maximum concurrency used for Serverless inference in the request", + "type": "Numeric" + }, + { + "condition": "sagemaker:ServerlessMemorySize", + "description": "Filters access by limiting memory size used for Serverless inference in the request", + "type": "Numeric" + }, { "condition": "sagemaker:TargetModel", "description": "Filters access by the target model associated with the Multi-Model Endpoint in the request", @@ -154080,11 +179015,21 @@ "dependent_actions": [], "resource_type": "image" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "inference-recommendations-job" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "labeling-job" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lineage-group" + }, { "condition_keys": [], "dependent_actions": [], @@ -154140,6 +179085,11 @@ "dependent_actions": [], "resource_type": "project" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-lifecycle-config" + }, { "condition_keys": [], "dependent_actions": [], @@ -154155,6 +179105,11 @@ "dependent_actions": [], "resource_type": "user-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workforce" + }, { "condition_keys": [], "dependent_actions": [], @@ -154187,6 +179142,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe one or more ModelPackages", + "privilege": "BatchDescribeModelPackage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-package*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve metrics associated with SageMaker Resources such as Training Jobs. This API is not publicly exposed at this point, however admins can control this action", @@ -154201,7 +179168,7 @@ }, { "access_level": "Read", - "description": "Get a batch of records from one or more feature groups.", + "description": "Grants permission to get a batch of records from one or more feature groups", "privilege": "BatchGetRecord", "resource_types": [ { @@ -154384,6 +179351,14 @@ "iam:PassRole" ], "resource_type": "compilation-job*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -154549,7 +179524,9 @@ "sagemaker:AcceleratorTypes", "sagemaker:InstanceTypes", "sagemaker:ModelArn", - "sagemaker:VolumeKmsKey" + "sagemaker:VolumeKmsKey", + "sagemaker:ServerlessMaxConcurrency", + "sagemaker:ServerlessMemorySize" ], "dependent_actions": [], "resource_type": "" @@ -154681,7 +179658,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a SageMaker Image", + "description": "Grants permission to create a SageMaker Image", "privilege": "CreateImage", "resource_types": [ { @@ -154703,7 +179680,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a SageMaker ImageVersion", + "description": "Grants permission to create a SageMaker ImageVersion", "privilege": "CreateImageVersion", "resource_types": [ { @@ -154713,6 +179690,28 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an inference recommendations job", + "privilege": "CreateInferenceRecommendationsJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "inference-recommendations-job*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to start a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models", @@ -154739,6 +179738,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a lineage group policy", + "privilege": "CreateLineageGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers", @@ -154842,7 +179853,8 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "sagemaker:ModelApprovalStatus" ], "dependent_actions": [], "resource_type": "" @@ -154948,6 +179960,7 @@ "sagemaker:AcceleratorTypes", "sagemaker:DirectInternetAccess", "sagemaker:InstanceTypes", + "sagemaker:MinimumInstanceMetadataServiceVersion", "sagemaker:RootAccess", "sagemaker:VolumeKmsKey", "sagemaker:VpcSecurityGroupIds", @@ -155001,15 +180014,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "user-profile*" - }, - { - "condition_keys": [ - "aws:SourceIp", - "aws:SourceVpc", - "aws:SourceVpce" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -155075,6 +180079,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a Studio Lifecycle Configuration that can be deployed using Amazon SageMaker", + "privilege": "CreateStudioLifecycleConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-lifecycle-config*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to start a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify", @@ -155485,7 +180501,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a SageMaker Image", + "description": "Grants permission to delete a SageMaker Image", "privilege": "DeleteImage", "resource_types": [ { @@ -155497,7 +180513,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a SageMaker ImageVersion", + "description": "Grants permission to delete a SageMaker ImageVersion", "privilege": "DeleteImageVersion", "resource_types": [ { @@ -155507,6 +180523,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a lineage group policy", + "privilege": "DeleteLineageGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model", @@ -155663,6 +180691,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a Studio Lifecycle Configuration", + "privilege": "DeleteStudioLifecycleConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-lifecycle-config*" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to delete the specified set of tags from an Amazon SageMaker resource", @@ -155788,11 +180828,21 @@ "dependent_actions": [], "resource_type": "image" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "inference-recommendations-job" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "labeling-job" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lineage-group" + }, { "condition_keys": [], "dependent_actions": [], @@ -155848,6 +180898,11 @@ "dependent_actions": [], "resource_type": "project" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-lifecycle-config" + }, { "condition_keys": [], "dependent_actions": [], @@ -155863,6 +180918,11 @@ "dependent_actions": [], "resource_type": "user-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workforce" + }, { "condition_keys": [], "dependent_actions": [], @@ -156165,6 +181225,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return information about a feature metadata", + "privilege": "DescribeFeatureMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "feature-group*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return information about the specified flow definition", @@ -156191,7 +181263,7 @@ }, { "access_level": "Read", - "description": "Returns detailed information about the specified human review workflow user interface", + "description": "Grants permission to return detailed information about the specified human review workflow user interface", "privilege": "DescribeHumanTaskUi", "resource_types": [ { @@ -156215,7 +181287,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return information about a SageMaker Image", + "description": "Grants permission to return information about a SageMaker Image", "privilege": "DescribeImage", "resource_types": [ { @@ -156227,7 +181299,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return information about a SageMaker ImageVersion", + "description": "Grants permission to return information about a SageMaker ImageVersion", "privilege": "DescribeImageVersion", "resource_types": [ { @@ -156237,6 +181309,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get information about an inference recommendations job", + "privilege": "DescribeInferenceRecommendationsJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "inference-recommendations-job*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return information about a labeling job", @@ -156249,6 +181333,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe a lineage group", + "privilege": "DescribeLineageGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a model that you created using the CreateModel API", @@ -156417,6 +181513,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe a Studio Lifecycle Configuration", + "privilege": "DescribeStudioLifecycleConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-lifecycle-config*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return information about a subscribed workteam", @@ -156583,6 +181691,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retreive a lineage group policy", + "privilege": "GetLineageGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get a ModelPackageGroup policy", @@ -156784,7 +181904,7 @@ }, { "access_level": "List", - "description": "Grants permission to list contexts.", + "description": "Grants permission to list contexts", "privilege": "ListContexts", "resource_types": [ { @@ -156952,7 +182072,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list ImageVersions that belong to a SageMaker Image", + "description": "Grants permission to list ImageVersions that belong to a SageMaker Image", "privilege": "ListImageVersions", "resource_types": [ { @@ -156964,7 +182084,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list SageMaker Images in your account", + "description": "Grants permission to list SageMaker Images in your account", "privilege": "ListImages", "resource_types": [ { @@ -156974,6 +182094,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list inference recommendations jobs", + "privilege": "ListInferenceRecommendationsJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list labeling jobs", @@ -156998,6 +182130,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list lineage groups", + "privilege": "ListLineageGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list model bias job definitions", @@ -157022,6 +182166,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list model metadata for inference recommendations jobs", + "privilege": "ListModelMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list ModelPackageGroups", @@ -157042,7 +182198,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model-package-group" } ] }, @@ -157190,6 +182346,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the Studio Lifecycle Configurations that can be deployed using Amazon SageMaker", + "privilege": "ListStudioLifecycleConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list subscribed workteams", @@ -157495,6 +182663,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to put a lineage group policy", + "privilege": "PutLineageGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to put a ModelPackageGroup policy", @@ -157519,6 +182699,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to explore the lineage graph", + "privilege": "QueryLineage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to register a set of devices", @@ -157553,9 +182745,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to retry a pipeline execution", + "privilege": "RetryPipelineExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pipeline-execution*" + } + ] + }, { "access_level": "Read", - "description": "Search for SageMaker objects", + "description": "Grants permission to search for SageMaker objects", "privilege": "Search", "resource_types": [ { @@ -157709,6 +182913,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to stop an inference recommendations job", + "privilege": "StopInferenceRecommendationsJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "inference-recommendations-job*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to stop a labeling job. Any labels already generated will be exported before stopping", @@ -157938,7 +183154,31 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the properties of a SageMaker Image", + "description": "Grants permission to update a feature group", + "privilege": "UpdateFeatureGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "feature-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a feature metadata", + "privilege": "UpdateFeatureMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "feature-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the properties of a SageMaker Image", "privilege": "UpdateImage", "resource_types": [ { @@ -157959,6 +183199,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "model-package*" + }, + { + "condition_keys": [ + "sagemaker:ModelApprovalStatus" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -158006,6 +183253,7 @@ "condition_keys": [ "sagemaker:AcceleratorTypes", "sagemaker:InstanceTypes", + "sagemaker:MinimumInstanceMetadataServiceVersion", "sagemaker:RootAccess" ], "dependent_actions": [], @@ -158051,6 +183299,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a Project", + "privilege": "UpdateProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a training job", @@ -158189,6 +183457,14 @@ ], "resource": "human-task-ui" }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:inference-recommendations-job/${InferenceRecommendationsJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "inference-recommendations-job" + }, { "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName}", "condition_keys": [ @@ -158245,6 +183521,14 @@ ], "resource": "app-image-config" }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:studio-lifecycle-config/${StudioLifecycleConfigName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "studio-lifecycle-config" + }, { "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName}", "condition_keys": [ @@ -158488,10 +183772,110 @@ "sagemaker:ResourceTag/${TagKey}" ], "resource": "action" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:lineage-group/${LineageGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "lineage-group" } ], "service_name": "Amazon SageMaker" }, + { + "conditions": [], + "prefix": "sagemaker-groundtruth-synthetic", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a project", + "privilege": "CreateProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a batch", + "privilege": "GetBatch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a project", + "privilege": "GetProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list batch summaries", + "privilege": "ListBatchSummaries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list project summaries", + "privilege": "ListProjectSummaries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a batch", + "privilege": "UpdateBatch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "Amazon SageMaker Ground Truth Synthetic" + }, { "conditions": [ { @@ -158675,61 +184059,85 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access by allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by the presence of mandatory tags in the request", + "type": "ArrayOfString" } ], "prefix": "schemas", "privileges": [ { "access_level": "Write", - "description": "Creates an event schema discoverer. Once created, your events will be automatically map into corresponding schema documents", + "description": "Grants permission to create an event schema discoverer. Once created, your events will be automatically map into corresponding schema documents", "privilege": "CreateDiscoverer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "discoverer*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a new schema registry in your account.", + "description": "Grants permission to create a new schema registry in your account", "privilege": "CreateRegistry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "registry*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a new schema in your account.", + "description": "Grants permission to create a new schema in your account", "privilege": "CreateSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "schema*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes discoverer in your account.", + "description": "Grants permission to delete discoverer in your account", "privilege": "DeleteDiscoverer", "resource_types": [ { @@ -158741,7 +184149,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing registry in your account.", + "description": "Grants permission to delete an existing registry in your account", "privilege": "DeleteRegistry", "resource_types": [ { @@ -158753,7 +184161,7 @@ }, { "access_level": "Write", - "description": "Delete the resource-based policy attached to a given registry.", + "description": "Grants permission to delete the resource-based policy attached to a given registry", "privilege": "DeleteResourcePolicy", "resource_types": [ { @@ -158765,7 +184173,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing schema in your account.", + "description": "Grants permission to delete an existing schema in your account", "privilege": "DeleteSchema", "resource_types": [ { @@ -158777,7 +184185,7 @@ }, { "access_level": "Write", - "description": "Deletes a specific version of schema in your account.", + "description": "Grants permission to delete a specific version of schema in your account", "privilege": "DeleteSchemaVersion", "resource_types": [ { @@ -158789,7 +184197,7 @@ }, { "access_level": "Read", - "description": "Retrieves metadata for generated code for specific schema in your account.", + "description": "Grants permission to retrieve metadata for generated code for specific schema in your account", "privilege": "DescribeCodeBinding", "resource_types": [ { @@ -158801,7 +184209,7 @@ }, { "access_level": "Read", - "description": "Retrieves discoverer metadata in your account.", + "description": "Grants permission to retrieve discoverer metadata in your account", "privilege": "DescribeDiscoverer", "resource_types": [ { @@ -158813,7 +184221,7 @@ }, { "access_level": "Read", - "description": "Describes an existing registry metadata in your account.", + "description": "Grants permission to describe an existing registry metadata in your account", "privilege": "DescribeRegistry", "resource_types": [ { @@ -158825,7 +184233,7 @@ }, { "access_level": "Read", - "description": "Retrieves an existing schema in your account.", + "description": "Grants permission to retrieve an existing schema in your account", "privilege": "DescribeSchema", "resource_types": [ { @@ -158837,7 +184245,7 @@ }, { "access_level": "Read", - "description": "Allows exporting AWS registry or discovered schemas in OpenAPI 3 format to JSONSchema format.", + "description": "Grants permission to export the AWS registry or discovered schemas in OpenAPI 3 format to JSONSchema format", "privilege": "ExportSchema", "resource_types": [ { @@ -158854,7 +184262,7 @@ }, { "access_level": "Read", - "description": "Retrieves metadata for generated code for specific schema in your account.", + "description": "Grants permission to retrieve metadata for generated code for specific schema in your account", "privilege": "GetCodeBindingSource", "resource_types": [ { @@ -158866,7 +184274,7 @@ }, { "access_level": "Read", - "description": "Retrieves schema for the provided list of sample events.", + "description": "Grants permission to retrieve a schema for the provided list of sample events", "privilege": "GetDiscoveredSchema", "resource_types": [ { @@ -158878,7 +184286,7 @@ }, { "access_level": "Read", - "description": "Retrieves the resource-based policy attached to a given registry.", + "description": "Grants permission to retrieve the resource-based policy attached to a given registry", "privilege": "GetResourcePolicy", "resource_types": [ { @@ -158890,7 +184298,7 @@ }, { "access_level": "List", - "description": "Lists all the discoverers in your account.", + "description": "Grants permission to list all discoverers in your account", "privilege": "ListDiscoverers", "resource_types": [ { @@ -158902,7 +184310,7 @@ }, { "access_level": "List", - "description": "List all discoverers in your account.", + "description": "Grants permission to list all registries in your account", "privilege": "ListRegistries", "resource_types": [ { @@ -158914,7 +184322,7 @@ }, { "access_level": "List", - "description": "List all versions of a schema.", + "description": "Grants permission to list all versions of a schema", "privilege": "ListSchemaVersions", "resource_types": [ { @@ -158926,7 +184334,7 @@ }, { "access_level": "List", - "description": "List all schemas.", + "description": "Grants permission to list all schemas", "privilege": "ListSchemas", "resource_types": [ { @@ -158937,30 +184345,30 @@ ] }, { - "access_level": "List", - "description": "This action lists tags for a resource.", + "access_level": "Read", + "description": "Grants permission to lists tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "discoverer" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "registry" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "schema" } ] }, { "access_level": "Write", - "description": "Generates code for specific schema in your account.", + "description": "Grants permission to generate code for specific schema in your account", "privilege": "PutCodeBinding", "resource_types": [ { @@ -158972,7 +184380,7 @@ }, { "access_level": "Write", - "description": "Attach resource-based policy to the specific registry.", + "description": "Grants permission to attach a resource-based policy to a given registry", "privilege": "PutResourcePolicy", "resource_types": [ { @@ -158984,7 +184392,7 @@ }, { "access_level": "List", - "description": "Searches schemas based on specified keywords in your account.", + "description": "Grants permission to search schemas based on specified keywords in your account", "privilege": "SearchSchemas", "resource_types": [ { @@ -158996,7 +184404,7 @@ }, { "access_level": "Write", - "description": "Starts the specified discoverer. Once started the discoverer will automatically register schemas for published events to configured source in your account", + "description": "Grants permission to start the specified discoverer. Once started the discoverer will automatically register schemas for published events to configured source in your account", "privilege": "StartDiscoverer", "resource_types": [ { @@ -159008,7 +184416,7 @@ }, { "access_level": "Write", - "description": "Starts the specified discoverer. Once started the discoverer will automatically register schemas for published events to configured source in your account", + "description": "Grants permission to stop the specified discoverer. Once stopped the discoverer will no longer register schemas for published events to configured source in your account", "privilege": "StopDiscoverer", "resource_types": [ { @@ -159020,23 +184428,23 @@ }, { "access_level": "Tagging", - "description": "This action tags an resource.", + "description": "Grants permission to tag a resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "discoverer" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "registry" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "schema" }, { "condition_keys": [ @@ -159050,23 +184458,23 @@ }, { "access_level": "Tagging", - "description": "This action removes a tag from on a resource.", + "description": "Grants permission to remove a tag from a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "discoverer" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "registry" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "schema" }, { "condition_keys": [ @@ -159079,7 +184487,7 @@ }, { "access_level": "Write", - "description": "Updates an existing discoverer in your account.", + "description": "Grants permission to update an existing discoverer in your account", "privilege": "UpdateDiscoverer", "resource_types": [ { @@ -159091,7 +184499,7 @@ }, { "access_level": "Write", - "description": "Updates an existing registry metadata in your account.", + "description": "Grants permission to update an existing registry metadata in your account", "privilege": "UpdateRegistry", "resource_types": [ { @@ -159103,7 +184511,7 @@ }, { "access_level": "Write", - "description": "Updates an existing schema in your account.", + "description": "Grants permission to update an existing schema in your account", "privilege": "UpdateSchema", "resource_types": [ { @@ -159145,7 +184553,7 @@ "privileges": [ { "access_level": "Write", - "description": "Performs multiple DeleteAttributes operations in a single call, which reduces round trips and latencies.", + "description": "Performs multiple DeleteAttributes operations in a single call, which reduces round trips and latencies", "privilege": "BatchDeleteAttributes", "resource_types": [ { @@ -159157,7 +184565,7 @@ }, { "access_level": "Write", - "description": "With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call. With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call.", + "description": "With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call. With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call", "privilege": "BatchPutAttributes", "resource_types": [ { @@ -159169,7 +184577,7 @@ }, { "access_level": "Write", - "description": "The CreateDomain operation creates a new domain.", + "description": "The CreateDomain operation creates a new domain", "privilege": "CreateDomain", "resource_types": [ { @@ -159181,7 +184589,7 @@ }, { "access_level": "Write", - "description": "Deletes one or more attributes associated with the item.", + "description": "Deletes one or more attributes associated with the item", "privilege": "DeleteAttributes", "resource_types": [ { @@ -159193,7 +184601,7 @@ }, { "access_level": "Write", - "description": "The DeleteDomain operation deletes a domain.", + "description": "The DeleteDomain operation deletes a domain", "privilege": "DeleteDomain", "resource_types": [ { @@ -159205,7 +184613,7 @@ }, { "access_level": "Read", - "description": "Returns information about the domain, including when the domain was created, the number of items and attributes, and the size of attribute names and values.", + "description": "Returns information about the domain, including when the domain was created, the number of items and attributes, and the size of attribute names and values", "privilege": "DomainMetadata", "resource_types": [ { @@ -159217,7 +184625,7 @@ }, { "access_level": "Read", - "description": "Returns all of the attributes associated with the item.", + "description": "Returns all of the attributes associated with the item", "privilege": "GetAttributes", "resource_types": [ { @@ -159241,7 +184649,7 @@ }, { "access_level": "Write", - "description": "The PutAttributes operation creates or replaces attributes in an item.", + "description": "The PutAttributes operation creates or replaces attributes in an item", "privilege": "PutAttributes", "resource_types": [ { @@ -159276,78 +184684,103 @@ { "conditions": [ { - "condition": "aws:RequestTag/tag-key", - "description": "Filters access by a key that is present in the request the user makes to the Secrets Manager service.", + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the Secrets Manager service", "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key namespresent in the request the user makes to the Secrets Manager service.", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the Secrets Manager service", + "type": "ArrayOfString" + }, + { + "condition": "secretsmanager:AddReplicaRegions", + "description": "Filters access by the list of Regions in which to replicate the secret", + "type": "ArrayOfString" + }, { "condition": "secretsmanager:BlockPublicPolicy", - "description": "Filters access by whether the resource policy blocks broad AWS account access.", - "type": "Boolean" + "description": "Filters access by whether the resource policy blocks broad AWS account access", + "type": "Bool" }, { "condition": "secretsmanager:Description", - "description": "Filters access by the description text in the request.", + "description": "Filters access by the description text in the request", "type": "String" }, { "condition": "secretsmanager:ForceDeleteWithoutRecovery", - "description": "Filters access by whether the secret is to be deleted immediately without any recovery window.", - "type": "Boolean" + "description": "Filters access by whether the secret is to be deleted immediately without any recovery window", + "type": "Bool" + }, + { + "condition": "secretsmanager:ForceOverwriteReplicaSecret", + "description": "Filters access by whether to overwrite a secret with the same name in the destination Region", + "type": "Bool" }, { "condition": "secretsmanager:KmsKeyId", - "description": "Filters access by the ARN of the KMS key in the request.", + "description": "Filters access by the ARN of the KMS key in the request", "type": "String" }, + { + "condition": "secretsmanager:ModifyRotationRules", + "description": "Filters access by whether the rotation rules of the secret are to be modified", + "type": "Bool" + }, { "condition": "secretsmanager:Name", - "description": "Filters access by the friendly name of the secret in the request.", + "description": "Filters access by the friendly name of the secret in the request", "type": "String" }, { "condition": "secretsmanager:RecoveryWindowInDays", - "description": "Filters access by the number of days that Secrets Manager waits before it can delete the secret.", - "type": "Long" + "description": "Filters access by the number of days that Secrets Manager waits before it can delete the secret", + "type": "Numeric" }, { "condition": "secretsmanager:ResourceTag/tag-key", - "description": "Filters access by a tag key and value pair.", + "description": "Filters access by a tag key and value pair", "type": "String" }, + { + "condition": "secretsmanager:RotateImmediately", + "description": "Filters access by whether the secret is to be rotated immediately", + "type": "Bool" + }, { "condition": "secretsmanager:RotationLambdaARN", - "description": "Filters access by the ARN of the rotation Lambda function in the request.", + "description": "Filters access by the ARN of the rotation Lambda function in the request", "type": "ARN" }, { "condition": "secretsmanager:SecretId", - "description": "Filters access by the SecretID value in the request.", + "description": "Filters access by the SecretID value in the request", "type": "ARN" }, { "condition": "secretsmanager:SecretPrimaryRegion", - "description": "Primary region in which the secret is created.", + "description": "Filters access by primary region in which the secret is created", "type": "String" }, { "condition": "secretsmanager:VersionId", - "description": "Filters access by the unique identifier of the version of the secret in the request.", + "description": "Filters access by the unique identifier of the version of the secret in the request", "type": "String" }, { "condition": "secretsmanager:VersionStage", - "description": "Filters access by the list of version stages in the request.", + "description": "Filters access by the list of version stages in the request", "type": "String" }, { "condition": "secretsmanager:resource/AllowRotationLambdaArn", - "description": "Filters access by the ARN of the rotation Lambda function associated with the secret.", + "description": "Filters access by