diff --git a/parliament/__init__.py b/parliament/__init__.py index 1596023..29076e9 100644 --- a/parliament/__init__.py +++ b/parliament/__init__.py @@ -1,7 +1,7 @@ """ This library is a linter for AWS IAM policies. """ -__version__ = "1.4.0" +__version__ = "1.4.1" import fnmatch import functools diff --git a/parliament/iam_definition.json b/parliament/iam_definition.json index 0ec9b59..027e1a7 100644 --- a/parliament/iam_definition.json +++ b/parliament/iam_definition.json @@ -31,7 +31,7 @@ "privileges": [ { "access_level": "Write", - "description": "Associates a skill with the organization under the customer's AWS account. If a skill is private, the user implicitly accepts access to this skill during enablement.", + "description": "Grants permission to associate a skill with the organization under the customer's AWS account", "privilege": "ApproveSkill", "resource_types": [ { @@ -43,7 +43,7 @@ }, { "access_level": "Write", - "description": "Associates a contact with a given address book.", + "description": "Grants permission to associate a contact with a given address book", "privilege": "AssociateContactWithAddressBook", "resource_types": [ { @@ -60,7 +60,24 @@ }, { "access_level": "Write", - "description": "Associates device with given room.", + "description": "Grants permission to associate a device with the specified network profile", + "privilege": "AssociateDeviceWithNetworkProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "networkprofile*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate device with given room", "privilege": "AssociateDeviceWithRoom", "resource_types": [ { 
@@ -77,7 +94,7 @@ }, { "access_level": "Write", - "description": "Associates the skill group with given room. SkillGroup ARN and Room ARN must be specified.", + "description": "Grants permission to associate the skill group with given room", "privilege": "AssociateSkillGroupWithRoom", "resource_types": [ { @@ -94,7 +111,7 @@ }, { "access_level": "Write", - "description": "Associates a skill with a skill group.", + "description": "Grants permission to associate a skill with a skill group", "privilege": "AssociateSkillWithSkillGroup", "resource_types": [ { @@ -106,7 +123,7 @@ }, { "access_level": "Write", - "description": "Makes a private skill available for enrolled users to enable on their devices.", + "description": "Grants permission to make a private skill available for enrolled users to enable on their devices", "privilege": "AssociateSkillWithUsers", "resource_types": [ { @@ -118,7 +135,7 @@ }, { "access_level": "Write", - "description": "Completes the operation of registering an Alexa device.", + "description": "Grants permission to complete the operation of registering an Alexa device", "privilege": "CompleteRegistration", "resource_types": [ { @@ -130,7 +147,7 @@ }, { "access_level": "Write", - "description": "Creates an address book with the specified details.", + "description": "Grants permission to create an address book with the specified details", "privilege": "CreateAddressBook", "resource_types": [ { @@ -142,7 +159,7 @@ }, { "access_level": "Write", - "description": "Creates a recurring schedule for usage reports to deliver to the specified S3 location with a specified daily or weekly interval.", + "description": "Grants permission to create a recurring schedule for usage reports to deliver to the specified S3 location with a specified daily or weekly interval", "privilege": "CreateBusinessReportSchedule", "resource_types": [ { 
@@ -154,7 +171,7 @@ }, { "access_level": "Write", - "description": "Adds a new conference provider under the user's AWS account.", + "description": "Grants permission to add a new conference provider under the user's AWS account", "privilege": "CreateConferenceProvider", "resource_types": [ { @@ -166,7 +183,7 @@ }, { "access_level": "Write", - "description": "Creates a contact with the specified details.", + "description": "Grants permission to create a contact with the specified details", "privilege": "CreateContact", "resource_types": [ { @@ -178,7 +195,31 @@ }, { "access_level": "Write", - "description": "Creates a new profile.", + "description": "Grants permission to create a gateway group with the specified details", + "privilege": "CreateGatewayGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a network profile with the specified details", + "privilege": "CreateNetworkProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new profile", "privilege": "CreateProfile", "resource_types": [ { @@ -190,7 +231,7 @@ }, { "access_level": "Write", - "description": "Create room with the specified details.", + "description": "Grants permission to create room with the specified details", "privilege": "CreateRoom", "resource_types": [ { @@ -202,7 +243,7 @@ }, { "access_level": "Write", - "description": "Creates a skill group with given name and description.", + "description": "Grants permission to create a skill group with given name and description", "privilege": "CreateSkillGroup", "resource_types": [ { 
@@ -214,7 +255,7 @@ }, { "access_level": "Write", - "description": "Creates a user.", + "description": "Grants permission to create a user", "privilege": "CreateUser", "resource_types": [ { @@ -226,7 +267,7 @@ }, { "access_level": "Write", - "description": "Deletes an address book by the address book ARN.", + "description": "Grants permission to delete an address book by the address book ARN", "privilege": "DeleteAddressBook", "resource_types": [ { @@ -238,7 +279,7 @@ }, { "access_level": "Write", - "description": "Deletes the recurring report delivery schedule with the specified schedule ARN.", + "description": "Grants permission to delete the recurring report delivery schedule with the specified schedule ARN", "privilege": "DeleteBusinessReportSchedule", "resource_types": [ { @@ -250,7 +291,7 @@ }, { "access_level": "Write", - "description": "Deletes a conference provider.", + "description": "Grants permission to delete a conference provider", "privilege": "DeleteConferenceProvider", "resource_types": [ { @@ -262,7 +303,7 @@ }, { "access_level": "Write", - "description": "Deletes a contact by the contact ARN.", + "description": "Grants permission to delete a contact by the contact ARN", "privilege": "DeleteContact", "resource_types": [ { @@ -274,7 +315,7 @@ }, { "access_level": "Write", - "description": "Removes a device from Alexa For Business.", + "description": "Grants permission to remove a device from Alexa For Business", "privilege": "DeleteDevice", "resource_types": [ { 
@@ -286,7 +327,43 @@ }, { "access_level": "Write", - "description": "Delete profile by profile ARN.", + "description": "Grants permission to delete the device's entire previous history of voice input data and associated response data", + "privilege": "DeleteDeviceUsageData", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a gateway group", + "privilege": "DeleteGatewayGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gatewaygroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a network profile by the network profile ARN", + "privilege": "DeleteNetworkProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "networkprofile*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete profile by profile ARN", "privilege": "DeleteProfile", "resource_types": [ { @@ -298,7 +375,7 @@ }, { "access_level": "Write", - "description": "Delete room.", + "description": "Grants permission to delete room", "privilege": "DeleteRoom", "resource_types": [ { @@ -310,7 +387,7 @@ }, { "access_level": "Write", - "description": "Delete a parameter from a skill and room.", + "description": "Grants permission to delete a parameter from a skill and room", "privilege": "DeleteRoomSkillParameter", "resource_types": [ { @@ -322,7 +399,7 @@ }, { "access_level": "Write", - "description": "Unlinks a third-party account from a skill.", + "description": "Grants permission to unlink a third-party account from a skill", "privilege": "DeleteSkillAuthorization", "resource_types": [ { 
@@ -334,7 +411,7 @@ }, { "access_level": "Write", - "description": "Deletes skill group with skill group ARN. Skillgroup ARN must be specified.", + "description": "Grants permission to delete skill group with skill group ARN", "privilege": "DeleteSkillGroup", "resource_types": [ { @@ -346,7 +423,7 @@ }, { "access_level": "Write", - "description": "Delete a user.", + "description": "Grants permission to delete a user", "privilege": "DeleteUser", "resource_types": [ { @@ -358,7 +435,7 @@ }, { "access_level": "Write", - "description": "Disassociates a contact from a given address book.", + "description": "Grants permission to disassociate a contact from a given address book", "privilege": "DisassociateContactFromAddressBook", "resource_types": [ { @@ -375,7 +452,7 @@ }, { "access_level": "Write", - "description": "Disassociates device from its current room.", + "description": "Grants permission to disassociate device from its current room", "privilege": "DisassociateDeviceFromRoom", "resource_types": [ { @@ -387,7 +464,7 @@ }, { "access_level": "Write", - "description": "Disassociates a skill from a skill group.", + "description": "Grants permission to disassociate a skill from a skill group", "privilege": "DisassociateSkillFromSkillGroup", "resource_types": [ { @@ -399,7 +476,7 @@ }, { "access_level": "Write", - "description": "Makes a private skill unavailable for enrolled users and prevents them from enabling it on their devices.", + "description": "Grants permission to make a private skill unavailable for enrolled users and prevent them from enabling it on their devices", "privilege": "DisassociateSkillFromUsers", "resource_types": [ { @@ -411,7 +488,7 @@ }, { "access_level": "Write", - "description": "Disassociates the skill group from given room. SkillGroup ARN and Room ARN must be specified.", + "description": "Grants permission to disassociate the skill group from given room", "privilege": "DisassociateSkillGroupFromRoom", "resource_types": [ { 
@@ -428,7 +505,7 @@ }, { "access_level": "Write", - "description": "Forgets smart home appliances associated to a room.", + "description": "Grants permission to forget smart home appliances associated to a room", "privilege": "ForgetSmartHomeAppliances", "resource_types": [ { @@ -440,7 +517,7 @@ }, { "access_level": "Read", - "description": "Gets the address book details by the address book ARN.", + "description": "Grants permission to get the address book details by the address book ARN", "privilege": "GetAddressBook", "resource_types": [ { @@ -452,7 +529,7 @@ }, { "access_level": "Read", - "description": "Retrieves the existing conference preferences.", + "description": "Grants permission to retrieve the existing conference preferences", "privilege": "GetConferencePreference", "resource_types": [ { @@ -464,7 +541,7 @@ }, { "access_level": "Read", - "description": "Gets details about a specific conference provider.", + "description": "Grants permission to get details about a specific conference provider", "privilege": "GetConferenceProvider", "resource_types": [ { @@ -476,7 +553,7 @@ }, { "access_level": "Read", - "description": "Gets the contact details by the contact ARN.", + "description": "Grants permission to get the contact details by the contact ARN", "privilege": "GetContact", "resource_types": [ { @@ -488,7 +565,7 @@ }, { "access_level": "Read", - "description": "Get device details.", + "description": "Grants permission to get device details", "privilege": "GetDevice", "resource_types": [ { 
@@ -500,7 +577,43 @@ }, { "access_level": "Read", - "description": "Gets the network profile details by the network profile ARN.", + "description": "Grants permission to retrieve the details of a gateway", + "privilege": "GetGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the details of a gateway group", + "privilege": "GetGatewayGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gatewaygroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the configured values for the user enrollment invitation email template", + "privilege": "GetInvitationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the network profile details by the network profile ARN", "privilege": "GetNetworkProfile", "resource_types": [ { @@ -512,7 +625,7 @@ }, { "access_level": "Read", - "description": "Gets profile when provided with Profile ARN.", + "description": "Grants permission to get profile when provided with Profile ARN", "privilege": "GetProfile", "resource_types": [ { @@ -524,7 +637,7 @@ }, { "access_level": "Read", - "description": "Get room details.", + "description": "Grants permission to get room details", "privilege": "GetRoom", "resource_types": [ { @@ -536,7 +649,7 @@ }, { "access_level": "Read", - "description": "Get an existing parameter that has been set for a skill and room.", + "description": "Grants permission to get an existing parameter that has been set for a skill and room", "privilege": "GetRoomSkillParameter", "resource_types": [ { 
@@ -548,7 +661,7 @@ }, { "access_level": "Read", - "description": "Gets skill group details with skill group ARN. Skillgroup ARN must be specified.", + "description": "Grants permission to get skill group details with skill group ARN", "privilege": "GetSkillGroup", "resource_types": [ { @@ -560,7 +673,7 @@ }, { "access_level": "List", - "description": "Lists the details of the schedules that a user configured.", + "description": "Grants permission to list the details of the schedules that a user configured", "privilege": "ListBusinessReportSchedules", "resource_types": [ { @@ -572,7 +685,7 @@ }, { "access_level": "List", - "description": "Lists conference providers under a specific AWS account.", + "description": "Grants permission to list conference providers under a specific AWS account", "privilege": "ListConferenceProviders", "resource_types": [ { @@ -584,7 +697,7 @@ }, { "access_level": "List", - "description": "Lists the device event history, including device connection status, for up to 30 days.", + "description": "Grants permission to list the device event history, including device connection status, for up to 30 days", "privilege": "ListDeviceEvents", "resource_types": [ { @@ -596,7 +709,31 @@ }, { "access_level": "List", - "description": "Lists skills.", + "description": "Grants permission to list gateway group summaries", + "privilege": "ListGatewayGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list gateway summaries", + "privilege": "ListGateways", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gatewaygroup*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list skills", "privilege": "ListSkills", "resource_types": [ { 
@@ -608,7 +745,7 @@ }, { "access_level": "List", - "description": "Lists all categories in the Alexa skill store.", + "description": "Grants permission to list all categories in the Alexa skill store", "privilege": "ListSkillsStoreCategories", "resource_types": [ { @@ -620,7 +757,7 @@ }, { "access_level": "List", - "description": "Lists all skills in the Alexa skill store by category.", + "description": "Grants permission to list all skills in the Alexa skill store by category", "privilege": "ListSkillsStoreSkillsByCategory", "resource_types": [ { @@ -632,7 +769,7 @@ }, { "access_level": "List", - "description": "Lists all of the smart home appliances associated with a room.", + "description": "Grants permission to list all of the smart home appliances associated with a room", "privilege": "ListSmartHomeAppliances", "resource_types": [ { @@ -644,7 +781,7 @@ }, { "access_level": "Read", - "description": "Lists all tags on a resource.", + "description": "Grants permission to list all tags on a resource", "privilege": "ListTags", "resource_types": [ { @@ -666,7 +803,7 @@ }, { "access_level": "Write", - "description": "Sets the conference preferences on a specific conference provider at the account level.", + "description": "Grants permission to set the conference preferences on a specific conference provider at the account level", "privilege": "PutConferencePreference", "resource_types": [ { @@ -678,7 +815,7 @@ }, { "access_level": "Write", - "description": "Publishes Alexa device setup events.", + "description": "Grants permission to publish Alexa device setup events", "privilege": "PutDeviceSetupEvents", "resource_types": [ { 
@@ -690,7 +827,19 @@ }, { "access_level": "Write", - "description": "Put a room specific parameter for a skill.", + "description": "Grants permission to configure the email template for the user enrollment invitation with the specified attributes", + "privilege": "PutInvitationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put a room specific parameter for a skill", "privilege": "PutRoomSkillParameter", "resource_types": [ { @@ -702,7 +851,7 @@ }, { "access_level": "Write", - "description": "Links a user's account to a third-party skill provider. If this API operation is called by an assumed IAM role, the skill being linked must be a private skill. Also, the skill must be owned by the AWS account that assumed the IAM role.", + "description": "Grants permission to link a user's account to a third-party skill provider", "privilege": "PutSkillAuthorization", "resource_types": [ { @@ -714,7 +863,7 @@ }, { "access_level": "Write", - "description": "Registers an Alexa-enabled device built by an Original Equipment Manufacturer (OEM) using Alexa Voice Service (AVS).", + "description": "Grants permission to register an Alexa-enabled device built by an Original Equipment Manufacturer (OEM) using Alexa Voice Service (AVS)", "privilege": "RegisterAVSDevice", "resource_types": [ { @@ -726,7 +875,7 @@ }, { "access_level": "Write", - "description": "Registers an Alexa device.", + "description": "Grants permission to register an Alexa device", "privilege": "RegisterDevice", "resource_types": [ { 
@@ -738,7 +887,7 @@ }, { "access_level": "Write", - "description": "Disassociates a skill from the organization under a user's AWS account. If the skill is a private skill, it moves to an AcceptStatus of PENDING.", + "description": "Grants permission to disassociate a skill from the organization under a user's AWS account", "privilege": "RejectSkill", "resource_types": [ { @@ -750,7 +899,7 @@ }, { "access_level": "Read", - "description": "Returns resolved room information.", + "description": "Grants permission to resolve room information", "privilege": "ResolveRoom", "resource_types": [ { @@ -762,7 +911,7 @@ }, { "access_level": "Write", - "description": "Revoke an invitation.", + "description": "Grants permission to revoke an invitation", "privilege": "RevokeInvitation", "resource_types": [ { @@ -774,7 +923,7 @@ }, { "access_level": "List", - "description": "Searches address books and lists the ones that meet a set of filter and sort criteria.", + "description": "Grants permission to search address books and list the ones that meet a set of filter and sort criteria", "privilege": "SearchAddressBooks", "resource_types": [ { @@ -786,7 +935,7 @@ }, { "access_level": "List", - "description": "Searches contacts and lists the ones that meet a set of filter and sort criteria.", + "description": "Grants permission to search contacts and list the ones that meet a set of filter and sort criteria", "privilege": "SearchContacts", "resource_types": [ { @@ -798,7 +947,7 @@ }, { "access_level": "List", - "description": "Search for devices.", + "description": "Grants permission to search for devices", "privilege": "SearchDevices", "resource_types": [ { 
@@ -810,7 +959,7 @@ }, { "access_level": "List", - "description": "Searches network profiles and lists the ones that meet a set of filter and sort criteria.", + "description": "Grants permission to search network profiles and list the ones that meet a set of filter and sort criteria", "privilege": "SearchNetworkProfiles", "resource_types": [ { @@ -822,7 +971,7 @@ }, { "access_level": "List", - "description": "Search for profiles.", + "description": "Grants permission to search for profiles", "privilege": "SearchProfiles", "resource_types": [ { @@ -834,7 +983,7 @@ }, { "access_level": "List", - "description": "Search for rooms.", + "description": "Grants permission to search for rooms", "privilege": "SearchRooms", "resource_types": [ { @@ -846,7 +995,7 @@ }, { "access_level": "List", - "description": "Search for skill groups.", + "description": "Grants permission to search for skill groups", "privilege": "SearchSkillGroups", "resource_types": [ { @@ -858,7 +1007,7 @@ }, { "access_level": "List", - "description": "Search for users.", + "description": "Grants permission to search for users", "privilege": "SearchUsers", "resource_types": [ { @@ -870,7 +1019,19 @@ }, { "access_level": "Write", - "description": "Send an invitation to a user.", + "description": "Grants permission to trigger an asynchronous flow to send text, SSML, or audio announcements to rooms that are identified by a search or filter", + "privilege": "SendAnnouncement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send an invitation to a user", "privilege": "SendInvitation", "resource_types": [ { 
@@ -882,7 +1043,7 @@ }, { "access_level": "Write", - "description": "Restore the device and its account to its known, default settings by clearing all information and settings set by its previous users.", + "description": "Grants permission to restore the device and its account to its known, default settings by clearing all information and settings set by its previous users", "privilege": "StartDeviceSync", "resource_types": [ { @@ -894,7 +1055,7 @@ }, { "access_level": "Read", - "description": "Initiates the discovery of any smart home appliances associated with the room.", + "description": "Grants permission to initiate the discovery of any smart home appliances associated with the room", "privilege": "StartSmartHomeApplianceDiscovery", "resource_types": [ { @@ -906,7 +1067,7 @@ }, { "access_level": "Tagging", - "description": "Adds metadata tags to a resource.", + "description": "Grants permission to add metadata tags to a resource", "privilege": "TagResource", "resource_types": [ { @@ -928,7 +1089,7 @@ }, { "access_level": "Tagging", - "description": "Removes metadata tags from a resource.", + "description": "Grants permission to remove metadata tags from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -950,7 +1111,7 @@ }, { "access_level": "Write", - "description": "Updates address book details by the address book ARN.", + "description": "Grants permission to update address book details by the address book ARN", "privilege": "UpdateAddressBook", "resource_types": [ { @@ -962,7 +1123,7 @@ }, { "access_level": "Write", - "description": "Updates the configuration of the report delivery schedule with the specified schedule ARN.", + "description": "Grants permission to update the configuration of the report delivery schedule with the specified schedule ARN", "privilege": "UpdateBusinessReportSchedule", "resource_types": [ { 
@@ -974,7 +1135,7 @@ }, { "access_level": "Write", - "description": "Updates an existing conference provider's settings.", + "description": "Grants permission to update an existing conference provider's settings", "privilege": "UpdateConferenceProvider", "resource_types": [ { @@ -986,7 +1147,7 @@ }, { "access_level": "Write", - "description": "Updates the contact details by the contact ARN.", + "description": "Grants permission to update the contact details by the contact ARN", "privilege": "UpdateContact", "resource_types": [ { @@ -998,7 +1159,7 @@ }, { "access_level": "Write", - "description": "Updates device name.", + "description": "Grants permission to update device name", "privilege": "UpdateDevice", "resource_types": [ { @@ -1010,7 +1171,43 @@ }, { "access_level": "Write", - "description": "Updates an existing profile.", + "description": "Grants permission to update the details of a gateway", + "privilege": "UpdateGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the details of a gateway group", + "privilege": "UpdateGatewayGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gatewaygroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a network profile by the network profile ARN", + "privilege": "UpdateNetworkProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "networkprofile*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing profile", "privilege": "UpdateProfile", "resource_types": [ { @@ -1022,7 +1219,7 @@ }, { "access_level": "Write", - "description": "Update room details.", + "description": "Grants permission to update room details", "privilege": "UpdateRoom", "resource_types": [ { 
@@ -1034,7 +1231,7 @@ }, { "access_level": "Write", - "description": "Updates skill group details with skill group ARN. Skillgroup ARN must be specified.", + "description": "Grants permission to update skill group details with skill group ARN", "privilege": "UpdateSkillGroup", "resource_types": [ { 
@@ -1101,10 +1298,427 @@ "arn": "arn:${Partition}:a4b:${Region}:${Account}:network-profile/${Resource_id}", "condition_keys": [], "resource": "networkprofile" + }, + { + "arn": "arn:${Partition}:a4b:${Region}:${Account}:gateway/${Resource_id}", + "condition_keys": [], + "resource": "gateway" + }, + { + "arn": "arn:${Partition}:a4b:${Region}:${Account}:gateway-group/${Resource_id}", + "condition_keys": [], + "resource": "gatewaygroup" } ], "service_name": "Alexa for Business" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "access-analyzer", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to apply an archive rule", + "privilege": "ApplyArchiveRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a policy generation", + "privilege": "CancelPolicyGeneration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an access preview for the specified analyzer", + "privilege": "CreateAccessPreview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an analyzer", + "privilege": "CreateAnalyzer", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "Analyzer*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an archive rule for the specified analyzer", + "privilege": "CreateArchiveRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ArchiveRule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified analyzer", + "privilege": "DeleteAnalyzer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete archive rules for the specified analyzer", + "privilege": "DeleteArchiveRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ArchiveRule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about an access preview", + "privilege": "GetAccessPreview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about an analyzed resource", + "privilege": "GetAnalyzedResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about analyzers", + "privilege": "GetAnalyzer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + 
"access_level": "Read", + "description": "Grants permission to retrieve information about archive rules for the specified analyzer", + "privilege": "GetArchiveRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ArchiveRule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve findings", + "privilege": "GetFinding", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a policy that was generated using StartPolicyGeneration", + "privilege": "GetGeneratedPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of findings from an access preview", + "privilege": "ListAccessPreviewFindings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of access previews", + "privilege": "ListAccessPreviews", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of resources that have been analyzed", + "privilege": "ListAnalyzedResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieves a list of analyzers", + "privilege": "ListAnalyzers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of archive rules 
from an analyzer", + "privilege": "ListArchiveRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of findings from an analyzer", + "privilege": "ListFindings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all the recently started policy generations", + "privilege": "ListPolicyGenerations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of tags applied to a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a policy generation", + "privilege": "StartPolicyGeneration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a scan of the policies applied to a resource", + "privilege": "StartResourceScan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add a tag to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove a tag from a 
resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an archive rule", + "privilege": "UpdateArchiveRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ArchiveRule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify findings", + "privilege": "UpdateFindings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Analyzer*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to validate a policy", + "privilege": "ValidatePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${AnalyzerName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Analyzer" + }, + { + "arn": "arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${AnalyzerName}/archive-rule/${RuleName}", + "condition_keys": [], + "resource": "ArchiveRule" + } + ], + "service_name": "AWS IAM Access Analyzer" + }, { "conditions": [ { 
@@ -1462,17 +2076,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filter access by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filter access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filter access by the presence of tag keys in the request", "type": "String" } ], @@ -1480,7 +2094,7 @@ "privileges": [ { "access_level": "Tagging", - "description": "Adds one or more tags to a certificate.", + "description": "Grants permission to add one or more tags to a certificate", "privilege": "AddTagsToCertificate", "resource_types": [ { @@ -1500,7 +2114,7 @@ }, { "access_level": "Write", - "description": "Deletes a certificate and its associated private key.", + "description": "Grants permission to delete a certificate and its associated private key", "privilege": "DeleteCertificate", "resource_types": [ { @@ -1512,7 +2126,7 @@ }, { "access_level": "Read", - "description": "Returns a list of the fields contained in the specified certificate.", + "description": "Grants permission to retreive a certificates and its metadata", "privilege": "DescribeCertificate", "resource_types": [ { @@ -1524,7 +2138,7 @@ }, { "access_level": "Read", - "description": "Exports a private certificate issued by a private certificate authority (CA) for use anywhere.", + "description": "Grants permission to export a private certificate issued by a private certificate authority (CA) for use anywhere", "privilege": "ExportCertificate", "resource_types": [ { 
@@ -1536,7 +2150,19 @@ }, { "access_level": "Read", - "description": "Retrieves a certificate and certificate chain for the certificate specified by an ARN.", + "description": "Grants permission to retrieve account level configuration from AWS Certificate Manager", + "privilege": "GetAccountConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a certificate and certificate chain for a certificate ARN", "privilege": "GetCertificate", "resource_types": [ { @@ -1548,7 +2174,7 @@ }, { "access_level": "Write", - "description": "Imports a 3rd party SSL/TLS certificate into AWS Certificate Manager (ACM).", + "description": "Grants permission to import a 3rd party certificate into AWS Certificate Manager (ACM)", "privilege": "ImportCertificate", "resource_types": [ { @@ -1568,7 +2194,7 @@ }, { "access_level": "List", - "description": "Retrieves a list of the certificate ARNs and the domain name for each ARN.", + "description": "Grants permission to retrieve a list of the certificate ARNs and the domain name for each ARN", "privilege": "ListCertificates", "resource_types": [ { @@ -1580,8 +2206,20 @@ }, { "access_level": "Read", - "description": "Lists the tags that have been applied to the certificate.", + "description": "Grants permission to lists the tags that have been associated with a certificate", "privilege": "ListTagsForCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "certificate*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update account level configuration in AWS Certificate Manager", + "privilege": "PutAccountConfiguration", "resource_types": [ { "condition_keys": [], 
@@ -1592,7 +2230,7 @@ }, { "access_level": "Tagging", - "description": "Remove one or more tags from a certificate. A tag consists of a key-value pair", + "description": "Grants permission to remove one or more tags from a certificate", "privilege": "RemoveTagsFromCertificate", "resource_types": [ { @@ -1612,7 +2250,7 @@ }, { "access_level": "Write", - "description": "Renews an eligable private certificate.", + "description": "Grants permission to renew an eligible private certificate", "privilege": "RenewCertificate", "resource_types": [ { @@ -1624,7 +2262,7 @@ }, { "access_level": "Write", - "description": "Requests a public or private certificate.", + "description": "Grants permission to requests a public or private certificate", "privilege": "RequestCertificate", "resource_types": [ { @@ -1639,7 +2277,7 @@ }, { "access_level": "Write", - "description": "Resends an email to request domain ownership validation.", + "description": "Grants permission to resend an email to request domain ownership validation", "privilege": "ResendValidationEmail", "resource_types": [ { @@ -1651,7 +2289,7 @@ }, { "access_level": "Write", - "description": "Updates a certificate. Use to specify whether to opt in to or out of certificate transparency logging.", + "description": "Grants permission to update a certificate configuration. Use this to specify whether to opt in to or out of certificate transparency logging", "privilege": "UpdateCertificateOptions", "resource_types": [ { @@ -1699,7 +2337,7 @@ "prefix": "acm-pca", "privileges": [ { - "access_level": "Tagging", + "access_level": "Write", "description": "Creates an ACM Private CA and its associated private key and configuration.", "privilege": "CreateCertificateAuthority", "resource_types": [ 
@@ -2692,6 +3330,28 @@ } ] }, + { + "access_level": "Read", + "description": "List tags for an AWS Amplify Console resource.", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "apps" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "branches" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobs" + } + ] + }, { "access_level": "List", "description": "List webhooks on an App.", @@ -3181,6 +3841,28 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to import an existing auth resource of an Amplify Admin backend environment by appId and backendEnvironmentName", + "privilege": "ImportBackendAuth", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "auth*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backend*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve the jobs of an existing Amplify Admin backend environment by appId and backendEnvironmentName", 
@@ -3340,6 +4022,750 @@ ], "service_name": "AWS Amplify Admin" }, + { + "conditions": [ + { + "condition": "apigateway:Request/AccessLoggingDestination", + "description": "Filters access by access log destination. Available during the CreateStage and UpdateStage operations", + "type": "String" + }, + { + "condition": "apigateway:Request/AccessLoggingFormat", + "description": "Filters access by access log format. Available during the CreateStage and UpdateStage operations", + "type": "String" + }, + { + "condition": "apigateway:Request/ApiKeyRequired", + "description": "Filters access based on whether an API key is required or not. Available during the CreateRoute and UpdateRoute operations. Also available as a collection during import and reimport", + "type": "ArrayOfBool" + }, + { + "condition": "apigateway:Request/ApiName", + "description": "Filters access by API name. Available during the CreateApi and UpdateApi operations", + "type": "String" + }, + { + "condition": "apigateway:Request/AuthorizerType", + "description": "Filters access by type of authorizer in the request, for example REQUEST or JWT. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/AuthorizerUri", + "description": "Filters access by URI of a Lambda authorizer function. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/DisableExecuteApiEndpoint", + "description": "Filters access by status of the default execute-api endpoint. Available during the CreateApi and UpdateApi operations", + "type": "Bool" + }, + { + "condition": "apigateway:Request/EndpointType", + "description": "Filters access by endpoint type. 
Available during the CreateDomainName, UpdateDomainName, CreateApi, and UpdateApi operations", + "type": "String" + }, + { + "condition": "apigateway:Request/MtlsTrustStoreUri", + "description": "Filters access by URI of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Request/MtlsTrustStoreVersion", + "description": "Filters access by version of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Request/RouteAuthorizationType", + "description": "Filters access by authorization type, for example NONE, AWS_IAM, CUSTOM, JWT. Available during the CreateRoute and UpdateRoute operations. Also available as a collection during import", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/SecurityPolicy", + "description": "Filters access by TLS version. Available during the CreateDomain and UpdateDomain operations", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/StageName", + "description": "Filters access by stage name of the deployment that you attempt to create. Available during the CreateDeployment operation", + "type": "String" + }, + { + "condition": "apigateway:Resource/AccessLoggingDestination", + "description": "Filters access by access log destination of the current Stage resource. Available during the UpdateStage and DeleteStage operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/AccessLoggingFormat", + "description": "Filters access by access log format of the current Stage resource. Available during the UpdateStage and DeleteStage operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/ApiKeyRequired", + "description": "Filters access based on whether an API key is required or not for the existing Route resource. 
Available during the UpdateRoute and DeleteRoute operations. Also available as a collection during reimport", + "type": "ArrayOfBool" + }, + { + "condition": "apigateway:Resource/ApiName", + "description": "Filters access by API name. Available during the UpdateApi and DeleteApi operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/AuthorizerType", + "description": "Filters access by the current type of authorizer, for example REQUEST or JWT. Available during UpdateAuthorizer and DeleteAuthorizer operations. Also available during import and reimport as an ArrayOfString", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Resource/AuthorizerUri", + "description": "Filters access by the URI of the current Lambda authorizer associated with the current API. Available during UpdateAuthorizer and DeleteAuthorizer. Also available as a collection during reimport", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Resource/DisableExecuteApiEndpoint", + "description": "Filters access by status of the default execute-api endpoint. Available during the UpdateApi and DeleteApi operations", + "type": "Bool" + }, + { + "condition": "apigateway:Resource/EndpointType", + "description": "Filters access by endpoint type. Available during the UpdateDomainName, DeleteDomainName, UpdateApi, and DeleteApi operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/MtlsTrustStoreUri", + "description": "Filters access by URI of the truststore used for mutual TLS authentication. Available during the UpdateDomainName and DeleteDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/MtlsTrustStoreVersion", + "description": "Filters access by version of the truststore used for mutual TLS authentication. 
Available during the UpdateDomainName and DeleteDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/RouteAuthorizationType", + "description": "ilters access by authorization type of the existing Route resource, for example NONE, AWS_IAM, CUSTOM. Available during the UpdateRoute and DeleteRoute operations. Also available as a collection during reimport", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Resource/SecurityPolicy", + "description": "Filters access by TLS version. Available during the UpdateDomainName and DeleteDomainName operations", + "type": "ArrayOfString" + }, + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "apigateway", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to delete a particular resource", + "privilege": "DELETE", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AccessLogSettings" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Api" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ApiMapping" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Authorizer" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AuthorizersCache" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Cors" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Deployment" + }, + { + "condition_keys": [], + "dependent_actions": [], 
+ "resource_type": "Integration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "IntegrationResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Route" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteRequestParameter" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteSettings" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stage" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to read a particular resource", + "privilege": "GET", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AccessLogSettings" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Api" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ApiMapping" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ApiMappings" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Apis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Authorizer" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Authorizers" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AuthorizersCache" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Cors" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Deployment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Deployments" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "ExportedAPI" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Integration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "IntegrationResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "IntegrationResponses" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Integrations" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ModelTemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Models" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Route" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteRequestParameter" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteResponses" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteSettings" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Routes" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stage" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stages" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a particular resource", + "privilege": "PATCH", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Api" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ApiMapping" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Authorizer" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Deployment" + 
}, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Integration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "IntegrationResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Route" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteRequestParameter" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stage" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a particular resource", + "privilege": "POST", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ApiMappings" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Apis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Authorizers" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Deployments" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "IntegrationResponses" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Integrations" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Models" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RouteResponses" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Routes" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stages" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + 
}, + { + "access_level": "Write", + "description": "Grants permission to update a particular resource", + "privilege": "PUT", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Apis" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}/accesslogsettings", + "condition_keys": [], + "resource": "AccessLogSettings" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}", + "condition_keys": [ + "apigateway:Request/ApiKeyRequired", + "apigateway:Request/ApiName", + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", + "apigateway:Request/DisableExecuteApiEndpoint", + "apigateway:Request/EndpointType", + "apigateway:Request/RouteAuthorizationType", + "apigateway:Resource/ApiKeyRequired", + "apigateway:Resource/ApiName", + "apigateway:Resource/AuthorizerType", + "apigateway:Resource/AuthorizerUri", + "apigateway:Resource/DisableExecuteApiEndpoint", + "apigateway:Resource/EndpointType", + "apigateway:Resource/RouteAuthorizationType", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Api" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis", + "condition_keys": [ + "apigateway:Request/ApiKeyRequired", + "apigateway:Request/ApiName", + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", + "apigateway:Request/DisableExecuteApiEndpoint", + "apigateway:Request/EndpointType", + "apigateway:Request/RouteAuthorizationType", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Apis" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/apimappings/${ApiMappingId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ApiMapping" + }, + { + "arn": 
"arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/apimappings", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ApiMappings" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/authorizers/${AuthorizerId}", + "condition_keys": [ + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", + "apigateway:Resource/AuthorizerType", + "apigateway:Resource/AuthorizerUri", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Authorizer" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/authorizers", + "condition_keys": [ + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Authorizers" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}/cache/authorizers", + "condition_keys": [], + "resource": "AuthorizersCache" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/cors", + "condition_keys": [], + "resource": "Cors" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/deployments/${DeploymentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Deployment" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/deployments", + "condition_keys": [ + "apigateway:Request/StageName", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Deployments" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/exports/${Specification}", + "condition_keys": [], + "resource": "ExportedAPI" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Integration" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Integrations" + }, + { + "arn": 
"arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}/integrationresponses/${IntegrationResponseId}", + "condition_keys": [], + "resource": "IntegrationResponse" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/integrations/${IntegrationId}/integrationresponses", + "condition_keys": [], + "resource": "IntegrationResponses" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models/${ModelId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Model" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Models" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/models/${ModelId}/template", + "condition_keys": [], + "resource": "ModelTemplate" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}", + "condition_keys": [ + "apigateway:Request/ApiKeyRequired", + "apigateway:Request/RouteAuthorizationType", + "apigateway:Resource/ApiKeyRequired", + "apigateway:Resource/RouteAuthorizationType", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Route" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes", + "condition_keys": [ + "apigateway:Request/ApiKeyRequired", + "apigateway:Request/RouteAuthorizationType", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Routes" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}/routeresponses/${RouteResponseId}", + "condition_keys": [], + "resource": "RouteResponse" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}/routeresponses", + "condition_keys": [], + "resource": "RouteResponses" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/routes/${RouteId}/requestparameters/${RequestParameterKey}", + "condition_keys": [], + "resource": 
"RouteRequestParameter" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}/routesettings/${RouteKey}", + "condition_keys": [], + "resource": "RouteSettings" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages/${StageName}", + "condition_keys": [ + "apigateway:Request/AccessLoggingDestination", + "apigateway:Request/AccessLoggingFormat", + "apigateway:Resource/AccessLoggingDestination", + "apigateway:Resource/AccessLoggingFormat", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Stage" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apis/${ApiId}/stages", + "condition_keys": [ + "apigateway:Request/AccessLoggingDestination", + "apigateway:Request/AccessLoggingFormat", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Stages" + } + ], + "service_name": "Amazon API Gateway Management V2" + }, { "conditions": [ { 
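Review bot: The service entry added in this hunk declares `"prefix": "apigateway"` with the privileges `DELETE`, `GET`, `PATCH`, `POST` and `PUT`, and the next hunk adds the same `apigateway:Request/...` condition keys to a second service entry, so the file probably now holds two entries under one prefix. The other entry's `prefix` line is outside the visible hunks, so this needs confirming. If the linter resolves an action such as `apigateway:GET` by taking the first entry whose prefix matches, only one of the two resource and condition lists is consulted. A policy scoped to the other entry's ARNs could then be reported as a resource mismatch, or have its condition keys checked against the wrong list. I would make the lookup collect every entry with a matching prefix and merge their `privileges`, `resources` and `conditions`, and add a test that lints one `apigateway:GET` statement per entry, each using an ARN from that entry's `resources` list.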
@@ -3490,229 +4916,285 @@ }, { "conditions": [ + { + "condition": "apigateway:Request/AccessLoggingDestination", + "description": "Filters access by access log destination. Available during the CreateStage and UpdateStage operations", + "type": "String" + }, + { + "condition": "apigateway:Request/AccessLoggingFormat", + "description": "Filters access by access log format. Available during the CreateStage and UpdateStage operations", + "type": "String" + }, + { + "condition": "apigateway:Request/ApiKeyRequired", + "description": "Filters access based on whether an API key is required or not. Available during the CreateMethod and PutMethod operations. Also available as a collection during import and reimport", + "type": "ArrayOfBool" + }, + { + "condition": "apigateway:Request/ApiName", + "description": "Filters access by API name. Available during the CreateRestApi and UpdateRestApi operations", + "type": "String" + }, + { + "condition": "apigateway:Request/AuthorizerType", + "description": "Filters access by type of authorizer in the request, for example TOKEN, REQUEST, JWT. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/AuthorizerUri", + "description": "Filters access by URI of a Lambda authorizer function. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/DisableExecuteApiEndpoint", + "description": "Filters access by status of the default execute-api endpoint. Available during the CreateRestApi and DeleteRestApi operations", + "type": "Bool" + }, + { + "condition": "apigateway:Request/EndpointType", + "description": "Filters access by endpoint type. 
Available during the CreateDomainName, UpdateDomainName, CreateRestApi, and UpdateRestApi operations", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/MtlsTrustStoreUri", + "description": "Filters access by URI of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Request/MtlsTrustStoreVersion", + "description": "Filters access by version of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Request/RouteAuthorizationType", + "description": "Filters access by authorization type, for example NONE, AWS_IAM, CUSTOM, JWT, COGNITO_USER_POOLS. Available during the CreateMethod and PutMethod operations Also available as a collection during import", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/SecurityPolicy", + "description": "Filters access by TLS version. Available during the CreateDomain and UpdateDomain operations", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Request/StageName", + "description": "Filters access by stage name of the deployment that you attempt to create. Available during the CreateDeployment operation", + "type": "String" + }, + { + "condition": "apigateway:Resource/AccessLoggingDestination", + "description": "Filters access by access log destination of the current Stage resource. Available during the UpdateStage and DeleteStage operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/AccessLoggingFormat", + "description": "Filters access by access log format of the current Stage resource. 
Available during the UpdateStage and DeleteStage operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/ApiKeyRequired", + "description": "Filters access based on whether an API key is required or not for the existing Method resource. Available during the PutMethod and DeleteMethod operations. Also available as a collection during reimport", + "type": "ArrayOfBool" + }, + { + "condition": "apigateway:Resource/ApiName", + "description": "Filters access by API name of the existing RestApi resource. Available during UpdateRestApi and DeleteRestApi operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/AuthorizerType", + "description": "Filters access by the current type of authorizer, for example TOKEN, REQUEST, JWT. Available during UpdateAuthorizer and DeleteAuthorizer operations. Also available during reimport as an ArrayOfString", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Resource/AuthorizerUri", + "description": "Filters access by URI of a Lambda authorizer function. Available during UpdateAuthorizer and DeleteAuthorizer operations. Also available during reimport as an ArrayOfString", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Resource/DisableExecuteApiEndpoint", + "description": "Filters access by status of the default execute-api endpoint of the current RestApi resource. Available during UpdateRestApi and DeleteRestApi operations", + "type": "Bool" + }, + { + "condition": "apigateway:Resource/EndpointType", + "description": "Filters access by endpoint type. Available during the UpdateDomainName, DeleteDomainName, UpdateRestApi, and DeleteRestApi operations", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Resource/MtlsTrustStoreUri", + "description": "Filters access by URI of the truststore used for mutual TLS authentication. 
Available during UpdateDomainName and DeleteDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/MtlsTrustStoreVersion", + "description": "Filters access by version of the truststore used for mutual TLS authentication. Available during UpdateDomainName and DeleteDomainName operations", + "type": "String" + }, + { + "condition": "apigateway:Resource/RouteAuthorizationType", + "description": "Filters access by authorization type of the existing Method resource, for example NONE, AWS_IAM, CUSTOM, JWT, COGNITO_USER_POOLS. Available during the PutMethod and DeleteMethod operations. Also available as a collection during reimport", + "type": "ArrayOfString" + }, + { + "condition": "apigateway:Resource/SecurityPolicy", + "description": "Filters access by TLS version. Available during UpdateDomain and DeleteDomain operations", + "type": "ArrayOfString" + }, { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters 'Create' requests based on the allowed set of values for a specified tags", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on a tag key-value pair assigned to the AWS resource", + "description": "Filters actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters 'Create' requests based on whether mandatory tags are included in the request", + "description": "Filters actions based on the presence of tag keys in the request", "type": "String" } ], - "prefix": "appconfig", + "prefix": "apigateway", "privileges": [ { - "access_level": "Write", - "description": "Grants permission to create an application", - "privilege": "CreateApplication", + "access_level": "Permissions management", + "description": "Grants permission to add certificates for mutual TLS authentication to a domain name. 
This is an additional authorization control for managing the DomainName resource due to the sensitive nature of mTLS", + "privilege": "AddCertificateToDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "DomainName" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "DomainNames" } ] }, { "access_level": "Write", - "description": "Grants permission to create a configuration profile", - "privilege": "CreateConfigurationProfile", + "description": "Grants permission to delete a particular resource", + "privilege": "DELETE", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "ApiKey" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "Authorizer" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a deployment strategy", - "privilege": "CreateDeploymentStrategy", - "resource_types": [ + "resource_type": "BasePathMapping" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy*" + "resource_type": "ClientCertificate" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an environment", - "privilege": "CreateEnvironment", - "resource_types": [ + "resource_type": "Deployment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "DocumentationPart" }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "environment*" + "resource_type": "DocumentationVersion" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a hosted configuration version", - "privilege": "CreateHostedConfigurationVersion", - "resource_types": [ + "resource_type": "DomainName" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "GatewayResponse" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "Integration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedconfigurationversion*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an application", - "privilege": "DeleteApplication", - "resource_types": [ + "resource_type": "IntegrationResponse" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a configuration profile", - "privilege": "DeleteConfigurationProfile", - "resource_types": [ + "resource_type": "Method" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "MethodResponse" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a deployment strategy", - "privilege": "DeleteDeploymentStrategy", - "resource_types": [ + "resource_type": "Model" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an environment", - "privilege": "DeleteEnvironment", 
- "resource_types": [ + "resource_type": "RequestValidator" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Resource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a hosted configuration version", - "privilege": "DeleteHostedConfigurationVersion", - "resource_types": [ + "resource_type": "RestApi" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stage" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "Template" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedconfigurationversion*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view details about an application", - "privilege": "GetApplication", - "resource_types": [ + "resource_type": "UsagePlan" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "UsagePlanKey" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "VpcLink" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -3721,399 +5203,334 @@ }, { "access_level": "Read", - "description": "Grants permission to view details about a configuration", - "privilege": "GetConfiguration", + "description": "Grants permission to read a particular resource", + "privilege": "GET", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Account" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "ApiKey" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "ApiKeys" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view details about a configuration profile", - "privilege": "GetConfigurationProfile", - "resource_types": [ + "resource_type": "Authorizer" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Authorizers" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "BasePathMapping" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view details about a deployment", - "privilege": "GetDeployment", - "resource_types": [ + "resource_type": "BasePathMappings" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "ClientCertificate" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment*" + "resource_type": "ClientCertificates" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "Deployment" }, { - "condition_keys": [ - 
"aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view details about a deployment strategy", - "privilege": "GetDeploymentStrategy", - "resource_types": [ + "resource_type": "Deployments" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy*" + "resource_type": "DocumentationPart" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view details about an environment", - "privilege": "GetEnvironment", - "resource_types": [ + "resource_type": "DocumentationParts" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "DocumentationVersion" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "DocumentationVersions" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to view details about a hosted configuration version", - "privilege": "GetHostedConfigurationVersion", - "resource_types": [ + "resource_type": "DomainName" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "DomainNames" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "GatewayResponse" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedconfigurationversion*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the applications in your account", - "privilege": "ListApplications", - "resource_types": [ + "resource_type": 
"GatewayResponses" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the configuration profiles for an application", - "privilege": "ListConfigurationProfiles", - "resource_types": [ + "resource_type": "Integration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the deployment strategies for your account", - "privilege": "ListDeploymentStrategies", - "resource_types": [ + "resource_type": "IntegrationResponse" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the deployments for an environment", - "privilege": "ListDeployments", - "resource_types": [ + "resource_type": "Method" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "MethodResponse" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the environments for an application", - "privilege": "ListEnvironments", - "resource_types": [ + "resource_type": "Model" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the hosted configuration versions for a configuration profile", - "privilege": "ListHostedConfigurationVersions", - "resource_types": [ + "resource_type": "Models" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "RequestValidator" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to 
view a list of resource tags for a specified resource", - "privilege": "ListTagsForResource", - "resource_types": [ + "resource_type": "RequestValidators" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" + "resource_type": "Resource" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile" + "resource_type": "Resources" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment" + "resource_type": "RestApi" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy" + "resource_type": "RestApis" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment" + "resource_type": "Sdk" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to initiate a deployment", - "privilege": "StartDeployment", - "resource_types": [ + "resource_type": "Stage" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stages" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "UsagePlan" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment*" + "resource_type": "UsagePlanKey" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy*" + "resource_type": "UsagePlanKeys" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "UsagePlans" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "VpcLink" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "VpcLinks" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a deployment", - "privilege": "StopDeployment", + "description": 
"Grants permission to update a particular resource", + "privilege": "PATCH", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Account" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment*" + "resource_type": "ApiKey" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to tag an appconfig resource.", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "Authorizer" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" + "resource_type": "BasePathMapping" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile" + "resource_type": "ClientCertificate" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment" + "resource_type": "Deployment" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy" + "resource_type": "DocumentationPart" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment" + "resource_type": "DocumentationVersion" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to untag an appconfig resource.", - "privilege": "UntagResource", - "resource_types": [ + "resource_type": "DomainName" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" + "resource_type": "GatewayResponse" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile" + "resource_type": "Integration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment" + "resource_type": "IntegrationResponse" }, { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy" + "resource_type": "Method" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment" + "resource_type": "MethodResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RequestValidator" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Resource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RestApi" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stage" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "UsagePlan" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "UsagePlanKey" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "VpcLink" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -4123,17 +5540,108 @@ }, { "access_level": "Write", - "description": "Grants permission to modify an application", - "privilege": "UpdateApplication", + "description": "Grants permission to create a particular resource", + "privilege": "POST", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "ApiKeys" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Authorizers" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "BasePathMappings" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ClientCertificates" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Deployments" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DocumentationParts" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DocumentationVersions" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DomainNames" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "GatewayResponses" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "IntegrationResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MethodResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Models" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RequestValidators" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Resources" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RestApis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stages" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "UsagePlanKeys" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "UsagePlans" + 
}, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "VpcLinks" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -4142,22 +5650,38 @@ }, { "access_level": "Write", - "description": "Grants permission to modify a configuration profile", - "privilege": "UpdateConfigurationProfile", + "description": "Grants permission to update a particular resource", + "privilege": "PUT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "DocumentationPart" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "GatewayResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "IntegrationResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MethodResponse" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RestApi" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -4165,147 +5689,405 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to modify a deployment strategy", - "privilege": "UpdateDeploymentStrategy", + "access_level": "Permissions management", + "description": "Grants permission to remove certificates for mutual TLS authentication from a domain name. This is an additional authorization control for managing the DomainName resource due to the sensitive nature of mTLS", + "privilege": "RemoveCertificateFromDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentstrategy*" + "resource_type": "DomainName" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "DomainNames" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify an environment", - "privilege": "UpdateEnvironment", + "access_level": "Permissions management", + "description": "Grants permission set a WAF access control list (ACL). This is an additional authorization control for managing the Stage resource due to the sensitive nature of WebAcl's", + "privilege": "SetWebACL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "Stage" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Stages" } ] }, { - "access_level": "Write", - "description": "Grants permission to validate a configuration", - "privilege": "ValidateConfiguration", + "access_level": "Permissions management", + "description": "Grants permission to manage the IAM resource policy for an API. 
This is an additional authorization control for managing an API due to the sensitive nature of the resource policy", + "privilege": "UpdateRestApiPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "RestApi" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurationprofile*" + "resource_type": "RestApis" } ] } ], "resources": [ { - "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}", + "arn": "arn:${Partition}:apigateway:${Region}::/account", + "condition_keys": [], + "resource": "Account" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/apikeys/${ApiKeyId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "application" + "resource": "ApiKey" }, { - "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}", + "arn": "arn:${Partition}:apigateway:${Region}::/apikeys", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "environment" + "resource": "ApiKeys" }, { - "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId}", + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers/${AuthorizerId}", "condition_keys": [ + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", + "apigateway:Resource/AuthorizerType", + "apigateway:Resource/AuthorizerUri", "aws:ResourceTag/${TagKey}" ], - "resource": "configurationprofile" + "resource": "Authorizer" }, { - "arn": "arn:${Partition}:appconfig:${Region}:${Account}:deploymentstrategy/${DeploymentStrategyId}", + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/authorizers", "condition_keys": [ + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", "aws:ResourceTag/${TagKey}" ], - "resource": "deploymentstrategy" + "resource": 
"Authorizers" }, { - "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}/deployment/${DeploymentNumber}", + "arn": "arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/basepathmappings/${BasePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "deployment" + "resource": "BasePathMapping" }, { - "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId}/hostedconfigurationversion/${VersionNumber}", + "arn": "arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}/basepathmappings", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "BasePathMappings" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/clientcertificates/${ClientCertificateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ClientCertificate" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/clientcertificates", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ClientCertificates" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments/${DeploymentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Deployment" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/deployments", + "condition_keys": [ + "apigateway:Request/StageName" + ], + "resource": "Deployments" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/parts/${DocumentationPartId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "DocumentationPart" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/parts", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "DocumentationParts" + }, + { + "arn": 
"arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/versions/${DocumentationVersionId}", "condition_keys": [], - "resource": "hostedconfigurationversion" + "resource": "DocumentationVersion" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/documentation/versions", + "condition_keys": [], + "resource": "DocumentationVersions" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/domainnames/${DomainName}", + "condition_keys": [ + "apigateway:Request/EndpointType", + "apigateway:Request/MtlsTrustStoreUri", + "apigateway:Request/MtlsTrustStoreVersion", + "apigateway:Request/SecurityPolicy", + "apigateway:Resource/EndpointType", + "apigateway:Resource/MtlsTrustStoreUri", + "apigateway:Resource/MtlsTrustStoreVersion", + "apigateway:Resource/SecurityPolicy", + "aws:ResourceTag/${TagKey}" + ], + "resource": "DomainName" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/domainnames", + "condition_keys": [ + "apigateway:Request/EndpointType", + "apigateway:Request/MtlsTrustStoreUri", + "apigateway:Request/MtlsTrustStoreVersion", + "apigateway:Request/SecurityPolicy", + "aws:ResourceTag/${TagKey}" + ], + "resource": "DomainNames" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/gatewayresponses/${ResponseType}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "GatewayResponse" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/gatewayresponses", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "GatewayResponses" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/integration", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Integration" + }, + { + "arn": 
"arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/integration/responses/${StatusCode}", + "condition_keys": [], + "resource": "IntegrationResponse" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}", + "condition_keys": [ + "apigateway:Request/ApiKeyRequired", + "apigateway:Request/RouteAuthorizationType", + "apigateway:Resource/ApiKeyRequired", + "apigateway:Resource/RouteAuthorizationType", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Method" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}/methods/${HttpMethodType}/responses/${StatusCode}", + "condition_keys": [], + "resource": "MethodResponse" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models/${ModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Model" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/models", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Models" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/requestvalidators/${RequestValidatorId}", + "condition_keys": [], + "resource": "RequestValidator" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/requestvalidators", + "condition_keys": [], + "resource": "RequestValidators" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Resource" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/resources", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Resources" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}", + "condition_keys": [ + 
"apigateway:Request/ApiKeyRequired", + "apigateway:Request/ApiName", + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", + "apigateway:Request/DisableExecuteApiEndpoint", + "apigateway:Request/EndpointType", + "apigateway:Request/RouteAuthorizationType", + "apigateway:Resource/ApiKeyRequired", + "apigateway:Resource/ApiName", + "apigateway:Resource/AuthorizerType", + "apigateway:Resource/AuthorizerUri", + "apigateway:Resource/DisableExecuteApiEndpoint", + "apigateway:Resource/EndpointType", + "apigateway:Resource/RouteAuthorizationType", + "aws:ResourceTag/${TagKey}" + ], + "resource": "RestApi" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis", + "condition_keys": [ + "apigateway:Request/ApiKeyRequired", + "apigateway:Request/ApiName", + "apigateway:Request/AuthorizerType", + "apigateway:Request/AuthorizerUri", + "apigateway:Request/DisableExecuteApiEndpoint", + "apigateway:Request/EndpointType", + "apigateway:Request/RouteAuthorizationType", + "aws:ResourceTag/${TagKey}" + ], + "resource": "RestApis" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages/${StageName}/sdks/${SdkType}", + "condition_keys": [], + "resource": "Sdk" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages/${StageName}", + "condition_keys": [ + "apigateway:Request/AccessLoggingDestination", + "apigateway:Request/AccessLoggingFormat", + "apigateway:Resource/AccessLoggingDestination", + "apigateway:Resource/AccessLoggingFormat", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Stage" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/${RestApiId}/stages", + "condition_keys": [ + "apigateway:Request/AccessLoggingDestination", + "apigateway:Request/AccessLoggingFormat", + "aws:ResourceTag/${TagKey}" + ], + "resource": "Stages" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/restapis/models/${ModelName}/template", + "condition_keys": [], + "resource": 
"Template" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "UsagePlan" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/usageplans", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "UsagePlans" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys/${Id}", + "condition_keys": [], + "resource": "UsagePlanKey" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/usageplans/${UsagePlanId}/keys", + "condition_keys": [], + "resource": "UsagePlanKeys" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/vpclinks/${VpcLinkId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "VpcLink" + }, + { + "arn": "arn:${Partition}:apigateway:${Region}::/vpclinks", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "VpcLinks" } ], - "service_name": "AWS AppConfig" + "service_name": "Amazon API Gateway Management" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" } ], - "prefix": "appflow", + "prefix": "app-integrations", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a login profile to be used with Amazon AppFlow flows", - "privilege": 
"CreateConnectorProfile", + "description": "Grants permissions to create a new EventIntegration", + "privilege": "CreateEventIntegration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an Amazon AppFlow flow", - "privilege": "CreateFlow", - "resource_types": [ + "resource_type": "event-integration*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -4318,30 +6100,32 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a login profile configured in Amazon AppFlow", - "privilege": "DeleteConnectorProfile", + "description": "Grants permissions to create an EventIntegrationAssociation", + "privilege": "CreateEventIntegrationAssociation", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "connectorprofile*" + "dependent_actions": [ + "events:PutRule", + "events:PutTargets" + ], + "resource_type": "event-integration-association*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an Amazon AppFlow flow", - "privilege": "DeleteFlow", + "description": "Grants permissions to delete an EventIntegration", + "privilege": "DeleteEventIntegration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" + "resource_type": "event-integration*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -4349,36 +6133,35 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe all fields for an object in a login profile configured in Amazon AppFlow", - "privilege": "DescribeConnectorEntity", + "access_level": "Write", + "description": "Grants permissions to delete an EventIntegrationAssociation", + "privilege": "DeleteEventIntegrationAssociation", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "connectorprofile*" + "dependent_actions": [ + "events:DeleteRule", + "events:ListTargetsByRule", + "events:RemoveTargets" + ], + "resource_type": "event-integration-association*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe all fields for an object in a login profile configured in Amazon AppFlow (Console Only)", - "privilege": "DescribeConnectorFields", + "description": "Grants permissions to view details about EventIntegrations", + "privilege": "GetEventIntegration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorprofile*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe all login profiles configured in Amazon AppFlow", - "privilege": "DescribeConnectorProfiles", - "resource_types": [ + "resource_type": "event-integration*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -4386,8 +6169,8 @@ }, { "access_level": "Read", - "description": "Grants permission to describe all connectors supported by Amazon AppFlow", - "privilege": "DescribeConnectors", + "description": "Grants permissions to list EventIntegrationAssociations", + "privilege": "ListEventIntegrationAssociations", "resource_types": [ { "condition_keys": [], 
@@ -4397,9 +6180,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe a specific flow configured in Amazon AppFlow", - "privilege": "DescribeFlow", + "access_level": "List", + "description": "Grants permissions to list EventIntegrations", + "privilege": "ListEventIntegrations", "resource_types": [ { "condition_keys": [], 
@@ -4410,138 +6193,176 @@ }, { "access_level": "Read", - "description": "Grants permission to describe all flow executions for a flow configured in Amazon AppFlow (Console Only)", - "privilege": "DescribeFlowExecution", + "description": "Grants permission to lists tag for an Amazon AppIntegration resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe all flow executions for a flow configured in Amazon AppFlow", - "privilege": "DescribeFlowExecutionRecords", - "resource_types": [ + "resource_type": "event-integration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe all flows configured in Amazon AppFlow (Console Only)", - "privilege": "DescribeFlows", - "resource_types": [ + "resource_type": "event-integration-association" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all objects for a login profile configured in Amazon AppFlow", - "privilege": "ListConnectorEntities", + "access_level": "Tagging", + "description": "Grants permission to tag an Amazon AppIntegration resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorprofile*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list all objects for a login profile configured in Amazon AppFlow (Console Only)", - "privilege": "ListConnectorFields", - "resource_types": [ + "resource_type": "event-integration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorprofile*" + "resource_type": 
"event-integration-association" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all flows configured in Amazon AppFlow", - "privilege": "ListFlows", + "access_level": "Tagging", + "description": "Grants permissions to untag an Amazon AppIntegration resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list tags for a flow", - "privilege": "ListTagsForResource", - "resource_types": [ + "resource_type": "event-integration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" + "resource_type": "event-integration-association" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to run a flow configured in Amazon AppFlow (Console Only)", - "privilege": "RunFlow", + "description": "Grants permissions to modify an EventIntegration", + "privilege": "UpdateEventIntegration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" + "resource_type": "event-integration*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:app-integrations:${Region}:${Account}:event-integration/${EventIntegrationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "event-integration" + }, + { + "arn": "arn:${Partition}:app-integrations:${Region}:${Account}:event-integration-association/${EventIntegrationName}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + 
], + "resource": "event-integration-association" + } + ], + "service_name": "Amazon AppIntegrations" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the allowed set of values for a specified tag", + "type": "String" }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on a tag key-value pair assigned to the AWS resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on whether mandatory tags are included in the request", + "type": "String" + } + ], + "prefix": "appconfig", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to activate (for scheduled and event-triggered flows) or run (for on-demand flows) a flow configured in Amazon AppFlow", - "privilege": "StartFlow", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to deactivate a scheduled or event-triggered flow configured in Amazon AppFlow", - "privilege": "StopFlow", + "description": "Grants permission to create a configuration profile", + "privilege": "CreateConfigurationProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to tag a flow", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" + "resource_type": "configurationprofile*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + 
"aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -4549,17 +6370,18 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a flow", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a deployment strategy", + "privilege": "CreateDeploymentStrategy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" + "resource_type": "deploymentstrategy*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -4569,56 +6391,24 @@ }, { "access_level": "Write", - "description": "Grants permission to update a login profile configured in Amazon AppFlow", - "privilege": "UpdateConnectorProfile", + "description": "Grants permission to create an environment", + "privilege": "CreateEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a flow configured in Amazon AppFlow", - "privilege": "UpdateFlow", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:appflow:${Region}:${Account}:connectorprofile/${profileName}", - "condition_keys": [], - "resource": "connectorprofile" - }, - { - "arn": "arn:${Partition}:appflow:${Region}:${Account}:flow/${flowName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "flow" - } - ], - "service_name": "Amazon AppFlow" - }, - { - "conditions": [], - "prefix": "application-autoscaling", - "privileges": [ - { - "access_level": "Write", - "description": "Deletes an Application Auto Scaling scaling policy that was previously created.", - "privilege": "DeleteScalingPolicy", - "resource_types": [ + "resource_type": "environment*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } 
@@ -4626,291 +6416,275 @@ }, { "access_level": "Write", - "description": "Deletes an Application Auto Scaling scheduled action that was previously created.", - "privilege": "DeleteScheduledAction", + "description": "Grants permission to create a hosted configuration version", + "privilege": "CreateHostedConfigurationVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Deregisters a scalable target that was previously registered.", - "privilege": "DeregisterScalableTarget", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Provides descriptive information for scalable targets with a specified service namespace.", - "privilege": "DescribeScalableTargets", - "resource_types": [ + "resource_type": "configurationprofile*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hostedconfigurationversion*" } ] }, { - "access_level": "Read", - "description": "Provides descriptive information for scaling activities with a specified service namespace for the previous six weeks.", - "privilege": "DescribeScalingActivities", + "access_level": "Write", + "description": "Grants permission to delete an application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Provides descriptive information for scaling policies with a specified service namespace.", - "privilege": "DescribeScalingPolicies", + "access_level": "Write", + "description": "Grants permission to delete a configuration profile", + "privilege": "DeleteConfigurationProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } 
- ] - }, - { - "access_level": "Read", - "description": "Provides descriptive information for scheduled actions with a specified service namespace.", - "privilege": "DescribeScheduledActions", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "configurationprofile*" } ] }, { "access_level": "Write", - "description": "Creates or updates a policy for an existing Application Auto Scaling scalable target.", - "privilege": "PutScalingPolicy", + "description": "Grants permission to delete a deployment strategy", + "privilege": "DeleteDeploymentStrategy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "deploymentstrategy*" } ] }, { "access_level": "Write", - "description": "Creates or updates a scheduled action for an existing Application Auto Scaling scalable target.", - "privilege": "PutScheduledAction", + "description": "Grants permission to delete an environment", + "privilege": "DeleteEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" } ] }, { "access_level": "Write", - "description": "Registers or updates a scalable target. 
A scalable target is a resource that can be scaled out or in with Application Auto Scaling.", - "privilege": "RegisterScalableTarget", + "description": "Grants permission to delete a hosted configuration version", + "privilege": "DeleteHostedConfigurationVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "Application Auto Scaling" - }, - { - "conditions": [], - "prefix": "applicationinsights", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create an application from a resource group", - "privilege": "CreateApplication", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a component from a group of resources", - "privilege": "CreateComponent", - "resource_types": [ + "resource_type": "configurationprofile*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hostedconfigurationversion*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create log a pattern", - "privilege": "CreateLogPattern", + "access_level": "Read", + "description": "Grants permission to view details about an application", + "privilege": "GetApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an application", - "privilege": "DeleteApplication", + "access_level": "Read", + "description": "Grants permission to view details about a configuration", + "privilege": "GetConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a component", - "privilege": "DeleteComponent", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a log pattern", - "privilege": "DeleteLogPattern", - "resource_types": [ + "resource_type": "configurationprofile*" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an application", - "privilege": "DescribeApplication", + "description": "Grants permission to view details about a configuration profile", + "privilege": "GetConfigurationProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a component", - "privilege": "DescribeComponent", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "configurationprofile*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a component's configuration", - "privilege": "DescribeComponentConfiguration", + "description": "Grants permission to view details about a deployment", + "privilege": "GetDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe the recommended application component configuration", - "privilege": 
"DescribeComponentConfigurationRecommendation", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a log pattern", - "privilege": "DescribeLogPattern", - "resource_types": [ + "resource_type": "deployment*" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an observation", - "privilege": "DescribeObservation", + "description": "Grants permission to view details about a deployment strategy", + "privilege": "GetDeploymentStrategy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "deploymentstrategy*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a problem", - "privilege": "DescribeProblem", + "description": "Grants permission to view details about an environment", + "privilege": "GetEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the observation in a problem", - "privilege": "DescribeProblemObservations", + "description": "Grants permission to view details about a hosted configuration version", + "privilege": "GetHostedConfigurationVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + 
"resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurationprofile*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedconfigurationversion*" } ] }, { "access_level": "List", - "description": "Grants permission to list all applications", + "description": "Grants permission to list the applications in your account", "privilege": "ListApplications", "resource_types": [ { @@ -4922,20 +6696,20 @@ }, { "access_level": "List", - "description": "Grants permission to list an application's components", - "privilege": "ListComponents", + "description": "Grants permission to list the configuration profiles for an application", + "privilege": "ListConfigurationProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "List", - "description": "Grants permission to list configuration history", - "privilege": "ListConfigurationHistory", + "description": "Grants permission to list the deployment strategies for your account", + "privilege": "ListDeploymentStrategies", "resource_types": [ { "condition_keys": [], 
@@ -4946,187 +6720,178 @@ }, { "access_level": "List", - "description": "Grants permission to list log pattern sets for an application", - "privilege": "ListLogPatternSets", + "description": "Grants permission to list the deployments for an environment", + "privilege": "ListDeployments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" } ] }, { "access_level": "List", - "description": "Grants permission to list log patterns", - "privilege": "ListLogPatterns", + "description": "Grants permission to list the environments for an application", + "privilege": "ListEnvironments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "List", - "description": "Grants permission to list the problems in an application", - "privilege": "ListProblems", + "description": "Grants permission to list the hosted configuration versions for a configuration profile", + "privilege": "ListHostedConfigurationVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurationprofile*" } ] }, { - "access_level": "List", - "description": "Grants permission to list tags for the resource", + "access_level": "Read", + "description": "Grants permission to view a list of resource tags for a specified resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "application" + }, { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", - "resource_types": [ + "resource_type": "configurationprofile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update an application", - "privilege": "UpdateApplication", - "resource_types": [ + "resource_type": "deployment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a component", - "privilege": "UpdateComponent", - "resource_types": [ + "resource_type": "deploymentstrategy" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a component's configuration", - "privilege": "UpdateComponentConfiguration", + "description": "Grants permission to initiate a deployment", + "privilege": "StartDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a log pattern", - "privilege": "UpdateLogPattern", - "resource_types": [ + "resource_type": "application*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "configurationprofile*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deployment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentstrategy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" } ] - } - ], - "resources": [], - "service_name": "CloudWatch Application 
Insights" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource.", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request.", - "type": "String" - } - ], - "prefix": "appmesh", - "privileges": [ { "access_level": "Write", - "description": "Creates a gateway route that is associated with a virtual gateway.", - "privilege": "CreateGatewayRoute", + "description": "Grants permission to stop a deployment", + "privilege": "StopDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gatewayRoute*" + "resource_type": "application*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualService" + "resource_type": "deployment*" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "environment*" } ] }, { - "access_level": "Write", - "description": "Creates a service mesh.", - "privilege": "CreateMesh", + "access_level": "Tagging", + "description": "Grants permission to tag an appconfig resource.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurationprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deployment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentstrategy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" }, { 
"condition_keys": [ "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -5134,24 +6899,38 @@ ] }, { - "access_level": "Write", - "description": "Creates a route that is associated with a virtual router.", - "privilege": "CreateRoute", + "access_level": "Tagging", + "description": "Grants permission to untag an appconfig resource.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "route*" + "resource_type": "application" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualNode" + "resource_type": "configurationprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deployment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentstrategy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -5160,18 +6939,17 @@ }, { "access_level": "Write", - "description": "Creates a virtual gateway within a service mesh.", - "privilege": "CreateVirtualGateway", + "description": "Grants permission to modify an application", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway*" + "resource_type": "application*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -5180,23 +6958,22 @@ }, { "access_level": "Write", - "description": "Creates a virtual node within a service mesh.", - "privilege": "CreateVirtualNode", + "description": "Grants permission to modify a configuration profile", + "privilege": "UpdateConfigurationProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualNode*" + "resource_type": "application*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualService" + "resource_type": "configurationprofile*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -5205,18 +6982,17 @@ }, { "access_level": "Write", - "description": "Creates a virtual router within a service mesh.", - "privilege": "CreateVirtualRouter", + "description": "Grants permission to modify a deployment strategy", + "privilege": "UpdateDeploymentStrategy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter*" + "resource_type": "deploymentstrategy*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -5225,28 +7001,22 @@ }, { "access_level": "Write", - "description": "Creates a virtual service within a service mesh.", - "privilege": "CreateVirtualService", + "description": "Grants permission to modify an environment", + "privilege": "UpdateEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualService*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualNode" + "resource_type": "application*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter" + "resource_type": "environment*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -5255,579 +7025,980 @@ }, { "access_level": "Write", - "description": "Deletes an existing gateway route.", - "privilege": "DeleteGatewayRoute", + "description": "Grants permission to validate a configuration", + "privilege": "ValidateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gatewayRoute*" + "resource_type": "application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurationprofile*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "configurationprofile" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:deploymentstrategy/${DeploymentStrategyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deploymentstrategy" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}/deployment/${DeploymentNumber}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deployment" + }, + { + "arn": "arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/configurationprofile/${ConfigurationProfileId}/hostedconfigurationversion/${VersionNumber}", + "condition_keys": [], + "resource": "hostedconfigurationversion" + } + ], + "service_name": "AWS AppConfig" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters 
actions based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value associated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tags in the request", + "type": "String" + } + ], + "prefix": "appflow", + "privileges": [ { "access_level": "Write", - "description": "Deletes an existing service mesh.", - "privilege": "DeleteMesh", + "description": "Grants permission to create a login profile to be used with Amazon AppFlow flows", + "privilege": "CreateConnectorProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes an existing route.", - "privilege": "DeleteRoute", + "description": "Grants permission to create an Amazon AppFlow flow", + "privilege": "CreateFlow", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "route*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes an existing virtual gateway.", - "privilege": "DeleteVirtualGateway", + "description": "Grants permission to delete a login profile configured in Amazon AppFlow", + "privilege": "DeleteConnectorProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway*" + "resource_type": "connectorprofile*" } ] }, { "access_level": "Write", - "description": "Deletes an existing virtual node.", - "privilege": "DeleteVirtualNode", + "description": "Grants permission to delete an Amazon AppFlow flow", + "privilege": "DeleteFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualNode*" + "resource_type": "flow*" + }, + { + 
"condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes an existing virtual router.", - "privilege": "DeleteVirtualRouter", + "access_level": "Read", + "description": "Grants permission to describe all fields for an object in a login profile configured in Amazon AppFlow", + "privilege": "DescribeConnectorEntity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter*" + "resource_type": "connectorprofile*" } ] }, { - "access_level": "Write", - "description": "Deletes an existing virtual service.", - "privilege": "DeleteVirtualService", + "access_level": "Read", + "description": "Grants permission to describe all fields for an object in a login profile configured in Amazon AppFlow (Console Only)", + "privilege": "DescribeConnectorFields", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualService*" + "resource_type": "connectorprofile*" } ] }, { "access_level": "Read", - "description": "Describes an existing gateway route.", - "privilege": "DescribeGatewayRoute", + "description": "Grants permission to describe all login profiles configured in Amazon AppFlow", + "privilege": "DescribeConnectorProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gatewayRoute*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Describes an existing service mesh.", - "privilege": "DescribeMesh", + "description": "Grants permission to describe all connectors supported by Amazon AppFlow", + "privilege": "DescribeConnectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Describes an existing route.", - "privilege": "DescribeRoute", + "description": "Grants permission to describe a 
specific flow configured in Amazon AppFlow", + "privilege": "DescribeFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "route*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Describes an existing virtual gateway.", - "privilege": "DescribeVirtualGateway", + "description": "Grants permission to describe all flow executions for a flow configured in Amazon AppFlow (Console Only)", + "privilege": "DescribeFlowExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway*" + "resource_type": "flow*" } ] }, { "access_level": "Read", - "description": "Describes an existing virtual node.", - "privilege": "DescribeVirtualNode", + "description": "Grants permission to describe all flow executions for a flow configured in Amazon AppFlow", + "privilege": "DescribeFlowExecutionRecords", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualNode*" + "resource_type": "flow*" } ] }, { "access_level": "Read", - "description": "Describes an existing virtual router.", - "privilege": "DescribeVirtualRouter", + "description": "Grants permission to describe all flows configured in Amazon AppFlow (Console Only)", + "privilege": "DescribeFlows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes an existing virtual service.", - "privilege": "DescribeVirtualService", + "access_level": "List", + "description": "Grants permission to list all objects for a login profile configured in Amazon AppFlow", + "privilege": "ListConnectorEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualService*" + "resource_type": "connectorprofile*" } ] }, { - "access_level": "List", - "description": "Returns a list of existing gateway routes in a service 
mesh.", - "privilege": "ListGatewayRoutes", + "access_level": "Read", + "description": "Grants permission to list all objects for a login profile configured in Amazon AppFlow (Console Only)", + "privilege": "ListConnectorFields", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway*" + "resource_type": "connectorprofile*" } ] }, { "access_level": "List", - "description": "Returns a list of existing service meshes.", - "privilege": "ListMeshes", + "description": "Grants permission to list all flows configured in Amazon AppFlow", + "privilege": "ListFlows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "flow*" } ] }, { - "access_level": "List", - "description": "Returns a list of existing routes in a service mesh.", - "privilege": "ListRoutes", + "access_level": "Read", + "description": "Grants permission to list tags for a flow", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter*" + "resource_type": "flow*" } ] }, { - "access_level": "List", - "description": "List the tags for an App Mesh resource.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to run a flow configured in Amazon AppFlow (Console Only)", + "privilege": "RunFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gatewayRoute" - }, + "resource_type": "flow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate (for scheduled and event-triggered flows) or run (for on-demand flows) a flow configured in Amazon AppFlow", + "privilege": "StartFlow", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh" - }, + "resource_type": "flow*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deactivate a 
scheduled or event-triggered flow configured in Amazon AppFlow", + "privilege": "StopFlow", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "route" - }, + "resource_type": "flow*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a flow", + "privilege": "TagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway" + "resource_type": "flow*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "virtualNode" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a flow", + "privilege": "UntagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter" + "resource_type": "flow*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "virtualService" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns a list of existing virtual gateways in a service mesh.", - "privilege": "ListVirtualGateways", + "access_level": "Write", + "description": "Grants permission to update a login profile configured in Amazon AppFlow", + "privilege": "UpdateConnectorProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "connectorprofile*" } ] }, { - "access_level": "List", - "description": "Returns a list of existing virtual nodes.", - "privilege": "ListVirtualNodes", + "access_level": "Write", + "description": "Grants permission to update a flow configured in Amazon AppFlow", + "privilege": "UpdateFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "flow*" } ] }, { - "access_level": "List", - "description": "Returns 
a list of existing virtual routers in a service mesh.", - "privilege": "ListVirtualRouters", + "access_level": "Write", + "description": "Grants permission to use a connector profile while creating a flow in Amazon AppFlow", + "privilege": "UseConnectorProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "connectorprofile*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:appflow:${Region}:${Account}:connectorprofile/${profileName}", + "condition_keys": [], + "resource": "connectorprofile" }, { - "access_level": "List", - "description": "Returns a list of existing virtual services in a service mesh.", - "privilege": "ListVirtualServices", + "arn": "arn:${Partition}:appflow:${Region}:${Account}:flow/${flowName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "flow" + } + ], + "service_name": "Amazon AppFlow" + }, + { + "conditions": [], + "prefix": "application-autoscaling", + "privileges": [ + { + "access_level": "Write", + "description": "Deletes an Application Auto Scaling scaling policy that was previously created.", + "privilege": "DeleteScalingPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Allows an Envoy Proxy to receive streamed resources for an App Mesh endpoint (VirtualNode or VirtualGateway).", - "privilege": "StreamAggregatedResources", + "access_level": "Write", + "description": "Deletes an Application Auto Scaling scheduled action that was previously created.", + "privilege": "DeleteScheduledAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualNode" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Associates the specified tags to a resource with 
the specified resourceArn.", - "privilege": "TagResource", + "description": "Deregisters a scalable target that was previously registered.", + "privilege": "DeregisterScalableTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gatewayRoute" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mesh" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "route" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Provides descriptive information for scalable targets with a specified service namespace.", + "privilege": "DescribeScalableTargets", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Provides descriptive information for scaling activities with a specified service namespace for the previous six weeks.", + "privilege": "DescribeScalingActivities", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualNode" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Provides descriptive information for scaling policies with a specified service namespace.", + "privilege": "DescribeScalingPolicies", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Provides descriptive information for scheduled actions with a specified service namespace.", + "privilege": "DescribeScheduledActions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualService" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes 
specified tags from a resource.", - "privilege": "UntagResource", + "description": "Creates or updates a policy for an existing Application Auto Scaling scalable target.", + "privilege": "PutScalingPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gatewayRoute" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mesh" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "route" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualGateway" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualNode" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualRouter" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualService" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an existing gateway route for a specified service mesh and virtual gateway.", - "privilege": "UpdateGatewayRoute", + "description": "Creates or updates a scheduled action for an existing Application Auto Scaling scalable target.", + "privilege": "PutScheduledAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gatewayRoute*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualService" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an existing service mesh.", - "privilege": "UpdateMesh", + "description": "Registers or updates a scalable target. 
A scalable target is a resource that can be scaled out or in with Application Auto Scaling.", + "privilege": "RegisterScalableTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "Application Auto Scaling" + }, + { + "conditions": [], + "prefix": "application-cost-profiler", + "privileges": [ { "access_level": "Write", - "description": "Updates an existing route for a specified service mesh and virtual router.", - "privilege": "UpdateRoute", + "description": "Grants permission to delete the configuration with specific Application Cost Profiler Report thereby effectively disabling report generation", + "privilege": "DeleteReportDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "route*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to fetch the configuration with specific Application Cost Profiler Report request", + "privilege": "GetReportDefinition", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualNode" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an existing virtual gateway in a specified service mesh.", - "privilege": "UpdateVirtualGateway", + "description": "Grants permission to import the application usage from S3", + "privilege": "ImportApplicationUsage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualGateway*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates an existing virtual node in a specified service mesh.", - "privilege": "UpdateVirtualNode", + "access_level": "Read", + "description": "Grants permission to get a list of the different Application Cost Profiler Report configurations they have created", + "privilege": "ListReportDefinitions", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualNode*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an existing virtual router in a specified service mesh.", - "privilege": "UpdateVirtualRouter", + "description": "Grants permission to create Application Cost Profiler Report configurations", + "privilege": "PutReportDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualRouter*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an existing virtual service in a specified service mesh.", - "privilege": "UpdateVirtualService", + "description": "Grants permission to update an existing Application Cost Profiler Report configuration", + "privilege": "UpdateReportDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualNode" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "virtualRouter" + "resource_type": "" } ] } ], - "resources": [ - { - "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "mesh" + "resources": [], + "service_name": "AWS Application Cost Profiler Service" + }, + { + "conditions": [], + "prefix": "applicationinsights", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an application from a resource group", + "privilege": "CreateApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "virtualService" + "access_level": "Write", + 
"description": "Grants permission to create a component from a group of resources", + "privilege": "CreateComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "virtualNode" + "access_level": "Write", + "description": "Grants permission to create log a pattern", + "privilege": "CreateLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "virtualRouter" + "access_level": "Write", + "description": "Grants permission to delete an application", + "privilege": "DeleteApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "route" + "access_level": "Write", + "description": "Grants permission to delete a component", + "privilege": "DeleteComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "virtualGateway" + "access_level": "Write", + "description": "Grants permission to delete a log pattern", + "privilege": "DeleteLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "arn": 
"arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "gatewayRoute" + "access_level": "Read", + "description": "Grants permission to describe an application", + "privilege": "DescribeApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a component", + "privilege": "DescribeComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a component's configuration", + "privilege": "DescribeComponentConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the recommended application component configuration", + "privilege": "DescribeComponentConfigurationRecommendation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a log pattern", + "privilege": "DescribeLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an observation", + "privilege": "DescribeObservation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a problem", + "privilege": "DescribeProblem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + 
}, + { + "access_level": "Read", + "description": "Grants permission to describe the observation in a problem", + "privilege": "DescribeProblemObservations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all applications", + "privilege": "ListApplications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list an application's components", + "privilege": "ListComponents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list configuration history", + "privilege": "ListConfigurationHistory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list log pattern sets for an application", + "privilege": "ListLogPatternSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list log patterns", + "privilege": "ListLogPatterns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the problems in an application", + "privilege": "ListProblems", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for the resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + 
] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an application", + "privilege": "UpdateApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a component", + "privilege": "UpdateComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a component's configuration", + "privilege": "UpdateComponentConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a log pattern", + "privilege": "UpdateLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], - "service_name": "AWS App Mesh" + "resources": [], + "service_name": "CloudWatch Application Insights" }, { - "conditions": [], - "prefix": "appmesh-preview", + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions by the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions by the tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + 
"description": "Filters actions by the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "appmesh", "privileges": [ { "access_level": "Write", - "description": "Creates a gateway route that is associated with a virtual gateway.", + "description": "Grants permission to create a gateway route that is associated with a virtual gateway", "privilege": "CreateGatewayRoute", "resource_types": [ { @@ -5839,24 +8010,40 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "virtualService" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a service mesh.", + "description": "Grants permission to create a service mesh", "privilege": "CreateMesh", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "mesh*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a route that is associated with a virtual router.", + "description": "Grants permission to create a route that is associated with a virtual router", "privilege": "CreateRoute", "resource_types": [ { 
@@ -5868,24 +8055,40 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "virtualNode" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a virtual gateway within a service mesh.", + "description": "Grants permission to create a virtual gateway within a service mesh", "privilege": "CreateVirtualGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "virtualGateway*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a virtual node within a service mesh.", + "description": "Grants permission to create a virtual node within a service mesh", "privilege": "CreateVirtualNode", "resource_types": [ { @@ -5897,24 +8100,40 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "virtualService" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a virtual router within a service mesh.", + "description": "Grants permission to create a virtual router within a service mesh", "privilege": "CreateVirtualRouter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "virtualRouter*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a virtual service within a service mesh.", + "description": "Grants permission to create a virtual service within a service mesh", "privilege": "CreateVirtualService", "resource_types": [ { 
@@ -5931,12 +8150,20 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "virtualRouter" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes an existing gateway route.", + "description": "Grants permission to delete an existing gateway route", "privilege": "DeleteGatewayRoute", "resource_types": [ { @@ -5948,7 +8175,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing service mesh.", + "description": "Grants permission to delete an existing service mesh", "privilege": "DeleteMesh", "resource_types": [ { @@ -5960,7 +8187,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing route.", + "description": "Grants permission to delete an existing route", "privilege": "DeleteRoute", "resource_types": [ { @@ -5972,7 +8199,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing virtual gateway.", + "description": "Grants permission to delete an existing virtual gateway", "privilege": "DeleteVirtualGateway", "resource_types": [ { @@ -5984,7 +8211,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing virtual node.", + "description": "Grants permission to delete an existing virtual node", "privilege": "DeleteVirtualNode", "resource_types": [ { @@ -5996,7 +8223,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing virtual router.", + "description": "Grants permission to delete an existing virtual router", "privilege": "DeleteVirtualRouter", "resource_types": [ { @@ -6008,7 +8235,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing virtual service.", + "description": "Grants permission to delete an existing virtual service", "privilege": "DeleteVirtualService", "resource_types": [ { 
@@ -6020,7 +8247,7 @@ }, { "access_level": "Read", - "description": "Describes an existing gateway route.", + "description": "Grants permission to describe an existing gateway route", "privilege": "DescribeGatewayRoute", "resource_types": [ { @@ -6032,7 +8259,7 @@ }, { "access_level": "Read", - "description": "Describes an existing service mesh.", + "description": "Grants permission to describe an existing service mesh", "privilege": "DescribeMesh", "resource_types": [ { @@ -6044,7 +8271,7 @@ }, { "access_level": "Read", - "description": "Describes an existing route.", + "description": "Grants permission to describe an existing route", "privilege": "DescribeRoute", "resource_types": [ { @@ -6056,7 +8283,7 @@ }, { "access_level": "Read", - "description": "Describes an existing virtual gateway.", + "description": "Grants permission to describe an existing virtual gateway", "privilege": "DescribeVirtualGateway", "resource_types": [ { @@ -6068,7 +8295,7 @@ }, { "access_level": "Read", - "description": "Describes an existing virtual node.", + "description": "Grants permission to describe an existing virtual node", "privilege": "DescribeVirtualNode", "resource_types": [ { @@ -6080,7 +8307,7 @@ }, { "access_level": "Read", - "description": "Describes an existing virtual router.", + "description": "Grants permission to describe an existing virtual router", "privilege": "DescribeVirtualRouter", "resource_types": [ { @@ -6092,7 +8319,7 @@ }, { "access_level": "Read", - "description": "Describes an existing virtual service.", + "description": "Grants permission to describe an existing virtual service", "privilege": "DescribeVirtualService", "resource_types": [ { @@ -6104,7 +8331,7 @@ }, { "access_level": "List", - "description": "Returns a list of existing gateway routes in a service mesh.", + "description": "Grants permission to list existing gateway routes in a service mesh", "privilege": "ListGatewayRoutes", "resource_types": [ { 
@@ -6116,7 +8343,7 @@ }, { "access_level": "List", - "description": "Returns a list of existing service meshes.", + "description": "Grants permission to list existing service meshes", "privilege": "ListMeshes", "resource_types": [ { @@ -6128,7 +8355,7 @@ }, { "access_level": "List", - "description": "Returns a list of existing routes in a service mesh.", + "description": "Grants permission to list existing routes in a service mesh", "privilege": "ListRoutes", "resource_types": [ { @@ -6140,7 +8367,49 @@ }, { "access_level": "List", - "description": "Returns a list of existing virtual gateways in a service mesh.", + "description": "Grants permission to list the tags for an App Mesh resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gatewayRoute" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mesh" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "route" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualGateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualNode" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualRouter" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualService" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list existing virtual gateways in a service mesh", "privilege": "ListVirtualGateways", "resource_types": [ { @@ -6152,7 +8421,7 @@ }, { "access_level": "List", - "description": "Returns a list of existing virtual nodes.", + "description": "Grants permission to list existing virtual nodes", "privilege": "ListVirtualNodes", "resource_types": [ { 
@@ -6164,7 +8433,7 @@ }, { "access_level": "List", - "description": "Returns a list of existing virtual routers in a service mesh.", + "description": "Grants permission to list existing virtual routers in a service mesh", "privilege": "ListVirtualRouters", "resource_types": [ { @@ -6176,7 +8445,7 @@ }, { "access_level": "List", - "description": "Returns a list of existing virtual services in a service mesh.", + "description": "Grants permission to list existing virtual services in a service mesh", "privilege": "ListVirtualServices", "resource_types": [ { @@ -6188,7 +8457,7 @@ }, { "access_level": "Read", - "description": "Allows an Envoy Proxy to receive streamed resources for an App Mesh endpoint (VirtualNode/VirtualGateway).", + "description": "Grants permission to receive streamed resources for an App Mesh endpoint (VirtualNode/VirtualGateway)", "privilege": "StreamAggregatedResources", "resource_types": [ { 
@@ -6203,9 +8472,108 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource with a specified resourceArn", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gatewayRoute" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mesh" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "route" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualGateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualNode" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualRouter" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualService" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to delete a tag from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gatewayRoute" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mesh" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "route" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualGateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualNode" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualRouter" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualService" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Updates an existing gateway route for a specified 
service mesh and virtual gateway.", + "description": "Grants permission to update an existing gateway route for a specified service mesh and virtual gateway", "privilege": "UpdateGatewayRoute", "resource_types": [ { @@ -6222,7 +8590,7 @@ }, { "access_level": "Write", - "description": "Updates an existing service mesh.", + "description": "Grants permission to update an existing service mesh", "privilege": "UpdateMesh", "resource_types": [ { @@ -6234,7 +8602,7 @@ }, { "access_level": "Write", - "description": "Updates an existing route for a specified service mesh and virtual router.", + "description": "Grants permission to update an existing route for a specified service mesh and virtual router", "privilege": "UpdateRoute", "resource_types": [ { @@ -6251,7 +8619,7 @@ }, { "access_level": "Write", - "description": "Updates an existing virtual gateway in a specified service mesh.", + "description": "Grants permission to update an existing virtual gateway in a specified service mesh", "privilege": "UpdateVirtualGateway", "resource_types": [ { @@ -6263,7 +8631,7 @@ }, { "access_level": "Write", - "description": "Updates an existing virtual node in a specified service mesh.", + "description": "Grants permission to update an existing virtual node in a specified service mesh", "privilege": "UpdateVirtualNode", "resource_types": [ { @@ -6275,7 +8643,7 @@ }, { "access_level": "Write", - "description": "Updates an existing virtual router in a specified service mesh.", + "description": "Grants permission to update an existing virtual router in a specified service mesh", "privilege": "UpdateVirtualRouter", "resource_types": [ { 
@@ -6287,13 +8655,13 @@ }, { "access_level": "Write", - "description": "Updates an existing virtual service in a specified service mesh.", + "description": "Grants permission to update an existing virtual service in a specified service mesh", "privilege": "UpdateVirtualService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mesh*" + "resource_type": "virtualService*" }, { "condition_keys": [], 
@@ -6310,706 +8678,639 @@ ], "resources": [ { - "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}", - "condition_keys": [], + "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "mesh" }, { - "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName}", - "condition_keys": [], + "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "virtualService" }, { - "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName}", - "condition_keys": [], + "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "virtualNode" }, { - "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}", - "condition_keys": [], + "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "virtualRouter" }, { - "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName}", - "condition_keys": [], + "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "route" }, { - "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}", - "condition_keys": [], + "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}", + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], "resource": "virtualGateway" }, { - "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName}", - "condition_keys": [], + "arn": "arn:${Partition}:appmesh:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "gatewayRoute" } ], - "service_name": "AWS App Mesh Preview" + "service_name": "AWS App Mesh" }, { - "conditions": [ - { - "condition": "appstream:userId", - "description": "Filters access by the ID of the AppStream 2.0 user", - "type": "String" - }, - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "appstream", + "conditions": [], + "prefix": "appmesh-preview", "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate the specified fleet with the specified stack", - "privilege": "AssociateFleet", + "description": "Grants permission to create a gateway route that is associated with a virtual gateway", + "privilege": "CreateGatewayRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "gatewayRoute*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualService" } ] }, { "access_level": "Write", - "description": "Grants 
permission to associate the specified users with the specified stacks. Users in a user pool cannot be assigned to stacks with fleets that are joined to an Active Directory domain", - "privilege": "BatchAssociateUserStack", + "description": "Grants permission to create a service mesh", + "privilege": "CreateMesh", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "mesh*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate the specified users from the specified stacks", - "privilege": "BatchDisassociateUserStack", + "description": "Grants permission to create a route that is associated with a virtual router", + "privilege": "CreateRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" + "resource_type": "route*" }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to copy the specified image within the same Region or to a new Region within the same AWS account", - "privilege": "CopyImage", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualNode" } ] }, { "access_level": "Write", - "description": "Grants permission to create a Directory Config object in AppStream 2.0. 
This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", - "privilege": "CreateDirectoryConfig", + "description": "Grants permission to create a virtual gateway within a service mesh", + "privilege": "CreateVirtualGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualGateway*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a fleet. A fleet is a group of streaming instances from which applications are launched and streamed to users", - "privilege": "CreateFleet", + "description": "Grants permission to create a virtual node within a service mesh", + "privilege": "CreateVirtualNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "virtualNode*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualService" } ] }, { "access_level": "Write", - "description": "Grants permission to create an image builder. 
An image builder is a virtual machine that is used to create an image", - "privilege": "CreateImageBuilder", + "description": "Grants permission to create a virtual router within a service mesh", + "privilege": "CreateVirtualRouter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "image-builder*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualRouter*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a URL to start an image builder streaming session", - "privilege": "CreateImageBuilderStreamingURL", + "description": "Grants permission to create a virtual service within a service mesh", + "privilege": "CreateVirtualService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-builder*" + "resource_type": "virtualService*" }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a stack to start streaming applications to users. A stack consists of an associated fleet, user access policies, and storage configurations", - "privilege": "CreateStack", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" + "resource_type": "virtualNode" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualRouter" } ] }, { "access_level": "Write", - "description": "Grants permission to create a temporary URL to start an AppStream 2.0 streaming session for the specified user. 
A streaming URL enables application streaming to be tested without user setup", - "privilege": "CreateStreamingURL", + "description": "Grants permission to delete an existing gateway route", + "privilege": "DeleteGatewayRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stack*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "gatewayRoute*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a usage report subscription. Usage reports are generated daily", - "privilege": "CreateUsageReportSubscription", + "description": "Grants permission to delete an existing service mesh", + "privilege": "DeleteMesh", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mesh*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new user in the user pool", - "privilege": "CreateUser", + "description": "Grants permission to delete an existing route", + "privilege": "DeleteRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "route*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified Directory Config object from AppStream 2.0. 
This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", - "privilege": "DeleteDirectoryConfig", + "description": "Grants permission to delete an existing virtual gateway", + "privilege": "DeleteVirtualGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualGateway*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified fleet", - "privilege": "DeleteFleet", + "description": "Grants permission to delete an existing virtual node", + "privilege": "DeleteVirtualNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualNode*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified image. 
An image cannot be deleted when it is in use", - "privilege": "DeleteImage", + "description": "Grants permission to delete an existing virtual router", + "privilege": "DeleteVirtualRouter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualRouter*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified image builder and release capacity", - "privilege": "DeleteImageBuilder", + "description": "Grants permission to delete an existing virtual service", + "privilege": "DeleteVirtualService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-builder*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualService*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete permissions for the specified private image", - "privilege": "DeleteImagePermissions", + "access_level": "Read", + "description": "Grants permission to describe an existing gateway route", + "privilege": "DescribeGatewayRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "gatewayRoute*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the specified stack. After the stack is deleted, the application streaming environment provided by the stack is no longer available to users. 
Also, any reservations made for application streaming sessions for the stack are released", - "privilege": "DeleteStack", + "access_level": "Read", + "description": "Grants permission to describe an existing service mesh", + "privilege": "DescribeMesh", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "mesh*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable usage report generation", - "privilege": "DeleteUsageReportSubscription", + "access_level": "Read", + "description": "Grants permission to describe an existing route", + "privilege": "DescribeRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "route*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a user from the user pool", - "privilege": "DeleteUser", + "access_level": "Read", + "description": "Grants permission to describe an existing virtual gateway", + "privilege": "DescribeVirtualGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualGateway*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0, if the names for these objects are provided. Otherwise, all Directory Config objects in the account are described. 
This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", - "privilege": "DescribeDirectoryConfigs", + "description": "Grants permission to describe an existing virtual node", + "privilege": "DescribeVirtualNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualNode*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a list that describes one or more specified fleets, if the fleet names are provided. Otherwise, all fleets in the account are described", - "privilege": "DescribeFleets", + "description": "Grants permission to describe an existing virtual router", + "privilege": "DescribeVirtualRouter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet" + "resource_type": "virtualRouter*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. 
Otherwise, all image builders in the account are described", - "privilege": "DescribeImageBuilders", + "description": "Grants permission to describe an existing virtual service", + "privilege": "DescribeVirtualService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-builder" + "resource_type": "virtualService*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list that describes the permissions for shared AWS account IDs on a private image that you own", - "privilege": "DescribeImagePermissions", + "access_level": "List", + "description": "Grants permission to list existing gateway routes in a service mesh", + "privilege": "ListGatewayRoutes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "virtualGateway*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list that describes one or more specified images, if the image names or image ARNs are provided. Otherwise, all images in the account are described", - "privilege": "DescribeImages", + "access_level": "List", + "description": "Grants permission to list existing service meshes", + "privilege": "ListMeshes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list that describes the streaming sessions for the specified stack and fleet. 
If a user ID is provided for the stack and fleet, only the streaming sessions for that user are described", - "privilege": "DescribeSessions", + "access_level": "List", + "description": "Grants permission to list existing routes in a service mesh", + "privilege": "ListRoutes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stack*" + "resource_type": "virtualRouter*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list that describes one or more specified stacks, if the stack names are provided. Otherwise, all stacks in the account are described", - "privilege": "DescribeStacks", + "access_level": "List", + "description": "Grants permission to list existing virtual gateways in a service mesh", + "privilege": "ListVirtualGateways", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mesh*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list that describes one or more usage report subscriptions", - "privilege": "DescribeUsageReportSubscriptions", + "access_level": "List", + "description": "Grants permission to list existing virtual nodes", + "privilege": "ListVirtualNodes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mesh*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list that describes the UserStackAssociation objects", - "privilege": "DescribeUserStackAssociations", + "access_level": "List", + "description": "Grants permission to list existing virtual routers in a service mesh", + "privilege": "ListVirtualRouters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mesh*" } ] }, { - "access_level": "Read", - "description": "Grants 
permission to retrieve a list that describes users in the user pool", - "privilege": "DescribeUsers", + "access_level": "List", + "description": "Grants permission to list existing virtual services in a service mesh", + "privilege": "ListVirtualServices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mesh*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable the specified user in the user pool. This action does not delete the user", - "privilege": "DisableUser", + "access_level": "Read", + "description": "Grants permission to receive streamed resources for an App Mesh endpoint (VirtualNode/VirtualGateway)", + "privilege": "StreamAggregatedResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualGateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualNode" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate the specified fleet from the specified stack", - "privilege": "DisassociateFleet", + "description": "Grants permission to update an existing gateway route for a specified service mesh and virtual gateway", + "privilege": "UpdateGatewayRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "gatewayRoute*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualService" } ] }, { "access_level": "Write", - "description": "Grants permission to enable a user in the user pool", - "privilege": "EnableUser", + "description": "Grants permission to update an existing service mesh", + "privilege": "UpdateMesh", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + 
"resource_type": "mesh*" } ] }, { "access_level": "Write", - "description": "Grants permission to immediately stop the specified streaming session", - "privilege": "ExpireSession", + "description": "Grants permission to update an existing route for a specified service mesh and virtual router", + "privilege": "UpdateRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described", - "privilege": "GetImageBuilders", - "resource_types": [ + "resource_type": "route*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualNode" } ] }, { "access_level": "Write", - "description": "Grants permission to upload theme assets", - "privilege": "GetParametersForThemeAssetUpload", + "description": "Grants permission to update an existing virtual gateway in a specified service mesh", + "privilege": "UpdateVirtualGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualGateway*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the name of the fleet that is associated with the specified stack", - "privilege": "ListAssociatedFleets", + "access_level": "Write", + "description": "Grants permission to update an existing virtual node in a specified service mesh", + "privilege": "UpdateVirtualNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" + "resource_type": "virtualNode*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the name of the stack with which the specified fleet is associated", - "privilege": "ListAssociatedStacks", + "access_level": "Write", + "description": 
"Grants permission to update an existing virtual router in a specified service mesh", + "privilege": "UpdateVirtualRouter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "virtualRouter*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of all tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to update an existing virtual service in a specified service mesh", + "privilege": "UpdateVirtualService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start the specified fleet", - "privilege": "StartFleet", - "resource_types": [ + "resource_type": "virtualService*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "virtualNode" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "virtualRouter" } ] - }, + } + ], + "resources": [ + { + "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}", + "condition_keys": [], + "resource": "mesh" + }, + { + "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualService/${VirtualServiceName}", + "condition_keys": [], + "resource": "virtualService" + }, + { + "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualNode/${VirtualNodeName}", + "condition_keys": [], + "resource": "virtualNode" + }, + { + "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}", + "condition_keys": [], + "resource": "virtualRouter" + }, + { + "arn": 
"arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualRouter/${VirtualRouterName}/route/${RouteName}", + "condition_keys": [], + "resource": "route" + }, + { + "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}", + "condition_keys": [], + "resource": "virtualGateway" + }, + { + "arn": "arn:${Partition}:appmesh-preview:${Region}:${Account}:mesh/${MeshName}/virtualGateway/${VirtualGatewayName}/gatewayRoute/${GatewayRouteName}", + "condition_keys": [], + "resource": "gatewayRoute" + } + ], + "service_name": "AWS App Mesh Preview" + }, + { + "conditions": [ + { + "condition": "apprunner:AutoScalingConfigurationArn", + "description": "Filters access to the CreateService and UpdateService actions based on the ARN of an associated AutoScalingConfiguration resource", + "type": "ARN" + }, + { + "condition": "apprunner:ConnectionArn", + "description": "Filters access to the CreateService and UpdateService actions based on the ARN of an associated Connection resource", + "type": "ARN" + }, + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "apprunner", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to start the specified image builder", - "privilege": "StartImageBuilder", + "description": "Grants permission to associate your own domain name with the AWS App Runner subdomain URL of your App Runner service", + "privilege": "AssociateCustomDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "image-builder*" + "resource_type": "service*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS App Runner automatic scaling configuration resource", + "privilege": "CreateAutoScalingConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "autoscalingconfiguration*" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -7018,17 +9319,18 @@ }, { "access_level": "Write", - "description": "Grants permission to stop the specified fleet", - "privilege": "StopFleet", + "description": "Grants permission to create an AWS App Runner connection resource", + "privilege": "CreateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "connection*" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -7037,17 +9339,30 @@ }, { "access_level": "Write", - "description": "Grants permission to stop the specified image builder", - "privilege": "StopImageBuilder", + "description": "Grants permission to create an AWS App Runner service", + "privilege": "CreateService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-builder*" + "resource_type": "service*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "autoscalingconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "apprunner:ConnectionArn", + "apprunner:AutoScalingConfigurationArn" ], "dependent_actions": [], "resource_type": "" 
@@ -7056,123 +9371,230 @@ }, { "access_level": "Write", - "description": "Grants permission to federated users to sign in by using their existing credentials and stream applications from the specified stack", - "privilege": "Stream", + "description": "Grants permission to delete an AWS App Runner automatic scaling configuration resource", + "privilege": "DeleteAutoScalingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" - }, + "resource_type": "autoscalingconfiguration*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS App Runner connection", + "privilege": "DeleteConnection", + "resource_types": [ { - "condition_keys": [ - "appstream:userId" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "connection*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add or overwrite one or more tags for the specified AppStream 2.0 resource. 
The following resources can be tagged: Image builders, images, fleets, and stacks", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to delete an AWS App Runner service", + "privilege": "DeleteService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet" - }, + "resource_type": "service*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptions of an AWS App Runner automatic scaling configuration resource", + "privilege": "DescribeAutoScalingConfiguration", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image" - }, + "resource_type": "autoscalingconfiguration*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptions of custom domain names associated with an AWS App Runner service", + "privilege": "DescribeCustomDomains", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-builder" - }, + "resource_type": "service*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve description of an operation that occurred on an AWS App Runner service", + "privilege": "DescribeOperation", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" - }, + "resource_type": "service*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve description of an AWS App Runner service", + "privilege": "DescribeService", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a custom domain name from an AWS App Runner service", + "privilege": 
"DisassociateCustomDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS App Runner automatic scaling configurations in your AWS account", + "privilege": "ListAutoScalingConfigurations", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to disassociate one or more tags from the specified AppStream 2.0 resource", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS App Runner connections associated with your AWS account", + "privilege": "ListConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of operations that occurred on an AWS App Runner service", + "privilege": "ListOperations", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image" - }, + "resource_type": "service*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of running AWS App Runner services in your AWS account", + "privilege": "ListServices", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-builder" + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags associated with an AWS App Runner resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "autoscalingconfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "connection" }, { - 
"condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "service" } ] }, { "access_level": "Write", - "description": "Grants permission to update the specified Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", - "privilege": "UpdateDirectoryConfig", + "description": "Grants permission to pause an active AWS App Runner service", + "privilege": "PauseService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "service*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the specified fleet. All attributes except the fleet name can be updated when the fleet is in the STOPPED state", - "privilege": "UpdateFleet", + "description": "Grants permission to resume an active AWS App Runner service", + "privilege": "ResumeService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "service*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to initiate a manual deployemnt to an AWS App Runner service", + "privilege": "StartDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to, or update tag values of, an App Runner resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "autoscalingconfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "image" + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + 
"aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -7180,18 +9602,28 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to add or update permissions for the specified private image", - "privilege": "UpdateImagePermissions", + "access_level": "Tagging", + "description": "Grants permission to remove tags from an App Runner resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "autoscalingconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -7200,17 +9632,28 @@ }, { "access_level": "Write", - "description": "Grants permission to update the specified fields for the specified stack", - "privilege": "UpdateStack", + "description": "Grants permission to update an AWS App Runner service", + "privilege": "UpdateService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack*" + "resource_type": "service*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "autoscalingconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "apprunner:ConnectionArn", + "apprunner:AutoScalingConfigurationArn" ], "dependent_actions": [], "resource_type": "" 
@@ -7220,38 +9663,36 @@ ], "resources": [ { - "arn": "arn:${Partition}:appstream:${Region}:${Account}:fleet/${FleetName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "fleet" - }, - { - "arn": "arn:${Partition}:appstream:${Region}:${Account}:image/${ImageName}", + "arn": "arn:${Partition}:apprunner:${Region}:${Account}:service/${ServiceName}/${ServiceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "image" + "resource": "service" }, { - "arn": "arn:${Partition}:appstream:${Region}:${Account}:image-builder/${ImageBuilderName}", + "arn": "arn:${Partition}:apprunner:${Region}:${Account}:connection/${ConnectionName}/${ConnectionId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "image-builder" + "resource": "connection" }, { - "arn": "arn:${Partition}:appstream:${Region}:${Account}:stack/${StackName}", + "arn": "arn:${Partition}:apprunner:${Region}:${Account}:autoscalingconfiguration/${AutoscalingConfigurationName}/${AutoscalingConfigurationVersion}/${AutoscalingConfigurationId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "stack" + "resource": "autoscalingconfiguration" } ], - "service_name": "Amazon AppStream 2.0" + "service_name": "AWS App Runner" }, { "conditions": [ + { + "condition": "appstream:userId", + "description": "Filters access by the ID of the AppStream 2.0 user", + "type": "String" + }, { "condition": "aws:RequestTag/${TagKey}", "description": "Filters actions based on the presence of tag key-value pairs in the request", 
@@ -7268,65 +9709,93 @@ "type": "String" } ], - "prefix": "appsync", + "prefix": "appstream", "privileges": [ { "access_level": "Write", - "description": "Creates a unique key that you can distribute to clients who are executing your API.", - "privilege": "CreateApiKey", + "description": "Grants permission to associate the specified fleet with the specified stack", + "privilege": "AssociateFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "fleet*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a DataSource object.", - "privilege": "CreateDataSource", + "description": "Grants permission to associate the specified users with the specified stacks. Users in a user pool cannot be assigned to stacks with fleets that are joined to an Active Directory domain", + "privilege": "BatchAssociateUserStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "stack*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a new Function object.", - "privilege": "CreateFunction", + "description": "Grants permission to disassociate the specified users from the specified stacks", + "privilege": "BatchDisassociateUserStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "stack*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Creates a GraphqlApi object, which is the top level AppSync resource.", - "privilege": "CreateGraphqlApi", + "access_level": "Write", + "description": "Grants permission to copy the specified 
image within the same Region or to a new Region within the same AWS account", + "privilege": "CopyImage", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "image*" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" + "aws:ResourceTag/${TagKey}" ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a Resolver object. A resolver converts incoming requests into a format that a data source can understand, and converts the data source's responses into GraphQL.", - "privilege": "CreateResolver", + "description": "Grants permission to create a Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", + "privilege": "CreateDirectoryConfig", "resource_types": [ { "condition_keys": [], 
@@ -7337,61 +9806,107 @@ }, { "access_level": "Write", - "description": "Creates a Type object.", - "privilege": "CreateType", + "description": "Grants permission to create a fleet. A fleet is a group of streaming instances from which applications are launched and streamed to users", + "privilege": "CreateFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "fleet*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes an API key.", - "privilege": "DeleteApiKey", + "description": "Grants permission to create an image builder. An image builder is a virtual machine that is used to create an image", + "privilege": "CreateImageBuilder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "image*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "image-builder*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a DataSource object.", - "privilege": "DeleteDataSource", + "description": "Grants permission to create a URL to start an image builder streaming session", + "privilege": "CreateImageBuilderStreamingURL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "image-builder*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a Function object.", - "privilege": "DeleteFunction", + "description": "Grants permission to create a stack to start streaming applications to users. 
A stack consists of an associated fleet, user access policies, and storage configurations", + "privilege": "CreateStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "stack*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a GraphqlApi object. This will also clean up every AppSync resource below that API.", - "privilege": "DeleteGraphqlApi", + "description": "Grants permission to create a temporary URL to start an AppStream 2.0 streaming session for the specified user. A streaming URL enables application streaming to be tested without user setup", + "privilege": "CreateStreamingURL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "graphqlapi*" + "resource_type": "fleet*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" }, { "condition_keys": [ @@ -7404,8 +9919,8 @@ }, { "access_level": "Write", - "description": "Deletes a Resolver object.", - "privilege": "DeleteResolver", + "description": "Grants permission to create a usage report subscription. Usage reports are generated daily", + "privilege": "CreateUsageReportSubscription", "resource_types": [ { "condition_keys": [], @@ -7416,8 +9931,8 @@ }, { "access_level": "Write", - "description": "Deletes a Type object.", - "privilege": "DeleteType", + "description": "Grants permission to create a new user in the user pool", + "privilege": "CreateUser", "resource_types": [ { "condition_keys": [], 
@@ -7427,9 +9942,9 @@ ] }, { - "access_level": "Read", - "description": "Retrieves a DataSource object.", - "privilege": "GetDataSource", + "access_level": "Write", + "description": "Grants permission to delete the specified Directory Config object from AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", + "privilege": "DeleteDirectoryConfig", "resource_types": [ { "condition_keys": [], @@ -7439,26 +9954,33 @@ ] }, { - "access_level": "Read", - "description": "Retrieves a Function object.", - "privilege": "GetFunction", + "access_level": "Write", + "description": "Grants permission to delete the specified fleet", + "privilege": "DeleteFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "fleet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves a GraphqlApi object.", - "privilege": "GetGraphqlApi", + "access_level": "Write", + "description": "Grants permission to delete the specified image. An image cannot be deleted when it is in use", + "privilege": "DeleteImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "graphqlapi*" + "resource_type": "image*" }, { "condition_keys": [ 
@@ -7470,45 +9992,66 @@ ] }, { - "access_level": "Read", - "description": "Retrieves the introspection schema for a GraphQL API.", - "privilege": "GetIntrospectionSchema", + "access_level": "Write", + "description": "Grants permission to delete the specified image builder and release capacity", + "privilege": "DeleteImageBuilder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "image-builder*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves a Resolver object.", - "privilege": "GetResolver", + "access_level": "Write", + "description": "Grants permission to delete permissions for the specified private image", + "privilege": "DeleteImagePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves the current status of a schema creation operation.", - "privilege": "GetSchemaCreationStatus", + "access_level": "Write", + "description": "Grants permission to delete the specified stack. After the stack is deleted, the application streaming environment provided by the stack is no longer available to users. 
Also, any reservations made for application streaming sessions for the stack are released", + "privilege": "DeleteStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "stack*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves a Type object.", - "privilege": "GetType", + "access_level": "Write", + "description": "Grants permission to disable usage report generation", + "privilege": "DeleteUsageReportSubscription", "resource_types": [ { "condition_keys": [], @@ -7519,25 +10062,20 @@ }, { "access_level": "Write", - "description": "Sends a GraphQL query to a GraphQL API.", - "privilege": "GraphQL", + "description": "Grants permission to delete a user from the user pool", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "field*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "graphqlapi*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists the API keys for a given API.", - "privilege": "ListApiKeys", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0, if the names for these objects are provided. Otherwise, all Directory Config objects in the account are described. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", + "privilege": "DescribeDirectoryConfigs", "resource_types": [ { "condition_keys": [], 
@@ -7547,88 +10085,86 @@ ] }, { - "access_level": "List", - "description": "Lists the data sources for a given API.", - "privilege": "ListDataSources", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes one or more specified fleets, if the fleet names are provided. Otherwise, all fleets in the account are described", + "privilege": "DescribeFleets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet" } ] }, { - "access_level": "List", - "description": "Lists the functions for a given API.", - "privilege": "ListFunctions", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described", + "privilege": "DescribeImageBuilders", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "image-builder" } ] }, { - "access_level": "List", - "description": "Lists your GraphQL APIs.", - "privilege": "ListGraphqlApis", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes the permissions for shared AWS account IDs on a private image that you own", + "privilege": "DescribeImagePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, { - "access_level": "List", - "description": "Lists the resolvers for a given API and type.", - "privilege": "ListResolvers", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes one or more specified images, if the image names or image ARNs are provided. 
Otherwise, all images in the account are described", + "privilege": "DescribeImages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "image" } ] }, { - "access_level": "List", - "description": "List the resolvers that are associated with a specific function.", - "privilege": "ListResolversByFunction", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes the streaming sessions for the specified stack and fleet. If a user ID is provided for the stack and fleet, only the streaming sessions for that user are described", + "privilege": "DescribeSessions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" } ] }, { "access_level": "Read", - "description": "List the tags for a resource.", - "privilege": "ListTagsForResource", + "description": "Grants permission to retrieve a list that describes one or more specified stacks, if the stack names are provided. Otherwise, all stacks in the account are described", + "privilege": "DescribeStacks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "graphqlapi" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "List", - "description": "Lists the types for a given API.", - "privilege": "ListTypes", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes one or more usage report subscriptions", + "privilege": "DescribeUsageReportSubscriptions", "resource_types": [ { "condition_keys": [], 
@@ -7638,21 +10174,21 @@ ] }, { - "access_level": "Write", - "description": "Gives WebAcl permissions to WAF.", - "privilege": "SetWebACL", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes the UserStackAssociation objects", + "privilege": "DescribeUserStackAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Adds a new schema to your GraphQL API. This operation is asynchronous - GetSchemaCreationStatus can show when it has completed.", - "privilege": "StartSchemaCreation", + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes users in the user pool", + "privilege": "DescribeUsers", "resource_types": [ { "condition_keys": [], 
@@ -7662,39 +10198,35 @@ ] }, { - "access_level": "Tagging", - "description": "Tag a resource.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to disable the specified user in the user pool. This action does not delete the user", + "privilege": "DisableUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "graphqlapi" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Untag a resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to disassociate the specified fleet from the specified stack", + "privilege": "DisassociateFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "graphqlapi" + "resource_type": "fleet*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" }, { "condition_keys": [ - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -7703,8 +10235,8 @@ }, { "access_level": "Write", - "description": "Updates an API key for a given API.", - "privilege": "UpdateApiKey", + "description": "Grants permission to enable a user in the user pool", + "privilege": "EnableUser", "resource_types": [ { "condition_keys": [], @@ -7715,8 +10247,8 @@ }, { "access_level": "Write", - "description": "Updates a DataSource object.", - "privilege": "UpdateDataSource", + "description": "Grants permission to immediately stop the specified streaming session", + "privilege": "ExpireSession", "resource_types": [ { "condition_keys": [], 
@@ -7726,42 +10258,33 @@ ] }, { - "access_level": "Write", - "description": "Updates an existing Function object.", - "privilege": "UpdateFunction", + "access_level": "Read", + "description": "Grants permission to retrieve the name of the fleet that is associated with the specified stack", + "privilege": "ListAssociatedFleets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack*" } ] }, { - "access_level": "Write", - "description": "Updates a GraphqlApi object.", - "privilege": "UpdateGraphqlApi", + "access_level": "Read", + "description": "Grants permission to retrieve the name of the stack with which the specified fleet is associated", + "privilege": "ListAssociatedStacks", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "graphqlapi*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Updates a Resolver object.", - "privilege": "UpdateResolver", + "access_level": "Read", + "description": "Grants permission to retrieve a list of all tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], 
@@ -7772,278 +10295,275 @@ }, { "access_level": "Write", - "description": "Updates a Type object.", - "privilege": "UpdateType", + "description": "Grants permission to start the specified fleet", + "privilege": "StartFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "fleet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/datasources/${DatasourceName}", - "condition_keys": [], - "resource": "datasource" - }, - { - "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "graphqlapi" - }, - { - "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}/fields/${FieldName}", - "condition_keys": [], - "resource": "field" - }, - { - "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}", - "condition_keys": [], - "resource": "type" }, - { - "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/functions/${FunctionId}", - "condition_keys": [], - "resource": "function" - } - ], - "service_name": "AWS AppSync" - }, - { - "conditions": [], - "prefix": "aps", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a workspace", - "privilege": "CreateWorkspace", + "description": "Grants permission to start the specified image builder", + "privilege": "StartImageBuilder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "image-builder*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a workspace", - "privilege": "DeleteWorkspace", + "description": "Grants 
permission to stop the specified fleet", + "privilege": "StopFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" + "resource_type": "fleet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a workspace", - "privilege": "DescribeWorkspace", + "access_level": "Write", + "description": "Grants permission to stop the specified image builder", + "privilege": "StopImageBuilder", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" + "resource_type": "image-builder*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve AMP workspace labels", - "privilege": "GetLabels", + "access_level": "Write", + "description": "Grants permission to federated users to sign in by using their existing credentials and stream applications from the specified stack", + "privilege": "Stream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" + "resource_type": "stack*" + }, + { + "condition_keys": [ + "appstream:userId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the metadata for AMP workspace metrics", - "privilege": "GetMetricMetadata", + "access_level": "Tagging", + "description": "Grants permission to add or overwrite one or more tags for the specified AppStream 2.0 resource. 
The following resources can be tagged: Image builders, images, fleets, and stacks", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve AMP workspace time series data", - "privilege": "GetSeries", - "resource_types": [ + "resource_type": "fleet" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list workspaces", - "privilege": "ListWorkspaces", - "resource_types": [ + "resource_type": "image" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "image-builder" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "stack" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to run a query on AMP workspace metrics", - "privilege": "QueryMetrics", + "access_level": "Tagging", + "description": "Grants permission to disassociate one or more tags from the specified AppStream 2.0 resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to perform a remote write operation to initiate the streaming of metrics to AMP workspace", - "privilege": "RemoteWrite", - "resource_types": [ + "resource_type": "fleet" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify the alias of existing AMP workspace", - "privilege": "UpdateWorkspaceAlias", - "resource_types": [ + "resource_type": "image" + }, { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "workspace*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:aps::${Region}:${Account}:workspace/${ResourceId}", - "condition_keys": [], - "resource": "workspace" - } - ], - "service_name": "Amazon Managed Service for Prometheus" - }, - { - "conditions": [], - "prefix": "arsenal", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to register AWS provided data collectors to the Application Discovery Service", - "privilege": "RegisterOnPremisesAgent", - "resource_types": [ + "resource_type": "image-builder" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "stack" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "Application Discovery Arsenal" - }, - { - "conditions": [], - "prefix": "artifact", - "privileges": [ + }, { "access_level": "Write", - "description": "Grants permission to accept an AWS agreement that has not yet been accepted by the customer account.", - "privilege": "AcceptAgreement", + "description": "Grants permission to update the specified Directory Config object in AppStream 2.0. This object includes the configuration information required to join fleets and image builders to Microsoft Active Directory domains", + "privilege": "UpdateDirectoryConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "agreement*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to download an AWS agreement that has not yet been accepted or a customer agreement that has been accepted by the customer account.", - "privilege": "DownloadAgreement", + "access_level": "Write", + "description": "Grants permission to update the specified fleet. 
All attributes except the fleet name can be updated when the fleet is in the STOPPED state", + "privilege": "UpdateFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "agreement" + "resource_type": "fleet*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "customer-agreement" + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to download an AWS compliance report package.", - "privilege": "Get", + "access_level": "Write", + "description": "Grants permission to add or update permissions for the specified private image", + "privilege": "UpdateImagePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "report-package*" + "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to terminate a customer agreement that was previously accepted by the customer account.", - "privilege": "TerminateAgreement", + "description": "Grants permission to update the specified fields for the specified stack", + "privilege": "UpdateStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customer-agreement*" + "resource_type": "stack*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:artifact:::report-package/*", - "condition_keys": [], - "resource": "report-package" + "arn": "arn:${Partition}:appstream:${Region}:${Account}:fleet/${FleetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "fleet" }, { - "arn": "arn:${Partition}:artifact::${Account}:customer-agreement/*", - 
"condition_keys": [], - "resource": "customer-agreement" + "arn": "arn:${Partition}:appstream:${Region}:${Account}:image/${ImageName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "image" }, { - "arn": "arn:${Partition}:artifact:::agreement/*", - "condition_keys": [], - "resource": "agreement" + "arn": "arn:${Partition}:appstream:${Region}:${Account}:image-builder/${ImageBuilderName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "image-builder" + }, + { + "arn": "arn:${Partition}:appstream:${Region}:${Account}:stack/${StackName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "stack" } ], - "service_name": "AWS Artifact" + "service_name": "Amazon AppStream 2.0" }, { "conditions": [ 
@@ -8063,138 +10583,1156 @@ "type": "String" } ], - "prefix": "athena", + "prefix": "appsync", "privileges": [ { - "access_level": "Read", - "description": "Grants permissions to get information about one or more named queries.", - "privilege": "BatchGetNamedQuery", + "access_level": "Write", + "description": "Grants permission to create an API cache in AppSync", + "privilege": "CreateApiCache", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workgroup*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to get information about one or more query executions.", - "privilege": "BatchGetQueryExecution", + "access_level": "Write", + "description": "Grants permission to create a unique key that you can distribute to clients who are executing your API", + "privilege": "CreateApiKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workgroup*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permissions to create a datacatalog.", - "privilege": "CreateDataCatalog", + "access_level": "Write", + "description": "Grants permission to create a data source", + "privilege": "CreateDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datacatalog*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to create a named query.", - "privilege": "CreateNamedQuery", + "description": "Grants permission to create a new function", + "privilege": "CreateFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workgroup*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permissions to create a workgroup.", - "privilege": "CreateWorkGroup", + "access_level": 
"Write", + "description": "Grants permission to create a GraphQL API, which is the top level AppSync resource", + "privilege": "CreateGraphqlApi", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "workgroup*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete a datacatalog.", - "privilege": "DeleteDataCatalog", + "description": "Grants permission to create a resolver. A resolver converts incoming requests into a format that a data source can understand, and converts the data source's responses into GraphQL", + "privilege": "CreateResolver", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datacatalog*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete a named query specified.", - "privilege": "DeleteNamedQuery", + "description": "Grants permission to create a type", + "privilege": "CreateType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workgroup*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete a workgroup.", - "privilege": "DeleteWorkGroup", + "description": "Grants permission to delete an API cache in AppSync", + "privilege": "DeleteApiCache", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workgroup*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to get a datacatalog.", - "privilege": "GetDataCatalog", + "access_level": "Write", + "description": "Grants permission to delete an API key", + "privilege": "DeleteApiKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datacatalog*" + 
"resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to get a database for a given datacatalog.", - "privilege": "GetDatabase", - "resource_types": [ - { + "access_level": "Write", + "description": "Grants permission to delete a data source", + "privilege": "DeleteDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a function", + "privilege": "DeleteFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a GraphQL Api. This will also clean up every AppSync resource below that API", + "privilege": "DeleteGraphqlApi", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "graphqlapi*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a resolver", + "privilege": "DeleteResolver", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a type", + "privilege": "DeleteType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to flush an API cache in AppSync", + "privilege": "FlushApiCache", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to read information about an API cache in AppSync", + "privilege": "GetApiCache", + "resource_types": [ + { + "condition_keys": [], 
+ "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a data source", + "privilege": "GetDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a function", + "privilege": "GetFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a GraphQL API", + "privilege": "GetGraphqlApi", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "graphqlapi*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the introspection schema for a GraphQL API", + "privilege": "GetIntrospectionSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a resolver", + "privilege": "GetResolver", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the current status of a schema creation operation", + "privilege": "GetSchemaCreationStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a type", + "privilege": "GetType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send a GraphQL 
query to a GraphQL API", + "privilege": "GraphQL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "field*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "graphqlapi*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the API keys for a given API", + "privilege": "ListApiKeys", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the data sources for a given API", + "privilege": "ListDataSources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the functions for a given API", + "privilege": "ListFunctions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list GraphQL APIs", + "privilege": "ListGraphqlApis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the resolvers for a given API and type", + "privilege": "ListResolvers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the resolvers that are associated with a specific function", + "privilege": "ListResolversByFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "graphqlapi" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the types for a given API", + "privilege": "ListTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set a web ACL", + "privilege": "SetWebACL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a new schema to your GraphQL API. This operation is asynchronous - GetSchemaCreationStatus can show when it has completed", + "privilege": "StartSchemaCreation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "graphqlapi" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "graphqlapi" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an API cache in AppSync", + "privilege": "UpdateApiCache", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + 
{ + "access_level": "Write", + "description": "Grants permission to update an API key for a given API", + "privilege": "UpdateApiKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a data source", + "privilege": "UpdateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing function", + "privilege": "UpdateFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a GraphQL API", + "privilege": "UpdateGraphqlApi", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "graphqlapi*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a resolver", + "privilege": "UpdateResolver", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a type", + "privilege": "UpdateType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/datasources/${DatasourceName}", + "condition_keys": [], + "resource": "datasource" + }, + { + "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "graphqlapi" + }, + { + "arn": 
"arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}/fields/${FieldName}", + "condition_keys": [], + "resource": "field" + }, + { + "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/types/${TypeName}", + "condition_keys": [], + "resource": "type" + }, + { + "arn": "arn:${Partition}:appsync:${Region}:${Account}:apis/${GraphQLAPIId}/functions/${FunctionId}", + "condition_keys": [], + "resource": "function" + } + ], + "service_name": "AWS AppSync" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "aps", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a workspace", + "privilege": "CreateWorkspace", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a workspace", + "privilege": "DeleteWorkspace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a workspace", + "privilege": "DescribeWorkspace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + 
"dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve AMP workspace labels", + "privilege": "GetLabels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the metadata for AMP workspace metrics", + "privilege": "GetMetricMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve AMP workspace time series data", + "privilege": "GetSeries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags on an AMP resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list workspaces", + "privilege": "ListWorkspaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to run a query on AMP workspace metrics", + "privilege": "QueryMetrics", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to perform a remote write operation to initiate the streaming of metrics to AMP workspace", + "privilege": "RemoteWrite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag an AMP resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag an AMP resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the alias of existing AMP workspace", + "privilege": "UpdateWorkspaceAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:aps:${Region}:${Account}:workspace/${ResourceId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + 
"resource": "workspace" + } + ], + "service_name": "Amazon Managed Service for Prometheus" + }, + { + "conditions": [], + "prefix": "arsenal", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to register AWS provided data collectors to the Application Discovery Service", + "privilege": "RegisterOnPremisesAgent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "Application Discovery Arsenal" + }, + { + "conditions": [], + "prefix": "artifact", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept an AWS agreement that has not yet been accepted by the customer account.", + "privilege": "AcceptAgreement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agreement*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to download an AWS agreement that has not yet been accepted or a customer agreement that has been accepted by the customer account.", + "privilege": "DownloadAgreement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agreement" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customer-agreement" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to download an AWS compliance report package.", + "privilege": "Get", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "report-package*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to terminate a customer agreement that was previously accepted by the customer account.", + "privilege": "TerminateAgreement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customer-agreement*" + } + ] + } + ], + "resources": [ + { + "arn": 
"arn:${Partition}:artifact:::report-package/*", + "condition_keys": [], + "resource": "report-package" + }, + { + "arn": "arn:${Partition}:artifact::${Account}:customer-agreement/*", + "condition_keys": [], + "resource": "customer-agreement" + }, + { + "arn": "arn:${Partition}:artifact:::agreement/*", + "condition_keys": [], + "resource": "agreement" + } + ], + "service_name": "AWS Artifact" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "athena", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permissions to get information about one or more named queries", + "privilege": "BatchGetNamedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to get information about one or more query executions", + "privilege": "BatchGetQueryExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a datacatalog", + "privilege": "CreateDataCatalog", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datacatalog*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a named query", + "privilege": 
"CreateNamedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a prepared statement.", + "privilege": "CreatePreparedStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a workgroup", + "privilege": "CreateWorkGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a datacatalog", + "privilege": "DeleteDataCatalog", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datacatalog*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a named query specified", + "privilege": "DeleteNamedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a prepared statement specified.", + "privilege": "DeletePreparedStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a workgroup", + "privilege": "DeleteWorkGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to get a datacatalog", + "privilege": "GetDataCatalog", + "resource_types": [ + { + "condition_keys": [], 
+ "dependent_actions": [], + "resource_type": "datacatalog*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to get a database for a given datacatalog", + "privilege": "GetDatabase", + "resource_types": [ + { "condition_keys": [], "dependent_actions": [], "resource_type": "datacatalog*" @@ -8203,7 +11741,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about the specified named query.", + "description": "Grants permissions to get information about the specified named query", "privilege": "GetNamedQuery", "resource_types": [ { @@ -8215,7 +11753,19 @@ }, { "access_level": "Read", - "description": "Grants permissions to get information about the specified query execution.", + "description": "Grants permissions to get information about the specified prepared statement.", + "privilege": "GetPreparedStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to get information about the specified query execution", "privilege": "GetQueryExecution", "resource_types": [ { @@ -8227,7 +11777,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get the query results.", + "description": "Grants permissions to get the query results", "privilege": "GetQueryResults", "resource_types": [ { @@ -8239,7 +11789,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get the query results stream.", + "description": "Grants permissions to get the query results stream", "privilege": "GetQueryResultsStream", "resource_types": [ { @@ -8251,7 +11801,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get a metadata about a table for a given datacatalog.", + "description": "Grants permissions to get a metadata about a table for a given datacatalog", "privilege": "GetTableMetadata", "resource_types": [ { 
@@ -8263,7 +11813,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to get a workgroup.", + "description": "Grants permissions to get a workgroup", "privilege": "GetWorkGroup", "resource_types": [ { @@ -8275,7 +11825,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of datacatalogs for the specified AWS account.", + "description": "Grants permissions to return a list of datacatalogs for the specified AWS account", "privilege": "ListDataCatalogs", "resource_types": [ { @@ -8287,7 +11837,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of databases for a given datacatalog.", + "description": "Grants permissions to return a list of databases for a given datacatalog", "privilege": "ListDatabases", "resource_types": [ { @@ -8297,9 +11847,21 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permissions to return a list of athena engine versions for the specified AWS account", + "privilege": "ListEngineVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", - "description": "Grants permissions to return a list of named queries in Amazon Athena for the specified AWS account.", + "description": "Grants permissions to return a list of named queries in Amazon Athena for the specified AWS account", "privilege": "ListNamedQueries", "resource_types": [ { 
@@ -8311,7 +11873,19 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of query executions for the specified AWS account.", + "description": "Grants permissions to return a list of prepared statements for the specified workgroup.", + "privilege": "ListPreparedStatements", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to return a list of query executions for the specified AWS account", "privilege": "ListQueryExecutions", "resource_types": [ { @@ -8322,8 +11896,8 @@ ] }, { - "access_level": "List", - "description": "Grants permissions to return a list of table metadata in a database for a given datacatalog.", + "access_level": "Read", + "description": "Grants permissions to return a list of table metadata in a database for a given datacatalog", "privilege": "ListTableMetadata", "resource_types": [ { @@ -8335,7 +11909,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to return a list of tags for a resource.", + "description": "Grants permissions to return a list of tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -8352,7 +11926,7 @@ }, { "access_level": "List", - "description": "Grants permissions to return a list of workgroups for the specified AWS account.", + "description": "Grants permissions to return a list of workgroups for the specified AWS account", "privilege": "ListWorkGroups", "resource_types": [ { @@ -8364,7 +11938,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to start a query execution using an SQL query provided as a string.", + "description": "Grants permissions to start a query execution using an SQL query provided as a string", "privilege": "StartQueryExecution", "resource_types": [ { 
@@ -8376,7 +11950,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to stop the specified query execution.", + "description": "Grants permissions to stop the specified query execution", "privilege": "StopQueryExecution", "resource_types": [ { @@ -8388,7 +11962,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to add a tag to a resource.", + "description": "Grants permissions to add a tag to a resource", "privilege": "TagResource", "resource_types": [ { @@ -8413,7 +11987,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to remove a tag from a resource.", + "description": "Grants permissions to remove a tag from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -8437,7 +12011,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a datacatalog.", + "description": "Grants permissions to update a datacatalog", "privilege": "UpdateDataCatalog", "resource_types": [ { @@ -8449,7 +12023,19 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a workgroup.", + "description": "Grants permissions to update a prepared statement.", + "privilege": "UpdatePreparedStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update a workgroup", "privilege": "UpdateWorkGroup", "resource_types": [ { @@ -9178,7 +12764,7 @@ "resource": "assessment" }, { - "arn": "arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${assessmentFrameworkId}", + "arn": "arn:${Partition}:auditmanager:${Region}:${Account}:assessmentFramework/${assessmentFrameworkId}", "condition_keys": [], "resource": "assessmentFramework" }, 
@@ -9201,92 +12787,92 @@ "conditions": [ { "condition": "autoscaling:ImageId", - "description": "The AMI used to create the instance.", + "description": "Filters access based on the AMI used to create the instance", "type": "String" }, { "condition": "autoscaling:InstanceType", - "description": "The type of instance, in terms of the hardware resources available.", + "description": "Filters access based on the type of instance, in terms of the hardware resources available", "type": "String" }, { "condition": "autoscaling:InstanceTypes", - "description": "The types of instances, in terms of the hardware resources available.", + "description": "Filters access based on the types of instances, in terms of the hardware resources available", "type": "String" }, { "condition": "autoscaling:LaunchConfigurationName", - "description": "The name of a launch configuration.", + "description": "Filters access based on the name of a launch configuration", "type": "String" }, { "condition": "autoscaling:LaunchTemplateVersionSpecified", - "description": "Filters access by whether users can specify any version of a launch template or only the Latest or Default version", + "description": "Filters access based on whether users can specify any version of a launch template or only the Latest or Default version", "type": "Bool" }, { "condition": "autoscaling:LoadBalancerNames", - "description": "The name of the load balancer.", + "description": "Filters access based on the name of the load balancer", "type": "String" }, { "condition": "autoscaling:MaxSize", - "description": "The maximum scaling size.", + "description": "Filters access based on the maximum scaling size", "type": "Numeric" }, { "condition": "autoscaling:MetadataHttpEndpoint", - "description": "Filters access by whether the HTTP endpoint is enabled for the instance metadata service.", + "description": "Filters access based on whether the HTTP endpoint is enabled for the instance metadata service", "type": "String" }, { 
"condition": "autoscaling:MetadataHttpPutResponseHopLimit", - "description": "Filters access by the allowed number of hops when calling the instance metadata service.", + "description": "Filters access based on the allowed number of hops when calling the instance metadata service", "type": "Numeric" }, { "condition": "autoscaling:MetadataHttpTokens", - "description": "Filters access by whether tokens are required when calling the instance metadata service (optional or required)", + "description": "Filters access based on whether tokens are required when calling the instance metadata service (optional or required)", "type": "String" }, { "condition": "autoscaling:MinSize", - "description": "The minimum scaling size.", + "description": "Filters access based on the minimum scaling size", "type": "Numeric" }, { "condition": "autoscaling:ResourceTag/${TagKey}", - "description": "The value of a tag attached to a resource.", + "description": "Filters access based on the value of a tag attached to a resource", "type": "String" }, { "condition": "autoscaling:SpotPrice", - "description": "The spot price associated with an instance.", + "description": "Filters access based on the spot price associated with an instance", "type": "Numeric" }, { "condition": "autoscaling:TargetGroupARNs", - "description": "The ARN of a target group.", + "description": "Filters access based on the ARN of a target group", "type": "ARN" }, { "condition": "autoscaling:VPCZoneIdentifiers", - "description": "The identifier of a VPC zone.", + "description": "Filters access based on the identifier of a VPC zone", "type": "String" }, { "condition": "aws:RequestTag/${TagKey}", - "description": "The value of a tag associated with the request.", + "description": "Filters access based on the value of a tag associated with the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", + "description": "Filters 
access based on the tag-value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", + "description": "Filters create requests based on the presence of mandatory tags in the request", "type": "String" } ], @@ -9294,7 +12880,7 @@ "privileges": [ { "access_level": "Write", - "description": "Attaches one or more EC2 instances to the specified Auto Scaling group.", + "description": "Grants permission to attach one or more EC2 instances to the specified Auto Scaling group", "privilege": "AttachInstances", "resource_types": [ { @@ -9309,7 +12895,7 @@ }, { "access_level": "Write", - "description": "Attaches one or more target groups to the specified Auto Scaling group.", + "description": "Grants permission to attach one or more target groups to the specified Auto Scaling group", "privilege": "AttachLoadBalancerTargetGroups", "resource_types": [ { @@ -9331,7 +12917,7 @@ }, { "access_level": "Write", - "description": "Attaches one or more load balancers to the specified Auto Scaling group.", + "description": "Grants permission to attach one or more load balancers to the specified Auto Scaling group", "privilege": "AttachLoadBalancers", "resource_types": [ { @@ -9353,7 +12939,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified scheduled actions.", + "description": "Grants permission to delete the specified scheduled actions", "privilege": "BatchDeleteScheduledAction", "resource_types": [ { @@ -9368,7 +12954,7 @@ }, { "access_level": "Write", - "description": "Creates or updates multiple scheduled scaling actions for an Auto Scaling group.", + "description": "Grants permission to create or update multiple scheduled scaling actions for an Auto Scaling group", "privilege": "BatchPutScheduledUpdateGroupAction", "resource_types": [ { 
@@ -9398,7 +12984,7 @@ }, { "access_level": "Write", - "description": "Completes the lifecycle action for the specified token or instance with the specified result.", + "description": "Grants permission to complete the lifecycle action for the specified token or instance with the specified result", "privilege": "CompleteLifecycleAction", "resource_types": [ { @@ -9412,8 +12998,8 @@ ] }, { - "access_level": "Tagging", - "description": "Creates an Auto Scaling group with the specified name and attributes.", + "access_level": "Write", + "description": "Grants permission to create an Auto Scaling group with the specified name and attributes", "privilege": "CreateAutoScalingGroup", "resource_types": [ { @@ -9444,7 +13030,7 @@ }, { "access_level": "Write", - "description": "Creates a launch configuration.", + "description": "Grants permission to create a launch configuration", "privilege": "CreateLaunchConfiguration", "resource_types": [ { @@ -9468,7 +13054,7 @@ }, { "access_level": "Tagging", - "description": "Creates or updates tags for the specified Auto Scaling group.", + "description": "Grants permission to create or update tags for the specified Auto Scaling group", "privilege": "CreateOrUpdateTags", "resource_types": [ { @@ -9491,7 +13077,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified Auto Scaling group.", + "description": "Grants permission to delete the specified Auto Scaling group", "privilege": "DeleteAutoScalingGroup", "resource_types": [ { @@ -9506,7 +13092,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified launch configuration.", + "description": "Grants permission to delete the specified launch configuration", "privilege": "DeleteLaunchConfiguration", "resource_types": [ { 
@@ -9518,7 +13104,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified lifecycle hook.", + "description": "Grants permission to deletes the specified lifecycle hook", "privilege": "DeleteLifecycleHook", "resource_types": [ { @@ -9533,7 +13119,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified notification.", + "description": "Grants permission to delete the specified notification", "privilege": "DeleteNotificationConfiguration", "resource_types": [ { @@ -9548,7 +13134,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified Auto Scaling policy.", + "description": "Grants permission to delete the specified Auto Scaling policy", "privilege": "DeletePolicy", "resource_types": [ { @@ -9563,7 +13149,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified scheduled action.", + "description": "Grants permission to delete the specified scheduled action", "privilege": "DeleteScheduledAction", "resource_types": [ { @@ -9578,7 +13164,7 @@ }, { "access_level": "Tagging", - "description": "Deletes the specified tags.", + "description": "Grants permission to delete the specified tags", "privilege": "DeleteTags", "resource_types": [ { @@ -9599,9 +13185,24 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the warm pool associated with the Auto Scaling group", + "privilege": "DeleteWarmPool", + "resource_types": [ + { + "condition_keys": [ + "autoscaling:ResourceTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "autoScalingGroup*" + } + ] + }, { "access_level": "List", - "description": "Describes the current Auto Scaling resource limits for your AWS account.", + "description": "Grants permission to describe the current Auto Scaling resource limits for your AWS account", "privilege": "DescribeAccountLimits", "resource_types": [ { 
@@ -9613,7 +13214,7 @@ }, { "access_level": "List", - "description": "Describes the policy adjustment types for use with PutScalingPolicy.", + "description": "Grants permission to describe the policy adjustment types for use with PutScalingPolicy", "privilege": "DescribeAdjustmentTypes", "resource_types": [ { @@ -9625,7 +13226,7 @@ }, { "access_level": "List", - "description": "Describes one or more Auto Scaling groups. If a list of names is not provided, the call describes all Auto Scaling groups.", + "description": "Grants permission to describe one or more Auto Scaling groups. If a list of names is not provided, the call describes all Auto Scaling groups", "privilege": "DescribeAutoScalingGroups", "resource_types": [ { @@ -9637,7 +13238,7 @@ }, { "access_level": "List", - "description": "Describes one or more Auto Scaling instances. If a list is not provided, the call describes all instances.", + "description": "Grants permission to describe one or more Auto Scaling instances. If a list is not provided, the call describes all instances", "privilege": "DescribeAutoScalingInstances", "resource_types": [ { @@ -9649,7 +13250,7 @@ }, { "access_level": "List", - "description": "Describes the notification types that are supported by Auto Scaling.", + "description": "Grants permission to describe the notification types that are supported by Auto Scaling", "privilege": "DescribeAutoScalingNotificationTypes", "resource_types": [ { @@ -9673,7 +13274,7 @@ }, { "access_level": "List", - "description": "Describes one or more launch configurations. If you omit the list of names, then the call describes all launch configurations.", + "description": "Grants permission to describe one or more launch configurations. If you omit the list of names, then the call describes all launch configurations", "privilege": "DescribeLaunchConfigurations", "resource_types": [ { 
@@ -9685,7 +13286,7 @@ }, { "access_level": "List", - "description": "Describes the available types of lifecycle hooks.", + "description": "Grants permission to describe the available types of lifecycle hooks", "privilege": "DescribeLifecycleHookTypes", "resource_types": [ { @@ -9697,7 +13298,7 @@ }, { "access_level": "List", - "description": "Describes the lifecycle hooks for the specified Auto Scaling group.", + "description": "Grants permission to describe the lifecycle hooks for the specified Auto Scaling group", "privilege": "DescribeLifecycleHooks", "resource_types": [ { @@ -9709,7 +13310,7 @@ }, { "access_level": "List", - "description": "Describes the target groups for the specified Auto Scaling group.", + "description": "Grants permission to describe the target groups for the specified Auto Scaling group", "privilege": "DescribeLoadBalancerTargetGroups", "resource_types": [ { @@ -9721,7 +13322,7 @@ }, { "access_level": "List", - "description": "Describes the load balancers for the specified Auto Scaling group.", + "description": "Grants permission to describe the load balancers for the specified Auto Scaling group", "privilege": "DescribeLoadBalancers", "resource_types": [ { @@ -9733,7 +13334,7 @@ }, { "access_level": "List", - "description": "Describes the available CloudWatch metrics for Auto Scaling.", + "description": "Grants permission to describe the available CloudWatch metrics for Auto Scaling", "privilege": "DescribeMetricCollectionTypes", "resource_types": [ { @@ -9745,7 +13346,7 @@ }, { "access_level": "List", - "description": "Describes the notification actions associated with the specified Auto Scaling group.", + "description": "Grants permission to describe the notification actions associated with the specified Auto Scaling group", "privilege": "DescribeNotificationConfigurations", "resource_types": [ { 
@@ -9757,7 +13358,7 @@ }, { "access_level": "List", - "description": "Describes the policies for the specified Auto Scaling group.", + "description": "Grants permission to describe the policies for the specified Auto Scaling group", "privilege": "DescribePolicies", "resource_types": [ { @@ -9769,7 +13370,7 @@ }, { "access_level": "List", - "description": "Describes one or more scaling activities for the specified Auto Scaling group.", + "description": "Grants permission to describe one or more scaling activities for the specified Auto Scaling group", "privilege": "DescribeScalingActivities", "resource_types": [ { @@ -9781,7 +13382,7 @@ }, { "access_level": "List", - "description": "Describes the scaling process types for use with ResumeProcesses and SuspendProcesses.", + "description": "Grants permission to describe the scaling process types for use with ResumeProcesses and SuspendProcesses", "privilege": "DescribeScalingProcessTypes", "resource_types": [ { @@ -9793,7 +13394,7 @@ }, { "access_level": "List", - "description": "Describes the actions scheduled for your Auto Scaling group that haven't run.", + "description": "Grants permission to describe the actions scheduled for your Auto Scaling group that haven't run", "privilege": "DescribeScheduledActions", "resource_types": [ { @@ -9805,7 +13406,7 @@ }, { "access_level": "Read", - "description": "Describes the specified tags.", + "description": "Grants permission to describe the specified tags", "privilege": "DescribeTags", "resource_types": [ { @@ -9817,7 +13418,7 @@ }, { "access_level": "List", - "description": "Describes the termination policies supported by Auto Scaling.", + "description": "Grants permission to describe the termination policies supported by Auto Scaling", "privilege": "DescribeTerminationPolicyTypes", "resource_types": [ { 
@@ -9827,9 +13428,21 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe the warm pool associated with the Auto Scaling group", + "privilege": "DescribeWarmPool", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Removes one or more instances from the specified Auto Scaling group.", + "description": "Grants permission to remove one or more instances from the specified Auto Scaling group", "privilege": "DetachInstances", "resource_types": [ { @@ -9844,7 +13457,7 @@ }, { "access_level": "Write", - "description": "Detaches one or more target groups from the specified Auto Scaling group.", + "description": "Grants permission to detach one or more target groups from the specified Auto Scaling group", "privilege": "DetachLoadBalancerTargetGroups", "resource_types": [ { @@ -9866,7 +13479,7 @@ }, { "access_level": "Write", - "description": "Removes one or more load balancers from the specified Auto Scaling group.", + "description": "Grants permission to remove one or more load balancers from the specified Auto Scaling group", "privilege": "DetachLoadBalancers", "resource_types": [ { @@ -9888,7 +13501,7 @@ }, { "access_level": "Write", - "description": "Disables monitoring of the specified metrics for the specified Auto Scaling group.", + "description": "Grants permission to disable monitoring of the specified metrics for the specified Auto Scaling group", "privilege": "DisableMetricsCollection", "resource_types": [ { @@ -9903,7 +13516,7 @@ }, { "access_level": "Write", - "description": "Enables monitoring of the specified metrics for the specified Auto Scaling group.", + "description": "Grants permission to enable monitoring of the specified metrics for the specified Auto Scaling group", "privilege": "EnableMetricsCollection", "resource_types": [ { 
@@ -9918,7 +13531,7 @@ }, { "access_level": "Write", - "description": "Moves the specified instances into Standby mode.", + "description": "Grants permission to move the specified instances into Standby mode", "privilege": "EnterStandby", "resource_types": [ { @@ -9933,7 +13546,7 @@ }, { "access_level": "Write", - "description": "Executes the specified policy.", + "description": "Grants permission to execute the specified policy", "privilege": "ExecutePolicy", "resource_types": [ { @@ -9948,7 +13561,7 @@ }, { "access_level": "Write", - "description": "Moves the specified instances out of Standby mode.", + "description": "Grants permission to move the specified instances out of Standby mode", "privilege": "ExitStandby", "resource_types": [ { @@ -9961,9 +13574,21 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve the forecast data for a predictive scaling policy", + "privilege": "GetPredictiveScalingForecast", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Creates or updates a lifecycle hook for the specified Auto Scaling Group.", + "description": "Grants permission to create or update a lifecycle hook for the specified Auto Scaling Group", "privilege": "PutLifecycleHook", "resource_types": [ { @@ -9978,7 +13603,7 @@ }, { "access_level": "Write", - "description": "Configures an Auto Scaling group to send notifications when specified events take place.", + "description": "Grants permission to configure an Auto Scaling group to send notifications when specified events take place", "privilege": "PutNotificationConfiguration", "resource_types": [ { @@ -9993,7 +13618,7 @@ }, { "access_level": "Write", - "description": "Creates or updates a policy for an Auto Scaling group.", + "description": "Grants permission to create or update a policy for an Auto Scaling group", "privilege": "PutScalingPolicy", "resource_types": [ { 
@@ -10008,7 +13633,7 @@ }, { "access_level": "Write", - "description": "Creates or updates a scheduled scaling action for an Auto Scaling group.", + "description": "Grants permission to create or update a scheduled scaling action for an Auto Scaling group", "privilege": "PutScheduledUpdateGroupAction", "resource_types": [ { @@ -10031,7 +13656,22 @@ }, { "access_level": "Write", - "description": "Records a heartbeat for the lifecycle action associated with the specified token or instance.", + "description": "Grants permission to create or update the warm pool associated with the specified Auto Scaling group", + "privilege": "PutWarmPool", + "resource_types": [ + { + "condition_keys": [ + "autoscaling:ResourceTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "autoScalingGroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to record a heartbeat for the lifecycle action associated with the specified token or instance", "privilege": "RecordLifecycleActionHeartbeat", "resource_types": [ { @@ -10046,7 +13686,7 @@ }, { "access_level": "Write", - "description": "Resumes the specified suspended Auto Scaling processes, or all suspended process, for the specified Auto Scaling group.", + "description": "Grants permission to resume the specified suspended Auto Scaling processes, or all suspended process, for the specified Auto Scaling group", "privilege": "ResumeProcesses", "resource_types": [ { @@ -10061,7 +13701,7 @@ }, { "access_level": "Write", - "description": "Sets the size of the specified Auto Scaling group.", + "description": "Grants permission to set the size of the specified Auto Scaling group", "privilege": "SetDesiredCapacity", "resource_types": [ { 
@@ -10076,7 +13716,7 @@ }, { "access_level": "Write", - "description": "Sets the health status of the specified instance.", + "description": "Grants permission to set the health status of the specified instance", "privilege": "SetInstanceHealth", "resource_types": [ { @@ -10091,7 +13731,7 @@ }, { "access_level": "Write", - "description": "Updates the instance protection settings of the specified instances.", + "description": "Grants permission to update the instance protection settings of the specified instances", "privilege": "SetInstanceProtection", "resource_types": [ { @@ -10121,7 +13761,7 @@ }, { "access_level": "Write", - "description": "Suspends the specified Auto Scaling processes, or all processes, for the specified Auto Scaling group.", + "description": "Grants permission to suspend the specified Auto Scaling processes, or all processes, for the specified Auto Scaling group", "privilege": "SuspendProcesses", "resource_types": [ { @@ -10136,7 +13776,7 @@ }, { "access_level": "Write", - "description": "Terminates the specified instance and optionally adjusts the desired group size.", + "description": "Grants permission to terminate the specified instance and optionally adjust the desired group size", "privilege": "TerminateInstanceInAutoScalingGroup", "resource_types": [ { @@ -10151,7 +13791,7 @@ }, { "access_level": "Write", - "description": "Updates the configuration for the specified Auto Scaling group.", + "description": "Grants permission to update the configuration for the specified Auto Scaling group", "privilege": "UpdateAutoScalingGroup", "resource_types": [ { 
@@ -10274,6 +13914,74 @@ "resources": [], "service_name": "AWS Auto Scaling" }, + { + "conditions": [], + "prefix": "aws-marketplace", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to add new approved products to the Private Marketplace. Also allows to approve a request for a product to be associated with the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "privilege": "AssociateProductsWithPrivateMarketplace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new request for a product or products to be associated with the Private Marketplace. This action can be performed by any account in an in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "privilege": "CreatePrivateMarketplaceRequests", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "privilege": "DescribePrivateMarketplaceRequests", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove approved products from the Private Marketplace. Also allows to decline a request for a product to be associated with the Private Marketplace. 
This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "privilege": "DisassociateProductsFromPrivateMarketplace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a queryable list for requests and associated products in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it.", + "privilege": "ListPrivateMarketplaceRequests", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Marketplace Private Marketplace" + }, { "conditions": [ { @@ -10814,7 +14522,7 @@ "privileges": [ { "access_level": "Write", - "description": "Called from a SaaS application listed on the AWS Marketplace to post metering records for a set of customers.", + "description": "Grants permission to post metering records for a set of customers for SaaS applications", "privilege": "BatchMeterUsage", "resource_types": [ { @@ -10826,7 +14534,7 @@ }, { "access_level": "Write", - "description": "Emits metering records.", + "description": "Grants permission to emit metering records", "privilege": "MeterUsage", "resource_types": [ { 
@@ -10838,7 +14546,7 @@ }, { "access_level": "Write", - "description": "Allows you to verify that the customer running your paid software is subscribed to your product on AWS Marketplace, enabling you to guard against unauthorized use. Meters software use per ECS task, per hour, with usage prorated to the second.", + "description": "Grants permission to to verify that the customer running your paid software is subscribed to your product on AWS Marketplace, enabling you to guard against unauthorized use. Meters software use per ECS task, per hour, with usage prorated to the second", "privilege": "RegisterUsage", "resource_types": [ { @@ -10850,7 +14558,7 @@ }, { "access_level": "Write", - "description": "Resolves a registration token to obtain a CustomerIdentifier and product code.", + "description": "Grants permission to resolve a registration token to obtain a CustomerIdentifier and product code", "privilege": "ResolveCustomer", "resource_types": [ { @@ -11118,7 +14826,7 @@ } ], "resources": [], - "service_name": "AWS Billing" + "service_name": "AWS Billing and Cost Management" }, { "conditions": [], 
@@ -11168,27 +14876,27 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access by the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", + "description": "Filters access by the presence of mandatory tags in the request", "type": "String" }, { "condition": "backup:CopyTargetOrgPaths", - "description": "Filters actions based on the organization unit.", + "description": "Filters access by the organization unit", "type": "String" }, { "condition": "backup:CopyTargets", - "description": "Filters actions based on the ARN of an backup vault.", + "description": "Filters access by the ARN of an backup vault", "type": "String" } ], @@ -11196,7 +14904,7 @@ "privileges": [ { "access_level": "Write", - "description": "Allows to copy from a backup vault", + "description": "Grants permission to copy from a backup vault", "privilege": "CopyFromBackupVault", "resource_types": [ { @@ -11211,7 +14919,7 @@ }, { "access_level": "Write", - "description": "Allows to copy into a backup vault", + "description": "Grants permission to copy into a backup vault", "privilege": "CopyIntoBackupVault", "resource_types": [ { @@ -11225,7 +14933,7 @@ }, { "access_level": "Write", - "description": "Creates a new backup plan", + "description": "Grants permission to create a new backup plan", "privilege": "CreateBackupPlan", "resource_types": [ { 
@@ -11245,7 +14953,7 @@ }, { "access_level": "Write", - "description": "Creates a new resource assignment in a backup plan.", + "description": "Grants permission to create a new resource assignment in a backup plan", "privilege": "CreateBackupSelection", "resource_types": [ { @@ -11259,7 +14967,7 @@ }, { "access_level": "Write", - "description": "Creates a new backup vault.", + "description": "Grants permission to create a new backup vault", "privilege": "CreateBackupVault", "resource_types": [ { @@ -11279,7 +14987,47 @@ }, { "access_level": "Write", - "description": "Deletes a backup plan.", + "description": "Grants permission to create a new framework", + "privilege": "CreateFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "framework*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new report plan", + "privilege": "CreateReportPlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reportPlan*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a backup plan", "privilege": "DeleteBackupPlan", "resource_types": [ { @@ -11291,7 +15039,7 @@ }, { "access_level": "Write", - "description": "Deletes a resource assignment from a backup plan.", + "description": "Grants permission to delete a resource assignment from a backup plan", "privilege": "DeleteBackupSelection", "resource_types": [ { @@ -11303,7 +15051,7 @@ }, { "access_level": "Write", - "description": "Deletes a backup vault.", + "description": "Grants permission to delete a backup vault", "privilege": "DeleteBackupVault", "resource_types": [ { 
@@ -11314,8 +15062,8 @@ ] }, { - "access_level": "Write", - "description": "Deletes backup vault access policy.", + "access_level": "Permissions management", + "description": "Grants permission to delete backup vault access policy", "privilege": "DeleteBackupVaultAccessPolicy", "resource_types": [ { @@ -11327,7 +15075,7 @@ }, { "access_level": "Write", - "description": "Removes notifications from backup vault.", + "description": "Grants permission to remove notifications from backup vault", "privilege": "DeleteBackupVaultNotifications", "resource_types": [ { @@ -11339,7 +15087,19 @@ }, { "access_level": "Write", - "description": "Deletes a recovery point from a backup vault.", + "description": "Grants permission to delete a framework", + "privilege": "DeleteFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "framework*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a recovery point from a backup vault", "privilege": "DeleteRecoveryPoint", "resource_types": [ { @@ -11349,9 +15109,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a report plan", + "privilege": "DeleteReportPlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reportPlan*" + } + ] + }, { "access_level": "Read", - "description": "Describes a backup job", + "description": "Grants permission to describe a backup job", "privilege": "DescribeBackupJob", "resource_types": [ { @@ -11363,7 +15135,7 @@ }, { "access_level": "Read", - "description": "Describes a new backup vault with the specified name.", + "description": "Grants permission to describe a new backup vault with the specified name", "privilege": "DescribeBackupVault", "resource_types": [ { 
@@ -11375,14 +15147,11 @@ }, { "access_level": "Read", - "description": "Describes a copy job", + "description": "Grants permission to describe a copy job", "privilege": "DescribeCopyJob", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -11390,7 +15159,19 @@ }, { "access_level": "Read", - "description": "Describes global settings", + "description": "Grants permission to describe a framework with the specified name", + "privilege": "DescribeFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "framework*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe global settings", "privilege": "DescribeGlobalSettings", "resource_types": [ { @@ -11402,7 +15183,7 @@ }, { "access_level": "Read", - "description": "Describes a protected resource.", + "description": "Grants permission to describe a protected resource", "privilege": "DescribeProtectedResource", "resource_types": [ { @@ -11414,7 +15195,7 @@ }, { "access_level": "Read", - "description": "Describes a recovery point.", + "description": "Grants permission to describe a recovery point", "privilege": "DescribeRecoveryPoint", "resource_types": [ { @@ -11426,7 +15207,7 @@ }, { "access_level": "Read", - "description": "Describes region settings", + "description": "Grants permission to describe region settings", "privilege": "DescribeRegionSettings", "resource_types": [ { 
@@ -11438,7 +15219,31 @@ }, { "access_level": "Read", - "description": "Describes a restore job.", + "description": "Grants permission to describe a report job", + "privilege": "DescribeReportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a report plan with the specified name", + "privilege": "DescribeReportPlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reportPlan*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a restore job", "privilege": "DescribeRestoreJob", "resource_types": [ { @@ -11448,9 +15253,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a recovery point from a backup vault", + "privilege": "DisassociateRecoveryPoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoveryPoint*" + } + ] + }, { "access_level": "Read", - "description": "Exports a backup plan as a JSON.", + "description": "Grants permission to export a backup plan as a JSON", "privilege": "ExportBackupPlanTemplate", "resource_types": [ { @@ -11462,7 +15279,7 @@ }, { "access_level": "Read", - "description": "Gets a backup plan.", + "description": "Grants permission to get a backup plan", "privilege": "GetBackupPlan", "resource_types": [ { @@ -11474,7 +15291,7 @@ }, { "access_level": "Read", - "description": "Transforms a JSON to a backup plan.", + "description": "Grants permission to transform a JSON to a backup plan", "privilege": "GetBackupPlanFromJSON", "resource_types": [ { @@ -11486,7 +15303,7 @@ }, { "access_level": "Read", - "description": "Transforms a template to a backup plan.", + "description": "Grants permission to transform a template to a backup plan", "privilege": "GetBackupPlanFromTemplate", "resource_types": [ { 
@@ -11498,7 +15315,7 @@ }, { "access_level": "Read", - "description": "Gets a backup plan resource assignment.", + "description": "Grants permission to get a backup plan resource assignment", "privilege": "GetBackupSelection", "resource_types": [ { @@ -11510,7 +15327,7 @@ }, { "access_level": "Read", - "description": "Gets backup vault access policy.", + "description": "Grants permission to get backup vault access policy", "privilege": "GetBackupVaultAccessPolicy", "resource_types": [ { @@ -11522,7 +15339,7 @@ }, { "access_level": "Read", - "description": "Gets backup vault notifications.", + "description": "Grants permission to get backup vault notifications", "privilege": "GetBackupVaultNotifications", "resource_types": [ { @@ -11534,7 +15351,7 @@ }, { "access_level": "Read", - "description": "Gets recovery point restore metadata.", + "description": "Grants permission to get recovery point restore metadata", "privilege": "GetRecoveryPointRestoreMetadata", "resource_types": [ { @@ -11546,7 +15363,7 @@ }, { "access_level": "Read", - "description": "Gets supported resource types.", + "description": "Grants permission to get supported resource types", "privilege": "GetSupportedResourceTypes", "resource_types": [ { @@ -11558,7 +15375,7 @@ }, { "access_level": "List", - "description": "Lists backup jobs.", + "description": "Grants permission to list backup jobs", "privilege": "ListBackupJobs", "resource_types": [ { @@ -11570,7 +15387,7 @@ }, { "access_level": "List", - "description": "Lists backup plan templates provided by AWS Backup.", + "description": "Grants permission to list backup plan templates provided by AWS Backup", "privilege": "ListBackupPlanTemplates", "resource_types": [ { @@ -11582,7 +15399,7 @@ }, { "access_level": "List", - "description": "Lists backup plan versions.", + "description": "Grants permission to list backup plan versions", "privilege": "ListBackupPlanVersions", "resource_types": [ { 
@@ -11594,7 +15411,7 @@ }, { "access_level": "List", - "description": "Lists backup plans.", + "description": "Grants permission to list backup plans", "privilege": "ListBackupPlans", "resource_types": [ { @@ -11606,7 +15423,7 @@ }, { "access_level": "List", - "description": "Lists resource assignments for a specific backup plan.", + "description": "Grants permission to list resource assignments for a specific backup plan", "privilege": "ListBackupSelections", "resource_types": [ { @@ -11618,7 +15435,7 @@ }, { "access_level": "List", - "description": "Lists backup vaults.", + "description": "Grants permission to list backup vaults", "privilege": "ListBackupVaults", "resource_types": [ { @@ -11630,7 +15447,7 @@ }, { "access_level": "List", - "description": "Lists copy jobs", + "description": "Grants permission to list copy jobs", "privilege": "ListCopyJobs", "resource_types": [ { @@ -11642,7 +15459,19 @@ }, { "access_level": "List", - "description": "Lists protected resources by AWS Backup.", + "description": "Grants permission to list frameworks", + "privilege": "ListFrameworks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list protected resources by AWS Backup", "privilege": "ListProtectedResources", "resource_types": [ { @@ -11654,7 +15483,7 @@ }, { "access_level": "List", - "description": "Lists recovery points inside a backup vault.", + "description": "Grants permission to list recovery points inside a backup vault", "privilege": "ListRecoveryPointsByBackupVault", "resource_types": [ { @@ -11666,7 +15495,7 @@ }, { "access_level": "List", - "description": "Lists recovery points for a resource.", + "description": "Grants permission to list recovery points for a resource", "privilege": "ListRecoveryPointsByResource", "resource_types": [ { 
@@ -11678,8 +15507,8 @@ }, { "access_level": "List", - "description": "Lists restore jobs.", - "privilege": "ListRestoreJobs", + "description": "Grants permission to list report jobs", + "privilege": "ListReportJobs", "resource_types": [ { "condition_keys": [], @@ -11690,7 +15519,31 @@ }, { "access_level": "List", - "description": "Lists tags for a resource.", + "description": "Grants permission to list report plans", + "privilege": "ListReportPlans", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to lists restore jobs", + "privilege": "ListRestoreJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", "privilege": "ListTags", "resource_types": [ { @@ -11703,16 +15556,26 @@ "dependent_actions": [], "resource_type": "backupVault" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "framework" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "recoveryPoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reportPlan" } ] }, { - "access_level": "Write", - "description": "Adds an access policy to the backup vault.", + "access_level": "Permissions management", + "description": "Grants permission to add an access policy to the backup vault", "privilege": "PutBackupVaultAccessPolicy", "resource_types": [ { @@ -11724,7 +15587,7 @@ }, { "access_level": "Write", - "description": "Adds an SNS topic to the backup vault.", + "description": "Grants permission to add an SNS topic to the backup vault", "privilege": "PutBackupVaultNotifications", "resource_types": [ { 
@@ -11736,7 +15599,7 @@ }, { "access_level": "Write", - "description": "Starts a new backup job.", + "description": "Grants permission to start a new backup job", "privilege": "StartBackupJob", "resource_types": [ { @@ -11750,7 +15613,7 @@ }, { "access_level": "Write", - "description": "Copy a backup from a source backup vault to a destination backup vault.", + "description": "Grants permission to copy a backup from a source backup vault to a destination backup vault", "privilege": "StartCopyJob", "resource_types": [ { @@ -11759,20 +15622,24 @@ "iam:PassRole" ], "resource_type": "recoveryPoint*" - }, + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a new report job", + "privilege": "StartReportJob", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "reportPlan*" } ] }, { "access_level": "Write", - "description": "Starts a new restore job.", + "description": "Grants permission to start a new restore job", "privilege": "StartRestoreJob", "resource_types": [ { @@ -11786,7 +15653,7 @@ }, { "access_level": "Write", - "description": "Stops a backup job.", + "description": "Grants permission to stop a backup job", "privilege": "StopBackupJob", "resource_types": [ { @@ -11798,7 +15665,7 @@ }, { "access_level": "Tagging", - "description": "Tags a resource.", + "description": "Grants permission to tag a resource", "privilege": "TagResource", "resource_types": [ { @@ -11811,11 +15678,21 @@ "dependent_actions": [], "resource_type": "backupVault" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "framework" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "recoveryPoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reportPlan" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -11828,7 +15705,7 @@ }, { "access_level": "Tagging", - "description": "Untags a resource.", + "description": "Grants permission to untag a resource", "privilege": "UntagResource", "resource_types": [ { @@ -11841,11 +15718,21 @@ "dependent_actions": [], "resource_type": "backupVault" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "framework" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "recoveryPoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reportPlan" + }, { "condition_keys": [ "aws:TagKeys" @@ -11857,7 +15744,7 @@ }, { "access_level": "Write", - "description": "Updates a backup plan.", + "description": "Grants permission to update a backup plan", "privilege": "UpdateBackupPlan", "resource_types": [ { @@ -11869,7 +15756,19 @@ }, { "access_level": "Write", - "description": "Updates global settings", + "description": "Grants permission to update a framework", + "privilege": "UpdateFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "framework*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the current global settings for the AWS Account", "privilege": "UpdateGlobalSettings", "resource_types": [ { @@ -11881,7 +15780,7 @@ }, { "access_level": "Write", - "description": "Updates the lifecycle of the recovery point.", + "description": "Grants permission to update the lifecycle of the recovery point", "privilege": "UpdateRecoveryPointLifecycle", "resource_types": [ { @@ -11893,7 +15792,7 @@ }, { "access_level": "Write", - "description": "Describes region settings", + "description": "Grants permission to update the current service opt-in settings for the Region", "privilege": "UpdateRegionSettings", "resource_types": [ { 
@@ -11902,6 +15801,18 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a report plan", + "privilege": "UpdateReportPlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reportPlan*" + } + ] } ], "resources": [ @@ -11925,6 +15836,20 @@ "aws:ResourceTag/${TagKey}" ], "resource": "recoveryPoint" + }, + { + "arn": "arn:${Partition}:backup:${Region}:${Account}:framework:${FrameworkName}-${FrameworkId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "framework" + }, + { + "arn": "arn:${Partition}:backup:${Region}:${Account}:report-plan:${ReportPlanName}-${ReportPlanId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "reportPlan" } ], "service_name": "AWS Backup" 
@@ -11953,57 +15878,57 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request.", + "description": "Filters access based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource.", + "description": "Filters access based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request.", + "description": "Filters access based on the tag keys that are passed in the request", "type": "String" }, { "condition": "batch:AWSLogsCreateGroup", - "description": "When this parameter is true, the awslogs-group will be created for the logs.", + "description": "Filters access based on the specified logging driver to determine whether awslogs group will be created for the logs", "type": "Boolean" }, { "condition": "batch:AWSLogsGroup", - "description": "The awslogs group where the logs are located.", + "description": "Filters access based on the awslogs group where the logs are located", "type": "String" }, { "condition": "batch:AWSLogsRegion", - "description": "The region where the logs are sent to.", + "description": "Filters access based on the region where the logs are sent to", "type": "String" }, { "condition": "batch:AWSLogsStreamPrefix", - "description": "The awslogs log stream prefix.", + "description": "Filters access based on the awslogs log stream prefix", "type": "String" }, { "condition": "batch:Image", - "description": "The image used to start a container.", + "description": "Filters access based on the image used to start a container", "type": "String" }, { "condition": "batch:LogDriver", - "description": "The log driver used for the container.", + "description": "Filters access based on the log driver used for the container", 
"type": "String" }, { "condition": "batch:Privileged", - "description": "When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user).", + "description": "Filter access based on the specified privileged parameter value that determines whether the container is given elevated privileges on the host container instance (similar to the root user)", "type": "Boolean" }, { "condition": "batch:User", - "description": "The user name or numeric uid to use inside the container.", + "description": "Filters access based on the user name or numeric uid used inside the container", "type": "String" } ], @@ -12011,7 +15936,7 @@ "privileges": [ { "access_level": "Write", - "description": "Cancels a job in an AWS Batch job queue.", + "description": "Grants permission to cancel a job in an AWS Batch job queue in your account", "privilege": "CancelJob", "resource_types": [ { @@ -12023,9 +15948,14 @@ }, { "access_level": "Write", - "description": "Creates an AWS Batch compute environment.", + "description": "Grants permission to create an AWS Batch compute environment in your account", "privilege": "CreateComputeEnvironment", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "compute-environment*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -12038,7 +15968,7 @@ }, { "access_level": "Write", - "description": "Creates an AWS Batch job queue.", + "description": "Grants permission to create an AWS Batch job queue in your account", "privilege": "CreateJobQueue", "resource_types": [ { @@ -12046,6 +15976,11 @@ "dependent_actions": [], "resource_type": "compute-environment*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job-queue*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -12058,7 +15993,7 @@ }, { "access_level": "Write", - "description": "Deletes an AWS Batch compute environment.", + "description": "Grants permission to delete an AWS Batch compute environment in your account", "privilege": "DeleteComputeEnvironment", "resource_types": [ { @@ -12070,7 +16005,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified job queue.", + "description": "Grants permission to delete an AWS Batch job queue in your account", "privilege": "DeleteJobQueue", "resource_types": [ { @@ -12082,7 +16017,7 @@ }, { "access_level": "Write", - "description": "Deregisters an AWS Batch job definition.", + "description": "Grants permission to deregister an AWS Batch job definition in your account", "privilege": "DeregisterJobDefinition", "resource_types": [ { @@ -12094,7 +16029,7 @@ }, { "access_level": "Read", - "description": "Describes one or more of your compute environments.", + "description": "Grants permission to describe one or more AWS Batch compute environments in your account", "privilege": "DescribeComputeEnvironments", "resource_types": [ { @@ -12106,7 +16041,7 @@ }, { "access_level": "Read", - "description": "Describes a list of job definitions.", + "description": "Grants permission to describe one or more AWS Batch job definitions in your account", "privilege": "DescribeJobDefinitions", "resource_types": [ { @@ -12118,7 +16053,7 @@ }, { "access_level": "Read", - "description": "Describes one or more of your job queues.", + "description": "Grants permission to describe one or more AWS Batch job queues in your account", "privilege": "DescribeJobQueues", "resource_types": [ { @@ -12130,7 +16065,7 @@ }, { "access_level": "Read", - "description": "Describes a list of AWS Batch jobs.", + "description": "Grants permission to describe a list of AWS Batch jobs in your account", "privilege": "DescribeJobs", "resource_types": [ { 
@@ -12142,7 +16077,7 @@ }, { "access_level": "List", - "description": "Returns a list of task jobs for a specified job queue.", + "description": "Grants permission to list jobs for a specified AWS Batch job queue in your account", "privilege": "ListJobs", "resource_types": [ { @@ -12153,8 +16088,8 @@ ] }, { - "access_level": "List", - "description": "List tags for the specified resource.", + "access_level": "Read", + "description": "Grants permission to list tags for an AWS Batch resource in your account", "privilege": "ListTagsForResource", "resource_types": [ { @@ -12181,9 +16116,14 @@ }, { "access_level": "Write", - "description": "Registers an AWS Batch job definition.", + "description": "Grants permission to register an AWS Batch job definition in your account", "privilege": "RegisterJobDefinition", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job-definition*" + }, { "condition_keys": [ "batch:User", @@ -12204,7 +16144,7 @@ }, { "access_level": "Write", - "description": "Submits an AWS Batch job from a job definition.", + "description": "Grants permission to submit an AWS Batch job from a job definition in your account", "privilege": "SubmitJob", "resource_types": [ { @@ -12229,7 +16169,7 @@ }, { "access_level": "Tagging", - "description": "Tags the specified resource.", + "description": "Grants permission to tag an AWS Batch resource in your account", "privilege": "TagResource", "resource_types": [ { @@ -12264,7 +16204,7 @@ }, { "access_level": "Write", - "description": "Terminates a job in an AWS Batch job queue.", + "description": "Grants permission to terminate a job in an AWS Batch job queue in your account", "privilege": "TerminateJob", "resource_types": [ { @@ -12276,7 +16216,7 @@ }, { "access_level": "Tagging", - "description": "Untags the specified resource.", + "description": "Grants permission to untag an AWS Batch resource in your account", "privilege": "UntagResource", "resource_types": [ { 
@@ -12310,7 +16250,7 @@ }, { "access_level": "Write", - "description": "Updates an AWS Batch compute environment.", + "description": "Grants permission to update an AWS Batch compute environment in your account", "privilege": "UpdateComputeEnvironment", "resource_types": [ { @@ -12322,13 +16262,18 @@ }, { "access_level": "Write", - "description": "Updates a job queue.", + "description": "Grants permission to update an AWS Batch job queue in your account", "privilege": "UpdateJobQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "job-queue*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "compute-environment" } ] } 
@@ -12671,6 +16616,396 @@ ], "service_name": "AWS Budget Service" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "bugbust", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a BugBust event", + "privilege": "CreateEvent", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to evaluate checked-in profiling groups", + "privilege": "EvaluateProfilingGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view customer details about an event", + "privilege": "GetEvent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the status of a BugBust player's attempt to join a BugBust event", + "privilege": "GetJoinEventStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to join an event", + "privilege": "JoinEvent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the bugs that were imported into an event for players to work on", + "privilege": "ListBugs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "codeguru-reviewer:DescribeCodeReview", + "codeguru-reviewer:ListRecommendations" + ], + "resource_type": "Event*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "codereview*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the participants of an event", + "privilege": "ListEventParticipants", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the scores of an event's players", + "privilege": "ListEventScores", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to List BugBust events", + "privilege": "ListEvents", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + 
"dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the profiling groups that were imported into an event for players to work on", + "privilege": "ListProfilingGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the pull requests used by players to submit fixes to their claimed bugs in an event", + "privilege": "ListPullRequests", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to lists tag for a Bugbust resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a Bugbust resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a Bugbust resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + 
"dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a BugBust event", + "privilege": "UpdateEvent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "codeguru-profiler:DescribeProfilingGroup", + "codeguru-profiler:ListProfilingGroups", + "codeguru-reviewer:DescribeCodeReview", + "codeguru-reviewer:ListCodeReviews", + "codeguru-reviewer:ListRecommendations", + "codeguru-reviewer:TagResource", + "codeguru-reviewer:UnTagResource" + ], + "resource_type": "Event*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ProfilingGroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "codereview*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a work item as claimed or unclaimed (bug or profiling group)", + "privilege": "UpdateWorkItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an event's work item (bug or profiling group)", + "privilege": "UpdateWorkItemAdmin", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Event*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:codeguru-reviewer:${Region}:${Account}:association:${ResourceId}:codereview:${CodeReviewId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "codereview" + }, + { + "arn": 
"arn:${Partition}:codeguru-profiler:${Region}:${Account}:profilingGroup/${profilingGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ProfilingGroup" + }, + { + "arn": "arn:${Partition}:bugbust:${Region}:${Account}:events/${EventId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Event" + } + ], + "service_name": "AWS BugBust" + }, { "conditions": [ { @@ -13360,12 +17695,18 @@ "service_name": "AWS Cost Explorer Service" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:CalledVia", + "description": "Filters access by the services that make the request on behalf of the IAM principal", + "type": "String" + } + ], "prefix": "chatbot", "privileges": [ { "access_level": "Write", - "description": "Creates an AWS Chatbot Chime Webhook Configuration.", + "description": "Grants permission to create an AWS Chatbot Chime Webhook Configuration", "privilege": "CreateChimeWebhookConfiguration", "resource_types": [ { @@ -13377,7 +17718,7 @@ }, { "access_level": "Write", - "description": "Creates an AWS Chatbot Slack Channel Configuration.", + "description": "Grants permission to create an AWS Chatbot Slack Channel Configuration", "privilege": "CreateSlackChannelConfiguration", "resource_types": [ { 
@@ -13389,20 +17730,32 @@ }, { "access_level": "Write", - "description": "Deletes an AWS Chatbot Chime Webhook Configuration.", + "description": "Grants permission to delete an AWS Chatbot Chime Webhook Configuration", "privilege": "DeleteChimeWebhookConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ChatbotConfiguration*" } ] }, { "access_level": "Write", - "description": "Deletes an AWS Chatbot Slack Channel Configuration.", + "description": "Grants permission to delete an AWS Chatbot Slack Channel Configuration", "privilege": "DeleteSlackChannelConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ChatbotConfiguration*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the Slack workspace authorization with AWS Chatbot, associated with an AWS account", + "privilege": "DeleteSlackWorkspaceAuthorization", "resource_types": [ { "condition_keys": [], @@ -13413,7 +17766,7 @@ }, { "access_level": "Read", - "description": "Lists all AWS Chatbot Chime Webhook Configurations in an AWS Account.", + "description": "Grants permission to list all AWS Chatbot Chime Webhook Configurations in an AWS Account", "privilege": "DescribeChimeWebhookConfigurations", "resource_types": [ { @@ -13425,7 +17778,7 @@ }, { "access_level": "Read", - "description": "Lists all AWS Chatbot Slack Channel Configurations in an AWS account.", + "description": "Grants permission to list all AWS Chatbot Slack Channel Configurations in an AWS account", "privilege": "DescribeSlackChannelConfigurations", "resource_types": [ { 
@@ -13437,7 +17790,7 @@ }, { "access_level": "Read", - "description": "Lists all public Slack channels in the Slack workspace connected to the AWS Account onboarded with AWS Chatbot service.", + "description": "Grants permission to list all public Slack channels in the Slack workspace connected to the AWS Account onboarded with AWS Chatbot service", "privilege": "DescribeSlackChannels", "resource_types": [ { @@ -13449,7 +17802,7 @@ }, { "access_level": "Read", - "description": "Lists all authorized Slack workspaces connected to the AWS Account onboarded with AWS Chatbot service.", + "description": "Grants permission to list all authorized Slack workspaces connected to the AWS Account onboarded with AWS Chatbot service", "privilege": "DescribeSlackWorkspaces", "resource_types": [ { @@ -13461,7 +17814,7 @@ }, { "access_level": "Read", - "description": "Generate OAuth parameters to request Slack OAuth code to be used by the AWS Chatbot service.", + "description": "Grants permission to generate OAuth parameters to request Slack OAuth code to be used by the AWS Chatbot service", "privilege": "GetSlackOauthParameters", "resource_types": [ { @@ -13473,7 +17826,7 @@ }, { "access_level": "Write", - "description": "Redeem previously generated parameters with Slack API, to acquire OAuth tokens to be used by the AWS Chatbot service.", + "description": "Grants permission to redeem previously generated parameters with Slack API, to acquire OAuth tokens to be used by the AWS Chatbot service", "privilege": "RedeemSlackOauthCode", "resource_types": [ { 
@@ -13485,32 +17838,32 @@ }, { "access_level": "Write", - "description": "Updates an AWS Chatbot Chime Webhook Configuration.", + "description": "Grants permission to update an AWS Chatbot Chime Webhook Configuration", "privilege": "UpdateChimeWebhookConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ChatbotConfiguration*" } ] }, { "access_level": "Write", - "description": "Updates an AWS Chatbot Slack Channel Configuration.", + "description": "Grants permission to update an AWS Chatbot Slack Channel Configuration", "privilege": "UpdateSlackChannelConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ChatbotConfiguration*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:chatbot::${account}:${resourceType}/${resourceName}", + "arn": "arn:${Partition}:chatbot::${Account}:chat-configuration/${ChatbotConfigurationName}", "condition_keys": [], "resource": "ChatbotConfiguration" } @@ -13623,7 +17976,7 @@ }, { "access_level": "Write", - "description": "Grants permission to associate the specified sign-in delegate groups with the specified Amazon Chime account.", + "description": "Grants permission to associate the specified sign-in delegate groups with the specified Amazon Chime account", "privilege": "AssociateSigninDelegateGroupsWithAccount", "resource_types": [ { @@ -13657,6 +18010,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to add multiple users to a channel", + "privilege": "BatchCreateChannelMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to batch add room members", 
@@ -13731,13 +18101,13 @@ }, { "access_level": "Write", - "description": "Grants permission to establish a web socket connection to the messaging session endpoint", + "description": "Grants permission to establish a web socket connection for app instance user to the messaging session endpoint", "privilege": "Connect", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "app-instance-user*" } ] }, @@ -13948,6 +18318,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a media capture pipeline", + "privilege": "CreateMediaCapturePipeline", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new Amazon Chime SDK meeting in the specified media Region, with no initial attendees", @@ -14076,7 +18458,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a user under the specified Amazon Chime account.", + "description": "Grants permission to create a user under the specified Amazon Chime account", "privilege": "CreateUser", "resource_types": [ { @@ -14358,6 +18740,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a media capture pipeline", + "privilege": "DeleteMediaCapturePipeline", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete the specified Amazon Chime SDK meeting", 
@@ -14719,7 +19113,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate the specified sign-in delegate groups from the specified Amazon Chime account.", + "description": "Grants permission to disassociate the specified sign-in delegate groups from the specified Amazon Chime account", "privilege": "DisassociateSigninDelegateGroupsFromAccount", "resource_types": [ { @@ -14908,6 +19302,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get an existing media capture pipeline", + "privilege": "GetMediaCapturePipeline", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the meeting record for a specified meeting ID", @@ -14994,7 +19400,7 @@ }, { "access_level": "Read", - "description": "Gets the retention settings for the specified Amazon Chime account.", + "description": "Grants permission to retrieve the retention settings for the specified Amazon Chime account", "privilege": "GetRetentionSettings", "resource_types": [ { @@ -15443,7 +19849,7 @@ ] }, { - "access_level": "List", + "access_level": "Write", "description": "Grants permission to list all the messages in a channel", "privilege": "ListChannelMessages", "resource_types": [ @@ -15553,6 +19959,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list media capture pipelines", + "privilege": "ListMediaCapturePipelines", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all events that occurred for a specified meeting", 
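Review bot: `ListChannelMessages` is reclassified from `"access_level": "List"` to `"Write"` in the `@@ -15443,7 +19849,7 @@` hunk, although its description still reads "list all the messages in a channel". The `@@ -16022,7 +20452,7 @@` hunk makes the same List-to-Write flip for `RetrieveDataExports`, which is a download action. If this file is regenerated from the upstream AWS documentation, the values probably mirror it. Even so, any consumer that keys findings on `access_level` would now report these read-style actions as mutating ones. I would confirm both values against the current service authorization reference before release and, if they are kept, record the reclassification in the release notes so downstream users can explain the changed findings.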
@@ -15567,7 +19985,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the tags applied to an Amazon Chime SDK meeting resource.", + "description": "Grants permission to list the tags applied to an Amazon Chime SDK meeting resource", "privilege": "ListMeetingTags", "resource_types": [ { @@ -15687,7 +20105,19 @@ }, { "access_level": "List", - "description": "Grants permission to list the tags applied to an Amazon Chime resource.", + "description": "Grants permission to list the phone number countries supported by the AWS account", + "privilege": "ListSupportedPhoneNumberCountries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the tags applied to an Amazon Chime resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -15795,7 +20225,7 @@ }, { "access_level": "Write", - "description": "Puts retention settings for the specified Amazon Chime account", + "description": "Grants permission to create or update retention settings for the specified Amazon Chime account", "privilege": "PutRetentionSettings", "resource_types": [ { @@ -15927,7 +20357,7 @@ }, { "access_level": "Write", - "description": "Redacts the specified Chime conversation Message", + "description": "Grants permission to redact the specified Chime conversation Message", "privilege": "RedactConversationMessage", "resource_types": [ { @@ -15939,7 +20369,7 @@ }, { "access_level": "Write", - "description": "Redacts the specified Chime room Message", + "description": "Grants permission to redacts the specified Chime room Message", "privilege": "RedactRoomMessage", "resource_types": [ { 
@@ -16022,7 +20452,7 @@ ] }, { - "access_level": "List", + "access_level": "Write", "description": "Grants permission to download the file containing links to all user attachments returned as part of the \"Request attachments\" action", "privilege": "RetrieveDataExports", "resource_types": [ @@ -16074,6 +20504,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start transcription for a meeting", + "privilege": "StartMeetingTranscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop transcription for a meeting", + "privilege": "StopMeetingTranscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to submit a customer service support request", @@ -16112,7 +20566,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to apply the specified tags to the specified Amazon Chime SDK meeting.", + "description": "Grants permission to apply the specified tags to the specified Amazon Chime SDK meeting", "privilege": "TagMeeting", "resource_types": [ { @@ -16133,7 +20587,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to apply the specified tags to the specified Amazon Chime resource.", + "description": "Grants permission to apply the specified tags to the specified Amazon Chime resource", "privilege": "TagResource", "resource_types": [ { @@ -16166,7 +20620,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag the specified tags from the specified Amazon Chime SDK attendee.", + "description": "Grants permission to untag the specified tags from the specified Amazon Chime SDK attendee", "privilege": "UntagAttendee", "resource_types": [ { 
@@ -16178,7 +20632,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag the specified tags from the specified Amazon Chime SDK meeting.", + "description": "Grants permission to untag the specified tags from the specified Amazon Chime SDK meeting", "privilege": "UntagMeeting", "resource_types": [ { @@ -16190,7 +20644,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag the specified tags from the specified Amazon Chime resource.", + "description": "Grants permission to untag the specified tags from the specified Amazon Chime resource", "privilege": "UntagResource", "resource_types": [ { @@ -16435,6 +20889,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an Amazon Chime SIP media application call under the administrator's AWS account", + "privilege": "UpdateSipMediaApplicationCall", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update properties of Amazon Chime SIP rule under the administrator's AWS account", 
@@ -16541,21 +21007,21 @@ "resource": "meeting" }, { - "arn": "arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}", + "arn": "arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "app-instance" }, { - "arn": "arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}/user/${AppInstanceUserId}", + "arn": "arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId}/user/${AppInstanceUserId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "app-instance-user" }, { - "arn": "arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}/channel/${ChannelId}", + "arn": "arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId}/channel/${ChannelId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -16616,7 +21082,19 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an AWS Cloud9 development environment, launches an Amazon Elastic Compute Cloud (Amazon EC2) instance, and then hosts the environment on the instance.", + "description": "Grants permission to start the Amazon EC2 instance that your AWS Cloud9 IDE connects to", + "privilege": "ActivateEC2Remote", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS Cloud9 development environment, launches an Amazon Elastic Compute Cloud (Amazon EC2) instance, and then hosts the environment on the instance", "privilege": "CreateEnvironmentEC2", "resource_types": [ { @@ -16624,7 +21102,9 @@ "cloud9:EnvironmentName", "cloud9:InstanceType", "cloud9:SubnetId", - "cloud9:UserArn" + "cloud9:UserArn", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [ "ec2:DescribeSubnets", 
@@ -16637,7 +21117,7 @@ }, { "access_level": "Write", - "description": "Grants permission to add an environment member to an AWS Cloud9 development environment.", + "description": "Grants permission to add an environment member to an AWS Cloud9 development environment", "privilege": "CreateEnvironmentMembership", "resource_types": [ { @@ -16658,7 +21138,35 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Cloud9 development environment. If the environment is hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance, also terminates the instance.", + "description": "Grants permission to create an AWS Cloud9 SSH development environment", + "privilege": "CreateEnvironmentSSH", + "resource_types": [ + { + "condition_keys": [ + "cloud9:EnvironmentName", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to create an authentication token that allows a connection between the AWS Cloud9 IDE and the user's environment", + "privilege": "CreateEnvironmentToken", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS Cloud9 development environment. If the environment is hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance, also terminates the instance", "privilege": "DeleteEnvironment", "resource_types": [ { @@ -16672,7 +21180,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an environment member from an AWS Cloud9 development environment.", + "description": "Grants permission to delete an environment member from an AWS Cloud9 development environment", "privilege": "DeleteEnvironmentMembership", "resource_types": [ { 
@@ -16684,7 +21192,19 @@ }, { "access_level": "Read", - "description": "Grants permission to get information about environment members for an AWS Cloud9 development environment.", + "description": "Grants permission to get details about the connection to the EC2 development environment, including host, user, and port", + "privilege": "DescribeEC2Remote", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about environment members for an AWS Cloud9 development environment", "privilege": "DescribeEnvironmentMemberships", "resource_types": [ { @@ -16704,7 +21224,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get status information for an AWS Cloud9 development environment.", + "description": "Grants permission to get status information for an AWS Cloud9 development environment", "privilege": "DescribeEnvironmentStatus", "resource_types": [ { @@ -16716,7 +21236,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get information about AWS Cloud9 development environments.", + "description": "Grants permission to get information about AWS Cloud9 development environments", "privilege": "DescribeEnvironments", "resource_types": [ { 
@@ -16728,7 +21248,67 @@ }, { "access_level": "Read", - "description": "Grants permission to get IDE-specific settings of an AWS Cloud9 user.", + "description": "Grants permission to get details about the connection to the SSH development environment, including host, user, and port", + "privilege": "DescribeSSHRemote", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get configuration information that's used to initialize the AWS Cloud9 IDE", + "privilege": "GetEnvironmentConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the AWS Cloud9 IDE settings for a specified development environment", + "privilege": "GetEnvironmentSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the AWS Cloud9 IDE settings for a specified environment member", + "privilege": "GetMembershipSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the user's public SSH key, which is used by AWS Cloud9 to connect to SSH development environments", + "privilege": "GetUserPublicKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the AWS Cloud9 IDE settings for a specified user", "privilege": "GetUserSettings", "resource_types": [ { 
@@ -16740,7 +21320,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get a list of AWS Cloud9 development environment identifiers.", + "description": "Grants permission to get a list of AWS Cloud9 development environment identifiers", "privilege": "ListEnvironments", "resource_types": [ { @@ -16752,7 +21332,7 @@ }, { "access_level": "Read", - "description": "Lists tags for a cloud9 environment", + "description": "Grants permission to list tags for a cloud9 environment", "privilege": "ListTagsForResource", "resource_types": [ { @@ -16764,7 +21344,19 @@ }, { "access_level": "Write", - "description": "Adds tags to a cloud9 environment", + "description": "Grants permission to set AWS managed temporary credentials on the Amazon EC2 instance that's used by the AWS Cloud9 integrated development environment (IDE)", + "privilege": "ModifyTemporaryCredentialsOnEnvironmentEC2", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a cloud9 environment", "privilege": "TagResource", "resource_types": [ { @@ -16783,8 +21375,8 @@ ] }, { - "access_level": "Write", - "description": "Removes tags from a cloud9 environment", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a cloud9 environment", "privilege": "UntagResource", "resource_types": [ { @@ -16794,6 +21386,7 @@ }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -16803,7 +21396,7 @@ }, { "access_level": "Write", - "description": "Grants permission to change the settings of an existing AWS Cloud9 development environment.", + "description": "Grants permission to change the settings of an existing AWS Cloud9 development environment", "privilege": "UpdateEnvironment", "resource_types": [ { 
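Review bot: The hunk at -16794 adds `"aws:RequestTag/${TagKey}"` to a `condition_keys` list that appears to belong to Cloud9 `UntagResource`; this is inferred from the preceding hunk, because the enclosing entry starts outside this one. An untag request normally carries tag keys only, so a policy statement conditioned on `aws:RequestTag/...` for this action may not restrict anything in the way its author expects. Listing the key here would also make a linter treat that condition as valid for the action. Unless the upstream reference is confirmed correct, I would leave the list as just `"aws:TagKeys"`.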
@@ -16815,7 +21408,7 @@ }, { "access_level": "Write", - "description": "Grants permission to change the settings of an existing environment member for an AWS Cloud9 development environment.", + "description": "Grants permission to change the settings of an existing environment member for an AWS Cloud9 development environment", "privilege": "UpdateEnvironmentMembership", "resource_types": [ { @@ -16836,7 +21429,43 @@ }, { "access_level": "Write", - "description": "Grants permission to update IDE-specific settings of an AWS Cloud9 user.", + "description": "Grants permission to update the AWS Cloud9 IDE settings for a specified development environment", + "privilege": "UpdateEnvironmentSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the AWS Cloud9 IDE settings for a specified environment member", + "privilege": "UpdateMembershipSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update details about the connection to the SSH development environment, including host, user, and port", + "privilege": "UpdateSSHRemote", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update IDE-specific settings of an AWS Cloud9 user", "privilege": "UpdateUserSettings", "resource_types": [ { 
@@ -16845,6 +21474,18 @@ "resource_type": "" } ] + }, + { + "access_level": "Read", + "description": "Grants permission to validate the environment name during the process of creating an AWS Cloud9 development environment", + "privilege": "ValidateEnvironmentName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ @@ -17412,6 +22053,18 @@ } ] }, + { + "access_level": "List", + "description": "Lists the major version families of each managed schema. If a major version ARN is provided as SchemaArn, the minor version revisions in that family are listed instead.", + "privilege": "ListManagedSchemaArns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Lists all attributes associated with an object.", @@ -18263,6 +22916,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to enable users to import existing stacks to a new or existing stackset", + "privilege": "ImportStacksToStackSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stackset*" + } + ] + }, { "access_level": "List", "description": "Grants permission to return the ID and status of each active change set for a stack. For example, AWS CloudFormation lists change sets that are in the CREATE_IN_PROGRESS or CREATE_PENDING state", @@ -18407,6 +23072,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to record the handler progress", + "privilege": "RecordHandlerProgress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to register a new CloudFormation type", 
@@ -18648,17 +23325,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access based on the presence of tag keys in the request", "type": "String" } ], @@ -18666,7 +23343,19 @@ "privileges": [ { "access_level": "Write", - "description": "This action adds a new cache policy to CloudFront.", + "description": "Grants permission to associate an alias to a CloudFront distribution", + "privilege": "AssociateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "distribution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a new cache policy to CloudFront", "privilege": "CreateCachePolicy", "resource_types": [ { @@ -18678,7 +23367,7 @@ }, { "access_level": "Write", - "description": "This action creates a new CloudFront origin access identity.", + "description": "Grants permission to create a new CloudFront origin access identity", "privilege": "CreateCloudFrontOriginAccessIdentity", "resource_types": [ { @@ -18690,7 +23379,7 @@ }, { "access_level": "Write", - "description": "This action creates a new web distribution.", + "description": "Grants permission to create a new web distribution", "privilege": "CreateDistribution", "resource_types": [ { 
@@ -18701,8 +23390,8 @@ ] }, { - "access_level": "Tagging", - "description": "This action creates a new web distribution with tags.", + "access_level": "Write", + "description": "Grants permission to create a new web distribution with tags", "privilege": "CreateDistributionWithTags", "resource_types": [ { @@ -18722,7 +23411,7 @@ }, { "access_level": "Write", - "description": "This action creates a new field-level encryption configuration.", + "description": "Grants permission to create a new field-level encryption configuration", "privilege": "CreateFieldLevelEncryptionConfig", "resource_types": [ { @@ -18734,7 +23423,7 @@ }, { "access_level": "Write", - "description": "This action creates a field-level encryption profile.", + "description": "Grants permission to create a field-level encryption profile", "privilege": "CreateFieldLevelEncryptionProfile", "resource_types": [ { @@ -18746,7 +23435,19 @@ }, { "access_level": "Write", - "description": "This action creates a new invalidation batch request.", + "description": "Grants permission to create a CloudFront function", + "privilege": "CreateFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new invalidation batch request", "privilege": "CreateInvalidation", "resource_types": [ { 
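Review bot: `CreateDistributionWithTags` moves from `Tagging` to `Write` in the hunk at -18701, and `CreateStreamingDistributionWithTags` does the same at -18793, while the Cloud9 `TagResource` and `UntagResource` entries earlier in this diff move the other way, from `Write` to `Tagging`. Both CloudFront actions still attach tags at creation, judging by their names and descriptions. A review that lists `Tagging`-level permissions to find who can set tags, which matters where access is conditioned on tags, would therefore no longer include them. If the old classification is the right one, restore `"access_level": "Tagging",` on both entries; if the change is intended, mention it in the release notes so downstream consumers know the access level changed.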
@@ -18758,7 +23459,31 @@ }, { "access_level": "Write", - "description": "This action adds a new origin request policy to CloudFront.", + "description": "Grants permission to add a new key group to CloudFront", + "privilege": "CreateKeyGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable additional CloudWatch metrics for the specified CloudFront distribution. The additional metrics incur an additional cost", + "privilege": "CreateMonitoringSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a new origin request policy to CloudFront", "privilege": "CreateOriginRequestPolicy", "resource_types": [ { @@ -18770,7 +23495,7 @@ }, { "access_level": "Write", - "description": "This action adds a new public key to CloudFront.", + "description": "Grants permission to add a new public key to CloudFront", "privilege": "CreatePublicKey", "resource_types": [ { @@ -18782,7 +23507,19 @@ }, { "access_level": "Write", - "description": "This action creates a new RTMP distribution.", + "description": "Grants permission to create a real-time log configuration", + "privilege": "CreateRealtimeLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new RTMP distribution", "privilege": "CreateStreamingDistribution", "resource_types": [ { @@ -18793,8 +23530,8 @@ ] }, { - "access_level": "Tagging", - "description": "This action creates a new RTMP distribution with tags.", + "access_level": "Write", + "description": "Grants permission to create a new RTMP distribution with tags", "privilege": "CreateStreamingDistributionWithTags", "resource_types": [ { 
@@ -18814,7 +23551,7 @@ }, { "access_level": "Write", - "description": "This action deletes a cache policy.", + "description": "Grants permission to delete a cache policy", "privilege": "DeleteCachePolicy", "resource_types": [ { @@ -18826,7 +23563,7 @@ }, { "access_level": "Write", - "description": "This action deletes a CloudFront origin access identity.", + "description": "Grants permission to delete a CloudFront origin access identity", "privilege": "DeleteCloudFrontOriginAccessIdentity", "resource_types": [ { @@ -18838,7 +23575,7 @@ }, { "access_level": "Write", - "description": "This action deletes a web distribution.", + "description": "Grants permission to delete a web distribution", "privilege": "DeleteDistribution", "resource_types": [ { @@ -18850,7 +23587,7 @@ }, { "access_level": "Write", - "description": "This action deletes a field-level encryption configuration.", + "description": "Grants permission to delete a field-level encryption configuration", "privilege": "DeleteFieldLevelEncryptionConfig", "resource_types": [ { @@ -18862,7 +23599,7 @@ }, { "access_level": "Write", - "description": "This action deletes a field-level encryption profile.", + "description": "Grants permission to delete a field-level encryption profile", "privilege": "DeleteFieldLevelEncryptionProfile", "resource_types": [ { 
@@ -18874,7 +23611,43 @@ }, { "access_level": "Write", - "description": "This action deletes an origin request policy.", + "description": "Grants permission to delete a CloudFront function", + "privilege": "DeleteFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a key group", + "privilege": "DeleteKeyGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable additional CloudWatch metrics for the specified CloudFront distribution", + "privilege": "DeleteMonitoringSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an origin request policy", "privilege": "DeleteOriginRequestPolicy", "resource_types": [ { @@ -18886,7 +23659,7 @@ }, { "access_level": "Write", - "description": "This action deletes a public key from CloudFront.", + "description": "Grants permission to delete a public key from CloudFront", "privilege": "DeletePublicKey", "resource_types": [ { @@ -18898,7 +23671,19 @@ }, { "access_level": "Write", - "description": "This action deletes an RTMP distribution.", + "description": "Grants permission to delete a real-time log configuration", + "privilege": "DeleteRealtimeLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an RTMP distribution", "privilege": "DeleteStreamingDistribution", "resource_types": [ { 
@@ -18910,7 +23695,19 @@ }, { "access_level": "Read", - "description": "Get the cache policy", + "description": "Grants permission to get a CloudFront function summary", + "privilege": "DescribeFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the cache policy", "privilege": "GetCachePolicy", "resource_types": [ { @@ -18922,7 +23719,7 @@ }, { "access_level": "Read", - "description": "Get the cache policy configuration", + "description": "Grants permission to get the cache policy configuration", "privilege": "GetCachePolicyConfig", "resource_types": [ { @@ -18934,7 +23731,7 @@ }, { "access_level": "Read", - "description": "Get the information about a CloudFront origin access identity.", + "description": "Grants permission to get the information about a CloudFront origin access identity", "privilege": "GetCloudFrontOriginAccessIdentity", "resource_types": [ { @@ -18946,7 +23743,7 @@ }, { "access_level": "Read", - "description": "Get the configuration information about a Cloudfront origin access identity.", + "description": "Grants permission to get the configuration information about a Cloudfront origin access identity", "privilege": "GetCloudFrontOriginAccessIdentityConfig", "resource_types": [ { @@ -18958,7 +23755,7 @@ }, { "access_level": "Read", - "description": "Get the information about a web distribution.", + "description": "Grants permission to get the information about a web distribution", "privilege": "GetDistribution", "resource_types": [ { @@ -18970,7 +23767,7 @@ }, { "access_level": "Read", - "description": "Get the configuration information about a distribution.", + "description": "Grants permission to get the configuration information about a distribution", "privilege": "GetDistributionConfig", "resource_types": [ { 
@@ -18982,7 +23779,7 @@ }, { "access_level": "Read", - "description": "Get the field-level encryption configuration information.", + "description": "Grants permission to get the field-level encryption configuration information", "privilege": "GetFieldLevelEncryption", "resource_types": [ { @@ -18994,7 +23791,7 @@ }, { "access_level": "Read", - "description": "Get the field-level encryption configuration information.", + "description": "Grants permission to get the field-level encryption configuration information", "privilege": "GetFieldLevelEncryptionConfig", "resource_types": [ { @@ -19006,7 +23803,7 @@ }, { "access_level": "Read", - "description": "Get the field-level encryption configuration information.", + "description": "Grants permission to get the field-level encryption configuration information", "privilege": "GetFieldLevelEncryptionProfile", "resource_types": [ { @@ -19018,7 +23815,7 @@ }, { "access_level": "Read", - "description": "Get the field-level encryption profile configuration information.", + "description": "Grants permission to get the field-level encryption profile configuration information", "privilege": "GetFieldLevelEncryptionProfileConfig", "resource_types": [ { @@ -19030,7 +23827,19 @@ }, { "access_level": "Read", - "description": "Get the information about an invalidation.", + "description": "Grants permission to get a CloudFront function's code", + "privilege": "GetFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the information about an invalidation", "privilege": "GetInvalidation", "resource_types": [ { 
@@ -19042,7 +23851,43 @@ }, { "access_level": "Read", - "description": "Get the origin request policy", + "description": "Grants permission to get a key group", + "privilege": "GetKeyGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a key group configuration", + "privilege": "GetKeyGroupConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about whether additional CloudWatch metrics are enabled for the specified CloudFront distribution", + "privilege": "GetMonitoringSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the origin request policy", "privilege": "GetOriginRequestPolicy", "resource_types": [ { @@ -19054,7 +23899,7 @@ }, { "access_level": "Read", - "description": "Get the origin request policy configuration", + "description": "Grants permission to get the origin request policy configuration", "privilege": "GetOriginRequestPolicyConfig", "resource_types": [ { @@ -19066,7 +23911,7 @@ }, { "access_level": "Read", - "description": "Get the public key information.", + "description": "Grants permission to get the public key information", "privilege": "GetPublicKey", "resource_types": [ { @@ -19078,7 +23923,7 @@ }, { "access_level": "Read", - "description": "Get the public key configuration information.", + "description": "Grants permission to get the public key configuration information", "privilege": "GetPublicKeyConfig", "resource_types": [ { 
@@ -19090,7 +23935,19 @@ }, { "access_level": "Read", - "description": "Get the information about an RTMP distribution.", + "description": "Grants permission to get a real-time log configuration", + "privilege": "GetRealtimeLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the information about an RTMP distribution", "privilege": "GetStreamingDistribution", "resource_types": [ { @@ -19102,7 +23959,7 @@ }, { "access_level": "Read", - "description": "Get the configuration information about a streaming distribution.", + "description": "Grants permission to get the configuration information about a streaming distribution", "privilege": "GetStreamingDistributionConfig", "resource_types": [ { @@ -19114,7 +23971,7 @@ }, { "access_level": "List", - "description": "List all cache policies that have been created in CloudFront for this account.", + "description": "Grants permission to list all cache policies that have been created in CloudFront for this account", "privilege": "ListCachePolicies", "resource_types": [ { @@ -19126,7 +23983,7 @@ }, { "access_level": "List", - "description": "List your CloudFront origin access identities.", + "description": "Grants permission to list your CloudFront origin access identities", "privilege": "ListCloudFrontOriginAccessIdentities", "resource_types": [ { 
@@ -19138,7 +23995,19 @@ }, { "access_level": "List", - "description": "List the distributions associated with your AWS account.", + "description": "Grants permission to list all aliases that conflict with the given alias in CloudFront", + "privilege": "ListConflictingAliases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "distribution*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the distributions associated with your AWS account", "privilege": "ListDistributions", "resource_types": [ { @@ -19150,7 +24019,7 @@ }, { "access_level": "List", - "description": "List distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy.", + "description": "Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy", "privilege": "ListDistributionsByCachePolicyId", "resource_types": [ { @@ -19162,7 +24031,19 @@ }, { "access_level": "List", - "description": "List distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy.", + "description": "Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified key group", + "privilege": "ListDistributionsByKeyGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy", "privilege": "ListDistributionsByOriginRequestPolicyId", "resource_types": [ { 
@@ -19174,7 +24055,19 @@ }, { "access_level": "List", - "description": "List the distributions associated with your AWS account with given AWS WAF web ACL.", + "description": "Grants permission to get a list of distributions that have a cache behavior that\u2019s associated with the specified real-time log configuration", + "privilege": "ListDistributionsByRealtimeLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the distributions associated with your AWS account with given AWS WAF web ACL", "privilege": "ListDistributionsByWebACLId", "resource_types": [ { @@ -19186,7 +24079,7 @@ }, { "access_level": "List", - "description": "List all field-level encryption configurations that have been created in CloudFront for this account.", + "description": "Grants permission to list all field-level encryption configurations that have been created in CloudFront for this account", "privilege": "ListFieldLevelEncryptionConfigs", "resource_types": [ { @@ -19198,7 +24091,7 @@ }, { "access_level": "List", - "description": "List all field-level encryption profiles that have been created in CloudFront for this account.", + "description": "Grants permission to list all field-level encryption profiles that have been created in CloudFront for this account", "privilege": "ListFieldLevelEncryptionProfiles", "resource_types": [ { @@ -19210,7 +24103,19 @@ }, { "access_level": "List", - "description": "List your invalidation batches.", + "description": "Grants permission to get a list of CloudFront functions", + "privilege": "ListFunctions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list your invalidation batches", "privilege": "ListInvalidations", "resource_types": [ { 
@@ -19222,7 +24127,19 @@ }, { "access_level": "List", - "description": "List all origin request policies that have been created in CloudFront for this account.", + "description": "Grants permission to list all key groups that have been created in CloudFront for this account", + "privilege": "ListKeyGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all origin request policies that have been created in CloudFront for this account", "privilege": "ListOriginRequestPolicies", "resource_types": [ { @@ -19234,7 +24151,7 @@ }, { "access_level": "List", - "description": "List all public keys that have been added to CloudFront for this account.", + "description": "Grants permission to list all public keys that have been added to CloudFront for this account", "privilege": "ListPublicKeys", "resource_types": [ { @@ -19246,7 +24163,19 @@ }, { "access_level": "List", - "description": "List your RTMP distributions.", + "description": "Grants permission to get a list of real-time log configurations", + "privilege": "ListRealtimeLogConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list your RTMP distributions", "privilege": "ListStreamingDistributions", "resource_types": [ { @@ -19258,7 +24187,7 @@ }, { "access_level": "Read", - "description": "List tags for a CloudFront resource.", + "description": "Grants permission to list tags for a CloudFront resource", "privilege": "ListTagsForResource", "resource_types": [ { 
@@ -19273,9 +24202,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to publish a CloudFront function", + "privilege": "PublishFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", - "description": "Add tags to a CloudFront resource.", + "description": "Grants permission to add tags to a CloudFront resource", "privilege": "TagResource", "resource_types": [ { @@ -19298,9 +24239,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to test a CloudFront function", + "privilege": "TestFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", - "description": "Remove tags from a CloudFront resource.", + "description": "Grants permission to remove tags from a CloudFront resource", "privilege": "UntagResource", "resource_types": [ { @@ -19324,7 +24277,7 @@ }, { "access_level": "Write", - "description": "This action updates a cache policy.", + "description": "Grants permission to update a cache policy", "privilege": "UpdateCachePolicy", "resource_types": [ { @@ -19336,7 +24289,7 @@ }, { "access_level": "Write", - "description": "This action sets the configuration for a CloudFront origin access identity.", + "description": "Grants permission to set the configuration for a CloudFront origin access identity", "privilege": "UpdateCloudFrontOriginAccessIdentity", "resource_types": [ { @@ -19348,7 +24301,7 @@ }, { "access_level": "Write", - "description": "This action updates the configuration for a web distribution.", + "description": "Grants permission to update the configuration for a web distribution", "privilege": "UpdateDistribution", "resource_types": [ { 
@@ -19360,7 +24313,7 @@ }, { "access_level": "Write", - "description": "This action updates a field-level encryption configuration.", + "description": "Grants permission to update a field-level encryption configuration", "privilege": "UpdateFieldLevelEncryptionConfig", "resource_types": [ { @@ -19372,7 +24325,7 @@ }, { "access_level": "Write", - "description": "This action updates a field-level encryption profile.", + "description": "Grants permission to update a field-level encryption profile", "privilege": "UpdateFieldLevelEncryptionProfile", "resource_types": [ { @@ -19384,7 +24337,31 @@ }, { "access_level": "Write", - "description": "This action updates an origin request policy.", + "description": "Grants permission to update a CloudFront function", + "privilege": "UpdateFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a key group", + "privilege": "UpdateKeyGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an origin request policy", "privilege": "UpdateOriginRequestPolicy", "resource_types": [ { @@ -19396,7 +24373,7 @@ }, { "access_level": "Write", - "description": "This action updates public key information.", + "description": "Grants permission to update public key information", "privilege": "UpdatePublicKey", "resource_types": [ { 
@@ -19408,7 +24385,19 @@ }, { "access_level": "Write", - "description": "This action updates the configuration for an RTMP distribution.", + "description": "Grants permission to update a real-time log configuration", + "privilege": "UpdateRealtimeLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the configuration for an RTMP distribution", "privilege": "UpdateStreamingDistribution", "resource_types": [ { @@ -19458,6 +24447,16 @@ "arn": "arn:${Partition}:cloudfront::${Account}:origin-request-policy/${Id}", "condition_keys": [], "resource": "origin-request-policy" + }, + { + "arn": "arn:${Partition}:cloudfront::${Account}:realtime-log-config/${Name}", + "condition_keys": [], + "resource": "realtime-log-config" + }, + { + "arn": "arn:${Partition}:cloudfront::${Account}:function/${Name}", + "condition_keys": [], + "resource": "function" } ], "service_name": "Amazon CloudFront" @@ -19791,6 +24790,30 @@ } ] }, + { + "access_level": "Write", + "description": "Modifies attributes for AWS CloudHSM backup", + "privilege": "ModifyBackupAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "backup*" + } + ] + }, + { + "access_level": "Write", + "description": "Modifies AWS CloudHSM cluster.", + "privilege": "ModifyCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, { "access_level": "Write", "description": "Modifies an existing high-availability partition group", @@ -20335,7 +25358,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to connect to a CloudShell environment from the AWS Console", + "description": "Grants permissions to connect to a CloudShell environment from the AWS Management Console", "privilege": "CreateSession", "resource_types": [ { 
@@ -20345,6 +25368,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a CloudShell environment", + "privilege": "DeleteEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to read a CloudShell environment status", + "privilege": "GetEnvironmentStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] + }, { "access_level": "Write", "description": "Grants permissions to download files from a CloudShell environment", @@ -20380,6 +25427,30 @@ "resource_type": "Environment*" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a stopped CloudShell environment", + "privilege": "StartEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a running CloudShell environment", + "privilege": "StopEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] } ], "resources": [ @@ -20640,6 +25711,11 @@ "description": "Filters actions based on the presence of mandatory tags in the request", "type": "String" }, + { + "condition": "cloudwatch:AlarmActions", + "description": "Filters actions based on defined alarm actions", + "type": "String" + }, { "condition": "cloudwatch:namespace", "description": "Filters actions based on the presence of optional namespace values", 
@@ -20662,7 +25738,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the specified anomaly detection model from your account.", + "description": "Grants permission to delete the specified anomaly detection model from your account", "privilege": "DeleteAnomalyDetector", "resource_types": [ { @@ -20696,6 +25772,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the CloudWatch metric stream that you specify", + "privilege": "DeleteMetricStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-stream*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the history for the specified alarm", @@ -20734,7 +25822,7 @@ }, { "access_level": "Read", - "description": "Grants permission to lists the anomaly detection models that you have created in your account.", + "description": "Grants permission to list the anomaly detection models that you have created in your account", "privilege": "DescribeAnomalyDetectors", "resource_types": [ { @@ -20852,6 +25940,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return the details of a CloudWatch metric stream", + "privilege": "GetMetricStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-stream*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve snapshots of metric widgets", @@ -20876,6 +25976,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to return a list of all CloudWatch metric streams in your account", + "privilege": "ListMetricStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to retrieve a list of valid metrics stored for the AWS account owner", 
@@ -20907,7 +26019,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create or update an anomaly detection model for a CloudWatch metric.", + "description": "Grants permission to create or update an anomaly detection model for a CloudWatch metric", "privilege": "PutAnomalyDetector", "resource_types": [ { @@ -20930,7 +26042,8 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "cloudwatch:AlarmActions" ], "dependent_actions": [], "resource_type": "" @@ -20982,7 +26095,8 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "cloudwatch:AlarmActions" ], "dependent_actions": [], "resource_type": "" @@ -21003,6 +26117,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a CloudWatch metric stream, or update an existing metric stream if it already exists", + "privilege": "PutMetricStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-stream*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to temporarily set the state of an alarm for testing purposes", @@ -21015,6 +26141,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start all CloudWatch metric streams that you specify", + "privilege": "StartMetricStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop all CloudWatch metric streams that you specify", + "privilege": "StopMetricStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-stream*" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to add tags to an Amazon CloudWatch resource", 
@@ -21084,6 +26234,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "insight-rule" + }, + { + "arn": "arn:${Partition}:cloudwatch:${Region}:${Account}:metric-stream/${MetricStreamName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "metric-stream" } ], "service_name": "Amazon CloudWatch" @@ -21934,6 +27091,18 @@ } ] }, + { + "access_level": "Read", + "description": "Analyzes and accumulates test report values for the test reports in the specified report group.", + "privilege": "GetReportGroupTrend", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "report-group*" + } + ] + }, { "access_level": "Read", "description": "Returns a resource policy for the specified project or report group.", @@ -22264,6 +27433,26 @@ } ] }, + { + "access_level": "Write", + "description": "Changes the public visibility of a project and its builds.", + "privilege": "UpdateProjectVisibility", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Updates information about a report.", @@ -23338,7 +28527,7 @@ ] }, { - "access_level": "Write", + "access_level": "Tagging", "description": "Grants permission to attach resource tags to a CodeCommit resource ARN", "privilege": "TagResource", "resource_types": [ @@ -23371,7 +28560,7 @@ ] }, { - "access_level": "Write", + "access_level": "Tagging", "description": "Grants permission to disassociate resource tags from a CodeCommit resource ARN", "privilege": "UntagResource", "resource_types": [ 
@@ -24573,17 +29762,27 @@ }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" + }, { "condition": "aws:ResourceTag/${TagKey}", "description": "Filters actions based on tag key-value pairs attached to the resource", "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" } ], "prefix": "codeguru-reviewer", "privileges": [ { "access_level": "Write", - "description": "Grants permission to associates a repository with Amazon CodeGuru Reviewer.", + "description": "Grants permission to associates a repository with Amazon CodeGuru Reviewer", "privilege": "AssociateRepository", "resource_types": [ { 
@@ -24593,15 +29792,58 @@ "codecommit:TagResource", "events:PutRule", "events:PutTargets", - "iam:CreateServiceLinkedRole" + "iam:CreateServiceLinkedRole", + "s3:CreateBucket", + "s3:ListBucket", + "s3:PutBucketPolicy", + "s3:PutLifecycleConfiguration" ], + "resource_type": "association*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], "resource_type": "repository" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a code review", + "privilege": "CreateCodeReview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:GetObject" + ], + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to perform webbased oauth handshake for 3rd party providers.", + "description": "Grants permission to perform webbased oauth handshake for 3rd party providers", "privilege": "CreateConnectionToken", "resource_types": [ { 
@@ -24613,43 +29855,64 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a code review.", + "description": "Grants permission to describe a code review", "privilege": "DescribeCodeReview", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "codereview*" + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a recommendation feedback on a code review.", + "description": "Grants permission to describe a recommendation feedback on a code review", "privilege": "DescribeRecommendationFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "codereview*" + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a repository association.", + "description": "Grants permission to describe a repository association", "privilege": "DescribeRepositoryAssociation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a repository with Amazon CodeGuru Reviewer.", + "description": "Grants permission to disassociate a repository with Amazon CodeGuru Reviewer", "privilege": "DisassociateRepository", "resource_types": [ { 
@@ -24660,12 +29923,19 @@ "events:RemoveTargets" ], "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view pull request metrics in console.", + "description": "Grants permission to view pull request metrics in console", "privilege": "GetMetricsData", "resource_types": [ { @@ -24677,7 +29947,7 @@ }, { "access_level": "List", - "description": "Grants permission to list summary of code reviews.", + "description": "Grants permission to list summary of code reviews", "privilege": "ListCodeReviews", "resource_types": [ { @@ -24689,13 +29959,20 @@ }, { "access_level": "List", - "description": "Grants permission to list summary of recommendation feedback on a code review.", + "description": "Grants permission to list summary of recommendation feedback on a code review", "privilege": "ListRecommendationFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "codereview*" + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -24707,13 +29984,20 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "codereview*" + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list summary of repository associations.", + "description": "Grants permission to list summary of repository associations", "privilege": "ListRepositoryAssociations", "resource_types": [ { 
@@ -24723,9 +30007,28 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the resource attached to a associated repository ARN", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Grants permission to list 3rd party providers repositories in console.", + "description": "Grants permission to list 3rd party providers repositories in console", "privilege": "ListThirdPartyRepositories", "resource_types": [ { 
@@ -24737,25 +30040,70 @@ }, { "access_level": "Write", - "description": "Grants permission to put feedback for a recommendation on a code review.", + "description": "Grants permission to put feedback for a recommendation on a code review", "privilege": "PutRecommendationFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "codereview*" + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to attach resource tags to an associated repository ARN", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to disassociate resource tags from an associated repository ARN", + "privilege": "UnTagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "association*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:codeguru-reviewer::${Account}:association:${ResourceId}", + "arn": "arn:${Partition}:codeguru-reviewer:${Region}:${Account}:association:${ResourceId}", "condition_keys": [], "resource": "association" }, { - "arn": "arn:${Partition}:codeguru-reviewer::${Account}:.+:.+", + "arn": "arn:${Partition}:codeguru-reviewer:${Region}:${Account}:association:${ResourceId}:codereview:${CodeReviewId}", "condition_keys": [], "resource": "codereview" }, 
@@ -24765,6 +30113,11 @@ "aws:ResourceTag/${TagKey}" ], "resource": "repository" + }, + { + "arn": "arn:${Partition}:codestar-connections:${Region}:${Account}:connection/${ConnectionId}", + "condition_keys": [], + "resource": "connection" } ], "service_name": "Amazon CodeGuru Reviewer" @@ -24814,7 +30167,7 @@ ] }, { - "access_level": "Tagging", + "access_level": "Write", "description": "Grants permission to create a custom action that you can use in the pipelines associated with your AWS account", "privilege": "CreateCustomActionType", "resource_types": [ @@ -24834,7 +30187,7 @@ ] }, { - "access_level": "Tagging", + "access_level": "Write", "description": "Grants permission to create a uniquely named pipeline", "privilege": "CreatePipeline", "resource_types": [ @@ -24925,6 +30278,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view information about an action type", + "privilege": "GetActionType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view information about a job (custom actions only)", @@ -25164,7 +30529,7 @@ ] }, { - "access_level": "Tagging", + "access_level": "Write", "description": "Grants permission to create or update a webhook", "privilege": "PutWebhook", "resource_types": [ @@ -25295,6 +30660,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an action type", + "privilege": "UpdateActionType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "actiontype*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a pipeline with changes to the structure of the pipeline", 
@@ -25641,6 +31018,18 @@ "resource_type": "user*" } ] + }, + { + "access_level": "List", + "description": "Verifies whether the AWS CodeStar service role exists in the customer's account.", + "privilege": "VerifyServiceRole", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ @@ -26359,17 +31748,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request.", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource.", + "description": "Filters actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access by a key that is present in the request.", + "description": "Filters access by a key that is present in the request", "type": "String" } ], @@ -26377,14 +31766,13 @@ "privileges": [ { "access_level": "Write", - "description": "Creates a new identity pool.", + "description": "Grants permission to create a new identity pool", "privilege": "CreateIdentityPool", "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -26393,7 +31781,7 @@ }, { "access_level": "Write", - "description": "Deletes identities from an identity pool. You can specify a list of 1-60 identities that you want to delete.", + "description": "Grants permission to delete identities from an identity pool. You can specify a list of 1-60 identities that you want to delete", "privilege": "DeleteIdentities", "resource_types": [ { 
@@ -26405,7 +31793,7 @@ }, { "access_level": "Write", - "description": "Deletes a user pool. Once a pool is deleted, users will not be able to authenticate with the pool.", + "description": "Grants permission to delete a user pool. Once a pool is deleted, users will not be able to authenticate with the pool", "privilege": "DeleteIdentityPool", "resource_types": [ { @@ -26417,7 +31805,7 @@ }, { "access_level": "Read", - "description": "Returns metadata related to the given identity, including when the identity was created and any associated linked logins.", + "description": "Grants permission to return metadata related to the given identity, including when the identity was created and any associated linked logins", "privilege": "DescribeIdentity", "resource_types": [ { @@ -26429,7 +31817,7 @@ }, { "access_level": "Read", - "description": "Gets details about a particular identity pool, including the pool name, ID description, creation date, and current number of users.", + "description": "Grants permission to get details about a particular identity pool, including the pool name, ID description, creation date, and current number of users", "privilege": "DescribeIdentityPool", "resource_types": [ { @@ -26441,7 +31829,7 @@ }, { "access_level": "Read", - "description": "Returns credentials for the provided identity ID.", + "description": "Grants permission to return credentials for the provided identity ID", "privilege": "GetCredentialsForIdentity", "resource_types": [ { @@ -26453,7 +31841,7 @@ }, { "access_level": "Write", - "description": "Generates (or retrieves) a Cognito ID. Supplying multiple logins will create an implicit linked account.", + "description": "Grants permission to generate (or retrieve) a Cognito ID. Supplying multiple logins will create an implicit linked account", "privilege": "GetId", "resource_types": [ { 
@@ -26465,7 +31853,7 @@ }, { "access_level": "Read", - "description": "Gets the roles for an identity pool.", + "description": "Grants permission to get the roles for an identity pool", "privilege": "GetIdentityPoolRoles", "resource_types": [ { @@ -26477,7 +31865,7 @@ }, { "access_level": "Read", - "description": "Gets an OpenID token, using a known Cognito ID.", + "description": "Grants permission to get an OpenID token, using a known Cognito ID", "privilege": "GetOpenIdToken", "resource_types": [ { @@ -26489,7 +31877,7 @@ }, { "access_level": "Read", - "description": "Registers (or retrieves) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process.", + "description": "Grants permission to register (or retrieve) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process", "privilege": "GetOpenIdTokenForDeveloperIdentity", "resource_types": [ { @@ -26499,9 +31887,21 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the principal tags for an identity pool and provider", + "privilege": "GetPrincipalTagAttributeMap", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identitypool*" + } + ] + }, { "access_level": "List", - "description": "Lists the identities in a pool.", + "description": "Grants permission to list the identities in an identity pool", "privilege": "ListIdentities", "resource_types": [ { @@ -26513,7 +31913,7 @@ }, { "access_level": "List", - "description": "Lists all of the Cognito identity pools registered for your account.", + "description": "Grants permission to list all of the Cognito identity pools registered for your account", "privilege": "ListIdentityPools", "resource_types": [ { 
@@ -26524,27 +31924,20 @@ ] }, { - "access_level": "List", - "description": "Lists the tags that are assigned to an Amazon Cognito identity pool.", + "access_level": "Read", + "description": "Grants permission to list the tags that are assigned to an Amazon Cognito identity pool", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "identitypool" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { "access_level": "Read", - "description": "Retrieves the IdentityID associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity.", + "description": "Grants permission to retrieve the IdentityId associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity", "privilege": "LookupDeveloperIdentity", "resource_types": [ { @@ -26556,7 +31949,7 @@ }, { "access_level": "Write", - "description": "Merges two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider.", + "description": "Grants permission to merge two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider", "privilege": "MergeDeveloperIdentities", "resource_types": [ { @@ -26568,7 +31961,7 @@ }, { "access_level": "Write", - "description": "Sets the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action.", + "description": "Grants permission to set the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action", "privilege": "SetIdentityPoolRoles", "resource_types": [ { 
@@ -26578,9 +31971,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to set the principal tags for an identity pool and provider. These tags are used when making calls to GetOpenIdToken action", + "privilege": "SetPrincipalTagAttributeMap", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", - "description": "Assigns a set of tags to an Amazon Cognito identity pool.", + "description": "Grants permission to assign a set of tags to an Amazon Cognito identity pool", "privilege": "TagResource", "resource_types": [ { @@ -26591,8 +31996,7 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -26601,7 +32005,7 @@ }, { "access_level": "Write", - "description": "Unlinks a DeveloperUserIdentifier from an existing identity.", + "description": "Grants permission to unlink a DeveloperUserIdentifier from an existing identity", "privilege": "UnlinkDeveloperIdentity", "resource_types": [ { @@ -26613,7 +32017,7 @@ }, { "access_level": "Write", - "description": "Unlinks a federated identity from an existing account.", + "description": "Grants permission to unlink a federated identity from an existing account", "privilege": "UnlinkIdentity", "resource_types": [ { @@ -26625,7 +32029,7 @@ }, { "access_level": "Tagging", - "description": "Removes the specified tags from an Amazon Cognito identity pool.", + "description": "Grants permission to remove the specified tags from an Amazon Cognito identity pool", "privilege": "UntagResource", "resource_types": [ { @@ -26635,8 +32039,7 @@ }, { "condition_keys": [ - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
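Review bot: `SetPrincipalTagAttributeMap`, added in the first hunk on this line, is a Write action declared with `"resource_type": ""`, while its read counterpart `GetPrincipalTagAttributeMap`, added earlier in this diff, is bound to `identitypool*`. If the action accepts an identity pool ARN like the getter does, the empty resource type would presumably lead the linter to expect `"Resource": "*"` and to report a policy that scopes this write to a single pool. In that case the entry should read `"resource_type": "identitypool*"`. The description says these tags are used when calling `GetOpenIdToken`, so the pair is worth checking against the service's published action table before release.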
@@ -26645,7 +32048,7 @@ }, { "access_level": "Write", - "description": "Updates a user pool.", + "description": "Grants permission to update an identity pool", "privilege": "UpdateIdentityPool", "resource_types": [ { @@ -28195,24 +33598,29 @@ "description": "Filters access to create requests based on the presence of mandatory tags in the request", "type": "String" }, + { + "condition": "comprehend:ModelKmsKey", + "description": "Filters access by the model KMS key associated with the resource in the request", + "type": "ARN" + }, { "condition": "comprehend:OutputKmsKey", - "description": "Filters access by the output KMS key associated with the resource in the request.", + "description": "Filters access by the output KMS key associated with the resource in the request", "type": "ARN" }, { "condition": "comprehend:VolumeKmsKey", - "description": "Filters access by the volume KMS key associated with the resource in the request.", + "description": "Filters access by the volume KMS key associated with the resource in the request", "type": "ARN" }, { "condition": "comprehend:VpcSecurityGroupIds", - "description": "Filters access by the list of all VPC security group ids associated with the resource in the request.", + "description": "Filters access by the list of all VPC security group ids associated with the resource in the request", "type": "ArrayOfString" }, { "condition": "comprehend:VpcSubnets", - "description": "Filters access by the list of all VPC subnets associated with the resource in the request.", + "description": "Filters access by the list of all VPC subnets associated with the resource in the request", "type": "ArrayOfString" } ], 
@@ -28290,16 +33698,34 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to classify the personally identifiable information within given documents at realtime", + "privilege": "ContainsPiiEntities", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new document classifier that you can use to categorize documents", "privilege": "CreateDocumentClassifier", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classifier*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "comprehend:VolumeKmsKey", + "comprehend:ModelKmsKey", "comprehend:OutputKmsKey", "comprehend:VpcSecurityGroupIds", "comprehend:VpcSubnets" @@ -28319,11 +33745,21 @@ "dependent_actions": [], "resource_type": "document-classifier*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classifier-endpoint*" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "entity-recognizer*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-recognizer-endpoint*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -28339,11 +33775,17 @@ "description": "Grants permission to create an entity recognizer using submitted files", "privilege": "CreateEntityRecognizer", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-recognizer*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "comprehend:VolumeKmsKey", + "comprehend:ModelKmsKey", "comprehend:VpcSecurityGroupIds", "comprehend:VpcSubnets" ], @@ -28401,7 +33843,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "document-classification-job*" } ] }, 
@@ -28425,7 +33867,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dominant-language-detection-job*" } ] }, @@ -28454,7 +33896,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "entities-detection-job*" } ] }, @@ -28478,7 +33920,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "events-detection-job*" } ] }, @@ -28490,7 +33932,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "key-phrases-detection-job*" } ] }, @@ -28502,7 +33944,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "pii-entities-detection-job*" } ] }, @@ -28514,7 +33956,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "sentiment-detection-job*" } ] }, @@ -28526,7 +33968,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "topics-detection-job*" } ] }, @@ -28603,7 +34045,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of the document classification jobs that you have submitted", "privilege": "ListDocumentClassificationJobs", "resource_types": [ @@ -28615,7 +34057,19 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to get a list of summaries of the document classifiers that you have created", + "privilege": "ListDocumentClassifierSummaries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to get a list of the document classifiers that you have created", "privilege": "ListDocumentClassifiers", "resource_types": [ 
@@ -28627,7 +34081,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of the dominant language detection jobs that you have submitted", "privilege": "ListDominantLanguageDetectionJobs", "resource_types": [ @@ -28639,7 +34093,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of all existing endpoints that you've created", "privilege": "ListEndpoints", "resource_types": [ @@ -28651,7 +34105,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of the entity detection jobs that you have submitted", "privilege": "ListEntitiesDetectionJobs", "resource_types": [ @@ -28663,7 +34117,19 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to get a list of summaries for the entity recognizers that you have created", + "privilege": "ListEntityRecognizerSummaries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to get a list of the properties of all entity recognizers that you created, including recognizers currently in training", "privilege": "ListEntityRecognizers", "resource_types": [ @@ -28675,7 +34141,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of Events detection jobs that you have submitted", "privilege": "ListEventsDetectionJobs", "resource_types": [ @@ -28687,7 +34153,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of key phrase detection jobs that you have submitted", "privilege": "ListKeyPhrasesDetectionJobs", "resource_types": [ 
@@ -28699,7 +34165,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of PII entities detection jobs that you have submitted", "privilege": "ListPiiEntitiesDetectionJobs", "resource_types": [ @@ -28711,7 +34177,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of sentiment detection jobs that you have submitted", "privilege": "ListSentimentDetectionJobs", "resource_types": [ @@ -28723,10 +34189,15 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classification-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -28737,6 +34208,16 @@ "dependent_actions": [], "resource_type": "document-classifier-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dominant-language-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entities-detection-job" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -28746,11 +34227,36 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "entity-recognizer-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "events-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "key-phrases-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pii-entities-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "sentiment-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "topics-detection-job" } ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to get a list of the topic detection jobs that you have submitted", "privilege": "ListTopicsDetectionJobs", "resource_types": [ @@ -28766,6 +34272,11 @@ "description": "Grants permission to start an asynchronous document classification job", "privilege": "StartDocumentClassificationJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classification-job*" + }, { "condition_keys": [], "dependent_actions": [], @@ -28773,6 +34284,8 @@ }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:VolumeKmsKey", "comprehend:OutputKmsKey", "comprehend:VpcSecurityGroupIds", @@ -28788,8 +34301,15 @@ "description": "Grants permission to start an asynchronous dominant language detection job for a collection of documents", "privilege": "StartDominantLanguageDetectionJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dominant-language-detection-job*" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:VolumeKmsKey", "comprehend:OutputKmsKey", "comprehend:VpcSecurityGroupIds", 
@@ -28805,6 +34325,11 @@ "description": "Grants permission to start an asynchronous entity detection job for a collection of documents", "privilege": "StartEntitiesDetectionJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entities-detection-job*" + }, { "condition_keys": [], "dependent_actions": [], @@ -28812,6 +34337,8 @@ }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:VolumeKmsKey", "comprehend:OutputKmsKey", "comprehend:VpcSecurityGroupIds", @@ -28827,8 +34354,15 @@ "description": "Grants permission to start an asynchronous Events detection job for a collection of documents", "privilege": "StartEventsDetectionJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "events-detection-job*" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:OutputKmsKey" ], "dependent_actions": [], @@ -28841,8 +34375,15 @@ "description": "Grants permission to start an asynchronous key phrase detection job for a collection of documents", "privilege": "StartKeyPhrasesDetectionJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "key-phrases-detection-job*" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:VolumeKmsKey", "comprehend:OutputKmsKey", "comprehend:VpcSecurityGroupIds", @@ -28858,8 +34399,15 @@ "description": "Grants permission to start an asynchronous PII entities detection job for a collection of documents", "privilege": "StartPiiEntitiesDetectionJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pii-entities-detection-job*" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:OutputKmsKey" ], "dependent_actions": [], 
@@ -28872,8 +34420,15 @@ "description": "Grants permission to start an asynchronous sentiment detection job for a collection of documents", "privilege": "StartSentimentDetectionJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "sentiment-detection-job*" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:VolumeKmsKey", "comprehend:OutputKmsKey", "comprehend:VpcSecurityGroupIds", @@ -28889,8 +34444,15 @@ "description": "Grants permission to start an asynchronous job to detect the most common topics in the collection of documents and the phrases associated with each topic", "privilege": "StartTopicsDetectionJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "topics-detection-job*" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "comprehend:VolumeKmsKey", "comprehend:OutputKmsKey", "comprehend:VpcSecurityGroupIds", @@ -28909,7 +34471,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dominant-language-detection-job*" } ] }, @@ -28921,7 +34483,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "entities-detection-job*" } ] }, @@ -28933,7 +34495,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "events-detection-job*" } ] }, @@ -28945,7 +34507,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "key-phrases-detection-job*" } ] }, @@ -28957,7 +34519,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "pii-entities-detection-job*" } ] }, @@ -28969,7 +34531,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "sentiment-detection-job*" } ] }, 
@@ -29002,6 +34564,11 @@ "description": "Grants permission to tag a resource with given key value pairs", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classification-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -29012,6 +34579,16 @@ "dependent_actions": [], "resource_type": "document-classifier-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dominant-language-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entities-detection-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -29022,6 +34599,31 @@ "dependent_actions": [], "resource_type": "entity-recognizer-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "events-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "key-phrases-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pii-entities-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "sentiment-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "topics-detection-job" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -29037,6 +34639,11 @@ "description": "Grants permission to untag a resource with given key", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document-classification-job" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -29047,6 +34654,16 @@ "dependent_actions": [], "resource_type": "document-classifier-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dominant-language-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entities-detection-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -29057,6 +34674,31 @@ "dependent_actions": [], "resource_type": "entity-recognizer-endpoint" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "events-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "key-phrases-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pii-entities-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "sentiment-detection-job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "topics-detection-job" + }, { "condition_keys": [ "aws:TagKeys" 
@@ -29112,6 +34754,62 @@ "aws:ResourceTag/${TagKey}" ], "resource": "entity-recognizer-endpoint" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:dominant-language-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dominant-language-detection-job" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:entities-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "entities-detection-job" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:pii-entities-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "pii-entities-detection-job" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:events-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "events-detection-job" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:key-phrases-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "key-phrases-detection-job" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:sentiment-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "sentiment-detection-job" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:topics-detection-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "topics-detection-job" + }, + { + "arn": "arn:${Partition}:comprehend:${Region}:${Account}:document-classification-job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "document-classification-job" } ], "service_name": "Amazon Comprehend" 
@@ -29148,6 +34846,270 @@ "resources": [], "service_name": "Comprehend Medical" }, + { + "conditions": [ + { + "condition": "aws:SourceArn", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "aws:SourceVpc", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "comprehendmedical", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to describe the properties of a medical entity detection job that you have submitted", + "privilege": "DescribeEntitiesDetectionV2Job", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the properties of an ICD-10-CM linking job that you have submitted", + "privilege": "DescribeICD10CMInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the properties of a PHI entity detection job that you have submitted", + "privilege": "DescribePHIDetectionJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the properties of an RxNorm linking job that you have submitted", + "privilege": "DescribeRxNormInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to detect the named medical entities, and their relationships and traits within the given text document", + 
"privilege": "DetectEntitiesV2", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to detect the protected health information (PHI) entities within the given text document", + "privilege": "DetectPHI", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to detect the medical condition entities within the given text document and link them to ICD-10-CM codes", + "privilege": "InferICD10CM", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to detect the medication entities within the given text document and link them to RxCUI concept identifiers from the National Library of Medicine RxNorm database", + "privilege": "InferRxNorm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the medical entity detection jobs that you have submitted", + "privilege": "ListEntitiesDetectionV2Jobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the ICD-10-CM linking jobs that you have submitted", + "privilege": "ListICD10CMInferenceJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the PHI entity detection jobs that you have submitted", + "privilege": "ListPHIDetectionJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + 
"access_level": "Read", + "description": "Grants permission to list the RxNorm linking jobs that you have submitted", + "privilege": "ListRxNormInferenceJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an asynchronous medical entity detection job for a collection of documents", + "privilege": "StartEntitiesDetectionV2Job", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an asynchronous ICD-10-CM linking job for a collection of documents", + "privilege": "StartICD10CMInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an asynchronous PHI entity detection job for a collection of documents", + "privilege": "StartPHIDetectionJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an asynchronous RxNorm linking job for a collection of documents", + "privilege": "StartRxNormInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a medical entity detection job", + "privilege": "StopEntitiesDetectionV2Job", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop an ICD-10-CM linking job", + "privilege": "StopICD10CMInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + 
}, + { + "access_level": "Write", + "description": "Grants permission to stop a PHI entity detection job", + "privilege": "StopPHIDetectionJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop an RxNorm linking job", + "privilege": "StopRxNormInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "Amazon Comprehend Medical" + }, { "conditions": [], "prefix": "compute-optimizer", @@ -29179,6 +35141,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to export EBS volume recommendations to S3 for the provided accounts", + "privilege": "ExportEBSVolumeRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "compute-optimizer:GetEBSVolumeRecommendations", + "ec2:DescribeVolumes" + ], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to export EC2 instance recommendations to S3 for the provided accounts", @@ -29194,6 +35171,22 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to export Lambda function recommendations to S3 for the provided accounts", + "privilege": "ExportLambdaFunctionRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "compute-optimizer:GetLambdaFunctionRecommendations", + "lambda:ListFunctions", + "lambda:ListProvisionedConcurrencyConfigs" + ], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to get recommendations for the provided autoscaling groups", 
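Review bot: In the added `comprehendmedical` service block, the `aws:SourceArn` and `aws:SourceVpc` conditions both carry the `aws:TagKeys` description, "Filters actions based on the presence of tag keys in the request". `aws:SourceArn` is also typed `String`, where the ARN-valued keys elsewhere in this file (for example `comprehend:OutputKmsKey`) use `ARN`. A linter that checks condition operators against the declared type could then mis-report `ArnLike` or `ArnEquals` on that key, so the entry would read better as `"type": "ARN"` with a description of its own. The context line just above the addition closes a block named "Comprehend Medical"; its prefix is outside the hunk, but if it is also `comprehendmedical` the two entries should be merged so that a lookup by prefix sees one action list.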
@@ -29262,6 +35255,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to get the enrollment statuses for member accounts of the organization", + "privilege": "GetEnrollmentStatusesForOrganization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to get recommendations for the provided lambda functions", @@ -29670,7 +35675,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to return a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules", "privilege": "DescribeAggregateComplianceByConfigRules", "resource_types": [ @@ -29681,6 +35686,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return a list of compliant and noncompliant conformance packs along with count of compliant, non-compliant and total rules within each conformance pack", + "privilege": "DescribeAggregateComplianceByConformancePacks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationAggregator*" + } + ] + }, { "access_level": "List", "description": "Grants permission to return a list of authorizations granted to various aggregator accounts and regions", @@ -29694,7 +35711,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to indicate whether the specified AWS Config rules are compliant", "privilege": "DescribeComplianceByConfigRule", "resource_types": [ @@ -29706,7 +35723,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to indicate whether the specified AWS resources are compliant", "privilege": "DescribeComplianceByResource", "resource_types": [ 
@@ -29718,7 +35735,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to return status information for each of your AWS managed Config rules", "privilege": "DescribeConfigRuleEvaluationStatus", "resource_types": [ @@ -29742,7 +35759,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to return status information for sources within an aggregator", "privilege": "DescribeConfigurationAggregatorSourcesStatus", "resource_types": [ @@ -29766,7 +35783,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to return the current status of the specified configuration recorder", "privilege": "DescribeConfigurationRecorderStatus", "resource_types": [ @@ -29814,7 +35831,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to return a list of one or more conformance packs", "privilege": "DescribeConformancePacks", "resource_types": [ @@ -29826,7 +35843,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to return the current status of the specified delivery channel", "privilege": "DescribeDeliveryChannelStatus", "resource_types": [ @@ -29862,7 +35879,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to return a list of organization config rules", "privilege": "DescribeOrganizationConfigRules", "resource_types": [ @@ -29886,7 +35903,7 @@ ] }, { - "access_level": "Read", + "access_level": "List", "description": "Grants permission to return a list of organization conformance packs", "privilege": "DescribeOrganizationConformancePacks", "resource_types": [ 
@@ -29934,7 +35951,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to provide a detailed view of a Remediation Execution for a set of resources including state, timestamps and any error messages for steps that have failed", "privilege": "DescribeRemediationExecutionStatus", "resource_types": [ @@ -29981,6 +35998,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return the number of compliant and noncompliant conformance packs for one or more accounts and regions in an aggregator", + "privilege": "GetAggregateConformancePackComplianceSummary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ConfigurationAggregator*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return the resource counts across accounts and regions that are present in your AWS Config aggregator", @@ -30174,7 +36203,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list the tags for AWS Config resource", "privilege": "ListTagsForResource", "resource_types": [ @@ -30346,7 +36375,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:PassRole" + ], "resource_type": "RemediationConfiguration*" } ] @@ -30454,7 +36485,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:PassRole" + ], "resource_type": "RemediationConfiguration*" } ] 
@@ -30597,32 +36630,32 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request.", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource.", + "description": "Filters actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request.", + "description": "Filters actions based on the presence of tag keys in the request", "type": "String" }, { "condition": "connect:AttributeType", - "description": "Filters access by the attribute type of the Amazon Connect instance.", + "description": "Filters access by the attribute type of the Amazon Connect instance", "type": "String" }, { "condition": "connect:InstanceId", - "description": "Filters access by restricting federation into specified connect instances .", + "description": "Filters access by restricting federation into specified Amazon Connect instances", "type": "String" }, { "condition": "connect:StorageResourceType", - "description": "Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration.", + "description": "Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration", "type": "String" } ], 
@@ -30637,6 +36670,57 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "privilege": "AssociateBot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy", + "lex:CreateResourcePolicy", + "lex:DescribeBotAlias", + "lex:GetBot", + "lex:UpdateResourcePolicy" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to associate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "privilege": "AssociateCustomerProfilesDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy", + "profile:GetDomain" + ], + "resource_type": "instance*" } ] }, @@ -30663,7 +36747,8 @@ }, { "condition_keys": [ - "connect:StorageResourceType" + "connect:StorageResourceType", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -30681,6 +36766,13 @@ "lambda:AddPermission" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
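Review bot: The new `AssociateCustomerProfilesDomain` entry in the first hunk here has no `connect:InstanceId` resource-type entry, although `AssociateBot`, added just above it, and nearly every other Connect privilege touched by this commit gain one. The same gap appears in later hunks for `DisassociateCustomerProfilesDomain`, `ListAgentStatuses` and `ListRealtimeContactAnalysisSegments`. Since this file is the data the linter evaluates policies against, a statement that scopes these actions with `connect:InstanceId` would presumably be checked against an entry that lists no condition keys, which could produce a misleading finding. If the omission does not come from the upstream AWS documentation, add `{ "condition_keys": ["connect:InstanceId"], "dependent_actions": [], "resource_type": "" }` to each of the four; if it does and this file is regenerated from that source, record the discrepancy where the data is produced rather than hand-editing it.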
@@ -30698,12 +36790,44 @@ "lex:GetBot" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to associate queues with a routing profile in an Amazon Connect instance.", + "description": "Grants permissions to associate quick connects with a queue in an Amazon Connect instance", + "privilege": "AssociateQueueQuickConnects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to associate queues with a routing profile in an Amazon Connect instance", "privilege": "AssociateRoutingProfileQueues", "resource_types": [ { @@ -30718,7 +36842,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -30734,12 +36859,40 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create agent status in an Amazon Connect instance", + "privilege": "CreateAgentStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent-status*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to create a contact flow in an Amazon Connect instance.", + "description": "Grants permissions to create a contact flow in an Amazon Connect instance", "privilege": "CreateContactFlow", "resource_types": [ { @@ -30750,7 +36903,29 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create hours of operation in an Amazon Connect instance", + "privilege": "CreateHoursOfOperation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -30783,7 +36958,80 @@ }, { "access_level": "Write", - "description": "Grants permission to create a quick connect in an Amazon Connect instance.", + "description": "Grants permissions to create an AppIntegration association with an Amazon Connect instance", + "privilege": "CreateIntegrationAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "app-integrations:CreateEventIntegrationAssociation", + "connect:DescribeInstance", + "ds:DescribeDirectories", + "events:PutRule", + "events:PutTargets" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integration-association*" + }, + { + "condition_keys": [ + "connect:InstanceId", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a queue in an Amazon Connect instance", + "privilege": "CreateQueue", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a quick connect in an Amazon Connect instance", "privilege": "CreateQuickConnect", "resource_types": [ { 
@@ -30809,7 +37057,8 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -30818,7 +37067,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a routing profile in an Amazon Connect instance.", + "description": "Grants permission to create a routing profile in an Amazon Connect instance", "privilege": "CreateRoutingProfile", "resource_types": [ { @@ -30833,6 +37082,41 @@ }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a use case for an AppIntegration association", + "privilege": "CreateUseCase", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "connect:DescribeInstance", + "ds:DescribeDirectories" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integration-association*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "use-case*" + }, + { + "condition_keys": [ + "connect:InstanceId", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -30843,7 +37127,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a user for the specified Amazon Connect instance.", + "description": "Grants permission to create a user for the specified Amazon Connect instance", "privilege": "CreateUser", "resource_types": [ { @@ -30869,7 +37153,8 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -30878,13 +37163,40 @@ }, { "access_level": "Write", - "description": "Grants permissions to create a user hierarchy group in an Amazon Connect instance.", + "description": "Grants permissions to create a user hierarchy group in an Amazon Connect instance", "privilege": "CreateUserHierarchyGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "hierarchy-group" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete hours of operation in an Amazon Connect instance", + "privilege": "DeleteHoursOfOperation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -30901,12 +37213,50 @@ "ds:UnauthorizeApplication" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete an AppIntegration association from an Amazon Connect instance. The association must not have any use cases associated with it.", + "privilege": "DeleteIntegrationAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "app-integrations:DeleteEventIntegrationAssociation", + "connect:DescribeInstance", + "ds:DescribeDirectories", + "events:DeleteRule", + "events:ListTargetsByRule", + "events:RemoveTargets" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integration-association*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to delete a quick connect in an Amazon Connect instance.", + "description": "Grants permissions to delete a quick connect in an Amazon Connect instance", "privilege": "DeleteQuickConnect", "resource_types": [ { @@ -30916,7 +37266,35 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a use case from an AppIntegration association", + "privilege": "DeleteUseCase", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "connect:DescribeInstance", + "ds:DescribeDirectories" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "use-case*" + }, + { + "condition_keys": [ + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -30925,7 +37303,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a user in an Amazon Connect instance.", + "description": "Grants permissions to delete a user in an Amazon Connect instance", "privilege": "DeleteUser", "resource_types": [ { @@ -30935,7 +37313,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -30944,19 +37323,46 @@ }, { "access_level": "Write", - "description": "Grants permissions to delete a user hierarchy group in an Amazon Connect instance.", + "description": "Grants permissions to delete a user hierarchy group in an Amazon Connect instance", "privilege": "DeleteUserHierarchyGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "hierarchy-group*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe agent status in an Amazon Connect instance", + "privilege": "DescribeAgentStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent-status*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to describe a contact flow in an Amazon Connect instance.", + "description": "Grants permissions to describe a contact flow in an Amazon Connect instance", "privilege": "DescribeContactFlow", "resource_types": [ { 
@@ -30966,7 +37372,28 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to describe hours of operation in an Amazon Connect instance", + "privilege": "DescribeHoursOfOperation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -30984,12 +37411,19 @@ "ds:DescribeDirectories" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to view the attribute details of an existing Amazon Connect instance.", + "description": "Grants permissions to view the attribute details of an existing Amazon Connect instance", "privilege": "DescribeInstanceAttribute", "resource_types": [ { @@ -30999,7 +37433,8 @@ }, { "condition_keys": [ - "connect:AttributeType" + "connect:AttributeType", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31008,7 +37443,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to view the instance storage configuration for an existing Amazon Connect instance.", + "description": "Grants permissions to view the instance storage configuration for an existing Amazon Connect instance", "privilege": "DescribeInstanceStorageConfig", "resource_types": [ { 
@@ -31018,7 +37453,28 @@ }, { "condition_keys": [ - "connect:StorageResourceType" + "connect:StorageResourceType", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to describe a queue in an Amazon Connect instance", + "privilege": "DescribeQueue", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31027,7 +37483,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a quick connect in an Amazon Connect instance.", + "description": "Grants permissions to describe a quick connect in an Amazon Connect instance", "privilege": "DescribeQuickConnect", "resource_types": [ { @@ -31037,7 +37493,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31046,7 +37503,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a routing profile in an Amazon Connect instance.", + "description": "Grants permissions to describe a routing profile in an Amazon Connect instance", "privilege": "DescribeRoutingProfile", "resource_types": [ { @@ -31056,7 +37513,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31065,7 +37523,7 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a user in an Amazon Connect instance.", + "description": "Grants permissions to describe a user in an Amazon Connect instance", "privilege": "DescribeUser", "resource_types": [ { 
@@ -31075,7 +37533,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31084,25 +37543,39 @@ }, { "access_level": "Read", - "description": "Grants permissions to describe a hierarchy group for an Amazon Connect instance.", + "description": "Grants permissions to describe a hierarchy group for an Amazon Connect instance", "privilege": "DescribeUserHierarchyGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "hierarchy-group*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to describe the hierarchy structure for an Amazon Connect instance.", + "description": "Grants permissions to describe the hierarchy structure for an Amazon Connect instance", "privilege": "DescribeUserHierarchyStructure", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -31115,6 +37588,57 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "privilege": "DisassociateBot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy", + "lex:DeleteResourcePolicy", + "lex:UpdateResourcePolicy" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to disassociate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", + "privilege": "DisassociateCustomerProfilesDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:AttachRolePolicy", + "iam:DeleteRolePolicy", + "iam:DetachRolePolicy", + "iam:GetPolicy", + "iam:GetPolicyVersion", + "iam:GetRolePolicy" + ], + "resource_type": "instance*" } ] }, @@ -31130,7 +37654,8 @@ }, { "condition_keys": [ - "connect:StorageResourceType" + "connect:StorageResourceType", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31148,6 +37673,13 @@ "lambda:RemovePermission" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -31164,12 +37696,44 @@ "iam:PutRolePolicy" ], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to disassociate quick connects from a queue in an Amazon Connect instance", + "privilege": "DisassociateQueueQuickConnects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance.", + "description": "Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance", "privilege": "DisassociateRoutingProfileQueues", "resource_types": [ { @@ -31179,7 +37743,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -31195,36 +37760,57 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to retrieve the contact attributes for the specified contact.", + "description": "Grants permissions to retrieve the contact attributes for the specified contact", "privilege": "GetContactAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "contact*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance.", + "description": "Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance", "privilege": "GetCurrentMetricData", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "queue*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Allows federation into an instance when using SAML-based authentication for identity management.", + "description": "Grants permissions to federate into an Amazon Connect instance when using SAML-based authentication for identity management", "privilege": "GetFederationToken", "resource_types": [ { @@ -31243,7 +37829,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to federate in to an Amazon Connect instance (Log in as administrator functionality in the AWS console).", + "description": "Grants permissions to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console)", "privilege": "GetFederationTokens", "resource_types": [ { 
@@ -31259,31 +37845,76 @@ }, { "access_level": "Read", - "description": "Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance.", + "description": "Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance", "privilege": "GetMetricData", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "queue*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list agent statuses in an Amazon Connect instance", + "privilege": "ListAgentStatuses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" } ] }, { "access_level": "List", - "description": "Grants permissions to view approved origins of an existing Amazon Connect instance.", + "description": "Grants permissions to view approved origins of an existing Amazon Connect instance", "privilege": "ListApprovedOrigins", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to view the Lex bots of an existing Amazon Connect instance", + "privilege": "ListBots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to list contact flow resources in an Amazon Connect instance.", + "description": "Grants permissions to list contact flow resources in an Amazon Connect instance", "privilege": "ListContactFlows", "resource_types": [ { 
@@ -31295,43 +37926,64 @@ }, { "access_level": "List", - "description": "Grants permissions to list hours of operation resources in an Amazon Connect instance.", + "description": "Grants permissions to list hours of operation resources in an Amazon Connect instance", "privilege": "ListHoursOfOperations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to view the attributes of an existing Amazon Connect instance.", + "description": "Grants permissions to view the attributes of an existing Amazon Connect instance", "privilege": "ListInstanceAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to view storage configurations of an existing Amazon Connect instance.", + "description": "Grants permissions to view storage configurations of an existing Amazon Connect instance", "privilege": "ListInstanceStorageConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to view the Amazon Connect instances associated with an AWS account.", + "description": "Grants permissions to view the Amazon Connect instances associated with an AWS account", "privilege": "ListInstances", "resource_types": [ { 
@@ -31345,31 +37997,67 @@ }, { "access_level": "List", - "description": "Grants permissions to view the Lambda functions of an existing Amazon Connect instance.", + "description": "Grants permissions to list summary information about the AppIntegration associations for the specified Amazon Connect instance", + "privilege": "ListIntegrationAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "connect:DescribeInstance", + "ds:DescribeDirectories" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to view the Lambda functions of an existing Amazon Connect instance", "privilege": "ListLambdaFunctions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to view the Lex bots of an existing Amazon Connect instance.", + "description": "Grants permissions to view the Lex bots of an existing Amazon Connect instance", "privilege": "ListLexBots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to list phone number resources in an Amazon Connect instance.", + "description": "Grants permissions to list phone number resources in an Amazon Connect instance", "privilege": "ListPhoneNumbers", "resource_types": [ { 
@@ -31381,19 +38069,46 @@ }, { "access_level": "List", - "description": "Grants permissions to list prompt resources in an Amazon Connect instance.", + "description": "Grants permissions to list prompt resources in an Amazon Connect instance", "privilege": "ListPrompts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list quick connect resources in a queue in an Amazon Connect instance", + "privilege": "ListQueueQuickConnects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to list queue resources in an Amazon Connect instance.", + "description": "Grants permissions to list queue resources in an Amazon Connect instance", "privilege": "ListQueues", "resource_types": [ { @@ -31405,7 +38120,7 @@ }, { "access_level": "List", - "description": "Grants permissions to list quick connect resources in an Amazon Connect instance.", + "description": "Grants permissions to list quick connect resources in an Amazon Connect instance", "privilege": "ListQuickConnects", "resource_types": [ { 
@@ -31417,7 +38132,19 @@ }, { "access_level": "Read", - "description": "Grants permissions to list queue resources in a routing profile in an Amazon Connect instance.", + "description": "Grants permission to list the analysis segments for a real-time analysis session", + "privilege": "ListRealtimeContactAnalysisSegments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list queue resources in a routing profile in an Amazon Connect instance", "privilege": "ListRoutingProfileQueues", "resource_types": [ { @@ -31427,7 +38154,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -31436,43 +38164,64 @@ }, { "access_level": "List", - "description": "Grants permissions to list routing profile resources in an Amazon Connect instance.", + "description": "Grants permissions to list routing profile resources in an Amazon Connect instance", "privilege": "ListRoutingProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to view the security keys of an existing Amazon Connect instance.", + "description": "Grants permissions to view the security keys of an existing Amazon Connect instance", "privilege": "ListSecurityKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to list security profile resources in an Amazon Connect instance.", + "description": "Grants permissions to list security profile resources in an Amazon Connect instance", "privilege": "ListSecurityProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to list tags for an Amazon Connect resource.", + "description": "Grants permissions to list tags for an Amazon Connect resource", "privilege": "ListTagsForResource", "resource_types": [ { 
@@ -31480,6 +38229,16 @@ "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integration-association" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue" + }, { "condition_keys": [], "dependent_actions": [], @@ -31490,6 +38249,11 @@ "dependent_actions": [], "resource_type": "routing-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "use-case" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -31506,31 +38270,67 @@ }, { "access_level": "List", - "description": "Grants permissions to list the hierarchy group resources in an Amazon Connect instance.", + "description": "Grants permissions to list the use cases of an AppIntegration association", + "privilege": "ListUseCases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "connect:DescribeInstance", + "ds:DescribeDirectories" + ], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list the hierarchy group resources in an Amazon Connect instance", "privilege": "ListUserHierarchyGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permissions to list user resources in an Amazon Connect instance.", + "description": "Grants permissions to list user resources in an Amazon Connect instance", "privilege": "ListUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to resume recording for the specified contact.", + "description": "Grants permissions to resume recording for the specified contact", "privilege": "ResumeContactRecording", "resource_types": [ { @@ -31542,7 +38342,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to initiate a chat using the Amazon Connect API.", + "description": "Grants permissions to initiate a chat using the Amazon Connect API", "privilege": "StartChatContact", "resource_types": [ { 
@@ -31554,7 +38354,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to start recording for the specified contact.", + "description": "Grants permissions to start recording for the specified contact", "privilege": "StartContactRecording", "resource_types": [ { @@ -31566,7 +38366,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to initiate outbound calls using the Amazon Connect API.", + "description": "Grants permissions to initiate outbound calls using the Amazon Connect API", "privilege": "StartOutboundVoiceContact", "resource_types": [ { @@ -31578,13 +38378,20 @@ }, { "access_level": "Write", - "description": "Grants permissions to initiate a task using the Amazon Connect API.", + "description": "Grants permissions to initiate a task using the Amazon Connect API", "privilege": "StartTaskContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "contact-flow*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -31597,12 +38404,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "contact*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to stop recording for the specified contact.", + "description": "Grants permissions to stop recording for the specified contact", "privilege": "StopContactRecording", "resource_types": [ { @@ -31614,7 +38428,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to suspend recording for the specified contact.", + "description": "Grants permissions to suspend recording for the specified contact", "privilege": "SuspendContactRecording", "resource_types": [ { 
@@ -31626,7 +38440,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to tag an Amazon Connect resource.", + "description": "Grants permissions to tag an Amazon Connect resource", "privilege": "TagResource", "resource_types": [ { @@ -31634,6 +38448,16 @@ "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integration-association" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue" + }, { "condition_keys": [], "dependent_actions": [], @@ -31644,6 +38468,11 @@ "dependent_actions": [], "resource_type": "routing-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "use-case" + }, { "condition_keys": [], "dependent_actions": [], @@ -31662,7 +38491,7 @@ }, { "access_level": "Tagging", - "description": "Grants permissions to untag an Amazon Connect resource.", + "description": "Grants permissions to untag an Amazon Connect resource", "privilege": "UntagResource", "resource_types": [ { @@ -31670,6 +38499,16 @@ "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integration-association" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue" + }, { "condition_keys": [], "dependent_actions": [], @@ -31680,6 +38519,11 @@ "dependent_actions": [], "resource_type": "routing-profile" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "use-case" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -31697,19 +38541,46 @@ }, { "access_level": "Write", - "description": "Grants permissions to create or update the contact attributes associated with the specified contact.", + "description": "Grants permission to update agent status in an Amazon Connect instance", + "privilege": "UpdateAgentStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent-status*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create or update the contact attributes associated with the specified contact", "privilege": "UpdateContactAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "contact*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to update contact flow content in an Amazon Connect instance.", + "description": "Grants permissions to update contact flow content in an Amazon Connect instance", "privilege": "UpdateContactFlowContent", "resource_types": [ { @@ -31719,7 +38590,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31728,7 +38600,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the name and description of a contact flow in an Amazon Connect instance.", + "description": "Grants permissions to update the name and description of a contact flow in an Amazon Connect instance", "privilege": "UpdateContactFlowName", "resource_types": [ { 
@@ -31738,7 +38610,28 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update hours of operation in an Amazon Connect instance", + "privilege": "UpdateHoursOfOperation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31763,7 +38656,8 @@ }, { "condition_keys": [ - "connect:AttributeType" + "connect:AttributeType", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -31793,7 +38687,123 @@ }, { "condition_keys": [ - "connect:StorageResourceType" + "connect:StorageResourceType", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update queue hours of operation in an Amazon Connect instance", + "privilege": "UpdateQueueHoursOfOperation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hours-of-operation*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update queue capacity in an Amazon Connect instance", + "privilege": "UpdateQueueMaxContacts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update a queue name and description in an Amazon Connect instance", + "privilege": "UpdateQueueName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update queue outbound caller config in an Amazon Connect instance", + "privilege": "UpdateQueueOutboundCallerConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "phone-number" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update queue status in an Amazon Connect instance", + "privilege": "UpdateQueueStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31802,7 +38812,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the configuration of a quick connect in an Amazon Connect instance.", + "description": "Grants permissions to update the configuration of a quick connect in an Amazon Connect instance", "privilege": "UpdateQuickConnectConfig", "resource_types": [ { @@ -31827,7 +38837,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31836,7 +38847,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a quick connect name and description in an Amazon Connect instance.", + "description": "Grants permissions to update a quick connect name and description in an Amazon Connect instance", "privilege": "UpdateQuickConnectName", "resource_types": [ { @@ -31846,7 +38857,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -31855,7 +38867,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance.", + "description": "Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance", "privilege": "UpdateRoutingProfileConcurrency", "resource_types": [ { @@ -31865,7 +38877,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31874,7 +38887,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance.", + "description": "Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance", "privilege": "UpdateRoutingProfileDefaultOutboundQueue", "resource_types": [ { @@ -31889,7 +38902,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31898,7 +38912,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a routing profile name and description in an Amazon Connect instance.", + "description": "Grants permissions to update a routing profile name and description in an Amazon Connect instance", "privilege": "UpdateRoutingProfileName", "resource_types": [ { @@ -31908,7 +38922,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31917,7 +38932,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update the queues in routing profile in an Amazon Connect instance.", + "description": "Grants permissions to update the queues in routing profile in an Amazon Connect instance", "privilege": "UpdateRoutingProfileQueues", "resource_types": [ { 
@@ -31927,7 +38942,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -31936,7 +38952,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a hierarchy group for a user in an Amazon Connect instance.", + "description": "Grants permissions to update a hierarchy group for a user in an Amazon Connect instance", "privilege": "UpdateUserHierarchy", "resource_types": [ { @@ -31951,7 +38967,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" 
@@ -31960,31 +38977,45 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a user hierarchy group name in an Amazon Connect instance.", + "description": "Grants permissions to update a user hierarchy group name in an Amazon Connect instance", "privilege": "UpdateUserHierarchyGroupName", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "hierarchy-group*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to update user hierarchy structure in an Amazon Connect instance.", + "description": "Grants permissions to update user hierarchy structure in an Amazon Connect instance", "privilege": "UpdateUserHierarchyStructure", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to update identity information for a user in an Amazon Connect instance.", + "description": "Grants permissions to update identity information for a user in an Amazon Connect instance", "privilege": "UpdateUserIdentityInfo", "resource_types": [ { @@ -31994,7 +39025,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -32003,7 +39035,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update phone configuration settings for a user in an Amazon Connect instance.", + "description": "Grants permissions to update phone configuration settings for a user in an Amazon Connect instance", "privilege": "UpdateUserPhoneConfig", "resource_types": [ { 
@@ -32013,7 +39045,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -32022,7 +39055,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update a routing profile for a user in an Amazon Connect instance.", + "description": "Grants permissions to update a routing profile for a user in an Amazon Connect instance", "privilege": "UpdateUserRoutingProfile", "resource_types": [ { @@ -32037,7 +39070,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -32046,7 +39080,7 @@ }, { "access_level": "Write", - "description": "Grants permissions to update security profiles for a user in an Amazon Connect instance.", + "description": "Grants permissions to update security profiles for a user in an Amazon Connect instance", "privilege": "UpdateUserSecurityProfiles", "resource_types": [ { @@ -32061,7 +39095,8 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "connect:InstanceId" ], "dependent_actions": [], "resource_type": "" @@ -32106,7 +39141,9 @@ }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "queue" }, { 
@@ -32125,37 +39162,48 @@ }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "hours-of-operation" }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-status/${AgentStatusId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "agent-status" + }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId}", "condition_keys": [], "resource": "phone-number" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "integration-association" + }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "use-case" } ], "service_name": "Amazon Connect" }, { "conditions": [], - "prefix": "cur", + "prefix": "controltower", "privileges": [ { "access_level": "Write", - "description": "Delete Cost and Usage Report Definition", - "privilege": "DeleteReportDefinition", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cur*" - } - ] - }, - { - "access_level": "Read", - "description": "Get Cost and Usage Report Definitions", - "privilege": "DescribeReportDefinitions", + "description": "Grants permission to create an account managed by AWS Control Tower.", + "privilege": "CreateManagedAccount", "resource_types": [ { "condition_keys": [], 
@@ -32166,308 +39214,248 @@ }, { "access_level": "Write", - "description": "Modify Cost and Usage Report Definition", - "privilege": "ModifyReportDefinition", + "description": "Grants permission to deregister an account created through the account factory from AWS Control Tower.", + "privilege": "DeregisterManagedAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cur*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Write Cost and Usage Report Definition", - "privilege": "PutReportDefinition", + "description": "Grants permission to deregister an organizational unit from AWS Control Tower management.", + "privilege": "DeregisterOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cur*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:cur:${Region}:${Account}:definition/${ReportName}", - "condition_keys": [], - "resource": "cur" - } - ], - "service_name": "AWS Cost and Usage Report" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "databrew", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to delete one or more recipe versions", - "privilege": "BatchDeleteRecipeVersion", + "access_level": "Read", + "description": "Grants permission to describe the current account factory configuration.", + "privilege": "DescribeAccountFactoryConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recipe*" 
- } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a dataset", - "privilege": "CreateDataset", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a profile job", - "privilege": "CreateProfileJob", + "access_level": "Read", + "description": "Grants permission to describe resources managed by core accounts in AWS Control Tower.", + "privilege": "DescribeCoreService", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a project", - "privilege": "CreateProject", + "access_level": "Read", + "description": "Grants permission to describe a guardrail.", + "privilege": "DescribeGuardrail", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a recipe", - "privilege": "CreateRecipe", + "access_level": "Read", + "description": "Grants permission to describe a guardrail for a organizational unit.", + "privilege": "DescribeGuardrailForTarget", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a recipe job", - "privilege": "CreateRecipeJob", + "access_level": "Read", + "description": "Grants permission to describe an account created through account factory.", + "privilege": "DescribeManagedAccount", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + 
"condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a schedule", - "privilege": "CreateSchedule", + "access_level": "Read", + "description": "Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower.", + "privilege": "DescribeManagedOrganizationalUnit", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataset", + "access_level": "Read", + "description": "Grants permission to describe the current AWS Control Tower SSO configuration.", + "privilege": "DescribeSingleSignOn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Dataset*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a job", - "privilege": "DeleteJob", + "description": "Grants permission to disable a guardrail from an organizational unit.", + "privilege": "DisableGuardrail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a project", - "privilege": "DeleteProject", + "description": "Grants permission to enable a guardrail to an organizational unit.", + "privilege": "EnableGuardrail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Project*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a recipe version", - "privilege": "DeleteRecipeVersion", + "access_level": "Read", + "description": "Grants permission to list available updates for the current AWS Control Tower deployment.", + "privilege": 
"GetAvailableUpdates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recipe*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a schedule", - "privilege": "DeleteSchedule", + "access_level": "Read", + "description": "Grants permission to get the current compliance status of a guardrail.", + "privilege": "GetGuardrailComplianceStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Schedule*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about a dataset", - "privilege": "DescribeDataset", + "description": "Grants permission to get the home region of the AWS Control Tower setup.", + "privilege": "GetHomeRegion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Dataset*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about a job", - "privilege": "DescribeJob", + "description": "Grants permission to get the current status of the landing zone setup.", + "privilege": "GetLandingZoneStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a project", - "privilege": "DescribeProject", + "access_level": "List", + "description": "Grants permission to list the current directory groups available through SSO.", + "privilege": "ListDirectoryGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Project*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a recipe", - "privilege": "DescribeRecipe", + "access_level": "List", + "description": "Grants permission to list currently enabled guardrails.", + "privilege": 
"ListEnabledGuardrails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recipe*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a schedule", - "privilege": "DescribeSchedule", + "access_level": "List", + "description": "Grants permission to list existing guardrail violations.", + "privilege": "ListGuardrailViolations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Schedule*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list datasets in your account", - "privilege": "ListDatasets", + "description": "Grants permission to list all available guardrails.", + "privilege": "ListGuardrails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Dataset*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list job runs for a given job", - "privilege": "ListJobRuns", + "description": "Grants permission to list guardrails and their current state for a organizational unit.", + "privilege": "ListGuardrailsForTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list jobs in your account", - "privilege": "ListJobs", + "description": "Grants permission to list accounts managed through AWS Control Tower.", + "privilege": "ListManagedAccounts", "resource_types": [ { "condition_keys": [], @@ -32478,8 +39466,8 @@ }, { "access_level": "List", - "description": "Grants permission to list projects in your account", - "privilege": "ListProjects", + "description": "Grants permission to list managed accounts with a specified guardrail applied.", + "privilege": "ListManagedAccountsForGuardrail", "resource_types": [ { "condition_keys": [], 
@@ -32490,20 +39478,20 @@ }, { "access_level": "List", - "description": "Grants permission to list versions in your recipe", - "privilege": "ListRecipeVersions", + "description": "Grants permission to list managed accounts under an organizational unit.", + "privilege": "ListManagedAccountsForParent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recipe*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list recipes in your account", - "privilege": "ListRecipes", + "description": "Grants permission to list organizational units managed by AWS Control Tower.", + "privilege": "ListManagedOrganizationalUnits", "resource_types": [ { "condition_keys": [], 
@@ -32514,127 +39502,567 @@ }, { "access_level": "List", - "description": "Grants permission to list schedules in your account", - "privilege": "ListSchedules", + "description": "Grants permission to list managed organizational units that have a specified guardrail applied.", + "privilege": "ListManagedOrganizationalUnitsForGuardrail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Schedule*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve tags associated with a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to set up an organizational unit to be managed by AWS Control Tower.", + "privilege": "ManageOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Job" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Project" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Recipe" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Schedule" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to publish a major verison of a recipe", - "privilege": "PublishRecipe", + "description": "Grants permission to set up or update AWS Control Tower landing zone.", + "privilege": "SetupLandingZone", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Recipe*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to submit an action to the interactive session for a project", - "privilege": "SendProjectSessionAction", + "description": "Grants permission to update the account factory configuration.", + "privilege": "UpdateAccountFactoryConfig", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "Project*" + "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "AWS Control Tower" + }, + { + "conditions": [], + "prefix": "cur", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to start running a job", - "privilege": "StartJobRun", + "description": "Delete Cost and Usage Report Definition", + "privilege": "DeleteReportDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "cur*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start an interactive session for a project", - "privilege": "StartProjectSession", + "access_level": "Read", + "description": "Get Cost and Usage Report Definitions", + "privilege": "DescribeReportDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Project*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a job run for a job", - "privilege": "StopJobRun", + "description": "Modify Cost and Usage Report Definition", + "privilege": "ModifyReportDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "cur*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Write Cost and Usage Report Definition", + "privilege": "PutReportDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Job" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Project" + "resource_type": "cur*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:cur:${Region}:${Account}:definition/${ReportName}", + 
"condition_keys": [], + "resource": "cur" + } + ], + "service_name": "AWS Cost and Usage Report" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "databrew", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to delete one or more recipe versions", + "privilege": "BatchDeleteRecipeVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recipe*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataset", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a profile job", + "privilege": "CreateProfileJob", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a project", + "privilege": "CreateProject", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a recipe", + "privilege": "CreateRecipe", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + 
"resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a recipe job", + "privilege": "CreateRecipeJob", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a schedule", + "privilege": "CreateSchedule", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a job", + "privilege": "DeleteJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a recipe version", + "privilege": "DeleteRecipeVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recipe*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a schedule", + "privilege": "DeleteSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Schedule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a dataset", + "privilege": "DescribeDataset", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "Dataset*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a job", + "privilege": "DescribeJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about job run for a given job", + "privilege": "DescribeJobRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a project", + "privilege": "DescribeProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a recipe", + "privilege": "DescribeRecipe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recipe*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view details about a schedule", + "privilege": "DescribeSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Schedule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list datasets in your account", + "privilege": "ListDatasets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list job runs for a given job", + "privilege": "ListJobRuns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list jobs in your account", + "privilege": "ListJobs", + "resource_types": [ + { + "condition_keys": [], 
+ "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list projects in your account", + "privilege": "ListProjects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list versions in your recipe", + "privilege": "ListRecipeVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recipe*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list recipes in your account", + "privilege": "ListRecipes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list schedules in your account", + "privilege": "ListSchedules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Schedule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve tags associated with a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recipe" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Schedule" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to publish a major verison of a recipe", + "privilege": "PublishRecipe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recipe*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants 
permission to submit an action to the interactive session for a project", + "privilege": "SendProjectSessionAction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start running a job", + "privilege": "StartJobRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an interactive session for a project", + "privilege": "StartProjectSession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a job run for a job", + "privilege": "StopJobRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Project" }, { "condition_keys": [], 
@@ -32770,35 +40198,35 @@ ], "resources": [ { - "arn": "arn:${Partition}:databrew::${Account}:project/${ResourceId}", + "arn": "arn:${Partition}:databrew:${Region}:${Account}:project/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "Project" }, { - "arn": "arn:${Partition}:databrew::${Account}:dataset/${ResourceId}", + "arn": "arn:${Partition}:databrew:${Region}:${Account}:dataset/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "Dataset" }, { - "arn": "arn:${Partition}:databrew::${Account}:recipe/${ResourceId}", + "arn": "arn:${Partition}:databrew:${Region}:${Account}:recipe/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "Recipe" }, { - "arn": "arn:${Partition}:databrew::${Account}:job/${ResourceId}", + "arn": "arn:${Partition}:databrew:${Region}:${Account}:job/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "Job" }, { - "arn": "arn:${Partition}:databrew::${Account}:schedule/${ResourceId}", + "arn": "arn:${Partition}:databrew:${Region}:${Account}:schedule/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -33053,6 +40481,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to publish a data set.", + "privilege": "PublishDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-sets*" + } + ] + }, { "access_level": "Write", "description": "Grants permissions to start a job.", 
@@ -33993,6 +41433,546 @@ ], "service_name": "DataSync" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters create requests based on the allowed set of values for each of the tags.", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value associated with the resource.", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters create requests based on the presence of mandatory tags in the request.", + "type": "String" + } + ], + "prefix": "datasync", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to cancel execution of a sync task", + "privilege": "CancelTaskExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "taskexecution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate an agent that you have deployed on your host", + "privilege": "CreateAgent", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for an Amazon EFS file system", + "privilege": "CreateLocationEfs", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for an Amazon FSx Windows File Server file system", + "privilege": "CreateLocationFsxWindows", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for a NFS file system", + "privilege": 
"CreateLocationNfs", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for a self-managed object storage bucket", + "privilege": "CreateLocationObjectStorage", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for an Amazon S3 bucket", + "privilege": "CreateLocationS3", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint for an SMB file system", + "privilege": "CreateLocationSmb", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a sync task.", + "privilege": "CreateTask", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an agent", + "privilege": "DeleteAgent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a location used by AWS DataSync", + "privilege": "DeleteLocation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to 
delete a sync task", + "privilege": "DeleteTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata such as name, network interfaces, and the status (that is, whether the agent is running or not) about a sync agent", + "privilege": "DescribeAgent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information about an Amazon EFS sync location", + "privilege": "DescribeLocationEfs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information about an Amazon FSx Windows sync location", + "privilege": "DescribeLocationFsxWindows", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information, about a NFS sync location", + "privilege": "DescribeLocationNfs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata about a self-managed object storage server location", + "privilege": "DescribeLocationObjectStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as bucket name, about an Amazon S3 bucket sync location", + "privilege": "DescribeLocationS3", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata, such as the path information, about an SMB sync location", + "privilege": "DescribeLocationSmb", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata about a sync task", + "privilege": "DescribeTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view metadata about a sync task that is being executed", + "privilege": "DescribeTaskExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "taskexecution*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list agents owned by an AWS account in a region specified in the request", + "privilege": "ListAgents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list source and destination sync locations", + "privilege": "ListLocations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags that have been added to the specified resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list executed 
sync tasks", + "privilege": "ListTaskExecutions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list of all the sync tasks", + "privilege": "ListTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a specific invocation of a sync task", + "privilege": "StartTaskExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to apply a key-value pair to an AWS resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from the specified resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "agent" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the name of an agent.", + "privilege": "UpdateAgent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], 
+ "resource_type": "agent*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an NFS sync Location", + "privilege": "UpdateLocationNfs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a self-managed object storage server location", + "privilege": "UpdateLocationObjectStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a SMB sync location", + "privilege": "UpdateLocationSmb", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "location*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update metadata associated with a sync task", + "privilege": "UpdateTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update execution of a sync task", + "privilege": "UpdateTaskExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "taskexecution*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:datasync:${Region}:${AccountId}:agent/${AgentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "agent" + }, + { + "arn": "arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "location" + }, + { + "arn": "arn:${Partition}:datasync:${Region}:${AccountId}:task/${TaskId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "task" + }, + { + "arn": 
"arn:${Partition}:datasync:${Region}:${AccountId}:task/${TaskId}/execution/${ExecutionId}", + "condition_keys": [], + "resource": "taskexecution" + } + ], + "service_name": "AWSDataSync" + }, { "conditions": [ { @@ -34418,7 +42398,7 @@ "privileges": [ { "access_level": "Write", - "description": "Creates a new favorite query", + "description": "Grants permission to create a new favorite query", "privilege": "CreateFavoriteQuery", "resource_types": [ { @@ -34430,7 +42410,7 @@ }, { "access_level": "Write", - "description": "Add a query to the history", + "description": "Grants permission to add a query to the history", "privilege": "CreateQueryHistory", "resource_types": [ { @@ -34442,7 +42422,19 @@ }, { "access_level": "Write", - "description": "Delete saved queries", + "description": "Grants permission to create a new query tab", + "privilege": "CreateTab", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete saved queries", "privilege": "DeleteFavoriteQueries", "resource_types": [ { @@ -34454,7 +42446,7 @@ }, { "access_level": "Write", - "description": "Delete a historical query", + "description": "Grants permission to delete a historical query", "privilege": "DeleteQueryHistory", "resource_types": [ { @@ -34464,9 +42456,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete query tab", + "privilege": "DeleteTab", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", - "description": "List saved queries and associated metadata", + "description": "Grants permission to list saved queries and associated metadata", "privilege": "DescribeFavoriteQueries", "resource_types": [ { 
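Review bot: The service object added in this hunk declares `"prefix": "datasync"` with `"service_name": "AWSDataSync"`, and it is inserted directly after an existing entry whose context line reads `"service_name": "DataSync"`. That entry's prefix is outside the hunk, but if it is also `datasync` the definition now holds two blocks for one prefix. A lookup that stops at the first matching prefix would then never see privileges that exist only in the second block, such as `UpdateLocationNfs` or `UpdateTaskExecution`, so the linter could report valid actions as unknown or check them against a stale resource list. If this file is produced by a scraper, the better fix is to merge or de-duplicate services by `prefix` at generation time, and a load-time check that every `prefix` is unique would catch a recurrence.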
@@ -34478,7 +42482,7 @@ }, { "access_level": "List", - "description": "List history of queries that were run", + "description": "Grants permission to list history of queries that were run", "privilege": "DescribeQueryHistory", "resource_types": [ { @@ -34488,9 +42492,21 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list query tabs and associated metadata", + "privilege": "DescribeTabs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Retrieve favorite or history query string by id", + "description": "Grants permission to retrieve favorite or history query string by id", "privilege": "GetQueryString", "resource_types": [ { @@ -34502,7 +42518,7 @@ }, { "access_level": "Write", - "description": "Update saved query and description", + "description": "Grants permission to update saved query and description", "privilege": "UpdateFavoriteQuery", "resource_types": [ { @@ -34514,7 +42530,7 @@ }, { "access_level": "Write", - "description": "Update the query history", + "description": "Grants permission to update the query history", "privilege": "UpdateQueryHistory", "resource_types": [ { @@ -34523,6 +42539,18 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update query tab", + "privilege": "UpdateTab", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [], @@ -34550,7 +42578,7 @@ "privileges": [ { "access_level": "Write", - "description": "Associates a DeepComposer coupon (or DSN) with the account associated with the sender of the request.", + "description": "Grants permission to associate a DeepComposer coupon (or DSN) with the account associated with the sender of the request", "privilege": "AssociateCoupon", "resource_types": [ { 
@@ -34562,21 +42590,26 @@ }, { "access_level": "Write", - "description": "Creates an audio file by converting the midi composition into a wav or mp3 file.", + "description": "Grants permission to create an audio file by converting the midi composition into a wav or mp3 file", "privilege": "CreateAudio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "composition*" + "resource_type": "audio*" } ] }, { "access_level": "Write", - "description": "Creates a multi-track midi composition.", + "description": "Grants permission to create a multi-track midi composition", "privilege": "CreateComposition", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "composition*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -34589,9 +42622,14 @@ }, { "access_level": "Write", - "description": "Starts creating/training a generative-model that is able to perform inference against the user-provided piano-melody to create a multi-track midi composition.", + "description": "Grants permission to start creating/training a generative-model that is able to perform inference against the user-provided piano-melody to create a multi-track midi composition", "privilege": "CreateModel", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -34604,7 +42642,7 @@ }, { "access_level": "Write", - "description": "Deletes the composition.", + "description": "Grants permission to delete the composition", "privilege": "DeleteComposition", "resource_types": [ { @@ -34616,7 +42654,7 @@ }, { "access_level": "Write", - "description": "Deletes the model.", + "description": "Grants permission to delete the model", "privilege": "DeleteModel", "resource_types": [ { 
@@ -34628,7 +42666,7 @@ }, { "access_level": "Read", - "description": "Returns information about the composition.", + "description": "Grants permission to get information about the composition", "privilege": "GetComposition", "resource_types": [ { @@ -34647,7 +42685,7 @@ }, { "access_level": "Read", - "description": "Returns information about the model.", + "description": "Grants permission to get information about the model", "privilege": "GetModel", "resource_types": [ { 
@@ -34666,55 +42704,55 @@ }, { "access_level": "Read", - "description": "Returns information about the sample/pre-trained DeepComposer model.", + "description": "Grants permission to get information about the sample/pre-trained DeepComposer model", "privilege": "GetSampleModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { "access_level": "List", - "description": "Returns a list of all the compositions owned by the sender of the request.", + "description": "Grants permission to list all the compositions owned by the sender of the request", "privilege": "ListCompositions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "composition*" } ] }, { "access_level": "List", - "description": "Returns a list of all the models owned by the sender of the request.", + "description": "Grants permission to list all the models owned by the sender of the request", "privilege": "ListModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { "access_level": "List", - "description": "Returns a list of all the sample/pre-trained models provided by the DeepComposer service.", + "description": "Grants permission to list all the sample/pre-trained models provided by the DeepComposer service", "privilege": "ListSampleModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { "access_level": "List", - "description": "Grants permission to lists tag for a resource.", + "description": "Grants permission to list tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { 
@@ -34738,19 +42776,19 @@ }, { "access_level": "List", - "description": "Returns a list of all the training options or topic for creating/training a model.", + "description": "Grants permission to list all the training options or topic for creating/training a model", "privilege": "ListTrainingTopics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to tag a resource.", + "description": "Grants permission to tag a resource", "privilege": "TagResource", "resource_types": [ { @@ -34776,7 +42814,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag a resource.", + "description": "Grants permission to untag a resource", "privilege": "UntagResource", "resource_types": [ { @@ -34802,7 +42840,7 @@ }, { "access_level": "Write", - "description": "Modifies the mutable properties associated with a composition.", + "description": "Grants permission to modify the mutable properties associated with a composition", "privilege": "UpdateComposition", "resource_types": [ { @@ -34814,7 +42852,7 @@ }, { "access_level": "Write", - "description": "Modifies the mutable properties associated with a model.", + "description": "Grants permission to to modify the mutable properties associated with a model", "privilege": "UpdateModel", "resource_types": [ { 
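Review bot: The new `UpdateModel` description in the hunk at -34814 reads "Grants permission to to modify …" with a doubled "to". It should be `"description": "Grants permission to modify the mutable properties associated with a model"`. Later added descriptions have similar slips: "create ra einforcement learning model" (CreateReinforcementLearningModel), "to lists tag for a resource" (deepracer ListTagsForResource) and "to performs the leaderboard operation" (PerformLeaderboardOperation). Correct them here or in whatever produces this file, so the wording a policy author reads is unambiguous.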
@@ -35166,12 +43204,118 @@ "service_name": "AWS DeepLens" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions by tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions by tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions by tag keys in the request", + "type": "String" + }, + { + "condition": "deepracer:MultiUser", + "description": "Filters access by multiuser flag", + "type": "Bool" + }, + { + "condition": "deepracer:UserToken", + "description": "Filters access by user token in the request", + "type": "String" + } + ], "prefix": "deepracer", "privileges": [ { "access_level": "Write", - "description": "Grants permission to clone existing DeepRacer models", + "description": "Grants permission to add access for a private leaderboard", + "privilege": "AddLeaderboardAccessPermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get current admin multiuser configuration for this account", + "privilege": "AdminGetAccountConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all deepracer users with their associated resources created under this account", + "privilege": "AdminListAssociatedResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list user data for all users 
associated with this account", + "privilege": "AdminListAssociatedUsers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to manage a user associated with this account", + "privilege": "AdminManageUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set configuration options for this account", + "privilege": "AdminSetAccountConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to clone an existing DeepRacer model", "privilege": "CloneReinforcementLearningModel", "resource_types": [ { 
@@ -35183,24 +43327,76 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "track*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a DeepRacer car in your garage", + "privilege": "CreateCar", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create resources needed by DeepRacer on behalf of the user", - "privilege": "CreateAccountResources", + "description": "Grants permission to create a leaderboard", + "privilege": "CreateLeaderboard", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an access token for a private leaderboard", + "privilege": "CreateLeaderboardAccessToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to submit DeepRacer models to be evaluated for leaderboards", + "description": "Grants permission to submit a DeepRacer model to be evaluated for leaderboards", "privilege": "CreateLeaderboardSubmission", "resource_types": [ { 
@@ -35212,78 +43408,203 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "reinforcement_learning_model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create reinforcement learning models for DeepRacer", + "description": "Grants permission to create ra einforcement learning model for DeepRacer", "privilege": "CreateReinforcementLearningModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "track*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete resources created by DeepRacer on behalf of the user", - "privilege": "DeleteAccountResources", + "description": "Grants permission to delete a leaderboard", + "privilege": "DeleteLeaderboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete DeepRacer models", + "description": "Grants permission to delete a DeepRacer model", "privilege": "DeleteModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "reinforcement_learning_model*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the resources created by DeepRacer on behalf of the user", - "privilege": "GetAccountResources", + "access_level": 
"Write", + "description": "Grants permission to edit a leaderboard", + "privilege": "EditLeaderboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the user's alias for submitting DeepRacer models to leaderboards", + "description": "Grants permission to get current multiuser configuration for this account", + "privilege": "GetAccountConfig", + "resource_types": [ + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the user's alias for submitting a DeepRacer model to leaderboards", "privilege": "GetAlias", + "resource_types": [ + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to download artifacts for an existing DeepRacer model", + "privilege": "GetAssetUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "reinforcement_learning_model*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a specific DeepRacer car from your garage", + "privilege": "GetCar", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "car*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to 
view all the DeepRacer cars in your garage", + "privilege": "GetCars", + "resource_types": [ + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about existing DeepRacer models' evaluation jobs", + "description": "Grants permission to retrieve information about an existing DeepRacer model's evaluation jobs", "privilege": "GetEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "evaluation_job*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -35296,6 +43617,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -35308,18 +43637,54 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about existing DeepRacer models", + "description": "Grants permission to retrieve information about an existing DeepRacer model", "privilege": "GetModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "reinforcement_learning_model*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about private leaderboards", + "privilege": "GetPrivateLeaderboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -35332,6 +43697,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -35349,66 +43722,207 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about existing DeepRacer models' training job", + "description": "Grants permission to retrieve information about an existing DeepRacer model's training job", "privilege": "GetTrainingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "training_job*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list DeepRacer models' evaluation jobs", + "access_level": "Write", + "description": "Grants permission to import a reinforcement learning model for DeepRacer", + "privilege": "ImportModel", + "resource_types": [ + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list a DeepRacer model's evaluation jobs", "privilege": "ListEvaluations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "reinforcement_learning_model*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the submissions of DeepRacer models of a user on a leaderboard", + "access_level": "Read", + "description": "Grants permission to list all the DeepRacer model submissions of a user on a leaderboard", "privilege": "ListLeaderboardSubmissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", + "access_level": "Read", 
"description": "Grants permission to list all the available leaderboards", "privilege": "ListLeaderboards", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all existing DeepRacer models", "privilege": "ListModels", + "resource_types": [ + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve participant information about private leaderboards", + "privilege": "ListPrivateLeaderboardParticipants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to list all the available private leaderboards", + "privilege": "ListPrivateLeaderboards", + "resource_types": [ + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all the subscribed private leaderboards", + "privilege": "ListSubscribedPrivateLeaderboards", + "resource_types": [ + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to lists tag for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "car" + }, + { + "condition_keys": [], + "dependent_actions": [], 
+ "resource_type": "evaluation_job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard_evaluation_job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reinforcement_learning_model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "training_job" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to list all DeepRacer tracks", "privilege": "ListTracks", "resource_types": [ 
@@ -35420,32 +43934,95 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list DeepRacer models' training jobs", + "access_level": "Read", + "description": "Grants permission to list a DeepRacer model's training jobs", "privilege": "ListTrainingJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "reinforcement_learning_model*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to set the user's alias for submitting DeepRacer models to leaderboards", - "privilege": "SetAlias", + "description": "Grants permission to migrate previous reinforcement learning models for DeepRacer", + "privilege": "MigrateModels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to performs the leaderboard operation mentioned in the operation attribute", + "privilege": "PerformLeaderboardOperation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "leaderboard" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove access for a private leaderboard", + "privilege": "RemoveLeaderboardAccessPermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the user's alias for submitting a DeepRacer model to leaderboards", + "privilege": "SetAlias", + "resource_types": [ + 
{ + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to evaluate DeepRacer models in a simulated environment", + "description": "Grants permission to evaluate a DeepRacer model in a simulated environment", "privilege": "StartEvaluation", "resource_types": [ { @@ -35457,6 +44034,16 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "track*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -35469,18 +44056,82 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "evaluation_job*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to stop training DeepRacer models", + "description": "Grants permission to stop training a DeepRacer model", "privilege": "StopTrainingReinforcementLearningModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "reinforcement_learning_model*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "car" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation_job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard_evaluation_job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reinforcement_learning_model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "training_job" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -35495,44 +44146,145 @@ "resource_type": "" } ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "car" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation_job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "leaderboard_evaluation_job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reinforcement_learning_model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "training_job" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a DeepRacer car in your garage", + "privilege": "UpdateCar", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "car*" + }, + { + "condition_keys": [ + "deepracer:UserToken", + "deepracer:MultiUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ { - "arn": "arn:${Partition}:deepracer:${Region}:${Account}:model/reinforcement_learning/${ResourceId}", - "condition_keys": [], - "resource": "reinforcement_learning_model" - }, - { - "arn": "arn:${Partition}:deepracer:${Region}:${Account}:training_job/${ResourceId}", - "condition_keys": [], - "resource": "training_job" + "arn": "arn:${Partition}:deepracer:${Region}:${Account}:car/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "car" }, { "arn": "arn:${Partition}:deepracer:${Region}:${Account}:evaluation_job/${ResourceId}", - "condition_keys": 
[], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "evaluation_job" }, + { + "arn": "arn:${Partition}:deepracer:${Region}::leaderboard/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "leaderboard" + }, { "arn": "arn:${Partition}:deepracer:${Region}:${Account}:leaderboard_evaluation_job/${ResourceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "leaderboard_evaluation_job" }, + { + "arn": "arn:${Partition}:deepracer:${Region}:${Account}:model/reinforcement_learning/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "reinforcement_learning_model" + }, { "arn": "arn:${Partition}:deepracer:${Region}::track/${ResourceId}", "condition_keys": [], "resource": "track" }, { - "arn": "arn:${Partition}:deepracer:${Region}::leaderboard/${ResourceId}", - "condition_keys": [], - "resource": "leaderboard" + "arn": "arn:${Partition}:deepracer:${Region}:${Account}:training_job/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "training_job" } ], "service_name": "AWS DeepRacer" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], "prefix": "detective", "privileges": [ { @@ -35543,7 +44295,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Graph*" + "resource_type": "" } ] }, 
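Review bot: The hunk at -35543 relaxes a detective action from `"resource_type": "Graph*"` to `"resource_type": ""`, and the same edit recurs in the hunks at -35603 and -35711 (the latter directly follows the reject-invitation description). With an empty resource type there is no ARN pattern to compare against, so a policy that pairs these actions with an unrelated resource would presumably no longer be reported by a linter reading this table. The privilege names lie outside these three hunks, so check each one against the AWS service authorization reference before accepting the relaxation. A test policy for one of these actions would pin the expected finding.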
@@ -35553,7 +44305,10 @@ "privilege": "CreateGraph", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -35603,7 +44358,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Graph*" + "resource_type": "" } ] }, @@ -35703,6 +44458,25 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list the tag values that are assigned to a behavior graph", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Graph*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to reject an invitation to become a member of a behavior graph", @@ -35711,7 +44485,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Graph*" + "resource_type": "" } ] }, 
@@ -35738,12 +44512,54 @@ "resource_type": "Graph*" } ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to assign tag values to a behavior graph", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Graph*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tag values from a behavior graph", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Graph*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ { "arn": "arn:${Partition}:detective:${Region}:${Account}:graph:${ResourceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "Graph" } ], @@ -35806,7 +44622,7 @@ ] }, { - "access_level": "Tagging", + "access_level": "Write", "description": "Grants permission to create a project for mobile testing", "privilege": "CreateProject", "resource_types": [ @@ -35854,7 +44670,13 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "iam:CreateServiceLinkedRole" + ], "resource_type": "" } ] @@ -36892,7 +45714,13 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "iam:CreateServiceLinkedRole" + ], "resource_type": "testgrid-project*" } ] 
@@ -37088,6 +45916,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view the feedback details of a specified insight", + "privilege": "DescribeFeedback", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list the details of a specified insight", @@ -37124,6 +45964,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list service resource cost estimates", + "privilege": "GetCostEstimation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to list AWS CloudFormation stacks that DevOps Guru is configured to use", @@ -37235,6 +46087,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to start the creation of an estimate of the monthly cost", + "privilege": "StartCostEstimation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the list of AWS CloudFormation stacks that are used to specify which AWS resources in your account are analyzed by DevOps Guru", @@ -37452,6 +46316,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to associate a MAC Security (MACsec) Connection Key Name (CKN)/ Connectivity Association Key (CAK) pair with an AWS Direct Connect dedicated connection", + "privilege": "AssociateMacSecKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dxcon" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dxlag" + } + ] + }, { "access_level": "Write", "description": "Associates a virtual interface with a specified link aggregation group (LAG) or connection.", 
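Review bot: In the hunk at -37235, `StartCostEstimation` is added with `"access_level": "Read"`, although its own description says it starts the creation of a cost estimate, which is a state-changing call. Any consumer that uses access levels to separate read-only from mutating permissions will count it as read-only. If the value only mirrors the upstream AWS reference, keep it and record the discrepancy where the project tracks data overrides. Otherwise it should be `"access_level": "Write"`. The neighbouring `GetCostEstimation` entry is consistently `Read`; the privilege list itself starts and ends outside this hunk.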
@@ -38040,6 +46921,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove the association between a MAC Security (MACsec) security key and an AWS Direct Connect dedicated connection", + "privilege": "DisassociateMacSecKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dxcon" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dxlag" + } + ] + }, { "access_level": "List", "description": "Lists the virtual interface failover test history.", @@ -38135,6 +47033,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the AWS Direct Connect dedicated connection configuration. You can update the following parameters for a connection: The connection name or The connection's MAC Security (MACsec) encryption mode", + "privilege": "UpdateConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dxcon*" + } + ] + }, { "access_level": "Write", "description": "Updates the specified attributes of the Direct Connect gateway association.", @@ -38868,6 +47778,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified connection between a replication instance and an endpoint", + "privilege": "DeleteConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Endpoint*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ReplicationInstance*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete the specified endpoint", 
@@ -38993,6 +47920,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return the possible endpoint settings available when you create an endpoint for a specific database engine", + "privilege": "DescribeEndpointSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to return information about the type of endpoints available", @@ -39224,7 +48163,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all tags for an AWS DMS resource", "privilege": "ListTagsForResource", "resource_types": [ @@ -39325,6 +48264,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to move the specified replication task to a different replication instance", + "privilege": "MoveReplicationTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ReplicationInstance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ReplicationTask*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to reboot a replication instance. Rebooting results in a momentary outage, until the replication instance becomes available again", @@ -39586,6 +48542,18 @@ } ] }, + { + "access_level": "Write", + "description": "Adds two domain controllers in the specified Region for the specified directory.", + "privilege": "AddRegion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, { "access_level": "Tagging", "description": "Adds or overwrites one or more tags for the specified Amazon Directory Services directory.", 
@@ -39965,6 +48933,18 @@ } ] }, + { + "access_level": "Read", + "description": "Provides information about the Regions that are configured for multi-Region replication.", + "privilege": "DescribeRegions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, { "access_level": "Read", "description": "Returns the shared directories in your account.", @@ -40001,6 +48981,18 @@ } ] }, + { + "access_level": "Write", + "description": "Disables alternative client authentication methods for the specified directory.", + "privilege": "DisableClientAuthentication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, { "access_level": "Write", "description": "Deactivates LDAP secure calls for the specified directory.", @@ -40037,6 +49029,18 @@ } ] }, + { + "access_level": "Write", + "description": "Enables alternative client authentication methods for the specified directory.", + "privilege": "EnableClientAuthentication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, { "access_level": "Write", "description": "Activates the switch for the specific directory to always use LDAP secure calls.", @@ -40231,6 +49235,18 @@ } ] }, + { + "access_level": "Write", + "description": "Stops all replication and removes the domain controllers from the specified Region. You cannot remove the primary Region with this operation.", + "privilege": "RemoveRegion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directory*" + } + ] + }, { "access_level": "Tagging", "description": "Removes tags from an Amazon Directory Services directory.", 
@@ -41391,6 +50407,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -41403,6 +50426,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -41415,6 +50445,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -41427,6 +50464,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -41439,6 +50483,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -41455,7 +50506,11 @@ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ebs:Description", + "ebs:ParentSnapshot", + "ebs:VolumeSize" ], "dependent_actions": [], "resource_type": "" @@ -41631,6 +50686,11 @@ "description": "Filters access by whether users are able to override resources that are specified in the launch template", "type": "Bool" }, + { + "condition": "ec2:KeyPairName", + "description": "Filters access by key pair name", + "type": "String" + }, { "condition": "ec2:LaunchTemplate", "description": "Filters access by the ARN of a launch template", 
@@ -41651,6 +50711,16 @@ "description": "Filters access by whether tokens are required when calling the instance metadata service (optional or required)", "type": "String" }, + { + "condition": "ec2:NewInstanceProfile", + "description": "Filters access by the ARN of the instance profile being attached", + "type": "ARN" + }, + { + "condition": "ec2:OutpostArn", + "description": "Filters access by the ARN of the Outpost", + "type": "ARN" + }, { "condition": "ec2:Owner", "description": "Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID)", @@ -41811,6 +50881,11 @@ "description": "Filters access by the ARN of the instance from which the request originated", "type": "ARN" }, + { + "condition": "ec2:SourceOutpostArn", + "description": "Filters access by the ARN of the Outpost from which the request originated", + "type": "ARN" + }, { "condition": "ec2:Subnet", "description": "Filters access by the ARN of the subnet", @@ -41880,7 +50955,7 @@ "ec2:Tenancy" ], "dependent_actions": [], - "resource_type": "reserved-instances" + "resource_type": "reserved-instances*" } ] }, @@ -42025,7 +51100,9 @@ "resource_types": [ { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -42041,16 +51118,14 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region" ], "dependent_actions": [], "resource_type": "dedicated-host*" 
@@ -42065,14 +51140,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -42107,13 +51182,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -42128,13 +51203,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -42174,13 +51249,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" 
@@ -42195,14 +51270,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -42266,6 +51341,7 @@ "ec2:EbsOptimized", "ec2:InstanceProfile", "ec2:InstanceType", + "ec2:NewInstanceProfile", "ec2:PlacementGroup", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -42279,6 +51355,52 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to associate one or more targets with an event window", + "privilege": "AssociateInstanceEventWindow", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "instance-event-window*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:HostRecovery", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "dedicated-host" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + } + ] + }, { "access_level": "Write", "description": "Grants permission to associate a subnet or gateway with a route table", 
@@ -42404,6 +51526,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to associate a branch network interface with a trunk network interface", + "privilege": "AssociateTrunkInterface", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to associate a CIDR block with a VPC", @@ -42523,13 +51657,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -42609,14 +51743,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -42839,44 +51973,46 @@ }, { "access_level": "Write", - "description": "Grants permission to copy a source Amazon FPGA image (AFI) to the current Region", + "description": "Grants permission to copy a source Amazon FPGA image (AFI) to the current Region. Resource-level permissions specified for this action apply to the new AFI only. They do not apply to the source AFI", "privilege": "CopyFpgaImage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Owner", + "ec2:Region" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "fpga-image*" } ] }, { "access_level": "Write", - "description": "Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region", + "description": "Grants permission to copy an Amazon Machine Image (AMI) from a source Region to the current Region. Resource-level permissions specified for this action apply to the new AMI only. They do not apply to the source AMI", "privilege": "CopyImage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "ec2:Owner", + "ec2:Region" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, { "access_level": "Write", - "description": "Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3", + "description": "Grants permission to copy a point-in-time snapshot of an EBS volume and store it in Amazon S3. Resource-level permissions specified for this action apply to the new snapshot only. They do not apply to the source snapshot", "privilege": "CopySnapshot", "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Owner", - "ec2:ParentVolume", + "ec2:OutpostArn", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:SnapshotTime", - "ec2:VolumeSize" + "ec2:SourceOutpostArn" ], "dependent_actions": [], "resource_type": "snapshot*" 
@@ -42890,11 +52026,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "capacity-reservation*" @@ -42903,18 +52037,16 @@ }, { "access_level": "Write", - "description": "Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers.", + "description": "Grants permission to create a carrier gateway and provides CSP connectivity to VPC customers", "privilege": "CreateCarrierGateway", "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "carrier-gateway*" @@ -42922,8 +52054,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -42940,17 +52070,15 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -42958,8 +52086,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -42970,8 +52096,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" 
@@ -42989,14 +52113,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -43020,9 +52144,13 @@ "privilege": "CreateCustomerGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "customer-gateway*" } ] }, @@ -43057,11 +52185,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "dhcp-options*" @@ -43075,11 +52201,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "egress-only-internet-gateway*" @@ -43087,8 +52211,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -43105,11 +52227,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "fleet*" @@ -43117,8 +52237,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:ImageType", "ec2:Owner", "ec2:Public", 
@@ -43132,8 +52250,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -43143,8 +52260,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -43154,15 +52269,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -43170,8 +52283,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -43182,8 +52293,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", @@ -43197,8 +52306,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -43216,11 +52323,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [ "iam:PassRole" @@ -43230,15 +52335,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" 
@@ -43246,8 +52349,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -43259,8 +52360,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -43277,13 +52376,11 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Owner", "ec2:Public", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "fpga-image*" @@ -43295,6 +52392,19 @@ "description": "Grants permission to create an Amazon EBS-backed AMI from a stopped or running Amazon EBS-backed instance", "privilege": "CreateImage", "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image*" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -43313,6 +52423,22 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an event window in which scheduled events for the associated Amazon EC2 instances can run", + "privilege": "CreateInstanceEventWindow", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "instance-event-window*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to export a running or stopped instance to an Amazon S3 bucket", @@ -43320,11 +52446,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "export-instance-task*" 
@@ -43332,8 +52456,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -43356,11 +52478,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "internet-gateway*" @@ -43374,11 +52494,10 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:KeyPairName", + "ec2:Region" ], "dependent_actions": [], "resource_type": "key-pair*" @@ -43392,11 +52511,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "launch-template*" @@ -43404,8 +52521,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -43415,150 +52530,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" - ], - "dependent_actions": [], - "resource_type": "dedicated-host" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:ImageType", - "ec2:Owner", - "ec2:Public", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:RootDeviceType" - ], - "dependent_actions": [], - "resource_type": "image" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "key-pair" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:AuthorizedService", - "ec2:AvailabilityZone", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" - ], - "dependent_actions": [], - "resource_type": "network-interface" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:PlacementGroupStrategy", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "placement-group" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" - ], - "dependent_actions": [], - "resource_type": "security-group" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Owner", - "ec2:ParentVolume", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:SnapshotTime", - "ec2:VolumeSize" - ], - "dependent_actions": [], - "resource_type": "snapshot" 
- }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:AvailabilityZone", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" - ], - "dependent_actions": [], - "resource_type": "subnet" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new version of a launch template", - "privilege": "CreateLaunchTemplateVersion", - "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "launch-template*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "capacity-reservation" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:AutoPlacement", - "ec2:AvailabilityZone", - "ec2:InstanceType", - "ec2:Quantity", - "ec2:HostRecovery" - ], - "dependent_actions": [], "resource_type": "dedicated-host" }, { @@ -43577,6 +52557,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -43586,13 +52567,133 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupStrategy", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "placement-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new version of a launch template", + "privilege": "CreateLaunchTemplateVersion", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "capacity-reservation" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:HostRecovery", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": 
[], + "resource_type": "dedicated-host" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:KeyPairName", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -43676,8 +52777,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -43686,11 +52785,9 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], "dependent_actions": [], @@ -43699,8 +52796,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -43717,11 +52812,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "prefix-list*" @@ -43736,8 +52829,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -43746,11 +52837,9 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "natgateway*" 
@@ -43758,8 +52847,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -43777,11 +52864,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependent_actions": [], @@ -43790,8 +52875,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -43824,7 +52907,11 @@ "privilege": "CreateNetworkInsightsPath", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" + ], "dependent_actions": [], "resource_type": "network-insights-path*" } @@ -43837,16 +52924,14 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -43854,8 +52939,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -43867,8 +52950,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -43886,13 +52967,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" 
@@ -43906,12 +52987,10 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:PlacementGroupStrategy", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "placement-group*" @@ -43920,59 +52999,9 @@ }, { "access_level": "Write", - "description": "Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace", - "privilege": "CreateReservedInstancesListing", - "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:AvailabilityZone", - "ec2:InstanceType", - "ec2:Region", - "ec2:ReservedInstancesOfferingType", - "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" - ], - "dependent_actions": [], - "resource_type": "reserved-instances*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a route in a VPC route table", - "privilege": "CreateRoute", + "description": "Grants permission to create a root volume replacement task", + "privilege": "CreateReplaceRootVolumeTask", "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" - ], - "dependent_actions": [], - "resource_type": "route-table*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc", - "ec2:Tenancy" - ], - "dependent_actions": [], - "resource_type": "carrier-gateway" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "egress-only-internet-gateway" - }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", 
@@ -43987,86 +53016,95 @@ "ec2:Tenancy" ], "dependent_actions": [], - "resource_type": "instance" + "resource_type": "instance*" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" ], "dependent_actions": [], - "resource_type": "internet-gateway" + "resource_type": "replace-root-volume-task*" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" ], "dependent_actions": [], - "resource_type": "local-gateway" + "resource_type": "volume*" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:ParentVolume", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" ], "dependent_actions": [], - "resource_type": "natgateway" - }, + "resource_type": "snapshot" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a listing for Standard Reserved Instances to be sold in the Reserved Instance Marketplace", + "privilege": "CreateReservedInstancesListing", + "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:AuthorizedService", "ec2:AvailabilityZone", + "ec2:InstanceType", "ec2:Region", + "ec2:ReservedInstancesOfferingType", "ec2:ResourceTag/${TagKey}", - "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" - ], - "dependent_actions": [], - "resource_type": "network-interface" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "prefix-list" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Tenancy" ], "dependent_actions": [], - "resource_type": "transit-gateway" - }, + "resource_type": "reserved-instances*" + } + ] + }, + { + "access_level": 
"Write", + "description": "Grants permission to start a task that restores an AMI from an S3 object previously created by using CreateStoreImageTask", + "privilege": "CreateRestoreImageTask", + "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:AccepterVpc", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", "ec2:Region", - "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:RootDeviceType" ], "dependent_actions": [], - "resource_type": "vpc-peering-connection" - }, + "resource_type": "image*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a route in a VPC route table", + "privilege": "CreateRoute", + "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], - "resource_type": "vpn-gateway" + "resource_type": "route-table*" } ] }, @@ -44077,10 +53115,18 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" ], @@ -44096,12 +53142,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" + "ec2:Region" ], "dependent_actions": [], "resource_type": "security-group*" @@ -44109,8 +53152,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" 
@@ -44127,14 +53168,14 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", + "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependent_actions": [], @@ -44143,9 +53184,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", "ec2:Region", @@ -44168,8 +53206,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -44185,14 +53221,14 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", + "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependent_actions": [], @@ -44201,9 +53237,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", "ec2:Region", @@ -44230,6 +53263,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to store an AMI as a single object in an S3 bucket", + "privilege": "CreateStoreImageTask", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a subnet in a VPC", 
@@ -44237,12 +53290,10 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:Vpc" ], "dependent_actions": [], @@ -44251,8 +53302,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -44262,6 +53311,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a subnet CIDR reservation", + "privilege": "CreateSubnetCidrReservation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to add or overwrite one or more tags for Amazon EC2 resources", @@ -44279,14 +53340,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" @@ -44303,13 +53364,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host" @@ -44335,9 +53396,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ElasticGpuType", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ElasticGpuType" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "elastic-gpu" 
@@ -44445,6 +53506,15 @@ "dependent_actions": [], "resource_type": "instance" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "instance-event-window" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -44475,6 +53545,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -44567,13 +53638,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -44597,6 +53668,15 @@ "dependent_actions": [], "resource_type": "prefix-list" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "replace-root-volume-task" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -44630,6 +53710,15 @@ "dependent_actions": [], "resource_type": "security-group" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "security-group-rule" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", 
@@ -44812,24 +53901,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -44860,11 +53949,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter*" @@ -44902,15 +53989,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -44918,8 +54003,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -44928,11 +54011,9 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "traffic-mirror-session*" 
@@ -44940,8 +54021,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -44957,11 +54036,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "traffic-mirror-target*" @@ -44969,15 +54046,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -44991,11 +54066,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "transit-gateway*" @@ -45009,9 +54082,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" @@ -45025,9 +54098,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" @@ -45042,8 +54115,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -45052,11 +54123,9 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain*" @@ -45071,8 +54140,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45081,11 +54148,9 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" @@ -45159,8 +54224,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45169,11 +54232,9 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" @@ -45188,8 +54249,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45198,11 +54257,9 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" @@ -45210,8 +54267,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -45222,8 +54277,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", 
@@ -45241,14 +54294,12 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -45256,21 +54307,6 @@ ], "dependent_actions": [], "resource_type": "volume*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Owner", - "ec2:ParentVolume", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:SnapshotTime", - "ec2:VolumeSize" - ], - "dependent_actions": [], - "resource_type": "snapshot" } ] }, @@ -45281,12 +54317,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:Region" ], "dependent_actions": [], "resource_type": "vpc*" @@ -45294,8 +54327,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45312,8 +54343,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -45325,11 +54354,11 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:VpceServiceName", + "ec2:VpceServiceOwner" ], "dependent_actions": [], "resource_type": "vpc-endpoint*" @@ -45337,8 +54366,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -45349,8 +54376,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" 
@@ -45361,8 +54386,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -45406,11 +54429,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], @@ -45426,8 +54447,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -45437,13 +54456,11 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:AccepterVpc", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:AccepterVpc", "ec2:Region", - "ec2:RequesterVpc", - "ec2:ResourceTag/${TagKey}" + "ec2:RequesterVpc" ], "dependent_actions": [], "resource_type": "vpc-peering-connection*" @@ -45458,8 +54475,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45468,25 +54483,23 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", "ec2:RoutingType" 
@@ -45497,8 +54510,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45508,8 +54519,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45526,24 +54535,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -45558,11 +54567,9 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Region" ], "dependent_actions": [], "resource_type": "vpn-gateway*" @@ -45579,8 +54586,8 @@ "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Vpc", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "carrier-gateway*" 
@@ -45595,14 +54602,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -45617,14 +54624,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -45740,6 +54747,22 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified event window.", + "privilege": "DeleteInstanceEventWindow", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "instance-event-window*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete an internet gateway", @@ -45764,6 +54787,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -45912,8 +54936,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "network-insights-analysis*" 
@@ -45929,8 +54952,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "network-insights-path*" @@ -45945,13 +54967,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -46070,11 +55092,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", + "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "dependent_actions": [], @@ -46112,6 +55136,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a subnet CIDR reservation", + "privilege": "DeleteSubnetCidrReservation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to delete one or more tags from Amazon EC2 resources", @@ -46129,14 +55165,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" 
@@ -46153,13 +55189,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host" @@ -46185,9 +55221,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:ElasticGpuType", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ElasticGpuType" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "elastic-gpu" @@ -46295,6 +55331,15 @@ "dependent_actions": [], "resource_type": "instance" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "instance-event-window" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -46325,6 +55370,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -46417,13 +55463,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -46447,6 +55493,15 @@ "dependent_actions": [], "resource_type": "prefix-list" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "replace-root-volume-task" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", 
@@ -46480,6 +55535,15 @@ "dependent_actions": [], "resource_type": "security-group" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "security-group-rule" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -46662,24 +55726,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -46717,6 +55781,15 @@ "description": "Grants permission to delete a traffic mirror filter rule", "privilege": "DeleteTrafficMirrorFilterRule", "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "traffic-mirror-filter*" + }, { "condition_keys": [ "ec2:Region" @@ -47003,7 +56076,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServiceName" ], "dependent_actions": [], "resource_type": "vpc-endpoint*" 
@@ -47036,24 +56110,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -47069,24 +56143,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -47162,13 +56236,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" 
@@ -47192,13 +56266,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -47238,6 +56312,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe the attributes of the specified Elastic IP addresses", + "privilege": "DescribeAddressesAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe the longer ID format settings for all resource types", @@ -47718,6 +56804,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe the specified event windows or all event windows", + "privilege": "DescribeInstanceEventWindows", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe the status of one or more instances", @@ -48066,6 +57164,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe a root volume replacement task", + "privilege": "DescribeReplaceRootVolumeTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe one or more purchased Reserved Instances in your account", 
@@ -48162,6 +57272,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe one or more of your security group rules", + "privilege": "DescribeSecurityGroupRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe one or more security groups", @@ -48282,6 +57404,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe the progress of the AMI store tasks", + "privilege": "DescribeStoreImageTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe one or more subnets", @@ -48438,6 +57572,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe one or more network interface trunk associations", + "privilege": "DescribeTrunkInterfaceAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe an attribute of an EBS volume", @@ -48725,13 +57871,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" 
@@ -48835,6 +57981,38 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to cancel the deprecation of the specified AMI", + "privilege": "DisableImageDeprecation", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable access to the EC2 serial console of all instances for your account", + "privilege": "DisableSerialConsoleAccess", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to disable a resource attachment from propagating routes to the specified propagation route table", @@ -48953,13 +58131,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -48974,14 +58152,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -49028,6 +58206,52 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate one or more targets from an event window", + "privilege": "DisassociateInstanceEventWindow", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "instance-event-window*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:HostRecovery", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "dedicated-host" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + } + ] + }, { "access_level": "Write", "description": "Grants permission to disassociate a subnet from a route table", @@ -49135,6 +58359,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a branch network interface to a trunk network interface", + "privilege": "DisassociateTrunkInterface", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to disassociate a CIDR block from a VPC", 
@@ -49179,6 +58415,38 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to enable deprecation of the specified AMI at the specified date and time", + "privilege": "EnableImageDeprecation", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable access to the EC2 serial console of all instances for your account", + "privilege": "EnableSerialConsoleAccess", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to enable an attachment to propagate routes to a propagation route table", @@ -49288,21 +58556,21 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to download the client certificate revocation list for a Client VPN endpoint", "privilege": "ExportClientVpnClientCertificateRevocationList", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -49310,21 +58578,21 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to download the contents of the Client VPN endpoint configuration file for a Client VPN endpoint", "privilege": "ExportClientVpnClientConfiguration", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -49338,9 +58606,16 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "export-image-task*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ImageType", "ec2:Owner", "ec2:Public", @@ -49507,6 +58782,22 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to generate a CloudFormation template to streamline the integration of VPC flow logs with Amazon Athena", + "privilege": "GetFlowLogsIntegrationTemplate", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpc-flow-log*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the resource groups to which a Capacity Reservation has been added", 
@@ -49531,13 +58822,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host*" @@ -49642,6 +58933,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the access status of your account to the EC2 serial console of all instances", + "privilege": "GetSerialConsoleAccessStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about the subnet CIDR reservations", + "privilege": "GetSubnetCidrReservations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the route tables to which a resource attachment propagates routes", @@ -49730,14 +59045,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -49751,9 +59066,20 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", @@ -49800,9 +59126,14 @@ "privilege": "ImportKeyPair", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:KeyPairName", + "ec2:Region" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "key-pair*" } ] }, @@ -49813,13 +59144,11 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", "ec2:VolumeSize" ], @@ -49840,6 +59169,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to modify an attribute of the specified Elastic IP address", + "privilege": "ModifyAddressAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account", @@ -49860,6 +59201,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -49876,14 +59218,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", + "ec2:Attribute/${AttributeName}", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -49942,6 +59285,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -49964,6 +59308,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -49982,13 +59327,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -50037,6 +59382,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:Public", "ec2:Region", @@ -50055,13 +59401,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host*" @@ -50100,6 +59447,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:ImageType", "ec2:Owner", "ec2:Public", 
@@ -50120,6 +59468,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -50169,6 +59518,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -50201,6 +59551,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -50224,6 +59575,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -50239,6 +59591,22 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to modify the specified event window", + "privilege": "ModifyInstanceEventWindow", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "instance-event-window*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to modify the metadata options for an instance", @@ -50247,6 +59615,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -50270,6 +59639,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -50286,13 +59656,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host" 
@@ -50317,6 +59687,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50333,6 +59704,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50349,13 +59721,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", + "ec2:Attribute/${AttributeName}", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -50396,6 +59769,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:InstanceType", "ec2:Region", @@ -50408,6 +59782,41 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to modify the rules of a security group", + "privilege": "ModifySecurityGroupRules", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "prefix-list" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "security-group-rule" + } + ] + }, { "access_level": "Permissions management", "description": "Grants permission to add or remove permission settings for a snapshot", @@ -50416,6 +59825,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", 
@@ -50436,11 +59846,21 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "spot-fleet-request*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template" } ] }, @@ -50452,6 +59872,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -50470,6 +59891,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50486,6 +59908,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50494,6 +59917,7 @@ }, { "condition_keys": [ + "ec2:Attribute/${AttributeName}", "ec2:Region" ], "dependent_actions": [], @@ -50509,6 +59933,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50543,6 +59968,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50568,6 +59994,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50577,6 +60004,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50602,6 +60030,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50629,6 +60058,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", 
@@ -50652,6 +60082,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", @@ -50675,6 +60106,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -50692,6 +60124,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50739,6 +60172,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -50748,6 +60182,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName" @@ -50765,6 +60200,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName" @@ -50782,6 +60218,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName" @@ -50800,6 +60237,7 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}" @@ -50817,6 +60255,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" 
@@ -50834,24 +60273,25 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -50894,24 +60334,25 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], 
@@ -50927,24 +60368,25 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -50960,24 +60402,25 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", + "ec2:Attribute/${AttributeName}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], 
@@ -51040,15 +60483,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host*" @@ -51061,9 +60502,17 @@ "privilege": "PurchaseReservedInstancesOffering", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Region", + "ec2:ReservedInstancesOfferingType", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "reserved-instances