the ARN of the rotation Lambda function associated with the secret", "type": "ARN" } ], @@ -159355,7 +184788,7 @@ "privileges": [ { "access_level": "Write", - "description": "Enables the user to cancel an in-progress secret rotation.", + "description": "Grants permission to cancel an in-progress secret rotation", "privilege": "CancelRotateSecret", "resource_types": [ { @@ -159367,7 +184800,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159376,7 +184811,7 @@ }, { "access_level": "Write", - "description": "Enables the user to create a secret that stores encrypted data that can be queried and rotated.", + "description": "Grants permission to create a secret that stores encrypted data that can be queried and rotated", "privilege": "CreateSecret", "resource_types": [ { @@ -159389,9 +184824,12 @@ "secretsmanager:Name", "secretsmanager:Description", "secretsmanager:KmsKeyId", - "aws:RequestTag/tag-key", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", "aws:TagKeys", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "secretsmanager:AddReplicaRegions", + "secretsmanager:ForceOverwriteReplicaSecret" ], "dependent_actions": [], "resource_type": "" @@ -159400,7 +184838,7 @@ }, { "access_level": "Permissions management", - "description": "Enables the user to delete the resource policy attached to a secret.", + "description": "Grants permission to delete the resource policy attached to a secret", "privilege": "DeleteResourcePolicy", "resource_types": [ { @@ -159412,7 +184850,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159421,7 +184861,7 @@ }, { "access_level": "Write", - "description": "Enables the user to delete a secret.", + "description": "Grants permission to delete a secret", "privilege": "DeleteSecret", "resource_types": [ { @@ -159435,7 +184875,9 @@ "secretsmanager:resource/AllowRotationLambdaArn", "secretsmanager:RecoveryWindowInDays", "secretsmanager:ForceDeleteWithoutRecovery", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159444,7 +184886,7 @@ }, { "access_level": "Read", - "description": "Enables the user to retrieve the metadata about a secret, but not the encrypted data.", + "description": "Grants permission to retrieve the metadata about a secret, but not the encrypted data", "privilege": "DescribeSecret", "resource_types": [ { @@ -159456,7 +184898,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159465,7 +184909,7 @@ }, { "access_level": "Read", - "description": "Enables the user to generate a random string for use in password creation.", + "description": "Grants permission to generate a random string for use in password creation", "privilege": "GetRandomPassword", "resource_types": [ { @@ -159477,7 +184921,7 @@ }, { "access_level": "Read", - "description": "Enables the user to get the resource policy attached to a secret.", + "description": "Grants permission to get the resource policy attached to a secret", "privilege": "GetResourcePolicy", "resource_types": [ { @@ -159489,7 +184933,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159498,7 +184944,7 @@ }, { "access_level": "Read", - "description": "Enables the user to retrieve and decrypt the encrypted data.", + "description": "Grants permission to retrieve and decrypt the encrypted data", "privilege": "GetSecretValue", "resource_types": [ { @@ -159512,7 +184958,9 @@ "secretsmanager:VersionId", "secretsmanager:VersionStage", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159521,7 +184969,7 @@ }, { "access_level": "Read", - "description": "Enables the user to list the available versions of a secret.", + "description": "Grants permission to list the available versions of a secret", "privilege": "ListSecretVersionIds", "resource_types": [ { @@ -159533,7 +184981,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159542,7 +184992,7 @@ }, { "access_level": "List", - "description": "Enables the user to list the available secrets.", + "description": "Grants permission to list the available secrets", "privilege": "ListSecrets", "resource_types": [ { @@ -159554,7 +185004,7 @@ }, { "access_level": "Permissions management", - "description": "Enables the user to attach a resource policy to a secret.", + "description": "Grants permission to attach a resource policy to a secret", "privilege": "PutResourcePolicy", "resource_types": [ { @@ -159567,7 +185017,9 @@ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", "secretsmanager:ResourceTag/tag-key", - "secretsmanager:BlockPublicPolicy" + "aws:ResourceTag/${TagKey}", + "secretsmanager:BlockPublicPolicy", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159576,7 +185028,7 @@ }, { "access_level": "Write", - "description": "Enables the user to create a new version of the secret with new encrypted data.", + "description": "Grants permission to create a new version of the secret with new encrypted data", "privilege": "PutSecretValue", "resource_types": [ { @@ -159588,7 +185040,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159597,7 +185051,7 @@ }, { "access_level": "Write", - "description": "Remove regions from replication.", + "description": "Grants permission to remove regions from replication", "privilege": "RemoveRegionsFromReplication", "resource_types": [ { @@ -159609,7 +185063,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159618,7 +185074,7 @@ }, { "access_level": "Write", - "description": "Converts an existing secret to a multi-Region secret and begins replicating the secret to a list of new regions.", + "description": "Grants permission to convert an existing secret to a multi-Region secret and begin replicating the secret to a list of new regions", "privilege": "ReplicateSecretToRegions", "resource_types": [ { @@ -159630,7 +185086,11 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion", + "secretsmanager:AddReplicaRegions", + "secretsmanager:ForceOverwriteReplicaSecret" ], "dependent_actions": [], "resource_type": "" @@ -159639,7 +185099,7 @@ }, { "access_level": "Write", - "description": "Enables the user to cancel deletion of a secret.", + "description": "Grants permission to cancel deletion of a secret", "privilege": "RestoreSecret", "resource_types": [ { @@ -159651,7 +185111,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159660,7 +185122,7 @@ }, { "access_level": "Write", - "description": "Enables the user to start rotation of a secret.", + "description": "Grants permission to start rotation of a secret", "privilege": "RotateSecret", "resource_types": [ { @@ -159673,7 +185135,11 @@ "secretsmanager:SecretId", "secretsmanager:RotationLambdaARN", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion", + "secretsmanager:ModifyRotationRules", + "secretsmanager:RotateImmediately" ], "dependent_actions": [], "resource_type": "" @@ -159682,7 +185148,7 @@ }, { "access_level": "Write", - "description": "Removes the secret from replication and promotes the secret to a regional secret in the replica Region.", + "description": "Grants permission to remove the secret from replication and promote the secret to a regional secret in the replica Region", "privilege": "StopReplicationToReplica", "resource_types": [ { @@ -159694,7 +185160,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159703,7 +185171,7 @@ }, { "access_level": "Tagging", - "description": "Enables the user to add tags to a secret.", + "description": "Grants permission to add tags to a secret", "privilege": "TagResource", "resource_types": [ { @@ -159714,10 +185182,12 @@ { "condition_keys": [ "secretsmanager:SecretId", - "aws:RequestTag/tag-key", + "aws:RequestTag/${TagKey}", "aws:TagKeys", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159726,7 +185196,7 @@ }, { "access_level": "Tagging", - "description": "Enables the user to remove tags from a secret.", + "description": "Grants permission to remove tags from a secret", "privilege": "UntagResource", "resource_types": [ { @@ -159739,7 +185209,9 @@ "secretsmanager:SecretId", "aws:TagKeys", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159748,7 +185220,7 @@ }, { "access_level": "Write", - "description": "Enables the user to update a secret with new metadata or with a new version of the encrypted data.", + "description": "Grants permission to update a secret with new metadata or with a new version of the encrypted data", "privilege": "UpdateSecret", "resource_types": [ { @@ -159762,7 +185234,9 @@ "secretsmanager:Description", "secretsmanager:KmsKeyId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159771,7 +185245,7 @@ }, { "access_level": "Write", - "description": "Enables the user to move a stage from one secret to another.", + "description": "Grants permission to move a stage from one secret to another", "privilege": "UpdateSecretVersionStage", "resource_types": [ { @@ -159784,7 +185258,9 @@ "secretsmanager:SecretId", "secretsmanager:VersionStage", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159793,7 +185269,7 @@ }, { "access_level": "Permissions management", - "description": "Enables the user to validate a resource policy before attaching policy.", + "description": "Grants permission to validate a resource policy before attaching policy", "privilege": "ValidateResourcePolicy", "resource_types": [ { @@ -159805,7 +185281,9 @@ "condition_keys": [ "secretsmanager:SecretId", "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "secretsmanager:ResourceTag/tag-key", + "aws:ResourceTag/${TagKey}", + "secretsmanager:SecretPrimaryRegion" ], "dependent_actions": [], "resource_type": "" @@ -159817,7 +185295,8 @@ { "arn": "arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}", "condition_keys": [ - "aws:RequestTag/tag-key", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", "aws:TagKeys", "secretsmanager:ResourceTag/tag-key", "secretsmanager:resource/AllowRotationLambdaArn" @@ -159831,27 +185310,27 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by actions based on the presence of tag keys in the request", + "type": "ArrayOfString" }, { "condition": "securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}", - "description": "Filters access based on the presence of specific fields and values in the request", + "description": "Filters access by the specified fields and values in the request", "type": "String" }, { "condition": "securityhub:TargetAccount", - "description": "Filters access based on the presence of AwsAccountId field in the requests", + "description": "Filters access by the AwsAccountId field that is specified in the request", "type": "String" } ], @@ -159905,6 +185384,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the association between a list of security controls and standards in batches", + "privilege": "BatchGetStandardsControlAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to import findings into Security Hub from an integrated product", @@ -159943,6 +185434,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the association between a list of security controls and standards in batches", + "privilege": "BatchUpdateStandardsControlAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create custom actions in Security Hub", @@ -159955,6 +185458,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a finding aggregator, which contains the cross-Region finding aggregation configuration", + "privilege": "CreateFindingAggregator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create insights in Security Hub. Insights are collections of related findings", @@ -160003,6 +185518,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a finding aggregator, which disables finding aggregation across Regions", + "privilege": "DeleteFindingAggregator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "finding-aggregator*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete insights from Security Hub", @@ -160281,6 +185808,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details for a finding aggregator, which configures finding aggregation across Regions", + "privilege": "GetFindingAggregator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "finding-aggregator*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a list of findings from Security Hub", @@ -160437,6 +185976,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of finding aggregators, which contain the cross-Region finding aggregation configuration", + "privilege": "ListFindingAggregators", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve the Security Hub invitations sent to the account", @@ -160475,6 +186026,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of security control definitions, which contain cross-Region control details for security controls", + "privilege": "ListSecurityControlDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list of tags associated with a resource", @@ -160547,6 +186110,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a finding aggregator, which contains the cross-Region finding aggregation configuration", + "privilege": "UpdateFindingAggregator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "finding-aggregator*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update Security Hub findings", @@ -160620,6 +186195,11 @@ "arn": "arn:${Partition}:securityhub:${Region}:${Account}:product/${Company}/${ProductId}", "condition_keys": [], "resource": "product" + }, + { + "arn": "arn:${Partition}:securityhub:${Region}:${Account}:finding-aggregator/${FindingAggregatorId}", + "condition_keys": [], + "resource": "finding-aggregator" } ], "service_name": "AWS Security Hub" @@ -160628,7 +186208,7 @@ "conditions": [ { "condition": "serverlessrepo:applicationType", - "description": "Application type", + "description": "Filters access by application type", "type": "String" } ], @@ -160636,7 +186216,7 @@ "privileges": [ { "access_level": "Write", - "description": "Creates an application, optionally including an AWS SAM file to create the first application version in the same call.", + "description": "Grants permission to create an application, optionally including an AWS SAM file to create the first application version in the same call", "privilege": "CreateApplication", "resource_types": [ { @@ -160648,7 +186228,7 @@ }, { "access_level": "Write", - "description": "Creates an application version.", + "description": "Grants permission to create an application version", "privilege": "CreateApplicationVersion", "resource_types": [ { @@ -160660,7 +186240,7 @@ }, { "access_level": "Write", - "description": "Creates an AWS CloudFormation ChangeSet for the given application.", + "description": "Grants permission to create an AWS CloudFormation ChangeSet for the given application", "privilege": "CreateCloudFormationChangeSet", "resource_types": [ { @@ -160679,7 +186259,7 @@ }, { "access_level": "Write", - "description": "Creates an AWS CloudFormation template", + "description": "Grants permission to create an AWS CloudFormation template", "privilege": "CreateCloudFormationTemplate", "resource_types": [ { @@ -160698,7 +186278,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified application", + "description": "Grants permission to delete the specified application", "privilege": "DeleteApplication", "resource_types": [ { @@ -160710,7 +186290,7 @@ }, { "access_level": "Read", - "description": "Gets the specified application.", + "description": "Grants permission to get the specified application", "privilege": "GetApplication", "resource_types": [ { @@ -160729,7 +186309,7 @@ }, { "access_level": "Read", - "description": "Gets the policy for the specified application.", + "description": "Grants permission to get the policy for the specified application", "privilege": "GetApplicationPolicy", "resource_types": [ { @@ -160741,7 +186321,7 @@ }, { "access_level": "Read", - "description": "Gets the specified AWS CloudFormation template", + "description": "Grants permission to get the specified AWS CloudFormation template", "privilege": "GetCloudFormationTemplate", "resource_types": [ { @@ -160753,7 +186333,7 @@ }, { "access_level": "List", - "description": "Retrieves the list of applications nested in the containing application", + "description": "Grants permission to retrieve the list of applications nested in the containing application", "privilege": "ListApplicationDependencies", "resource_types": [ { @@ -160772,7 +186352,7 @@ }, { "access_level": "List", - "description": "Lists versions for the specified application owned by the requester.", + "description": "Grants permission to list versions for the specified application owned by the requester", "privilege": "ListApplicationVersions", "resource_types": [ { @@ -160791,7 +186371,7 @@ }, { "access_level": "List", - "description": "Lists applications owned by the requester.", + "description": "Grants permission to list applications owned by the requester", "privilege": "ListApplications", "resource_types": [ { @@ -160803,7 +186383,7 @@ }, { "access_level": "Write", - "description": "Puts the policy for the specified application.", + "description": "Grants permission to put the policy for the specified application", "privilege": "PutApplicationPolicy", "resource_types": [ { @@ -160815,7 +186395,7 @@ }, { "access_level": "Read", - "description": "Gets all applications authorized for this user", + "description": "Grants permission to get all applications authorized for this user", "privilege": "SearchApplications", "resource_types": [ { @@ -160829,7 +186409,7 @@ }, { "access_level": "Write", - "description": "Unshares the specified application", + "description": "Grants permission to unshare the specified application", "privilege": "UnshareApplication", "resource_types": [ { @@ -160841,7 +186421,7 @@ }, { "access_level": "Write", - "description": "Updates meta-data of the application", + "description": "Grants permission to update meta-data of the application", "privilege": "UpdateApplication", "resource_types": [ { @@ -160865,32 +186445,32 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" }, { "condition": "servicecatalog:accountLevel", - "description": "Filters users to see and perform actions on resources created by anyone in the account", + "description": "Filters access by user to see and perform actions on resources created by anyone in the account", "type": "String" }, { "condition": "servicecatalog:roleLevel", - "description": "Filters users to see and perform actions on resources created either by them or by anyone federating into the same role as them", + "description": "Filters access by user to see and perform actions on resources created either by them or by anyone federating into the same role as them", "type": "String" }, { "condition": "servicecatalog:userLevel", - "description": "Filters users to see and perform actions on only resources that they created", + "description": "Filters access by user to see and perform actions on only resources that they created", "type": "String" } ], @@ -160968,7 +186548,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "cloudformation:DescribeStacks" + ], "resource_type": "Application*" } ] @@ -161150,7 +186732,11 @@ "privilege": "CreateProvisionedProductPlan", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161270,7 +186856,11 @@ "privilege": "DeleteProvisionedProductPlan", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161414,7 +187004,11 @@ "privilege": "DescribeProvisionedProduct", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161426,7 +187020,11 @@ "privilege": "DescribeProvisionedProductPlan", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161490,7 +187088,11 @@ "privilege": "DescribeServiceActionExecutionParameters", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161632,7 +187234,11 @@ "privilege": "ExecuteProvisionedProductPlan", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161644,7 +187250,11 @@ "privilege": "ExecuteProvisionedProductServiceAction", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161736,7 +187346,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the applications in your account", + "description": "Grants permission to list your applications", "privilege": "ListApplications", "resource_types": [ { @@ -161772,7 +187382,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the attribute groups in your account", + "description": "Grants permission to list your attribute groups", "privilege": "ListAttributeGroups", "resource_types": [ { @@ -161782,6 +187392,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the associated attribute groups for a given application", + "privilege": "ListAttributeGroupsForApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Application*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all the budgets associated to a resource", @@ -161884,7 +187506,11 @@ "privilege": "ListProvisionedProductPlans", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -161963,6 +187589,15 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "Product*" + }, + { + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -161972,7 +187607,11 @@ "privilege": "ListStackInstancesForProvisionedProduct", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } @@ -162094,7 +187733,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "cloudformation:UpdateStack" + ], "resource_type": "" } ] @@ -162367,7 +188008,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" }, { "condition": "servicediscovery:NamespaceArn", @@ -162581,7 +188222,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get summary information about the instances that were registered with a specified service", "privilege": "ListInstances", "resource_types": [ @@ -162595,7 +188236,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get information about the namespaces", "privilege": "ListNamespaces", "resource_types": [ @@ -162619,7 +188260,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get settings for all the services that match specified filters", "privilege": "ListServices", "resource_types": [ @@ -162631,7 +188272,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to lists tags for the specified resource", "privilege": "ListTagsForResource", "resource_types": [ @@ -162772,27 +188413,47 @@ ], "service_name": "AWS Cloud Map" }, + { + "conditions": [], + "prefix": "serviceextract", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to get required configuration for the AWS Microservice Extractor for .NET desktop client", + "privilege": "GetConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Microservice Extractor for .NET" + }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" }, { "condition": "servicequotas:service", - "description": "Filters or restricts access to a specified AWS service", - "type": "string" + "description": "Filters access by the specified AWS service", + "type": "String" } ], "prefix": "servicequotas", @@ -162966,7 +188627,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to view the existing tags on a SQ resource", "privilege": "ListTagsForResource", "resource_types": [ @@ -163020,297 +188681,26 @@ "description": "Grants permission to associate a set of tags with an existing SQ resource", "privilege": "TagResource", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove a set of tags from a SQ resource, where tags to be removed match a set of customer-supplied tag keys", - "privilege": "UntagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:servicequotas:${Region}:${Account}:${ServiceCode}/${QuotaCode}", - "condition_keys": [], - "resource": "quota" - } - ], - "service_name": "Service Quotas" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - }, - { - "condition": "servicequotas:service", - "description": "Filters or restricts access to a specified AWS service", - "type": "string" - } - ], - "prefix": "servicequotas", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to associate the Service Quotas template with your organization", - "privilege": "AssociateServiceQuotaTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to remove the specified service quota from the service quota template", - "privilege": "DeleteServiceQuotaIncreaseRequestFromTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disassociate the Service Quotas template from your organization", - "privilege": "DisassociateServiceQuotaTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return the details for the specified service quota, including the AWS default value", - "privilege": "GetAWSDefaultServiceQuota", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the ServiceQuotaTemplateAssociationStatus value, which tells you if the Service Quotas template is associated with an organization", - "privilege": "GetAssociationForServiceQuotaTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the details for a particular service quota increase request", - "privilege": "GetRequestedServiceQuotaChange", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return the details for the specified service quota, including the applied value", - "privilege": "GetServiceQuota", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the details for a service quota increase request from the service quota template", - "privilege": "GetServiceQuotaIncreaseRequestFromTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list all default service quotas for the specified AWS service", - "privilege": "ListAWSDefaultServiceQuotas", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to request a list of the changes to quotas for a service", - "privilege": "ListRequestedServiceQuotaChangeHistory", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to request a list of the changes to specific service quotas", - "privilege": "ListRequestedServiceQuotaChangeHistoryByQuota", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return a list of the service quota increase requests from the service quota template", - "privilege": "ListServiceQuotaIncreaseRequestsInTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list all service quotas for the specified AWS service, in that account, in that Region", - "privilege": "ListServiceQuotas", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list the AWS services available in Service Quotas", - "privilege": "ListServices", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view the existing tags on a SQ resource", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to define and add a quota to the service quota template", - "privilege": "PutServiceQuotaIncreaseRequestIntoTemplate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "quota" - }, - { - "condition_keys": [ - "servicequotas:service" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to submit the request for a service quota increase", - "privilege": "RequestServiceQuotaIncrease", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "quota" - }, { "condition_keys": [ - "servicequotas:service" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "Tagging", - "description": "Grants permission to associate a set of tags with an existing SQ resource", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Tagging", "description": "Grants permission to remove a set of tags from a SQ resource, where tags to be removed match a set of customer-supplied tag keys", "privilege": "UntagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -163324,7 +188714,7 @@ "resource": "quota" } ], - "service_name": "AWS Service Quotas" + "service_name": "Service Quotas" }, { "conditions": [ @@ -163341,6 +188731,11 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "ses:ApiVersion", + "description": "Filters actions based on the SES API version", "type": "String" }, { @@ -163373,6 +188768,7 @@ "resource_types": [ { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -163393,6 +188789,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163407,6 +188804,7 @@ "resource_types": [ { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -163427,6 +188825,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -163442,6 +188841,7 @@ "resource_types": [ { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -163462,6 +188862,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163481,6 +188882,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163500,6 +188902,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163519,6 +188922,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163532,7 +188936,9 @@ "privilege": "GetAccount", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163544,7 +188950,9 @@ "privilege": "GetBlacklistReports", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163562,6 +188970,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163581,6 +188990,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163594,7 +189004,9 @@ "privilege": "GetDedicatedIp", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163612,6 +189024,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163625,7 +189038,9 @@ "privilege": "GetDeliverabilityDashboardOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163643,6 +189058,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163656,7 +189072,9 @@ "privilege": "GetDomainDeliverabilityCampaign", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163674,6 +189092,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163693,6 +189112,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163706,7 +189126,9 @@ "privilege": "ListConfigurationSets", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163718,7 +189140,9 @@ "privilege": "ListDedicatedIpPools", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163730,7 +189154,9 @@ "privilege": "ListDeliverabilityTestReports", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163742,7 +189168,9 @@ "privilege": "ListDomainDeliverabilityCampaigns", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163754,7 +189182,9 @@ "privilege": "ListEmailIdentities", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163784,6 +189214,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "identity" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -163793,7 +189230,9 @@ "privilege": "PutAccountDedicatedIpWarmupAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163805,7 +189244,9 @@ "privilege": "PutAccountSendingAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163823,6 +189264,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163842,6 +189284,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163861,6 +189304,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163880,6 +189324,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163899,6 +189344,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163912,7 +189358,9 @@ "privilege": "PutDedicatedIpWarmupAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163924,7 +189372,9 @@ "privilege": "PutDeliverabilityDashboardOption", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -163942,6 +189392,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163961,6 +189412,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163980,6 +189432,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -163999,6 +189452,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "ses:FeedbackAddress", "ses:FromAddress", "ses:FromDisplayName", @@ -164036,6 +189490,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -164071,6 +189526,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys" ], "dependent_actions": [], @@ -164090,6 +189546,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -164132,6 +189589,11 @@ }, { "conditions": [ + { + "condition": "ses:ApiVersion", + "description": "Filters actions based on the SES API version", + "type": "String" + }, { "condition": "ses:FeedbackAddress", "description": "Filters actions based on the \"Return-Path\" address, which specifies where bounces and complaints are sent by email feedback forwarding", @@ -164161,7 +189623,9 @@ "privilege": "CloneReceiptRuleSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164173,7 +189637,9 @@ "privilege": "CreateConfigurationSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164185,7 +189651,9 @@ "privilege": "CreateConfigurationSetEventDestination", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164197,7 +189665,9 @@ "privilege": "CreateConfigurationSetTrackingOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164209,9 +189679,11 @@ "privilege": "CreateCustomVerificationEmailTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164221,7 +189693,9 @@ "privilege": "CreateReceiptFilter", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164233,7 +189707,9 @@ "privilege": "CreateReceiptRule", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164245,7 +189721,9 @@ "privilege": "CreateReceiptRuleSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164257,7 +189735,9 @@ "privilege": "CreateTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164269,7 +189749,9 @@ "privilege": "DeleteConfigurationSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164281,7 +189763,9 @@ "privilege": "DeleteConfigurationSetEventDestination", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164293,7 +189777,9 @@ "privilege": "DeleteConfigurationSetTrackingOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164305,7 +189791,9 @@ "privilege": "DeleteCustomVerificationEmailTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164317,9 +189805,11 @@ "privilege": "DeleteIdentity", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164329,9 +189819,11 @@ "privilege": "DeleteIdentityPolicy", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164341,7 +189833,9 @@ "privilege": "DeleteReceiptFilter", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164353,7 +189847,9 @@ "privilege": "DeleteReceiptRule", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164365,7 +189861,9 @@ "privilege": "DeleteReceiptRuleSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164377,7 +189875,9 @@ "privilege": "DeleteTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164389,9 +189889,11 @@ "privilege": "DeleteVerifiedEmailAddress", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164401,7 +189903,9 @@ "privilege": "DescribeActiveReceiptRuleSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164413,7 +189917,9 @@ "privilege": "DescribeConfigurationSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164425,7 +189931,9 @@ "privilege": "DescribeReceiptRule", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164437,7 +189945,9 @@ "privilege": "DescribeReceiptRuleSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164449,7 +189959,9 @@ "privilege": "GetAccountSendingEnabled", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164461,7 +189973,9 @@ "privilege": "GetCustomVerificationEmailTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164473,9 +189987,11 @@ "privilege": "GetIdentityDkimAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164485,9 +190001,11 @@ "privilege": "GetIdentityMailFromDomainAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164497,9 +190015,11 @@ "privilege": "GetIdentityNotificationAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164509,9 +190029,11 @@ "privilege": "GetIdentityPolicies", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164521,9 +190043,11 @@ "privilege": "GetIdentityVerificationAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164533,7 +190057,9 @@ "privilege": "GetSendQuota", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164545,7 +190071,9 @@ "privilege": "GetSendStatistics", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164557,7 +190085,9 @@ "privilege": "GetTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164569,7 +190099,9 @@ "privilege": "ListConfigurationSets", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164581,7 +190113,9 @@ "privilege": "ListCustomVerificationEmailTemplates", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164593,7 +190127,9 @@ "privilege": "ListIdentities", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164605,7 +190141,9 @@ "privilege": "ListIdentityPolicies", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164617,7 +190155,9 @@ "privilege": "ListReceiptFilters", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164629,7 +190169,9 @@ "privilege": "ListReceiptRuleSets", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164641,7 +190183,9 @@ "privilege": "ListTemplates", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164653,7 +190197,9 @@ "privilege": "ListVerifiedEmailAddresses", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164665,7 +190211,9 @@ "privilege": "PutConfigurationSetDeliveryOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164677,9 +190225,11 @@ "privilege": "PutIdentityPolicy", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164689,7 +190239,9 @@ "privilege": "ReorderReceiptRuleSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164707,6 +190259,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "ses:FromAddress" ], "dependent_actions": [], @@ -164736,6 +190289,119 @@ }, { "condition_keys": [ + "ses:ApiVersion", + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an email address to the list of identities and attempts to verify it for your account", + "privilege": "SendCustomVerificationEmail", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "ses:ApiVersion", + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send an email message", + "privilege": "SendEmail", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [ + "ses:ApiVersion", + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send an email message, with header and content specified by the client", + "privilege": "SendRawEmail", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [ + "ses:ApiVersion", + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to compose an email message using an email template", + "privilege": "SendTemplatedEmail", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [ + "ses:ApiVersion", "ses:FeedbackAddress", "ses:FromAddress", "ses:FromDisplayName", @@ -164748,20 +190414,12 @@ }, { "access_level": "Write", - "description": "Grants permission to add an email address to the list of identities and attempts to verify it for your account", - "privilege": "SendCustomVerificationEmail", + "description": "Grants permission to set the specified receipt rule set as the active receipt rule set", + "privilege": "SetActiveReceiptRuleSet", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity*" - }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "ses:ApiVersion" ], "dependent_actions": [], "resource_type": "" @@ -164770,25 +190428,12 @@ }, { "access_level": "Write", - "description": "Grants permission to send an email message", - "privilege": "SendEmail", + "description": "Grants permission to enable or disable Easy DKIM signing of email sent from an identity", + "privilege": "SetIdentityDkimEnabled", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "configuration-set" - }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "ses:ApiVersion" ], "dependent_actions": [], "resource_type": "" @@ -164797,25 +190442,12 @@ }, { "access_level": "Write", - "description": "Grants permission to send an email message, with header and content specified by the client", - "privilege": "SendRawEmail", + "description": "Grants permission to enable or disable whether Amazon SES forwards bounce and complaint notifications for an identity (an email address or a domain)", + "privilege": "SetIdentityFeedbackForwardingEnabled", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "configuration-set" - }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "ses:ApiVersion" ], "dependent_actions": [], "resource_type": "" @@ -164824,93 +190456,29 @@ }, { "access_level": "Write", - "description": "Grants permission to compose an email message using an email template", - "privilege": "SendTemplatedEmail", + "description": "Grants permission to set whether Amazon SES includes the original email headers in the Amazon Simple Notification Service (Amazon SNS) notifications of a specified type for a given identity (an email address or a domain)", + "privilege": "SetIdentityHeadersInNotificationsEnabled", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "template*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "configuration-set" - }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "ses:ApiVersion" ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "Write", - "description": "Grants permission to set the specified receipt rule set as the active receipt rule set", - "privilege": "SetActiveReceiptRuleSet", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to enable or disable Easy DKIM signing of email sent from an identity", - "privilege": "SetIdentityDkimEnabled", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to enable or disable whether Amazon SES forwards bounce and complaint notifications for an identity (an email address or a domain)", - "privilege": "SetIdentityFeedbackForwardingEnabled", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to set whether Amazon SES includes the original email headers in the Amazon Simple Notification Service (Amazon SNS) notifications of a specified type for a given identity (an email address or a domain)", - "privilege": "SetIdentityHeadersInNotificationsEnabled", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity*" - } - ] - }, { "access_level": "Write", "description": "Grants permission to enable or disable the custom MAIL FROM domain setup for a verified identity", "privilege": "SetIdentityMailFromDomain", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164920,9 +190488,11 @@ "privilege": "SetIdentityNotificationTopic", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -164932,7 +190502,9 @@ "privilege": "SetReceiptRulePosition", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164944,7 +190516,9 @@ "privilege": "TestRenderTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164956,7 +190530,9 @@ "privilege": "UpdateAccountSendingEnabled", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164968,7 +190544,9 @@ "privilege": "UpdateConfigurationSetEventDestination", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164980,7 +190558,9 @@ "privilege": "UpdateConfigurationSetReputationMetricsEnabled", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -164992,7 +190572,9 @@ "privilege": "UpdateConfigurationSetSendingEnabled", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165004,7 +190586,9 @@ "privilege": "UpdateConfigurationSetTrackingOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165016,7 +190600,9 @@ "privilege": "UpdateCustomVerificationEmailTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165028,7 +190614,9 @@ "privilege": "UpdateReceiptRule", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165040,7 +190628,9 @@ "privilege": "UpdateTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165052,9 +190642,11 @@ "privilege": "VerifyDomainDkim", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, @@ -165064,7 +190656,9 @@ "privilege": "VerifyDomainIdentity", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165076,7 +190670,9 @@ "privilege": "VerifyEmailAddress", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165088,7 +190684,9 @@ "privilege": "VerifyEmailIdentity", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165134,6 +190732,11 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", + "type": "ArrayOfString" + }, + { + "condition": "ses:ApiVersion", + "description": "Filters actions based on the SES API version", "type": "String" }, { @@ -165171,6 +190774,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -165191,6 +190795,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165210,6 +190815,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165229,6 +190835,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -165246,6 +190853,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "custom-verification-email-template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165261,6 +190875,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -165281,6 +190896,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -165301,6 +190917,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -165321,6 +190938,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165337,6 +190955,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165346,7 +190971,9 @@ "privilege": "CreateImportJob", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165364,6 +190991,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165383,6 +191011,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165402,6 +191031,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165421,6 +191051,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165437,6 +191068,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "custom-verification-email-template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165452,6 +191090,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165471,6 +191110,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165490,6 +191130,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165506,6 +191147,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165515,7 +191163,9 @@ "privilege": "DeleteSuppressedDestination", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165527,7 +191177,9 @@ "privilege": "GetAccount", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165539,7 +191191,9 @@ "privilege": "GetBlacklistReports", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165557,6 +191211,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165576,6 +191231,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165595,6 +191251,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165611,6 +191268,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "contact-list*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165623,6 +191287,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "custom-verification-email-template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165632,7 +191303,9 @@ "privilege": "GetDedicatedIp", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165650,6 +191323,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165663,7 +191337,9 @@ "privilege": "GetDeliverabilityDashboardOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165681,6 +191357,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165694,7 +191371,9 @@ "privilege": "GetDomainDeliverabilityCampaign", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165712,6 +191391,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165731,6 +191411,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165750,6 +191431,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -165766,6 +191448,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165778,6 +191467,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "import-job*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165787,7 +191483,9 @@ "privilege": "GetSuppressedDestination", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165799,7 +191497,9 @@ "privilege": "ListConfigurationSets", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165811,7 +191511,9 @@ "privilege": "ListContactLists", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165826,6 +191528,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "contact-list*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165835,7 +191544,9 @@ "privilege": "ListCustomVerificationEmailTemplates", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165847,7 +191558,9 @@ "privilege": "ListDedicatedIpPools", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165859,7 +191572,9 @@ "privilege": "ListDeliverabilityTestReports", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165871,7 +191586,9 @@ "privilege": "ListDomainDeliverabilityCampaigns", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165883,7 +191600,9 @@ "privilege": "ListEmailIdentities", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165895,7 +191614,9 @@ "privilege": "ListEmailTemplates", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165907,7 +191628,9 @@ "privilege": "ListImportJobs", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165919,7 +191642,9 @@ "privilege": "ListSuppressedDestinations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165954,6 +191679,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "identity" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -165963,7 +191695,9 @@ "privilege": "PutAccountDedicatedIpWarmupAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165975,7 +191709,9 @@ "privilege": "PutAccountDetails", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165987,7 +191723,9 @@ "privilege": "PutAccountSendingAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -165999,7 +191737,9 @@ "privilege": "PutAccountSuppressionAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -166017,6 +191757,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166036,6 +191777,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166055,6 +191797,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166074,6 +191817,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166093,6 +191837,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166112,6 +191857,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166125,7 +191871,9 @@ "privilege": "PutDedicatedIpWarmupAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -166137,7 +191885,9 @@ "privilege": "PutDeliverabilityDashboardOption", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -166160,6 +191910,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166179,6 +191930,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166198,6 +191950,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166217,6 +191970,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166236,6 +191990,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166249,7 +192004,9 @@ "privilege": "PutSuppressedDestination", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ses:ApiVersion" + ], "dependent_actions": [], "resource_type": "" } @@ -166274,6 +192031,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "configuration-set" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -166286,6 +192050,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "custom-verification-email-template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -166311,6 +192082,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "ses:FeedbackAddress", "ses:FromAddress", "ses:FromDisplayName", @@ -166353,6 +192125,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys", "aws:RequestTag/${TagKey}" ], @@ -166370,6 +192143,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -166405,6 +192185,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:TagKeys" ], "dependent_actions": [], @@ -166424,6 +192205,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166443,6 +192225,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166462,6 +192245,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166478,6 +192262,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "custom-verification-email-template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -166493,6 +192284,7 @@ }, { "condition_keys": [ + "ses:ApiVersion", "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], @@ -166509,6 +192301,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "template*" + }, + { + "condition_keys": [ + "ses:ApiVersion" + ], + "dependent_actions": [], + "resource_type": "" } ] } @@ -166582,7 +192381,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "shield", @@ -166841,6 +192640,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disable application layer automatic response for Shield Advanced protection for a resource", + "privilege": "DisableApplicationLayerAutomaticResponse", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to remove authorization from the DDoS Response Team (DRT) to notify contacts about escalations", @@ -166900,6 +192711,22 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to enable application layer automatic response for Shield Advanced protection for a resource", + "privilege": "EnableApplicationLayerAutomaticResponse", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "cloudfront:GetDistribution", + "iam:CreateServiceLinkedRole", + "iam:GetRole" + ], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to authorize the DDoS Response Team (DRT) to use email and phone to notify contacts about escalations", @@ -167039,6 +192866,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update application layer automatic response for Shield Advanced protection for a resource", + "privilege": "UpdateApplicationLayerAutomaticResponse", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the details of the list of email addresses that the DRT can use to contact you during a suspected attack", @@ -167110,22 +192949,22 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access for create requests based on the allowed set of values for each of the tags", + "description": "Filters access by allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access for create requests based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by presence of mandatory tags in the request", + "type": "ArrayOfString" }, { "condition": "signer:ProfileVersion", - "description": "Filters access based on the version of the Signing Profile", + "description": "Filters access by version of the Signing Profile", "type": "String" } ], @@ -167406,220 +193245,20 @@ ], "resources": [ { - "arn": "arn:${Partition}:signer:${Region}:${Account}:/signing-profiles/${profileName}", + "arn": "arn:${Partition}:signer:${Region}:${Account}:/signing-profiles/${ProfileName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "signing-profile" }, { - "arn": "arn:${Partition}:signer:${Region}:${Account}:/signing-jobs/${jobId}", + "arn": "arn:${Partition}:signer:${Region}:${Account}:/signing-jobs/${JobId}", "condition_keys": [], "resource": "signing-job" } ], "service_name": "AWS Signer" }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the tags.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", - "type": "String" - } - ], - "prefix": "signer", - "privileges": [ - { - "access_level": "Write", - "description": "Cancels a signing profile.", - "privilege": "CancelSigningProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "signing-profile*" - } - ] - }, - { - "access_level": "Read", - "description": "Describe a signing job.", - "privilege": "DescribeSigningJob", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "signing-job*" - } - ] - }, - { - "access_level": "Read", - "description": "Retrieves a signing platform.", - "privilege": "GetSigningPlatform", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Retrieves a signing profile.", - "privilege": "GetSigningProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "signing-profile*" - } - ] - }, - { - "access_level": "List", - "description": "List signing jobs.", - "privilege": "ListSigningJobs", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "List all signing platforms.", - "privilege": "ListSigningPlatforms", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "List all signing profile associated with the account.", - "privilege": "ListSigningProfiles", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists the tags associated with the Signing Profile resource.", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "signing-profile*" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a new signing profile if not exists.", - "privilege": "PutSigningProfile", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Starts a code signing request.", - "privilege": "StartSigningJob", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "signing-profile*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Adds one or more tags to an Signing Profile resource", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "signing-profile*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Removes one or more tags from an Signing Profile resource", - "privilege": "UntagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "signing-profile*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:signer:${Region}::/signing-profiles/${profileName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "signing-profile" - }, - { - "arn": "arn:${Partition}:signer:${Region}::/signing-jobs/${jobId}", - "condition_keys": [], - "resource": "signing-job" - } - ], - "service_name": "AWS Code Signing for Amazon FreeRTOS" - }, { "conditions": [], "prefix": "sms", @@ -168180,6 +193819,748 @@ "resources": [], "service_name": "Amazon Pinpoint SMS and Voice Service" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "sms-voice", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate an origination phone number or sender ID to a pool", + "privilege": "AssociateOriginationIdentity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a configuration set", + "privilege": "CreateConfigurationSet", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "sms-voice:TagResource" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an event destination within a configuration set", + "privilege": "CreateEventDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an opt-out list", + "privilege": "CreateOptOutList", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "sms-voice:TagResource" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a pool", + "privilege": "CreatePool", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "sms-voice:TagResource" + ], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a configuration set", + "privilege": "DeleteConfigurationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the default message type for a configuration set", + "privilege": "DeleteDefaultMessageType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the default sender ID for a configuration set", + "privilege": "DeleteDefaultSenderId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an event destination within a configuration set", + "privilege": "DeleteEventDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a keyword for a pool or origination phone number", + "privilege": "DeleteKeyword", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an opt-out list", + "privilege": "DeleteOptOutList", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a destination phone number from an opt-out list", + "privilege": "DeleteOptedOutNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a pool", + "privilege": "DeletePool", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an override for your account's text messaging monthly spend limit", + "privilege": "DeleteTextMessageSpendLimitOverride", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an override for your account's voice messaging monthly spend limit", + "privilege": "DeleteVoiceMessageSpendLimitOverride", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the attributes of your account", + "privilege": "DescribeAccountAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the service quotas for your account", + "privilege": "DescribeAccountLimits", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the configuration sets in your account", + "privilege": "DescribeConfigurationSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the keywords for a pool or origination phone number", + "privilege": "DescribeKeywords", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the opt-out lists in your account", + "privilege": "DescribeOptOutLists", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the destination phone numbers in an opt-out list", + "privilege": "DescribeOptedOutNumbers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the origination phone numbers in your account", + "privilege": "DescribePhoneNumbers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the pools in your account", + "privilege": "DescribePools", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the sender IDs in your account", + "privilege": "DescribeSenderIds", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the monthly spend limits for your account", + "privilege": "DescribeSpendLimits", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an origination phone number or sender ID from a pool", + "privilege": "DisassociateOriginationIdentity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all origination phone numbers and sender IDs associated to a pool", + "privilege": "ListPoolOriginationIdentities", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create or update a keyword for a pool or origination phone number", + "privilege": "PutKeyword", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put a destination phone number into an opt-out list", + "privilege": "PutOptedOutNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to release an origination phone number", + "privilege": "ReleasePhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to request an origination phone number", + "privilege": "RequestPhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "sms-voice:AssociateOriginationIdentity", + "sms-voice:TagResource" + ], + "resource_type": "Pool" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send a text message to a destination phone number", + "privilege": "SendTextMessage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send a voice message to a destination phone number", + "privilege": "SendVoiceMessage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the default message type for a configuration set", + "privilege": "SetDefaultMessageType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the default sender ID for a configuration set", + "privilege": "SetDefaultSenderId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set an override for your account's text messaging monthly spend limit", + "privilege": "SetTextMessageSpendLimitOverride", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set an override for your account's voice messaging monthly spend limit", + "privilege": "SetVoiceMessageSpendLimitOverride", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationSet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "OptOutList" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SenderId" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an event destination within a configuration set", + "privilege": "UpdateEventDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "ConfigurationSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an origination phone number's configuration", + "privilege": "UpdatePhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PhoneNumber*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a pool's configuration", + "privilege": "UpdatePool", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Pool*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:sms-voice:${Region}:${Account}:configuration-set/${ConfigurationSetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ConfigurationSet" + }, + { + "arn": "arn:${Partition}:sms-voice:${Region}:${Account}:opt-out-list/${OptOutListName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "OptOutList" + }, + { + "arn": "arn:${Partition}:sms-voice:${Region}:${Account}:phone-number/${PhoneNumberId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "PhoneNumber" + }, + { + "arn": "arn:${Partition}:sms-voice:${Region}:${Account}:pool/${PoolId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Pool" + }, + { + "arn": "arn:${Partition}:sms-voice:${Region}:${Account}:sender-id/${SenderId}/${IsoCountryCode}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "SenderId" + } + ], + "service_name": "Amazon Pinpoint SMS Voice V2" + }, { "conditions": [ { @@ -168719,22 +195100,27 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access baded on tags from request", + "description": "Filters access by tags from request", "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters access baded on tag keys from request", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tags associated with the resource", "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by tag keys from request", + "type": "ArrayOfString" + }, { "condition": "sns:Endpoint", - "description": "Filters access based on the URL, email address, or ARN from a Subscribe request or a previously confirmed subscription", + "description": "Filters access by the URL, email address, or ARN from a Subscribe request or a previously confirmed subscription", "type": "String" }, { "condition": "sns:Protocol", - "description": "Filters access based on the protocol value from a Subscribe request or a previously confirmed subscription", + "description": "Filters access by the protocol value from a Subscribe request or a previously confirmed subscription", "type": "String" } ], @@ -168825,6 +195211,14 @@ "iam:PassRole" ], "resource_type": "topic*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -169244,7 +195638,9 @@ "resources": [ { "arn": "arn:${Partition}:sns:${Region}:${Account}:${TopicName}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "topic" } ], @@ -169254,25 +195650,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on the tags associated with the resource", + "description": "Filters access by the tags that are associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "sqlworkbench", "privileges": [ { "access_level": "Write", - "description": "", + "description": "Grants permission to associate connection to a chart", "privilege": "AssociateConnectionWithChart", "resource_types": [ { @@ -169289,7 +195685,7 @@ }, { "access_level": "Write", - "description": "", + "description": "Grants permission to associate connection to a tab", "privilege": "AssociateConnectionWithTab", "resource_types": [ { @@ -169301,7 +195697,7 @@ }, { "access_level": "Write", - "description": "", + "description": "Grants permission to associate query to a tab", "privilege": "AssociateQueryWithTab", "resource_types": [ { @@ -169323,6 +195719,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get notebook cells content on your account", + "privilege": "BatchGetNotebookCell", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create SQLWorkbench account", @@ -169387,6 +195795,86 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a new notebook on your account", + "privilege": "CreateNotebook", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a notebook cell on your account", + "privilege": "CreateNotebookCell", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new notebook from a notebook version on your account", + "privilege": "CreateNotebookFromVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a notebook version on your account", + "privilege": "CreateNotebookVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new saved query on your account", @@ -169431,6 +195919,42 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove notebooks on your account", + "privilege": "DeleteNotebook", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove notebooks cells on your account", + "privilege": "DeleteNotebookCell", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove notebooks cells on your account", + "privilege": "DeleteNotebookVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to remove saved queries on your account", @@ -169467,6 +195991,38 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a new notebook by duplicating an existing one on your account", + "privilege": "DuplicateNotebook", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to export a notebook on your account", + "privilege": "ExportNotebook", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to generate a new session on your account", @@ -169491,6 +196047,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get account settings", + "privilege": "GetAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get charts on your account", @@ -169517,8 +196085,32 @@ }, { "access_level": "Read", - "description": "Grants permission to describe KMS Keys", - "privilege": "GetKMSKey", + "description": "Grants permission to get notebook metadata on your account", + "privilege": "GetNotebook", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the content of a notebook version on your account", + "privilege": "GetNotebookVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the query execution history on your account", + "privilege": "GetQueryExecutionHistory", "resource_types": [ { "condition_keys": [], @@ -169564,13 +196156,21 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list buckets", - "privilege": "ListBuckets", + "access_level": "Write", + "description": "Grants permission to import a notebook on your account", + "privilege": "ImportNotebook", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] @@ -169613,8 +196213,20 @@ }, { "access_level": "List", - "description": "Grants permission to list KMS Key Aliases", - "privilege": "ListKMSKeyAliases", + "description": "Grants permission to get notebook versions metadata on your account", + "privilege": "ListNotebookVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the notebooks on your account", + "privilege": "ListNotebooks", "resource_types": [ { "condition_keys": [], @@ -169625,8 +196237,8 @@ }, { "access_level": "List", - "description": "Grants permission to list KMS Keys", - "privilege": "ListKMSKeys", + "description": "Grants permission to list the query execution history on your account", + "privilege": "ListQueryExecutionHistory", "resource_types": [ { "condition_keys": [], @@ -169683,6 +196295,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list tagged resources", + "privilege": "ListTaggedResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list the tags of an sqlworkbench resource", @@ -169698,6 +196322,11 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook" + }, { "condition_keys": [], "dependent_actions": [], @@ -169729,6 +196358,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to restore a notebook on your account to a version", + "privilege": "RestoreNotebookVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to tag an sqlworkbench resource", @@ -169744,6 +196393,11 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook" + }, { "condition_keys": [], "dependent_actions": [], @@ -169774,6 +196428,11 @@ "dependent_actions": [], "resource_type": "connection" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook" + }, { "condition_keys": [], "dependent_actions": [], @@ -169789,6 +196448,42 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update account-wide connection settings", + "privilege": "UpdateAccountConnectionSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update account-wide export settings", + "privilege": "UpdateAccountExportSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update account-wide general settings", + "privilege": "UpdateAccountGeneralSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a chart on your account", @@ -169858,6 +196553,66 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a notebook metadata on your account", + "privilege": "UpdateNotebook", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a notebook cell content on your account", + "privilege": "UpdateNotebookCellContent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a notebook cell layout on your account", + "privilege": "UpdateNotebookCellLayout", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a saved query on your account", @@ -169900,6 +196655,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "chart" + }, + { + "arn": "arn:${Partition}:sqlworkbench:${Region}:${Account}:notebook/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "notebook" } ], "service_name": "AWS SQL Workbench" @@ -170126,42 +196888,62 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters 'Create' requests based on the allowed set of values for a specified tags", + "description": "Filters access by 'Create' requests based on the allowed set of values for a specified tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on a tag key-value pair assigned to the AWS resource", + "description": "Filters access by based on a tag key-value pair assigned to the AWS resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters 'Create' requests based on whether mandatory tags are included in the request", + "description": "Filters access by 'Create' requests based on whether mandatory tags are included in the request", + "type": "ArrayOfString" + }, + { + "condition": "ssm:AutoApprove", + "description": "Filters access by verifying that a user has permission to start Change Manager workflows without a review step (with the exception of change freeze events)", "type": "String" }, + { + "condition": "ssm:DocumentCategories", + "description": "Filters access by verifying that a user has permission to access a document belonging to a specific category enum", + "type": "ArrayOfString" + }, { "condition": "ssm:Overwrite", - "description": "Filters access by controlling whether the values for specified resources can be overwritten", + "description": "Filters access by allowing Systems Manager parameters to be overwritten", "type": "String" }, { "condition": "ssm:Recursive", - "description": "Filters access for resources created in a hierarchical structure", + "description": "Filters access by allowing traversing hierarchical structure of the Systems Manager parameters", "type": "String" }, { "condition": "ssm:SessionDocumentAccessCheck", "description": "Filters access by verifying that a user has permission to access either the default Session Manager configuration document or the custom configuration document specified in a request", - "type": "Boolean" + "type": "Bool" + }, + { + "condition": "ssm:SourceInstanceARN", + "description": "Filters access by verifying the Amazon Resource Name (ARN) of the AWS Systems Manager's managed instance from which the request is made. This key is not present when the request comes from the managed instance authenticated with an IAM role associated with EC2 instance profile", + "type": "String" }, { "condition": "ssm:SyncType", "description": "Filters access by verifying that a user also has access to the ResourceDataSync SyncType specified in the request", "type": "String" }, + { + "condition": "ssm:resourceTag/${TagKey}", + "description": "Filters access by allowing access based on a tag key-value pair assigned to the Systems Manager resource", + "type": "String" + }, { "condition": "ssm:resourceTag/tag-key", - "description": "Filters access based on a tag key-value pair assigned to the Systems Manager resource", + "description": "Filters access by allowing access based on a tag key-value pair assigned to the Systems Manager resource", "type": "String" } ], @@ -170172,11 +196954,21 @@ "description": "Grants permission to add or overwrite one or more tags for a specified AWS resource", "privilege": "AddTagsToResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "automation-execution" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "document" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance" + }, { "condition_keys": [], "dependent_actions": [], @@ -170206,6 +196998,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "patchbaseline" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -170241,7 +197046,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "maintenancewindow*" } ] }, @@ -170251,7 +197056,10 @@ "privilege": "CreateActivation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -170553,6 +197361,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "managed-instance*" + }, + { + "condition_keys": [ + "ssm:resourceTag/tag-key" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -170639,7 +197454,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "association*" } ] }, @@ -170651,7 +197466,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "association*" } ] }, @@ -170675,7 +197490,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "automation-execution*" } ] }, @@ -170735,12 +197550,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance" + "resource_type": "instance*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "managed-instance" + "resource_type": "managed-instance*" } ] }, @@ -170764,12 +197579,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance" + "resource_type": "instance*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "managed-instance" + "resource_type": "managed-instance*" } ] }, @@ -170865,7 +197680,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "maintenancewindow*" } ] }, @@ -170978,7 +197793,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to view aggregated status details for patches for a specified patch group", "privilege": "DescribePatchGroupState", "resource_types": [ @@ -171045,7 +197860,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "automation-execution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details of a specific calendar", + "privilege": "GetCalendar", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document*" } ] }, @@ -171081,6 +197908,24 @@ { "condition_keys": [], "dependent_actions": [], + "resource_type": "instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managed-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "ssm:resourceTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] @@ -171118,6 +197963,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "document*" + }, + { + "condition_keys": [ + "ssm:DocumentCategories" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -171207,7 +198059,7 @@ }, { "access_level": "Read", - "description": "Used by Systems Manager and SSM Agent to determine package installation requirements for an instance (internal Systems Manager call)", + "description": "Grants permission to Systems Manager and SSM Agent to determine package installation requirements for an instance (internal Systems Manager call)", "privilege": "GetManifest", "resource_types": [ { @@ -171298,6 +198150,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "parameter*" + }, + { + "condition_keys": [ + "ssm:Recursive" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -171357,7 +198216,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "association*" } ] }, @@ -171374,7 +198233,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to list information about command invocations sent to a specified instance", "privilege": "ListCommandInvocations", "resource_types": [ @@ -171386,7 +198245,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to list the commands sent to a specified instance", "privilege": "ListCommands", "resource_types": [ @@ -171422,7 +198281,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to view metadata history about a specified SSM document", "privilege": "ListDocumentMetadataHistory", "resource_types": [ @@ -171459,7 +198318,7 @@ }, { "access_level": "List", - "description": "Used by SSM Agent to check for new State Manager associations (internal Systems Manager call)", + "description": "Grants permission to SSM Agent to check for new State Manager associations (internal Systems Manager call)", "privilege": "ListInstanceAssociations", "resource_types": [ { @@ -171487,7 +198346,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to view details about OpsItemEvents", "privilege": "ListOpsItemEvents", "resource_types": [ @@ -171499,7 +198358,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to view details about OpsItem RelatedItems", "privilege": "ListOpsItemRelatedItems", "resource_types": [ @@ -171549,10 +198408,15 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to view a list of resource tags for a specified resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "automation-execution" + }, { "condition_keys": [], "dependent_actions": [], @@ -171591,7 +198455,7 @@ ] }, { - "access_level": "Write", + "access_level": "Permissions management", "description": "Grants permission to share a custom SSM document publicly or privately with specified AWS accounts", "privilege": "ModifyDocumentPermission", "resource_types": [ @@ -171602,6 +198466,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create/edit a specific calendar", + "privilege": "PutCalendar", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to register a compliance type and other compliance details on a specified resource", @@ -171621,7 +198497,7 @@ }, { "access_level": "Read", - "description": "Used by SSM Agent to generate a report of the results of specific agent requests (internal Systems Manager call)", + "description": "Grants permission to SSM Agent to generate a report of the results of specific agent requests (internal Systems Manager call)", "privilege": "PutConfigurePackageResult", "resource_types": [ { @@ -171656,7 +198532,8 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "ssm:Overwrite" ], "dependent_actions": [], "resource_type": "" @@ -171675,6 +198552,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to register a Systems Manager Agent", + "privilege": "RegisterManagedInstance", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to specify the default patch baseline for a specified patch group", @@ -171716,11 +198608,21 @@ "description": "Grants permission to remove a specified tag key from a specified resource", "privilege": "RemoveTagsFromResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "automation-execution" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "document" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance" + }, { "condition_keys": [], "dependent_actions": [], @@ -171750,6 +198652,18 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "patchbaseline" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -171785,7 +198699,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "automation-execution*" } ] }, @@ -171817,7 +198731,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ssm:resourceTag/tag-key" + "ssm:resourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -171857,6 +198771,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "automation-definition*" + }, + { + "condition_keys": [ + "ssm:AutoApprove" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -171875,6 +198796,11 @@ "dependent_actions": [], "resource_type": "instance" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managed-instance" + }, { "condition_keys": [], "dependent_actions": [], @@ -171882,7 +198808,9 @@ }, { "condition_keys": [ - "ssm:SessionDocumentAccessCheck" + "ssm:SessionDocumentAccessCheck", + "ssm:resourceTag/${TagKey}", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -171897,7 +198825,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "automation-execution*" } ] }, @@ -171913,6 +198841,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove an identifying label from a specified version of a parameter", + "privilege": "UnlabelParameterVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parameter*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update an association and immediately run the association on the specified targets", @@ -171959,6 +198899,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "managed-instance" + }, + { + "condition_keys": [ + "ssm:SourceInstanceARN" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -172000,7 +198947,7 @@ }, { "access_level": "Write", - "description": "Used by SSM Agent to update the status of the association that it is currently running (internal Systems Manager call)", + "description": "Grants permission to SSM Agent to update the status of the association that it is currently running (internal Systems Manager call)", "privilege": "UpdateInstanceAssociationStatus", "resource_types": [ { @@ -172017,17 +198964,31 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "managed-instance" + }, + { + "condition_keys": [ + "ssm:SourceInstanceARN" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Used by SSM Agent to send a heartbeat signal to the Systems Manager service in the cloud", + "description": "Grants permission to SSM Agent to send a heartbeat signal to the Systems Manager service in the cloud", "privilege": "UpdateInstanceInformation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "ssm:SourceInstanceARN" + ], + "dependent_actions": [], "resource_type": "" } ] @@ -172077,6 +199038,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "managed-instance*" + }, + { + "condition_keys": [ + "ssm:resourceTag/tag-key" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -172156,7 +199124,10 @@ }, { "arn": "arn:${Partition}:ssm:${Region}:${Account}:automation-execution/${AutomationExecutionId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ssm:resourceTag/tag-key" + ], "resource": "automation-execution" }, { @@ -172173,7 +199144,7 @@ "arn": "arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}", "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ssm:resourceTag/tag-key" + "ssm:DocumentCategories" ], "resource": "document" }, @@ -172181,7 +199152,7 @@ "arn": "arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ssm:resourceTag/tag-key" + "ssm:resourceTag/${TagKey}" ], "resource": "instance" }, @@ -172217,7 +199188,7 @@ "arn": "arn:${Partition}:ssm:${Region}:${Account}:opsmetadata/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ssm:resourceTag/tag-key" + "ssm:resourceTag/${TagKey}" ], "resource": "opsmetadata" }, @@ -172273,7 +199244,23 @@ "service_name": "AWS Systems Manager" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], "prefix": "ssm-contacts", "privileges": [ { @@ -172323,6 +199310,14 @@ "ssm-contacts:AssociateContact" ], "resource_type": "contact*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -172374,18 +199369,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to delete a contact's resource policy", - "privilege": "DeleteContactPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "contact*" - } - ] - }, { "access_level": "Read", "description": "Grants permission to describe an engagement", @@ -172587,6 +199570,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "contact*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -172599,6 +199590,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "contact*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -172627,24 +199625,14 @@ "resource_type": "contactchannel*" } ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a contact's resource policy", - "privilege": "UpdateContactPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "contact*" - } - ] } ], "resources": [ { "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:contact/${ContactAlias}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "contact" }, { @@ -172653,12 +199641,12 @@ "resource": "contactchannel" }, { - "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:engagement/${EngagementId}", + "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:engagement/${ContactAlias}/${EngagementId}", "condition_keys": [], "resource": "engagement" }, { - "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:page/${ContactAlias}/${pageId}", + "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:page/${ContactAlias}/${PageId}", "condition_keys": [], "resource": "page" } @@ -172667,6 +199655,66 @@ }, { "conditions": [], + "prefix": "ssm-guiconnect", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to terminate a GUI Connect session", + "privilege": "CancelConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the metadata for a GUI Connect session", + "privilege": "GetConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a GUI Connect session", + "privilege": "StartConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Systems Manager GUI Connect" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], "prefix": "ssm-incidents", "privileges": [ { @@ -172689,9 +199737,13 @@ "privilege": "CreateResponsePlan", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [ - "iam:PassRole" + "iam:PassRole", + "ssm-incidents:TagResource" ], "resource_type": "" } @@ -172905,7 +199957,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "response-plan*" + "resource_type": "incident-record" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan" } ] }, @@ -172958,7 +200015,20 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "response-plan*" + "resource_type": "incident-record" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -172970,7 +200040,19 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "response-plan*" + "resource_type": "incident-record" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -173040,9 +200122,18 @@ { "condition_keys": [], "dependent_actions": [ - "iam:PassRole" + "iam:PassRole", + "ssm-incidents:TagResource" ], "resource_type": "response-plan*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -173067,12 +200158,16 @@ "resources": [ { "arn": "arn:${Partition}:ssm-incidents::${Account}:response-plan/${ResponsePlan}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "response-plan" }, { "arn": "arn:${Partition}:ssm-incidents::${Account}:incident-record/${ResponsePlan}/${IncidentRecord}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "incident-record" }, { @@ -173084,7 +200179,13 @@ "service_name": "AWS Systems Manager Incident Manager" }, { - "conditions": [], + "conditions": [ + { + "condition": "ssm:SourceInstanceARN", + "description": "Filters access by verifying the Amazon Resource Name (ARN) of the AWS Systems Manager's managed instance from which the request is made. This key is not present when the request comes from the managed instance authenticated with an IAM role associated with EC2 instance profile", + "type": "String" + } + ], "prefix": "ssmmessages", "privileges": [ { @@ -173093,7 +200194,9 @@ "privilege": "CreateControlChannel", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ssm:SourceInstanceARN" + ], "dependent_actions": [], "resource_type": "" } @@ -173143,25 +200246,25 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "sso", "privileges": [ { "access_level": "Write", - "description": "Grants permission to connect a directory to be used by AWS Single Sign-On", + "description": "Grants permission to connect a directory to be used by AWS IAM Identity Center", "privilege": "AssociateDirectory", "resource_types": [ { @@ -173187,7 +200290,24 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to attach an AWS managed policy to a permission set.", + "description": "Grants permission to attach a customer managed policy reference to a permission set", + "privilege": "AttachCustomerManagedPolicyReferenceToPermissionSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PermissionSet*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to attach an AWS managed policy to a permission set", "privilege": "AttachManagedPolicyToPermissionSet", "resource_types": [ { @@ -173204,7 +200324,7 @@ }, { "access_level": "Write", - "description": "Grants permission to assign access to a Principal for a specified AWS account using a specified permission set.", + "description": "Grants permission to assign access to a Principal for a specified AWS account using a specified permission set", "privilege": "CreateAccountAssignment", "resource_types": [ { @@ -173226,7 +200346,7 @@ }, { "access_level": "Write", - "description": "Grants permission to add an application instance to AWS Single Sign-On", + "description": "Grants permission to add an application instance to AWS IAM Identity Center", "privilege": "CreateApplicationInstance", "resource_types": [ { @@ -173255,14 +200375,25 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:AttachRolePolicy", + "iam:CreateRole", + "iam:DeleteRole", + "iam:DeleteRolePolicy", + "iam:DetachRolePolicy", + "iam:GetRole", + "iam:ListAttachedRolePolicies", + "iam:ListRolePolicies", + "iam:PutRolePolicy", + "iam:UpdateAssumeRolePolicy" + ], "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "Grants permission to add a managed application instance to AWS Single Sign-On", + "description": "Grants permission to add a managed application instance to AWS IAM Identity Center", "privilege": "CreateManagedApplicationInstance", "resource_types": [ { @@ -173318,7 +200449,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a Principal's access from a specified AWS account using a specified permission set.", + "description": "Grants permission to delete a Principal's access from a specified AWS account using a specified permission set", "privilege": "DeleteAccountAssignment", "resource_types": [ { @@ -173364,7 +200495,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the inline policy from a specified permission set.", + "description": "Grants permission to delete the inline policy from a specified permission set", "privilege": "DeleteInlinePolicyFromPermissionSet", "resource_types": [ { @@ -173420,6 +200551,23 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to remove permissions boundary from a permission set", + "privilege": "DeletePermissionsBoundaryFromPermissionSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PermissionSet*" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to delete the permission policy associated with a permission set", @@ -173446,7 +200594,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the status of the assignment creation request.", + "description": "Grants permission to describe the status of the assignment creation request", "privilege": "DescribeAccountAssignmentCreationStatus", "resource_types": [ { @@ -173458,7 +200606,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the status of an assignment deletion request.", + "description": "Grants permission to describe the status of an assignment deletion request", "privilege": "DescribeAccountAssignmentDeletionStatus", "resource_types": [ { @@ -173499,7 +200647,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe the status for the given Permission Set Provisioning request.", + "description": "Grants permission to describe the status for the given Permission Set Provisioning request", "privilege": "DescribePermissionSetProvisioningStatus", "resource_types": [ { @@ -173523,7 +200671,7 @@ }, { "access_level": "Read", - "description": "Grants permission to obtain the regions where your organization has enabled AWS Single Sign-on", + "description": "Grants permission to obtain the regions where your organization has enabled AWS IAM Identity Center", "privilege": "DescribeRegisteredRegions", "resource_types": [ { @@ -173535,7 +200683,24 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to detach the attached AWS managed policy from the specified permission set.", + "description": "Grants permission to detach a customer managed policy reference from a permission set", + "privilege": "DetachCustomerManagedPolicyReferenceFromPermissionSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PermissionSet*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to detach the attached AWS managed policy from the specified permission set", "privilege": "DetachManagedPolicyFromPermissionSet", "resource_types": [ { @@ -173552,7 +200717,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate a directory to be used by AWS Single Sign-On", + "description": "Grants permission to disassociate a directory to be used by AWS IAM Identity Center", "privilege": "DisassociateDirectory", "resource_types": [ { @@ -173602,7 +200767,7 @@ }, { "access_level": "Read", - "description": "Grants permission to obtain the inline policy assigned to the permission set.", + "description": "Grants permission to obtain the inline policy assigned to the permission set", "privilege": "GetInlinePolicyForPermissionSet", "resource_types": [ { @@ -173653,6 +200818,23 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get permissions boundary for a permission set", + "privilege": "GetPermissionsBoundaryForPermissionSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PermissionSet*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve all permission policies associated with a permission set", @@ -173681,7 +200863,7 @@ }, { "access_level": "Read", - "description": "Grants permission to check if AWS Single Sign-On is enabled", + "description": "Grants permission to check if AWS IAM Identity Center is enabled", "privilege": "GetSSOStatus", "resource_types": [ { @@ -173741,7 +200923,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the status of the AWS account assignment creation requests for a specified SSO instance.", + "description": "Grants permission to list the status of the AWS account assignment creation requests for a specified SSO instance", "privilege": "ListAccountAssignmentCreationStatus", "resource_types": [ { @@ -173753,7 +200935,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the status of the AWS account assignment deletion requests for a specified SSO instance.", + "description": "Grants permission to list the status of the AWS account assignment deletion requests for a specified SSO instance", "privilege": "ListAccountAssignmentDeletionStatus", "resource_types": [ { @@ -173765,7 +200947,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the assignee of the specified AWS account with the specified permission set.", + "description": "Grants permission to list the assignee of the specified AWS account with the specified permission set", "privilege": "ListAccountAssignments", "resource_types": [ { @@ -173787,7 +200969,7 @@ }, { "access_level": "List", - "description": "Grants permission to list all the AWS accounts where the specified permission set is provisioned.", + "description": "Grants permission to list all the AWS accounts where the specified permission set is provisioned", "privilege": "ListAccountsForProvisionedPermissionSet", "resource_types": [ { @@ -173854,9 +201036,26 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the customer managed policy references that are attached to a permission set", + "privilege": "ListCustomerManagedPolicyReferencesInPermissionSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PermissionSet*" + } + ] + }, { "access_level": "Read", - "description": "Grants permission to retrieve details about the directory connected to AWS Single Sign-On", + "description": "Grants permission to retrieve details about the directory connected to AWS IAM Identity Center", "privilege": "ListDirectoryAssociations", "resource_types": [ { @@ -173868,7 +201067,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the SSO Instances that the caller has access to.", + "description": "Grants permission to list the SSO Instances that the caller has access to", "privilege": "ListInstances", "resource_types": [ { @@ -173880,7 +201079,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the AWS managed policies that are attached to a specified permission set.", + "description": "Grants permission to list the AWS managed policies that are attached to a specified permission set", "privilege": "ListManagedPoliciesInPermissionSet", "resource_types": [ { @@ -173897,7 +201096,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the status of the Permission Set Provisioning requests for a specified SSO instance.", + "description": "Grants permission to list the status of the Permission Set Provisioning requests for a specified SSO instance", "privilege": "ListPermissionSetProvisioningStatus", "resource_types": [ { @@ -173921,7 +201120,7 @@ }, { "access_level": "List", - "description": "Grants permission to list all the permission sets that are provisioned to a specified AWS account.", + "description": "Grants permission to list all the permission sets that are provisioned to a specified AWS account", "privilege": "ListPermissionSetsProvisionedToAccount", "resource_types": [ { @@ -173964,7 +201163,7 @@ }, { "access_level": "Read", - "description": "Grants permission to list the tags that are attached to a specified resource.", + "description": "Grants permission to list the tags that are attached to a specified resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -173981,7 +201180,7 @@ }, { "access_level": "Write", - "description": "Grants permission to provision a specified permission set to the specified target.", + "description": "Grants permission to provision a specified permission set to the specified target", "privilege": "ProvisionPermissionSet", "resource_types": [ { @@ -174003,7 +201202,7 @@ }, { "access_level": "Write", - "description": "Grants permission to attach an IAM inline policy to a permission set.", + "description": "Grants permission to attach an IAM inline policy to a permission set", "privilege": "PutInlinePolicyToPermissionSet", "resource_types": [ { @@ -174030,6 +201229,23 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to add permissions boundary to a permission set", + "privilege": "PutPermissionsBoundaryToPermissionSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "PermissionSet*" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to add a policy to a permission set", @@ -174072,7 +201288,7 @@ }, { "access_level": "Write", - "description": "Grants permission to initialize AWS Single Sign-On", + "description": "Grants permission to initialize AWS IAM Identity Center", "privilege": "StartSSO", "resource_types": [ { @@ -174087,7 +201303,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to associate a set of tags with a specified resource.", + "description": "Grants permission to associate a set of tags with a specified resource", "privilege": "TagResource", "resource_types": [ { @@ -174112,7 +201328,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to disassociate a set of tags from a specified resource.", + "description": "Grants permission to disassociate a set of tags from a specified resource", "privilege": "UntagResource", "resource_types": [ { @@ -174257,7 +201473,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to update the permission set.", + "description": "Grants permission to update the permission set", "privilege": "UpdatePermissionSet", "resource_types": [ { @@ -174328,7 +201544,7 @@ "resource": "Instance" } ], - "service_name": "AWS SSO" + "service_name": "AWS IAM Identity Center (successor to AWS Single Sign-On)" }, { "conditions": [], @@ -174336,7 +201552,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to add a member to a group in the directory that AWS SSO provides by default", + "description": "Grants permission to add a member to a group in the directory that AWS IAM Identity Center provides by default", "privilege": "AddMemberToGroup", "resource_types": [ { @@ -174372,7 +201588,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create an alias for the directory that AWS SSO provides by default", + "description": "Grants permission to create an alias for the directory that AWS IAM Identity Center provides by default", "privilege": "CreateAlias", "resource_types": [ { @@ -174408,7 +201624,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a group in the directory that AWS SSO provides by default", + "description": "Grants permission to create a group in the directory that AWS IAM Identity Center provides by default", "privilege": "CreateGroup", "resource_types": [ { @@ -174432,7 +201648,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a user in the directory that AWS SSO provides by default", + "description": "Grants permission to create a user in the directory that AWS IAM Identity Center provides by default", "privilege": "CreateUser", "resource_types": [ { @@ -174480,7 +201696,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a group from the directory that AWS SSO provides by default", + "description": "Grants permission to delete a group from the directory that AWS IAM Identity Center provides by default", "privilege": "DeleteGroup", "resource_types": [ { @@ -174516,7 +201732,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a user from the directory that AWS SSO provides by default", + "description": "Grants permission to delete a user from the directory that AWS IAM Identity Center provides by default", "privilege": "DeleteUser", "resource_types": [ { @@ -174528,7 +201744,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the directory that AWS SSO provides by default", + "description": "Grants permission to retrieve information about the directory that AWS IAM Identity Center provides by default", "privilege": "DescribeDirectory", "resource_types": [ { @@ -174552,7 +201768,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about groups from the directory that AWS SSO provides by default", + "description": "Grants permission to retrieve information about groups from the directory that AWS IAM Identity Center provides by default", "privilege": "DescribeGroups", "resource_types": [ { @@ -174576,7 +201792,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a user from the directory that AWS SSO provides by default", + "description": "Grants permission to retrieve information about a user from the directory that AWS IAM Identity Center provides by default", "privilege": "DescribeUser", "resource_types": [ { @@ -174600,7 +201816,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about user from the directory that AWS SSO provides by default", + "description": "Grants permission to retrieve information about user from the directory that AWS IAM Identity Center provides by default", "privilege": "DescribeUsers", "resource_types": [ { @@ -174624,7 +201840,7 @@ }, { "access_level": "Write", - "description": "Grants permission to deactivate a user in the directory that AWS SSO provides by default", + "description": "Grants permission to deactivate a user in the directory that AWS IAM Identity Center provides by default", "privilege": "DisableUser", "resource_types": [ { @@ -174648,7 +201864,7 @@ }, { "access_level": "Write", - "description": "Grants permission to activate user in the directory that AWS SSO provides by default", + "description": "Grants permission to activate user in the directory that AWS IAM Identity Center provides by default", "privilege": "EnableUser", "resource_types": [ { @@ -174660,7 +201876,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the AWS SSO Service Provider configurations for the directory", + "description": "Grants permission to retrieve the AWS IAM Identity Center Service Provider configurations for the directory", "privilege": "GetAWSSPConfigurationForDirectory", "resource_types": [ { @@ -174696,7 +201912,7 @@ }, { "access_level": "Read", - "description": "Grants permission to check if a member is a part of the group in the directory that AWS SSO provides by default", + "description": "Grants permission to check if a member is a part of the group in the directory that AWS IAM Identity Center provides by default", "privilege": "IsMemberInGroup", "resource_types": [ { @@ -174756,7 +201972,7 @@ }, { "access_level": "Read", - "description": "Grants permission to list groups for a user from the directory that AWS SSO provides by default", + "description": "Grants permission to list groups for a user from the directory that AWS IAM Identity Center provides by default", "privilege": "ListGroupsForUser", "resource_types": [ { @@ -174768,7 +201984,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve all members that are part of a group in the directory that AWS SSO provides by default", + "description": "Grants permission to retrieve all members that are part of a group in the directory that AWS IAM Identity Center provides by default", "privilege": "ListMembersInGroup", "resource_types": [ { @@ -174804,7 +202020,7 @@ }, { "access_level": "Write", - "description": "Grants permission to remove a member that is part of a group in the directory that AWS SSO provides by default", + "description": "Grants permission to remove a member that is part of a group in the directory that AWS IAM Identity Center provides by default", "privilege": "RemoveMemberFromGroup", "resource_types": [ { @@ -174876,7 +202092,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update information about a group in the directory that AWS SSO provides by default", + "description": "Grants permission to update information about a group in the directory that AWS IAM Identity Center provides by default", "privilege": "UpdateGroup", "resource_types": [ { @@ -174912,7 +202128,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update a password by sending password reset link via email or generating one time password for a user in the directory that AWS SSO provides by default", + "description": "Grants permission to update a password by sending password reset link via email or generating one time password for a user in the directory that AWS IAM Identity Center provides by default", "privilege": "UpdatePassword", "resource_types": [ { @@ -174924,7 +202140,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update user information in the directory that AWS SSO provides by default", + "description": "Grants permission to update user information in the directory that AWS IAM Identity Center provides by default", "privilege": "UpdateUser", "resource_types": [ { @@ -174960,7 +202176,7 @@ } ], "resources": [], - "service_name": "AWS SSO Directory" + "service_name": "AWS IAM Identity Center (successor to AWS Single Sign-On) directory" }, { "conditions": [ @@ -175340,18 +202556,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters acess based on the allowed set of values for each of the tags", + "description": "Filters access by the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters acess based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters acess based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by the presence of mandatory tags in the request", + "type": "ArrayOfString" } ], "prefix": "storagegateway", @@ -175466,7 +202682,16 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ds:DescribeDirectories", + "ec2:DescribeNetworkInterfaces", + "fsx:DescribeFileSystems", + "iam:CreateServiceLinkedRole", + "logs:CreateLogDelivery", + "logs:GetLogDelivery", + "logs:ListLogDeliveries", + "logs:UpdateLogDelivery" + ], "resource_type": "gateway*" }, { @@ -175616,6 +202841,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -175628,6 +202861,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -176500,7 +203741,13 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "logs:CreateLogDelivery", + "logs:DeleteLogDelivery", + "logs:GetLogDelivery", + "logs:ListLogDeliveries", + "logs:UpdateLogDelivery" + ], "resource_type": "fs-association*" } ] @@ -176577,6 +203824,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the list of Active Directory users and groups that have special permissions for SMB file shares on the gateway", + "privilege": "UpdateSMBLocalGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the SMB security strategy on a file gateway", @@ -176598,6 +203857,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -176668,273 +203935,278 @@ "resource": "volume" } ], - "service_name": "Amazon Storage Gateway" + "service_name": "AWS Storage Gateway" }, { "conditions": [ { "condition": "accounts.google.com:aud", - "description": "Filters actions based on the Google application ID", + "description": "Filters access by the Google application ID", "type": "String" }, { "condition": "accounts.google.com:oaud", - "description": "Filters actions based on the Google audience", + "description": "Filters access by the Google audience", "type": "String" }, { "condition": "accounts.google.com:sub", - "description": "Filters actions based on the subject of the claim (the Google user ID)", + "description": "Filters access by the subject of the claim (the Google user ID)", "type": "String" }, { "condition": "aws:FederatedProvider", - "description": "Filters actions based on the IdP that was used to authenticate the user", + "description": "Filters access by the IdP that was used to authenticate the user", "type": "String" }, { "condition": "aws:PrincipalTag/${TagKey}", - "description": "Filters actions based on the tag associated with the principal that is making the request", + "description": "Filters access by the tag associated with the principal that is making the request", "type": "String" }, { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:SourceIdentity", - "description": "Filters actions based on the source identity that is set on the caller", + "description": "Filters access by the source identity that is set on the caller", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", + "description": "Filters access by the tag keys that are passed in the request", "type": "String" }, { "condition": "cognito-identity.amazonaws.com:amr", - "description": "Filters actions based on the login information for Amazon Cognito", + "description": "Filters access by the login information for Amazon Cognito", "type": "String" }, { "condition": "cognito-identity.amazonaws.com:aud", - "description": "Filters actions based on the Amazon Cognito identity pool ID", + "description": "Filters access by the Amazon Cognito identity pool ID", "type": "String" }, { "condition": "cognito-identity.amazonaws.com:sub", - "description": "Filters actions based on the subject of the claim (the Amazon Cognito user ID)", + "description": "Filters access by the subject of the claim (the Amazon Cognito user ID)", "type": "String" }, { "condition": "graph.facebook.com:app_id", - "description": "Filters actions based on the Facebook application ID", + "description": "Filters access by the Facebook application ID", "type": "String" }, { "condition": "graph.facebook.com:id", - "description": "Filters actions based on the Facebook user ID", + "description": "Filters access by the Facebook user ID", "type": "String" }, { "condition": "iam:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags that are attached to the role that is being assumed", + "description": "Filters access by the tags that are attached to the role that is being assumed", "type": "String" }, { "condition": "saml:aud", - "description": "Filters actions based on the endpoint URL to which SAML assertions are presented", + "description": "Filters access by the endpoint URL to which SAML assertions are presented", "type": "String" }, { "condition": "saml:cn", - "description": "Filters actions based on the eduOrg attribute", - "type": "String" + "description": "Filters access by the eduOrg attribute", + "type": "ArrayOfString" }, { "condition": "saml:commonName", - "description": "Filters actions based on the commonName attribute", + "description": "Filters access by the commonName attribute", "type": "String" }, { "condition": "saml:doc", - "description": "Filters actions based on the principal that was used to assume the role", + "description": "Filters access by on the principal that was used to assume the role", "type": "String" }, { "condition": "saml:eduorghomepageuri", - "description": "Filters actions based on the eduOrg attribute", - "type": "String" + "description": "Filters access by the eduOrg attribute", + "type": "ArrayOfString" }, { "condition": "saml:eduorgidentityauthnpolicyuri", - "description": "Filters actions based on the eduOrg attribute", - "type": "String" + "description": "Filters access by the eduOrg attribute", + "type": "ArrayOfString" }, { "condition": "saml:eduorglegalname", - "description": "Filters actions based on the eduOrg attribute", - "type": "String" + "description": "Filters access by the eduOrg attribute", + "type": "ArrayOfString" }, { "condition": "saml:eduorgsuperioruri", - "description": "Filters actions based on the eduOrg attribute", - "type": "String" + "description": "Filters access by the eduOrg attribute", + "type": "ArrayOfString" }, { "condition": "saml:eduorgwhitepagesuri", - "description": "Filters actions based on the eduOrg attribute", - "type": "String" + "description": "Filters access by the eduOrg attribute", + "type": "ArrayOfString" }, { "condition": "saml:edupersonaffiliation", - "description": "Filters actions based on the eduPerson attribute", - "type": "String" + "description": "Filters access by the eduPerson attribute", + "type": "ArrayOfString" }, { "condition": "saml:edupersonassurance", - "description": "Filters actions based on the eduPerson attribute", - "type": "String" + "description": "Filters access by the eduPerson attribute", + "type": "ArrayOfString" }, { "condition": "saml:edupersonentitlement", - "description": "Filters actions based on the eduPerson attribute", - "type": "String" + "description": "Filters access by the eduPerson attribute", + "type": "ArrayOfString" }, { "condition": "saml:edupersonnickname", - "description": "Filters actions based on the eduPerson attribute", - "type": "String" + "description": "Filters access by the eduPerson attribute", + "type": "ArrayOfString" }, { "condition": "saml:edupersonorgdn", - "description": "Filters actions based on the eduPerson attribute", + "description": "Filters access by the eduPerson attribute", "type": "String" }, { "condition": "saml:edupersonorgunitdn", - "description": "Filters actions based on the eduPerson attribute", - "type": "String" + "description": "Filters access by the eduPerson attribute", + "type": "ArrayOfString" }, { "condition": "saml:edupersonprimaryaffiliation", - "description": "Filters actions based on the eduPerson attribute", + "description": "Filters access by the eduPerson attribute", "type": "String" }, { "condition": "saml:edupersonprimaryorgunitdn", - "description": "Filters actions based on the eduPerson attribute", + "description": "Filters access by the eduPerson attribute", "type": "String" }, { "condition": "saml:edupersonprincipalname", - "description": "Filters actions based on the eduPerson attribute", + "description": "Filters access by the eduPerson attribute", "type": "String" }, { "condition": "saml:edupersonscopedaffiliation", - "description": "Filters actions based on the eduPerson attribute", - "type": "String" + "description": "Filters access by the eduPerson attribute", + "type": "ArrayOfString" }, { "condition": "saml:edupersontargetedid", - "description": "Filters actions based on the eduPerson attribute", - "type": "String" + "description": "Filters access by the eduPerson attribute", + "type": "ArrayOfString" }, { "condition": "saml:givenName", - "description": "Filters actions based on the givenName attribute", + "description": "Filters access by the givenName attribute", "type": "String" }, { "condition": "saml:iss", - "description": "Filters actions based on the issuer, which is represented by a URN", + "description": "Filters access by on the issuer, which is represented by a URN", "type": "String" }, { "condition": "saml:mail", - "description": "Filters actions based on the mail attribute", + "description": "Filters access by the mail attribute", "type": "String" }, { "condition": "saml:name", - "description": "Filters actions based on the name attribute", + "description": "Filters access by the name attribute", "type": "String" }, { "condition": "saml:namequalifier", - "description": "Filters actions based on the hash value of the issuer, account ID, and friendly name", + "description": "Filters access by the hash value of the issuer, account ID, and friendly name", "type": "String" }, { "condition": "saml:organizationStatus", - "description": "Filters actions based on the organizationStatus attribute", + "description": "Filters access by the organizationStatus attribute", "type": "String" }, { "condition": "saml:primaryGroupSID", - "description": "Filters actions based on the primaryGroupSID attribute", + "description": "Filters access by the primaryGroupSID attribute", "type": "String" }, { "condition": "saml:sub", - "description": "Filters actions based on the subject of the claim (the SAML user ID)", + "description": "Filters access by the subject of the claim (the SAML user ID)", "type": "String" }, { "condition": "saml:sub_type", - "description": "Filters actions based on the value persistent, transient, or the full Format URI", + "description": "Filters access by the value persistent, transient, or the full Format URI", "type": "String" }, { "condition": "saml:surname", - "description": "Filters actions based on the surname attribute", + "description": "Filters access by the surname attribute", "type": "String" }, { "condition": "saml:uid", - "description": "Filters actions based on the uid attribute", + "description": "Filters access by the uid attribute", "type": "String" }, { "condition": "saml:x500UniqueIdentifier", - "description": "Filters actions based on the uid attribute", + "description": "Filters access by the uid attribute", + "type": "String" + }, + { + "condition": "sts:AWSServiceName", + "description": "Filters access by the service that is obtaining a bearer token", "type": "String" }, { "condition": "sts:ExternalId", - "description": "Filters actions based on the unique identifier required when you assume a role in another account", + "description": "Filters access by the unique identifier required when you assume a role in another account", "type": "String" }, { "condition": "sts:RoleSessionName", - "description": "Filters actions based on the role session name required when you assume a role", + "description": "Filters access by the role session name required when you assume a role", "type": "String" }, { "condition": "sts:SourceIdentity", - "description": "Filters actions based on the source identity that is passed in the request", + "description": "Filters access by the source identity that is passed in the request", "type": "String" }, { "condition": "sts:TransitiveTagKeys", - "description": "Filters actions based on the transitive tag keys that are passed in the request", + "description": "Filters access by the transitive tag keys that are passed in the request", "type": "String" }, { "condition": "www.amazon.com:app_id", - "description": "Filters actions based on the Login with Amazon application ID", + "description": "Filters access by the Login with Amazon application ID", "type": "String" }, { "condition": "www.amazon.com:user_id", - "description": "Filters actions based on the Login with Amazon user ID", + "description": "Filters access by the Login with Amazon user ID", "type": "String" } ], @@ -176942,7 +204214,7 @@ "privileges": [ { "access_level": "Write", - "description": "Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to", + "description": "Grants permission to obtain a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to", "privilege": "AssumeRole", "resource_types": [ { @@ -176969,7 +204241,7 @@ }, { "access_level": "Write", - "description": "Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response", + "description": "Grants permission to obtain a set of temporary security credentials for users who have been authenticated via a SAML authentication response", "privilege": "AssumeRoleWithSAML", "resource_types": [ { @@ -177025,7 +204297,7 @@ }, { "access_level": "Write", - "description": "Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider", + "description": "Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider", "privilege": "AssumeRoleWithWebIdentity", "resource_types": [ { @@ -177059,7 +204331,7 @@ }, { "access_level": "Write", - "description": "Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request", + "description": "Grants permission to decode additional information about the authorization status of a request from an encoded message returned in response to an AWS request", "privilege": "DecodeAuthorizationMessage", "resource_types": [ { @@ -177071,7 +204343,7 @@ }, { "access_level": "Read", - "description": "Returns details about the access key id passed as a parameter to the request.", + "description": "Grants permission to obtain details about the access key id passed as a parameter to the request", "privilege": "GetAccessKeyInfo", "resource_types": [ { @@ -177083,7 +204355,7 @@ }, { "access_level": "Read", - "description": "Returns details about the IAM identity whose credentials are used to call the API", + "description": "Grants permission to obtain details about the IAM identity whose credentials are used to call the API", "privilege": "GetCallerIdentity", "resource_types": [ { @@ -177095,7 +204367,7 @@ }, { "access_level": "Read", - "description": "Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user", + "description": "Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user", "privilege": "GetFederationToken", "resource_types": [ { @@ -177116,11 +204388,13 @@ }, { "access_level": "Read", - "description": "Returns a STS bearer token for an AWS root user, IAM role, or an IAM user", + "description": "Grants permission to obtain a STS bearer token for an AWS root user, IAM role, or an IAM user", "privilege": "GetServiceBearerToken", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "sts:AWSServiceName" + ], "dependent_actions": [], "resource_type": "" } @@ -177128,7 +204402,7 @@ }, { "access_level": "Read", - "description": "Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an AWS account or IAM user", + "description": "Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an AWS account or IAM user", "privilege": "GetSessionToken", "resource_types": [ { @@ -177213,7 +204487,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grant login access to the Sumerian console.", + "description": "Grants permission to log into the Sumerian console", "privilege": "Login", "resource_types": [ { @@ -177225,7 +204499,7 @@ }, { "access_level": "Read", - "description": "Grant access to view a project release.", + "description": "Grants permission to view a project release", "privilege": "ViewRelease", "resource_types": [ { @@ -177517,106 +204791,121 @@ "resources": [], "service_name": "AWS Support" }, + { + "conditions": [], + "prefix": "sustainability", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to view the carbon footprint tool", + "privilege": "GetCarbonFootprintSummary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Sustainability" + }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Tag for request.", + "description": "Filters access by tag of the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Tag for resource.", + "description": "Filters access by tag of the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Tag for key.", - "type": "String" + "description": "Filters access by tag of the key", + "type": "ArrayOfString" }, { "condition": "swf:activityType.name", - "description": "Constrains the policy statement to only an activity type of the specified name.", + "description": "Filters access by the name of the activity type", "type": "String" }, { "condition": "swf:activityType.version", - "description": "Contstrains the policy statement to only an activity type of the specified version.", + "description": "Filters access by the version of the activity type", "type": "String" }, { "condition": "swf:defaultTaskList.name", - "description": "Constrains the policy statement to only requests that specify a matching defaultTaskList name.", + "description": "Filters access by the name of the default task list", "type": "String" }, { "condition": "swf:name", - "description": "Constrains the policy statement to only activities or workflows with the specified name.", + "description": "Filters access by the name of activities or workflows", "type": "String" }, { "condition": "swf:tagFilter.tag", - "description": "Constrains the policy statement to only requests that specify a matching tagFilter.tag value.", + "description": "Filters access by the value of tagFilter.tag", "type": "String" }, { "condition": "swf:tagList.member.0", - "description": "Constrains the policy statement to only requests that contain the specified tag.", + "description": "Filters access by the specified tag", "type": "String" }, { "condition": "swf:tagList.member.1", - "description": "Constrains the policy statement to only requests that contain the specified tag.", + "description": "Filters access by the specified tag", "type": "String" }, { "condition": "swf:tagList.member.2", - "description": "Constrains the policy statement to only requests that contain the specified tag.", + "description": "Filters access by the specified tag", "type": "String" }, { "condition": "swf:tagList.member.3", - "description": "Constrains the policy statement to only requests that contain the specified tag.", + "description": "Filters access by the specified tag", "type": "String" }, { "condition": "swf:tagList.member.4", - "description": "Constrains the policy statement to only requests that contain the specified tag.", + "description": "Filters access by the specified tag", "type": "String" }, { "condition": "swf:taskList.name", - "description": "Constrains the policy statement to only requests that specify a tasklist with the specified name.", + "description": "Filters access by the name of the tasklist", "type": "String" }, { "condition": "swf:typeFilter.name", - "description": "Constrains the policy statement to only requests that specify a type filter with the specified name.", + "description": "Filters access by the name of the type filter", "type": "String" }, { "condition": "swf:typeFilter.version", - "description": "Constrains the policy statement to only requests that specify a type filter with the specified version.", + "description": "Filters access by the version of the type filter", "type": "String" }, { "condition": "swf:version", - "description": "Constrains the policy statement to only activities or workflows with the specified version.", + "description": "Filters access by the version of activities or workflows", "type": "String" }, { "condition": "swf:workflowType.name", - "description": "Constrains the policy statement to only a workflow of the specified type.", - "type": "String" - }, - { - "condition": "swf:workflowType.name", - "description": "Constrains the policy statement to only requests that specify a workflow type of the specified name.", + "description": "Filters access by the name of the workflow type", "type": "String" }, { "condition": "swf:workflowType.version", - "description": "Constrains the policy statement to only requests that specify a workflow type of the specified version.", + "description": "Filters access by the version of the workflow type", "type": "String" } ], @@ -177624,7 +204913,7 @@ "privileges": [ { "access_level": "Write", - "description": "Description for CancelTimer", + "description": "Grants permission to cancel a previously started timer and record a TimerCanceled event in the history", "privilege": "CancelTimer", "resource_types": [ { @@ -177636,7 +204925,7 @@ }, { "access_level": "Write", - "description": "Description for CancelWorkflowExecution", + "description": "Grants permission to close the workflow execution and record a WorkflowExecutionCanceled event in the history", "privilege": "CancelWorkflowExecution", "resource_types": [ { @@ -177648,7 +204937,7 @@ }, { "access_level": "Write", - "description": "Description for CompleteWorkflowExecution", + "description": "Grants permission to close the workflow execution and record a WorkflowExecutionCompleted event in the history", "privilege": "CompleteWorkflowExecution", "resource_types": [ { @@ -177660,7 +204949,7 @@ }, { "access_level": "Write", - "description": "Description for ContinueAsNewWorkflowExecution", + "description": "Grants permission to close the workflow execution and start a new workflow execution of the same type using the same workflow ID and a unique run Id", "privilege": "ContinueAsNewWorkflowExecution", "resource_types": [ { @@ -177672,7 +204961,7 @@ }, { "access_level": "Read", - "description": "Returns the number of closed workflow executions within the given domain that meet the specified filtering criteria.", + "description": "Grants permission to return the number of closed workflow executions within the given domain that meet the specified filtering criteria", "privilege": "CountClosedWorkflowExecutions", "resource_types": [ { @@ -177693,7 +204982,7 @@ }, { "access_level": "Read", - "description": "Returns the number of open workflow executions within the given domain that meet the specified filtering criteria.", + "description": "Grants permission to return the number of open workflow executions within the given domain that meet the specified filtering criteria", "privilege": "CountOpenWorkflowExecutions", "resource_types": [ { @@ -177714,7 +205003,7 @@ }, { "access_level": "Read", - "description": "Returns the estimated number of activity tasks in the specified task list.", + "description": "Grants permission to return the estimated number of activity tasks in the specified task list", "privilege": "CountPendingActivityTasks", "resource_types": [ { @@ -177733,7 +205022,7 @@ }, { "access_level": "Read", - "description": "Returns the estimated number of decision tasks in the specified task list.", + "description": "Grants permission to return the estimated number of decision tasks in the specified task list", "privilege": "CountPendingDecisionTasks", "resource_types": [ { @@ -177752,7 +205041,7 @@ }, { "access_level": "Write", - "description": "Deprecates the specified activity type.", + "description": "Grants permission to deprecate the specified activity type", "privilege": "DeprecateActivityType", "resource_types": [ { @@ -177772,7 +205061,7 @@ }, { "access_level": "Write", - "description": "Deprecates the specified domain.", + "description": "Grants permission to deprecate the specified domain", "privilege": "DeprecateDomain", "resource_types": [ { @@ -177784,7 +205073,7 @@ }, { "access_level": "Write", - "description": "Deprecates the specified workflow type.", + "description": "Grants permission to deprecate the specified workflow type", "privilege": "DeprecateWorkflowType", "resource_types": [ { @@ -177804,7 +205093,7 @@ }, { "access_level": "Read", - "description": "Returns information about the specified activity type.", + "description": "Grants permission to return information about the specified activity type", "privilege": "DescribeActivityType", "resource_types": [ { @@ -177824,7 +205113,7 @@ }, { "access_level": "Read", - "description": "Returns information about the specified domain, including description and status.", + "description": "Grants permission to return information about the specified domain, including its description and status", "privilege": "DescribeDomain", "resource_types": [ { @@ -177836,7 +205125,7 @@ }, { "access_level": "Read", - "description": "Returns information about the specified workflow execution including its type and some statistics.", + "description": "Grants permission to return information about the specified workflow execution including its type and some statistics", "privilege": "DescribeWorkflowExecution", "resource_types": [ { @@ -177848,7 +205137,7 @@ }, { "access_level": "Read", - "description": "Returns information about the specified workflow type.", + "description": "Grants permission to return information about the specified workflow type", "privilege": "DescribeWorkflowType", "resource_types": [ { @@ -177868,7 +205157,7 @@ }, { "access_level": "Write", - "description": "Description for FailWorkflowExecution", + "description": "Grants permission to close the workflow execution and record a WorkflowExecutionFailed event in the history", "privilege": "FailWorkflowExecution", "resource_types": [ { @@ -177880,7 +205169,7 @@ }, { "access_level": "Read", - "description": "Returns the history of the specified workflow execution.", + "description": "Grants permission to return the history of the specified workflow execution", "privilege": "GetWorkflowExecutionHistory", "resource_types": [ { @@ -177892,7 +205181,7 @@ }, { "access_level": "List", - "description": "Returns information about all activities registered in the specified domain that match the specified name and registration status.", + "description": "Grants permission to return information about all activities registered in the specified domain that match the specified name and registration status", "privilege": "ListActivityTypes", "resource_types": [ { @@ -177904,7 +205193,7 @@ }, { "access_level": "List", - "description": "Returns a list of closed workflow executions in the specified domain that meet the filtering criteria.", + "description": "Grants permission to return a list of closed workflow executions in the specified domain that meet the filtering criteria", "privilege": "ListClosedWorkflowExecutions", "resource_types": [ { @@ -177925,7 +205214,7 @@ }, { "access_level": "List", - "description": "Returns the list of domains registered in the account.", + "description": "Grants permission to return the list of domains registered in the account", "privilege": "ListDomains", "resource_types": [ { @@ -177937,7 +205226,7 @@ }, { "access_level": "List", - "description": "Returns a list of open workflow executions in the specified domain that meet the filtering criteria.", + "description": "Grants permission to return a list of open workflow executions in the specified domain that meet the filtering criteria", "privilege": "ListOpenWorkflowExecutions", "resource_types": [ { @@ -177958,7 +205247,7 @@ }, { "access_level": "List", - "description": "This action lists tags for an AWS SWF resource.", + "description": "Grants permission to list tags for an AWS SWF resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -177970,7 +205259,7 @@ }, { "access_level": "List", - "description": "Returns information about workflow types in the specified domain.", + "description": "Grants permission to return information about workflow types in the specified domain", "privilege": "ListWorkflowTypes", "resource_types": [ { @@ -177982,7 +205271,7 @@ }, { "access_level": "Write", - "description": "Used by workers to get an ActivityTask from the specified activity taskList.", + "description": "Grants permission to workers to get an ActivityTask from the specified activity taskList", "privilege": "PollForActivityTask", "resource_types": [ { @@ -178001,7 +205290,7 @@ }, { "access_level": "Write", - "description": "Used by deciders to get a DecisionTask from the specified decision taskList.", + "description": "Grants permission to deciders to get a DecisionTask from the specified decision taskList", "privilege": "PollForDecisionTask", "resource_types": [ { @@ -178020,7 +205309,7 @@ }, { "access_level": "Write", - "description": "Used by activity workers to report to the service that the ActivityTask represented by the specified taskToken is still making progress.", + "description": "Grants permission to workers to report to the service that the ActivityTask represented by the specified taskToken is still making progress", "privilege": "RecordActivityTaskHeartbeat", "resource_types": [ { @@ -178032,7 +205321,7 @@ }, { "access_level": "Write", - "description": "Description for RecordMarker", + "description": "Grants permission to record a MarkerRecorded event in the history", "privilege": "RecordMarker", "resource_types": [ { @@ -178044,7 +205333,7 @@ }, { "access_level": "Write", - "description": "Registers a new activity type along with its configuration settings in the specified domain.", + "description": "Grants permission to register a new activity type along with its configuration settings in the specified domain", "privilege": "RegisterActivityType", "resource_types": [ { @@ -178065,7 +205354,7 @@ }, { "access_level": "Write", - "description": "Registers a new domain.", + "description": "Grants permission to register a new domain", "privilege": "RegisterDomain", "resource_types": [ { @@ -178080,7 +205369,7 @@ }, { "access_level": "Write", - "description": "Registers a new workflow type and its configuration settings in the specified domain.", + "description": "Grants permission to register a new workflow type and its configuration settings in the specified domain", "privilege": "RegisterWorkflowType", "resource_types": [ { @@ -178101,7 +205390,7 @@ }, { "access_level": "Write", - "description": "Description for RequestCancelActivityTask", + "description": "Grants permission to attempt to cancel a previously scheduled activity task", "privilege": "RequestCancelActivityTask", "resource_types": [ { @@ -178113,7 +205402,7 @@ }, { "access_level": "Write", - "description": "Description for RequestCancelExternalWorkflowExecution", + "description": "Grants permission to request that a request be made to cancel the specified external workflow execution", "privilege": "RequestCancelExternalWorkflowExecution", "resource_types": [ { @@ -178125,7 +205414,7 @@ }, { "access_level": "Write", - "description": "Records a WorkflowExecutionCancelRequested event in the currently running workflow execution identified by the given domain, workflowId, and runId.", + "description": "Grants permission to record a WorkflowExecutionCancelRequested event in the currently running workflow execution identified by the given domain, workflowId, and runId", "privilege": "RequestCancelWorkflowExecution", "resource_types": [ { @@ -178137,7 +205426,7 @@ }, { "access_level": "Write", - "description": "Used by workers to tell the service that the ActivityTask identified by the taskToken was successfully canceled.", + "description": "Grants permission to workers to tell the service that the ActivityTask identified by the taskToken was successfully canceled", "privilege": "RespondActivityTaskCanceled", "resource_types": [ { @@ -178149,7 +205438,7 @@ }, { "access_level": "Write", - "description": "Used by workers to tell the service that the ActivityTask identified by the taskToken completed successfully with a result (if provided).", + "description": "Grants permission to workers to tell the service that the ActivityTask identified by the taskToken completed successfully with a result (if provided)", "privilege": "RespondActivityTaskCompleted", "resource_types": [ { @@ -178177,7 +205466,7 @@ }, { "access_level": "Write", - "description": "Used by workers to tell the service that the ActivityTask identified by the taskToken has failed with reason (if specified).", + "description": "Grants permission to workers to tell the service that the ActivityTask identified by the taskToken has failed with reason (if specified)", "privilege": "RespondActivityTaskFailed", "resource_types": [ { @@ -178189,7 +205478,7 @@ }, { "access_level": "Write", - "description": "Used by deciders to tell the service that the DecisionTask identified by the taskToken has successfully completed.", + "description": "Grants permission to deciders to tell the service that the DecisionTask identified by the taskToken has successfully completed", "privilege": "RespondDecisionTaskCompleted", "resource_types": [ { @@ -178201,7 +205490,7 @@ }, { "access_level": "Write", - "description": "Description for ScheduleActivityTask", + "description": "Grants permission to schedule an activity task", "privilege": "ScheduleActivityTask", "resource_types": [ { @@ -178213,7 +205502,7 @@ }, { "access_level": "Write", - "description": "Description for SignalExternalWorkflowExecution", + "description": "Grants permission to request a signal to be delivered to the specified external workflow execution and records", "privilege": "SignalExternalWorkflowExecution", "resource_types": [ { @@ -178225,7 +205514,7 @@ }, { "access_level": "Write", - "description": "Records a WorkflowExecutionSignaled event in the workflow execution history and creates a decision task for the workflow execution identified by the given domain, workflowId and runId.", + "description": "Grants permission to record a WorkflowExecutionSignaled event in the workflow execution history and create a decision task for the workflow execution identified by the given domain, workflowId and runId", "privilege": "SignalWorkflowExecution", "resource_types": [ { @@ -178237,7 +205526,7 @@ }, { "access_level": "Write", - "description": "Description for StartChildWorkflowExecution", + "description": "Grants permission to request that a child workflow execution be started", "privilege": "StartChildWorkflowExecution", "resource_types": [ { @@ -178249,7 +205538,7 @@ }, { "access_level": "Write", - "description": "Description for StartTimer", + "description": "Grants permission to start a timer for a workflow execution", "privilege": "StartTimer", "resource_types": [ { @@ -178261,7 +205550,7 @@ }, { "access_level": "Write", - "description": "Starts an execution of the workflow type in the specified domain using the provided workflowId and input data.", + "description": "Grants permission to start an execution of the workflow type in the specified domain using the provided workflowId and input data", "privilege": "StartWorkflowExecution", "resource_types": [ { @@ -178287,7 +205576,7 @@ }, { "access_level": "Tagging", - "description": "This action tags an AWS SWF resource.", + "description": "Grants permission to tag an AWS SWF resource", "privilege": "TagResource", "resource_types": [ { @@ -178307,7 +205596,7 @@ }, { "access_level": "Write", - "description": "Records a WorkflowExecutionTerminated event and forces closure of the workflow execution identified by the given domain, runId, and workflowId.", + "description": "Grants permission to record a WorkflowExecutionTerminated event and force closure of the workflow execution identified by the given domain, runId, and workflowId", "privilege": "TerminateWorkflowExecution", "resource_types": [ { @@ -178319,7 +205608,7 @@ }, { "access_level": "Write", - "description": "Undeprecates a previously deprecated activity type.", + "description": "Grants permission to undeprecate a previously deprecated activity type", "privilege": "UndeprecateActivityType", "resource_types": [ { @@ -178339,7 +205628,7 @@ }, { "access_level": "Write", - "description": "Undeprecates a previously deprecated domain.", + "description": "Grants permission to undeprecate a previously deprecated domain", "privilege": "UndeprecateDomain", "resource_types": [ { @@ -178351,7 +205640,7 @@ }, { "access_level": "Write", - "description": "Undeprecates a previously deprecated workflow type.", + "description": "Grants permission to undeprecate a previously deprecated workflow type", "privilege": "UndeprecateWorkflowType", "resource_types": [ { @@ -178371,7 +205660,7 @@ }, { "access_level": "Tagging", - "description": "This action removes a tag from an AWS SWF resource.", + "description": "Grants permission to remove a tag from an AWS SWF resource", "privilege": "UntagResource", "resource_types": [ { @@ -178402,21 +205691,74 @@ }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, { "condition": "aws:ResourceTag/${TagKey}", "description": "Filters access based on the tags associated with the resource", "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "ArrayOfString" + }, + { + "condition": "synthetics:Names", + "description": "Filters access based on the name of the canary", + "type": "ArrayOfString" } ], "prefix": "synthetics", "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate a resource with a group", + "privilege": "AssociateResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a canary", "privilege": "CreateCanary", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a group", + "privilege": "CreateGroup", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -178431,6 +205773,34 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "canary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a group", + "privilege": "DeleteGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -178440,7 +205810,9 @@ "privilege": "DescribeCanaries", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "synthetics:Names" + ], "dependent_actions": [], "resource_type": "" } @@ -178452,7 +205824,9 @@ "privilege": "DescribeCanariesLastRun", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "synthetics:Names" + ], "dependent_actions": [], "resource_type": "" } @@ -178464,45 +205838,158 @@ "privilege": "DescribeRuntimeVersions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a resource from a group", + "privilege": "DisassociateResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the details of a canary", + "privilege": "GetCanary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "canary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list information about all the test runs associated with a canary", + "privilege": "GetCanaryRuns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "canary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the details of a group", + "privilege": "GetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list information about the associated groups of a canary", + "privilege": "ListAssociatedGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "canary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a canary details", - "privilege": "GetCanary", + "access_level": "List", + "description": "Grants permission to list information about canaries in a group", + "privilege": "ListGroupResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "canary*" + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to list information about all the test runs associated with a canary", - "privilege": "GetCanaryRuns", + "access_level": "List", + "description": "Grants permission to list information of all groups", + "privilege": "ListGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "canary*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list all tags and values associated with a canary", + "description": "Grants permission to list all tags and values associated with a resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "canary" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group" } ] }, @@ -178515,6 +206002,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "canary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -178527,30 +206022,64 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "canary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add one or more tags to a canary", + "description": "Grants permission to add one or more tags to a resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "canary" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from a canary", + "description": "Grants permission to remove one or more tags from a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "canary" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -178563,6 +206092,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "canary*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] } @@ -178574,6 +206111,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "canary" + }, + { + "arn": "arn:${Partition}:synthetics:${Region}:${Account}:group:${GroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "group" } ], "service_name": "Amazon CloudWatch Synthetics" @@ -178682,6 +206226,38 @@ "resources": [], "service_name": "Amazon Resource Group Tagging API" }, + { + "conditions": [], + "prefix": "tax", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to view tax exemptions data", + "privilege": "GetExemptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update tax exemptions data", + "privilege": "UpdateExemptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Tax Settings" + }, { "conditions": [], "prefix": "textract", @@ -178714,6 +206290,20 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to detect relevant information from identity documents provided as input", + "privilege": "AnalyzeID", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:GetObject" + ], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to detect text in document images", @@ -178814,42 +206404,46 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the presence of tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "timestream", "privileges": [ { "access_level": "Write", - "description": "Grants Permission to cancel queries in your account", + "description": "Grants permission to cancel queries in your account", "privilege": "CancelQuery", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to create a database in your account.", + "description": "Grants permission to create a database in your account", "privilege": "CreateDatabase", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "database*" }, { @@ -178864,174 +206458,32 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a table in your account.", - "privilege": "CreateTable", + "description": "Grants permission to create a scheduled query in your account", + "privilege": "CreateScheduledQuery", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "iam:PassRole", + "timestream:DescribeEndpoints" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete a database in your account.", - "privilege": "DeleteDatabase", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permissions to delete a table in your account.", - "privilege": "DeleteTable", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permissions to describe a database in your account.", - "privilege": "DescribeDatabase", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permissions to describe timestream endpoints.", - "privilege": "DescribeEndpoints", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants Permissions to describe a table in your account", - "privilege": "DescribeTable", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "List", - "description": "Grants Permission to list databases in your account", - "privilege": "ListDatabases", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants Permissions to list measures of a table in your account", - "privilege": "ListMeasures", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "List", - "description": "Grants Permission to list tables in your account", - "privilege": "ListTables", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permissions to list tags of a resource in your account.", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants Permission to issue 'select from table' queries", - "privilege": "Select", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants Permissions to issue 'select 1' queries", - "privilege": "SelectValues", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permissions to add tags to a resource.", - "privilege": "TagResource", + "description": "Grants permission to create a table in your account", + "privilege": "CreateTable", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "table*" }, { @@ -179045,108 +206497,65 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permissions to remove a tag from a resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to delete a database in your account", + "privilege": "DeleteDatabase", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "aws:TagKeys" + "dependent_actions": [ + "timestream:DescribeEndpoints" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permissions to update a database in your account.", - "privilege": "UpdateDatabase", + "description": "Grants permission to delete a scheduled query in your account", + "privilege": "DeleteScheduledQuery", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "scheduled-query*" } ] }, { "access_level": "Write", - "description": "Grants permissions to update a table in your account.", - "privilege": "UpdateTable", + "description": "Grants permission to delete a table in your account", + "privilege": "DeleteTable", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "table*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to ingest data to a table in your account.", - "privilege": "WriteRecords", + "access_level": "Read", + "description": "Grants permission to describe a database in your account", + "privilege": "DescribeDatabase", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "database*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:timestream:${Region}:${Account}:database/${DatabaseName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "database" - }, - { - "arn": "arn:${Partition}:timestream:${Region}:${Account}:database/${DatabaseName}/table/${TableName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "table" - } - ], - "service_name": "AWS Timestream" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "timestream", - "privileges": [ - { - "access_level": "Write", - "description": "Grants Permission to cancel queries in your account", - "privilege": "CancelQuery", + "access_level": "List", + "description": "Grants permission to describe timestream endpoints", + "privilege": "DescribeEndpoints", "resource_types": [ { "condition_keys": [], @@ -179156,192 +206565,187 @@ ] }, { - "access_level": "Write", - "description": "Grants permissions to create a database in your account.", - "privilege": "CreateDatabase", + "access_level": "Read", + "description": "Grants permission to describe a scheduled query in your account", + "privilege": "DescribeScheduledQuery", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "timestream:DescribeEndpoints" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "scheduled-query*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a table in your account.", - "privilege": "CreateTable", + "access_level": "Read", + "description": "Grants permission to describe a table in your account", + "privilege": "DescribeTable", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "timestream:DescribeEndpoints" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete a database in your account.", - "privilege": "DeleteDatabase", + "description": "Grants permission to execute a scheduled query in your account", + "privilege": "ExecuteScheduledQuery", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "scheduled-query*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a table in your account.", - "privilege": "DeleteTable", + "access_level": "List", + "description": "Grants permission to list databases in your account", + "privilege": "ListDatabases", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to describe a database in your account.", - "privilege": "DescribeDatabase", + "access_level": "List", + "description": "Grants permission to list measures of a table in your account", + "privilege": "ListMeasures", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "table*" } ] }, { "access_level": "List", - "description": "Grants permissions to describe timestream endpoints.", - "privilege": "DescribeEndpoints", + "description": "Grants permission to list scheduled queries in your account", + "privilege": "ListScheduledQueries", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants Permissions to describe a table in your account", - "privilege": "DescribeTable", + "access_level": "List", + "description": "Grants permission to list tables in your account", + "privilege": "ListTables", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "database*" } ] }, { - "access_level": "List", - "description": "Grants Permission to list databases in your account", - "privilege": "ListDatabases", + "access_level": "Read", + "description": "Grants permission to list tags of a resource in your account", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants Permissions to list measures of a table in your account", - "privilege": "ListMeasures", - "resource_types": [ + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "List", - "description": "Grants Permission to list tables in your account", - "privilege": "ListTables", - "resource_types": [ + "resource_type": "scheduled-query*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "table*" } ] }, { - "access_level": "List", - "description": "Grants permissions to list tags of a resource in your account.", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to issue prepare queries", + "privilege": "PrepareQuery", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints", + "timestream:Select" + ], "resource_type": "table*" } ] }, { "access_level": "Read", - "description": "Grants Permission to issue 'select from table' queries", + "description": "Grants permission to issue 'select from table' queries", "privilege": "Select", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "table*" } ] }, { "access_level": "Read", - "description": "Grants Permissions to issue 'select 1' queries", + "description": "Grants permission to issue 'select 1' queries", "privilege": "SelectValues", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permissions to add tags to a resource.", + "description": "Grants permission to add tags to a resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "database*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduled-query*" + }, { "condition_keys": [], "dependent_actions": [], @@ -179359,14 +206763,21 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to remove a tag from a resource.", + "description": "Grants permission to remove a tag from a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "database*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "scheduled-query*" + }, { "condition_keys": [], "dependent_actions": [], @@ -179383,36 +206794,56 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a database in your account.", + "description": "Grants permission to update a database in your account", "privilege": "UpdateDatabase", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permissions to update a table in your account.", + "description": "Grants permission to update a scheduled query in your account", + "privilege": "UpdateScheduledQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], + "resource_type": "scheduled-query*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a table in your account", "privilege": "UpdateTable", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Grants permissions to ingest data to a table in your account.", + "description": "Grants permission to ingest data to a table in your account", "privilege": "WriteRecords", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "timestream:DescribeEndpoints" + ], "resource_type": "table*" } ] @@ -179432,6 +206863,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "table" + }, + { + "arn": "arn:${Partition}:timestream:${Region}:${Account}:scheduled-query/${ScheduledQueryName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "scheduled-query" } ], "service_name": "Amazon Timestream" @@ -179482,6 +206920,21 @@ }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by requiring tag values present in a resource creation request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by requiring tag value associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by requiring the presence of mandatory tags in the request", + "type": "ArrayOfString" + }, { "condition": "transcribe:OutputBucketName", "description": "Filters access based on the output bucket name included in the request", @@ -179496,6 +206949,11 @@ "condition": "transcribe:OutputKey", "description": "Filters access based on the output key included in the request", "type": "String" + }, + { + "condition": "transcribe:OutputLocation", + "description": "Filters access based on the output location included in the request", + "type": "String" } ], "prefix": "transcribe", @@ -179518,7 +206976,10 @@ "privilege": "CreateLanguageModel", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [ "s3:GetObject", "s3:ListBucket" @@ -179533,7 +206994,10 @@ "privilege": "CreateMedicalVocabulary", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [ "s3:GetObject" ], @@ -179547,7 +207011,10 @@ "privilege": "CreateVocabulary", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [ "s3:GetObject" ], @@ -179561,7 +207028,10 @@ "privilege": "CreateVocabularyFilter", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [ "s3:GetObject" ], @@ -179601,7 +207071,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "languagemodel*" } ] }, @@ -179613,7 +207083,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "medicaltranscriptionjob*" } ] }, @@ -179625,7 +207095,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "medicalvocabulary*" } ] }, @@ -179637,7 +207107,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "transcriptionjob*" } ] }, @@ -179649,7 +207119,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vocabulary*" } ] }, @@ -179661,7 +207131,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vocabularyfilter*" } ] }, @@ -179673,7 +207143,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "languagemodel*" } ] }, @@ -179709,7 +207179,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "medicaltranscriptionjob*" } ] }, @@ -179721,7 +207191,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "medicalvocabulary*" } ] }, @@ -179733,7 +207203,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "transcriptionjob*" } ] }, @@ -179745,7 +207215,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vocabulary*" } ] }, @@ -179757,7 +207227,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vocabularyfilter*" } ] }, @@ -179821,6 +207291,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list transcription jobs with the specified status", @@ -179863,7 +207345,10 @@ "privilege": "StartCallAnalyticsJob", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "transcribe:OutputEncryptionKMSKeyId", + "transcribe:OutputLocation" + ], "dependent_actions": [ "s3:GetObject" ], @@ -179901,7 +207386,13 @@ "privilege": "StartMedicalTranscriptionJob", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "transcribe:OutputBucketName", + "transcribe:OutputEncryptionKMSKeyId", + "transcribe:OutputKey", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [ "s3:GetObject" ], @@ -179942,7 +207433,9 @@ "condition_keys": [ "transcribe:OutputBucketName", "transcribe:OutputEncryptionKMSKeyId", - "transcribe:OutputKey" + "transcribe:OutputKey", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [ "s3:GetObject" @@ -179951,6 +207444,35 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource with given key value pairs", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource with given key", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the call analytics category with new values. The UpdateCallAnalyticsCategory operation overwrites all of the existing information with the values that you provide in the request", @@ -179973,7 +207495,7 @@ "dependent_actions": [ "s3:GetObject" ], - "resource_type": "" + "resource_type": "medicalvocabulary*" } ] }, @@ -179987,7 +207509,7 @@ "dependent_actions": [ "s3:GetObject" ], - "resource_type": "" + "resource_type": "vocabulary*" } ] }, @@ -180001,55 +207523,105 @@ "dependent_actions": [ "s3:GetObject" ], - "resource_type": "" + "resource_type": "vocabularyfilter*" } ] } ], - "resources": [], + "resources": [ + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:transcription-job/${JobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "transcriptionjob" + }, + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:vocabulary/${VocabularyName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "vocabulary" + }, + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:vocabulary-filter/${VocabularyFilterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "vocabularyfilter" + }, + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:language-model/${ModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "languagemodel" + }, + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:medical-transcription-job/${JobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "medicaltranscriptionjob" + }, + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:medical-vocabulary/${VocabularyName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "medicalvocabulary" + }, + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:analytics-job/${JobName}", + "condition_keys": [], + "resource": "callanalyticsjob" + }, + { + "arn": "arn:${Partition}:transcribe:${Region}:${Account}:analytics-category/${CategoryName}", + "condition_keys": [], + "resource": "callanalyticscategory" + } + ], "service_name": "Amazon Transcribe" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "transfer", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a server", - "privilege": "CreateServer", + "description": "Grants permission to add an access associated with a server", + "privilege": "CreateAccess", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [ "iam:PassRole" ], - "resource_type": "" + "resource_type": "server*" } ] }, { "access_level": "Write", - "description": "Grants permission to add a user associated with a server", - "privilege": "CreateUser", + "description": "Grants permission to add an agreement associated with a server", + "privilege": "CreateAgreement", "resource_types": [ { "condition_keys": [], @@ -180070,145 +207642,94 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a server", - "privilege": "DeleteServer", + "description": "Grants permission to create a connector", + "privilege": "CreateConnector", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "server*" + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an SSH public key from a user", - "privilege": "DeleteSshPublicKey", + "description": "Grants permission to create a profile", + "privilege": "CreateProfile", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a user associated with a server", - "privilege": "DeleteUser", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a security policy", - "privilege": "DescribeSecurityPolicy", + "description": "Grants permission to create a server", + "privilege": "CreateServer", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:PassRole" + ], "resource_type": "" } ] }, - { - "access_level": "Read", - "description": "Grants permission to describe a server", - "privilege": "DescribeServer", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "server*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a user associated with a server", - "privilege": "DescribeUser", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" - } - ] - }, { "access_level": "Write", - "description": "Grants permission to add an SSH public key to a user", - "privilege": "ImportSshPublicKey", + "description": "Grants permission to add a user associated with a server", + "privilege": "CreateUser", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list security policies", - "privilege": "ListSecurityPolicies", - "resource_types": [ + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "server*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list servers", - "privilege": "ListServers", + "access_level": "Write", + "description": "Grants permission to create a workflow", + "privilege": "CreateWorkflow", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "Read", - "description": "Grants permission to list tags for a server or a user", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "server" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list users associated with a server", - "privilege": "ListUsers", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "server*" - } - ] - }, { "access_level": "Write", - "description": "Grants permission to start a server", - "privilege": "StartServer", + "description": "Grants permission to delete access", + "privilege": "DeleteAccess", "resource_types": [ { "condition_keys": [], @@ -180219,228 +207740,104 @@ }, { "access_level": "Write", - "description": "Grants permission to stop a server", - "privilege": "StopServer", + "description": "Grants permission to delete agreement", + "privilege": "DeleteAgreement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "server*" + "resource_type": "agreement*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a server or a user", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to delete certificate", + "privilege": "DeleteCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "server" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "certificate*" } ] }, { - "access_level": "Read", - "description": "Grants permission to test a server's custom identity provider", - "privilege": "TestIdentityProvider", + "access_level": "Write", + "description": "Grants permission to delete connector", + "privilege": "DeleteConnector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "connector*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a server or a user", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to delete profile", + "privilege": "DeleteProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "server" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "profile*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the configuration of a server", - "privilege": "UpdateServer", + "description": "Grants permission to delete a server", + "privilege": "DeleteServer", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], + "dependent_actions": [], "resource_type": "server*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the configuration of a user", - "privilege": "UpdateUser", + "description": "Grants permission to delete an SSH public key from a user", + "privilege": "DeleteSshPublicKey", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], + "dependent_actions": [], "resource_type": "user*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:transfer:${region}:${account}:user/${serverId}/${username}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "user" - }, - { - "arn": "arn:${Partition}:transfer:${region}:${account}:server/${serverId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "server" - } - ], - "service_name": "AWS Transfer for SFTP" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "transfer", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to add an access associated with a server", - "privilege": "CreateAccess", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "server*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a server", - "privilege": "CreateServer", - "resource_types": [ - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "" - } - ] }, { "access_level": "Write", - "description": "Grants permission to add a user associated with a server", - "privilege": "CreateUser", + "description": "Grants permission to delete a user associated with a server", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "server*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a workflow", - "privilege": "CreateWorkflow", - "resource_types": [ - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete access", - "privilege": "DeleteAccess", + "description": "Grants permission to delete a workflow", + "privilege": "DeleteWorkflow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "server*" + "resource_type": "workflow*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a server", - "privilege": "DeleteServer", + "access_level": "Read", + "description": "Grants permission to describe an access assigned to a server", + "privilege": "DescribeAccess", "resource_types": [ { "condition_keys": [], @@ -180450,62 +207847,62 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete an SSH public key from a user", - "privilege": "DeleteSshPublicKey", + "access_level": "Read", + "description": "Grants permission to describe an agreement assigned to a server", + "privilege": "DescribeAgreement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "agreement*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a user associated with a server", - "privilege": "DeleteUser", + "access_level": "Read", + "description": "Grants permission to describe a certificate", + "privilege": "DescribeCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "certificate*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a workflow", - "privilege": "DeleteWorkflow", + "access_level": "Read", + "description": "Grants permission to describe a connector", + "privilege": "DescribeConnector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workflow*" + "resource_type": "connector*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an access assigned to a server", - "privilege": "DescribeAccess", + "description": "Grants permission to describe an execution associated with a workflow", + "privilege": "DescribeExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "server*" + "resource_type": "workflow*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an execution associated with a workflow", - "privilege": "DescribeExecution", + "description": "Grants permission to describe a profile", + "privilege": "DescribeProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workflow*" + "resource_type": "profile*" } ] }, @@ -180557,6 +207954,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to add a certificate", + "privilege": "ImportCertificate", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to add an SSH public key to a user", @@ -180581,6 +207993,42 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list agreements", + "privilege": "ListAgreements", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "server*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list certificates", + "privilege": "ListCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list connectors", + "privilege": "ListConnectors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list executions associated with a workflow", @@ -180593,6 +208041,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list profiles", + "privilege": "ListProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list security policies", @@ -180619,9 +208079,29 @@ }, { "access_level": "Read", - "description": "Grants permission to list tags for a server, a user, or a workflow", + "description": "Grants permission to list tags for an AWS Transfer Family resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agreement" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "certificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "profile" + }, { "condition_keys": [], "dependent_actions": [], @@ -180701,9 +208181,29 @@ }, { "access_level": "Tagging", - "description": "Grants permission to tag a server or a user", + "description": "Grants permission to tag an AWS Transfer Family resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agreement" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "certificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "profile" + }, { "condition_keys": [], "dependent_actions": [], @@ -180743,9 +208243,29 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag a server, a user, or a workflow", + "description": "Grants permission to untag an AWS Transfer Family resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agreement" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "certificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "profile" + }, { "condition_keys": [], "dependent_actions": [], @@ -180784,6 +208304,58 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an agreement", + "privilege": "UpdateAgreement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "agreement*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a certificate", + "privilege": "UpdateCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "certificate*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a connector", + "privilege": "UpdateConnector", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "connector*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a profile", + "privilege": "UpdateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "profile*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the configuration of a server", @@ -180815,25 +208387,53 @@ ], "resources": [ { - "arn": "arn:${Partition}:transfer:${region}:${account}:user/${serverId}/${username}", + "arn": "arn:${Partition}:transfer:${Region}:${Account}:user/${ServerId}/${UserName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "user" }, { - "arn": "arn:${Partition}:transfer:${region}:${account}:server/${serverId}", + "arn": "arn:${Partition}:transfer:${Region}:${Account}:server/${ServerId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "server" }, { - "arn": "arn:${Partition}:transfer:${region}:${account}:workflow/${workflowId}", + "arn": "arn:${Partition}:transfer:${Region}:${Account}:workflow/${WorkflowId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "workflow" + }, + { + "arn": "arn:${Partition}:transfer:${Region}:${Account}:certificate/${CertificateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "certificate" + }, + { + "arn": "arn:${Partition}:transfer:${Region}:${Account}:connector/${ConnectorId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connector" + }, + { + "arn": "arn:${Partition}:transfer:${Region}:${Account}:profile/${ProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "profile" + }, + { + "arn": "arn:${Partition}:transfer:${Region}:${Account}:agreement/${AgreementId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "agreement" } ], "service_name": "AWS Transfer Family" @@ -180850,7 +208450,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "parallel-data" } ] }, @@ -180862,7 +208462,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "parallel-data" } ] }, @@ -180874,7 +208474,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "terminology" } ] }, @@ -180898,7 +208498,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "parallel-data" } ] }, @@ -180910,7 +208510,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "terminology" } ] }, @@ -180918,6 +208518,18 @@ "access_level": "Write", "description": "Grants permission to create or update a terminology, depending on whether or not one already exists for the given terminology name", "privilege": "ImportTerminology", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "terminology" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list supported languages", + "privilege": "ListLanguages", "resource_types": [ { "condition_keys": [], @@ -180970,7 +208582,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "parallel-data" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "terminology" } ] }, @@ -180994,7 +208611,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "terminology" } ] }, @@ -181006,18 +208623,41 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "parallel-data" } ] } ], - "resources": [], + "resources": [ + { + "arn": "arn:${Partition}:translate:${Region}:${Account}:terminology/${ResourceName}", + "condition_keys": [], + "resource": "terminology" + }, + { + "arn": "arn:${Partition}:translate:${Region}:${Account}:parallel-data/${ResourceName}", + "condition_keys": [], + "resource": "parallel-data" + } + ], "service_name": "Amazon Translate" }, { "conditions": [], "prefix": "trustedadvisor", "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to the organization management account to delete email notification preferences from a delegated administrator account for Trusted Advisor Priority", + "privilege": "DeleteNotificationConfigurationForDelegatedAdmin", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view the AWS Support plan and various AWS Trusted Advisor preferences", @@ -181090,6 +208730,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get your email notification preferences for Trusted Advisor Priority", + "privilege": "DescribeNotificationConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view the notification preferences for the AWS account", @@ -181138,6 +208790,42 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view risk details in AWS Trusted Advisor Priority", + "privilege": "DescribeRisk", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view affected resources for a risk in AWS Trusted Advisor Priority", + "privilege": "DescribeRiskResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view risks in AWS Trusted Advisor Priority", + "privilege": "DescribeRisks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view information about organizational view reports, such as the AWS Regions, check categories, check names, and resource statuses", @@ -181150,6 +208838,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to download a file that contains details about the risk in AWS Trusted Advisor Priority", + "privilege": "DownloadRisk", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to exclude recommendations for AWS Trusted Advisor checks", @@ -181258,6 +208958,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create or update your email notification preferences for Trusted Advisor Priority", + "privilege": "UpdateNotificationConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update notification preferences for AWS Trusted Advisor", @@ -181269,6 +208981,18 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the risk status in AWS Trusted Advisor Priority", + "privilege": "UpdateRiskStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ @@ -181280,6 +209004,245 @@ ], "service_name": "AWS Trusted Advisor" }, + { + "conditions": [], + "prefix": "vendor-insights", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to activate the security profile", + "privilege": "ActivateSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate security profile with a data source", + "privilege": "AssociateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "vendor-insights:GetDataSource" + ], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new data source", + "privilege": "CreateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new security profile", + "privilege": "CreateSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deactivate the security profile", + "privilege": "DeactivateSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a data source", + "privilege": "DeleteDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DataSource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate security profile from a data source", + "privilege": "DisassociateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "vendor-insights:GetDataSource" + ], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the details of an existing data source", + "privilege": "GetDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DataSource*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the details of a security profile snapshot that requester is entitled to read", + "privilege": "GetEntitledSecurityProfileSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the access terms for a vendor insights profile", + "privilege": "GetProfileAccessTerms", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the details of an existing security profile", + "privilege": "GetSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the details of a security profile snapshot", + "privilege": "GetSecurityProfileSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list existing data sources", + "privilege": "ListDataSources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the snapshot summary list for an existing security profile that requester is entitled to list", + "privilege": "ListEntitledSecurityProfileSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list entitled security profiles", + "privilege": "ListEntitledSecurityProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the snapshot summary list for an existing security profile", + "privilege": "ListSecurityProfileSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list existing security profiles", + "privilege": "ListSecurityProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the security profile", + "privilege": "UpdateSecurityProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SecurityProfile*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:vendor-insights:::data-source:${ResourceId}", + "condition_keys": [], + "resource": "DataSource" + }, + { + "arn": "arn:${Partition}:vendor-insights:::security-profile:${ResourceId}", + "condition_keys": [], + "resource": "SecurityProfile" + } + ], + "service_name": "AWS Marketplace Vendor Insights" + }, { "conditions": [ { @@ -181621,7 +209584,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "waf", @@ -182739,7 +210702,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "waf-regional", @@ -183904,18 +211867,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access by the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", + "description": "Filters access by tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" + "description": "Filters access by the presence of mandatory tags in the request", + "type": "ArrayOfString" } ], "prefix": "wafv2", @@ -183944,6 +211907,11 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "loadbalancer/app/" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userpool" } ] }, @@ -184009,6 +211977,16 @@ "dependent_actions": [], "resource_type": "rulegroup*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ipset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "regexpatternset" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -184020,7 +211998,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Write", "description": "Grants permission to create a WebACL", "privilege": "CreateWebACL", "resource_types": [ @@ -184029,6 +212007,26 @@ "dependent_actions": [], "resource_type": "webacl*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ipset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedruleset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "regexpatternset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rulegroup" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -184112,7 +212110,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Write", "description": "Grants permission to delete a WebACL", "privilege": "DeleteWebACL", "resource_types": [ @@ -184124,7 +212122,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to retrieve high-level information for a managed rule group", "privilege": "DescribeManagedRuleGroup", "resource_types": [ @@ -184149,7 +212147,7 @@ }, { "access_level": "Write", - "description": "Grants permission disassociate a WebACL from an application resource", + "description": "Grants permission to disassociate a WebACL from an application resource", "privilege": "DisassociateWebACL", "resource_types": [ { @@ -184166,6 +212164,23 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "loadbalancer/app/" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userpool" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to generate a presigned download URL for the specified release of the mobile SDK", + "privilege": "GenerateMobileSdkReleaseUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -184207,6 +212222,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details about a ManagedRuleSet", + "privilege": "GetManagedRuleSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedruleset*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information for the specified mobile SDK release, including release notes and tags", + "privilege": "GetMobileSdkRelease", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a PermissionPolicy for a RuleGroup", @@ -184326,6 +212365,23 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "loadbalancer/app/" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userpool" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve an array of managed rule group versions that are available for you to use", + "privilege": "ListAvailableManagedRuleGroupVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -184365,6 +212421,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve an array of your ManagedRuleSet objects", + "privilege": "ListManagedRuleSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of the available releases for the mobile SDK and the specified device platform", + "privilege": "ListMobileSdkReleases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve an array of RegexPatternSetSummary objects for the regex pattern sets that you manage", @@ -184473,6 +212553,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to enable create a new or update an existing version of a ManagedRuleSet", + "privilege": "PutManagedRuleSetVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedruleset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rulegroup*" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to attach an IAM policy to a resource, used to share rule groups between accounts", @@ -184574,6 +212671,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the expiry date of a version in ManagedRuleSet", + "privilege": "UpdateManagedRuleSetVersionExpiryDate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedruleset*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a RegexPatternSet", @@ -184603,6 +212712,16 @@ "dependent_actions": [], "resource_type": "rulegroup*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ipset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "regexpatternset" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}" @@ -184613,7 +212732,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Write", "description": "Grants permission to update a WebACL", "privilege": "UpdateWebACL", "resource_types": [ @@ -184622,6 +212741,26 @@ "dependent_actions": [], "resource_type": "webacl*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ipset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedruleset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "regexpatternset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rulegroup" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}" @@ -184647,6 +212786,11 @@ ], "resource": "ipset" }, + { + "arn": "arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/managedruleset/${Name}/${Id}", + "condition_keys": [], + "resource": "managedruleset" + }, { "arn": "arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/rulegroup/${Name}/${Id}", "condition_keys": [ @@ -184675,6 +212819,11 @@ "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}", "condition_keys": [], "resource": "appsync" + }, + { + "arn": "arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId}", + "condition_keys": [], + "resource": "userpool" } ], "service_name": "AWS WAF V2" @@ -184703,18 +212852,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", + "description": "Filters access by tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by tag keys in the request", + "type": "ArrayOfString" } ], "prefix": "wellarchitected", @@ -184731,6 +212880,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to an owner of a lens to share with other AWS accounts and IAM Users", + "privilege": "CreateLensShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lens*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new lens version", + "privilege": "CreateLensVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lens*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new milestone for the specified workload", @@ -184770,6 +212943,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a lens", + "privilege": "DeleteLens", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lens*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing lens share", + "privilege": "DeleteLensShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lens*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete an existing workload", @@ -184806,6 +213003,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to export an existing lens", + "privilege": "ExportLens", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lens*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the specified answer from the specified lens review", @@ -184818,6 +213027,25 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get an existing lens", + "privilege": "GetLens", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lens*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the specified lens review of the specified workload", @@ -184850,7 +213078,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "lens*" } ] }, @@ -184885,6 +213113,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to import a new lens", + "privilege": "ImportLens", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the answers from the specified lens review", @@ -184921,6 +213164,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list all shares created for a lens", + "privilege": "ListLensShares", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lens*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the lenses available to this account", @@ -184977,7 +213232,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workload*" + "resource_type": "lens" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload" }, { "condition_keys": [ @@ -185020,7 +213280,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workload*" + "resource_type": "lens" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload" }, { "condition_keys": [ @@ -185040,7 +213305,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workload*" + "resource_type": "lens" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload" }, { "condition_keys": [ @@ -185063,6 +213333,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update settings to enable aws-organization support", + "privilege": "UpdateGlobalSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update properties of the specified lens review", @@ -185131,6 +213413,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "workload" + }, + { + "arn": "arn:${Partition}:wellarchitected:${Region}:${Account}:lens/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "lens" } ], "service_name": "AWS Well-Architected Tool" @@ -186284,7 +214573,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "worklink", @@ -186734,7 +215023,7 @@ ], "resources": [ { - "arn": "arn:${Partition}:worklink::${Account}:fleet/${fleetName}", + "arn": "arn:${Partition}:worklink::${Account}:fleet/${FleetName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -186747,18 +215036,18 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by the tag key-value pairs that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by the tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" } ], "prefix": "workmail", @@ -186967,6 +215256,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the email monitoring configuration for an organization", + "privilege": "DeleteEmailMonitoringConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a group from WorkMail", @@ -187027,6 +215328,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a mobile device access override", + "privilege": "DeleteMobileDeviceAccessOverride", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a mobile device access rule", @@ -187123,6 +215436,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to deregister a mail domain from an organization", + "privilege": "DeregisterMailDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "List", "description": "Grants permission to show a list of directories available for use in creating an organization", @@ -187135,6 +215460,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the email monitoring configuration for an organization", + "privilege": "DescribeEmailMonitoringConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "List", "description": "Grants permission to read the details for a group", @@ -187423,6 +215760,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details of a given mail domain in an organization", + "privilege": "GetMailDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the details of the mail domain", @@ -187483,6 +215832,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a mobile device access override", + "privilege": "GetMobileDeviceAccessOverride", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the details of the mobile device", @@ -187520,7 +215881,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list the access control rules", "privilege": "ListAccessControlRules", "resource_types": [ @@ -187579,6 +215940,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the mail domains for a given organization", + "privilege": "ListMailDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list mailbox export jobs", @@ -187616,7 +215989,19 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to list the mobile device access overrides", + "privilege": "ListMobileDeviceAccessOverrides", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to list the mobile device access rules", "privilege": "ListMobileDeviceAccessRules", "resource_types": [ @@ -187696,6 +216081,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "organization*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -187723,6 +216116,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to add or update the email monitoring configuration for an organization", + "privilege": "PutEmailMonitoringConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to enable or disable a DMARC policy for a given organization", @@ -187747,6 +216152,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to add or update a mobile device access override", + "privilege": "PutMobileDeviceAccessOverride", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to add or update the retention policy", @@ -187759,6 +216176,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to register a new mail domain in an organization", + "privilege": "RegisterMailDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to register an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities", @@ -187912,6 +216341,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "organization*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -187943,6 +216380,26 @@ "access_level": "Tagging", "description": "Grants permission to untag the specified Amazon WorkMail organization resource", "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update which domain is the default domain for an organization", + "privilege": "UpdateDefaultMailDomain", "resource_types": [ { "condition_keys": [], @@ -187977,7 +216434,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an mobile device access rule", + "description": "Grants permission to update a mobile device access rule", "privilege": "UpdateMobileDeviceAccessRule", "resource_types": [ { @@ -188112,6 +216569,11 @@ { "condition": "aws:TagKeys", "description": "Filters access based on the tag keys that are passed in the request", + "type": "ArrayOfString" + }, + { + "condition": "workspaces:userId", + "description": "Filters access by the ID of the Workspaces user", "type": "String" } ], @@ -188185,6 +216647,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Connect client add-in within a directory", + "privilege": "CreateConnectClientAddIn", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create connection aliases for use with cross-Region redirection", @@ -188221,7 +216695,10 @@ "privilege": "CreateTags", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -188257,6 +216734,11 @@ "dependent_actions": [ "workspaces:CreateTags" ], + "resource_type": "workspacebundle*" + }, + { + "condition_keys": [], + "dependent_actions": [], "resource_type": "workspaceimage*" }, { @@ -188269,6 +216751,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a new WorkSpace image", + "privilege": "CreateWorkspaceImage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceid*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create one or more WorkSpaces", @@ -188284,6 +216786,11 @@ "dependent_actions": [], "resource_type": "workspacebundle*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceid*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -188294,6 +216801,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete AWS WorkSpaces Client branding data within a directory", + "privilege": "DeleteClientBranding", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon Connect client add-in that is configured within a directory", + "privilege": "DeleteConnectClientAddIn", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete connection aliases", @@ -188324,7 +216855,10 @@ "privilege": "DeleteTags", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -188390,6 +216924,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve AWS WorkSpaces Client branding data within a directory", + "privilege": "DescribeClientBranding", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve information about WorkSpaces clients", @@ -188402,6 +216948,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of Amazon Connect client add-ins that have been created", + "privilege": "DescribeConnectClientAddIns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the permissions that the owners of connection aliases have granted to other AWS accounts for connection aliases", @@ -188439,7 +216997,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to describe the tags for WorkSpaces resources", "privilege": "DescribeTags", "resource_types": [ @@ -188563,6 +217121,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to import AWS WorkSpaces Client branding data within a directory", + "privilege": "ImportClientBranding", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to import Bring Your Own License (BYOL) images into Amazon WorkSpaces", @@ -188631,6 +217201,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to modify the SAML properties of a directory", + "privilege": "ModifySamlProperties", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to modify the self-service WorkSpace management capabilities for your users", @@ -188783,6 +217365,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to federated users to sign in by using their existing credentials and stream their workspace", + "privilege": "Stream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + }, + { + "condition_keys": [ + "workspaces:userId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to terminate WorkSpaces", @@ -188795,6 +217396,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an Amazon Connect client add-in. Use this action to update the name and endpoint URL of an Amazon Connect client add-in", + "privilege": "UpdateConnectClientAddIn", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to share or unshare connection aliases with other accounts", @@ -188895,6 +217508,655 @@ ], "service_name": "Amazon WorkSpaces" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "ArrayOfString" + } + ], + "prefix": "workspaces-web", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate browser settings to web portals", + "privilege": "AssociateBrowserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "browserSettings*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate network settings to web portals", + "privilege": "AssociateNetworkSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:CreateNetworkInterfacePermission", + "ec2:CreateTags", + "ec2:DeleteNetworkInterface", + "ec2:DeleteNetworkInterfacePermission", + "ec2:ModifyNetworkInterfaceAttribute" + ], + "resource_type": "networkSettings*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate trust stores with web portals", + "privilege": "AssociateTrustStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trustStore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate user settings with web portals", + "privilege": "AssociateUserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userSettings*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create browser settings", + "privilege": "CreateBrowserSettings", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "kms:CreateGrant", + "kms:Decrypt", + "kms:DescribeKey", + "kms:GenerateDataKey" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create identity providers", + "privilege": "CreateIdentityProvider", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create network settings", + "privilege": "CreateNetworkSettings", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create web portals", + "privilege": "CreatePortal", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "kms:CreateGrant", + "kms:Decrypt", + "kms:DescribeKey", + "kms:GenerateDataKey" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create trust stores", + "privilege": "CreateTrustStore", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create user settings", + "privilege": "CreateUserSettings", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete browser settings", + "privilege": "DeleteBrowserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "browserSettings*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete identity providers", + "privilege": "DeleteIdentityProvider", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete network settings", + "privilege": "DeleteNetworkSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "networkSettings*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete web portals", + "privilege": "DeletePortal", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete trust stores", + "privilege": "DeleteTrustStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trustStore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete user settings", + "privilege": "DeleteUserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userSettings*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate browser settings from web portals", + "privilege": "DisassociateBrowserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate network settings from web portals", + "privilege": "DisassociateNetworkSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate trust stores from web portals", + "privilege": "DisassociateTrustStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate user settings from web portals", + "privilege": "DisassociateUserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details on browser settings", + "privilege": "GetBrowserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "browserSettings*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details on identity providers", + "privilege": "GetIdentityProvider", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details on network settings", + "privilege": "GetNetworkSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "networkSettings*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details on web portals", + "privilege": "GetPortal", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get service provider metadata information for web portals", + "privilege": "GetPortalServiceProviderMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details on trust stores", + "privilege": "GetTrustStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trustStore*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get certificates from trust stores", + "privilege": "GetTrustStoreCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trustStore*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details on user settings", + "privilege": "GetUserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userSettings*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list browser settings", + "privilege": "ListBrowserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list identity providers", + "privilege": "ListIdentityProviders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list network settings", + "privilege": "ListNetworkSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list web portals", + "privilege": "ListPortals", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list certificates in a trust store", + "privilege": "ListTrustStoreCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list trust stores", + "privilege": "ListTrustStores", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list user settings", + "privilege": "ListUserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update browser settings", + "privilege": "UpdateBrowserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "browserSettings*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update identity provider", + "privilege": "UpdateIdentityProvider", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update network settings", + "privilege": "UpdateNetworkSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "networkSettings*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update web portals", + "privilege": "UpdatePortal", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update trust stores", + "privilege": "UpdateTrustStore", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trustStore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update user settings", + "privilege": "UpdateUserSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userSettings*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:workspaces-web:${Region}:${Account}:browserSettings/${BrowserSettingsId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "browserSettings" + }, + { + "arn": "arn:${Partition}:workspaces-web:${Region}:${Account}:networkSettings/${NetworkSettingsId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "networkSettings" + }, + { + "arn": "arn:${Partition}:workspaces-web:${Region}:${Account}:portal/${PortalId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "portal" + }, + { + "arn": "arn:${Partition}:workspaces-web:${Region}:${Account}:trustStore/${TrustStoreId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "trustStore" + }, + { + "arn": "arn:${Partition}:workspaces-web:${Region}:${Account}:userSettings/${UserSettingsId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "userSettings" + } + ], + "service_name": "Amazon WorkSpaces Web" + }, { "conditions": [ { @@ -188910,7 +218172,7 @@ { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "type": "ArrayOfString" } ], "prefix": "xray", From aa6bfbf683702d6c264f1b5250c1100e0084bde4 Mon Sep 17 00:00:00 2001 From: Scott Piper Date: Sun, 4 Sep 2022 19:09:26 -0600 Subject: [PATCH 3/6] import json for error reporting --- parliament/statement.py | 1 + 1 file changed, 1 insertion(+) diff --git a/parliament/statement.py b/parliament/statement.py index 560cfd3..4acc165 100644 --- a/parliament/statement.py +++ b/parliament/statement.py @@ -1,3 +1,4 @@ +import json import jsoncfg import re From 11f84a52e4f370a12492250de8cd3eaeaa4157cb Mon Sep 17 00:00:00 2001 From: Scott Piper Date: Sun, 4 Sep 2022 19:09:45 -0600 Subject: [PATCH 4/6] Increase required test coverage limit --- .coveragerc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.coveragerc b/.coveragerc index 32ac7e3..30589fc 100644 --- a/.coveragerc +++ b/.coveragerc @@ -3,4 +3,4 @@ source = parliament omit = parliament/cli.py [report] -fail_under = 65 \ No newline at end of file +fail_under = 75 \ No newline at end of file From b78f632912070722464d98558aaf7c160c23f050 Mon Sep 17 00:00:00 2001 From: Scott Piper Date: Sun, 4 Sep 2022 19:10:47 -0600 Subject: [PATCH 5/6] Bump version --- parliament/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parliament/__init__.py b/parliament/__init__.py index 95361bb..b24162e 100644 --- a/parliament/__init__.py +++ b/parliament/__init__.py @@ -1,7 +1,7 @@ """ This library is a linter for AWS IAM policies. """ -__version__ = "1.5.2" +__version__ = "1.6.0" import fnmatch import functools From c129a2c27c1d099937123b0f26b6b5748aeabee1 Mon Sep 17 00:00:00 2001 From: Scott Piper Date: Sun, 4 Sep 2022 20:36:33 -0600 Subject: [PATCH 6/6] Add ability to say whether we want to raise exceptions or not in get_allowed_actions --- parliament/policy.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/parliament/policy.py b/parliament/policy.py index b638586..49973af 100644 --- a/parliament/policy.py +++ b/parliament/policy.py @@ -90,12 +90,12 @@ def get_references(self, privilege_prefix, privilege_name): references[resource].append(stmt) return references - def get_allowed_actions(self): + def get_allowed_actions(self, raise_exceptions=True): actions_referenced = set() for stmt in self.statements: actions = make_list(stmt.stmt["Action"]) for action in actions: - expanded_actions = expand_action(action.value) + expanded_actions = expand_action(action.value, raise_exceptions) for expanded_action in expanded_actions: actions_referenced.add( "{}:{}".format(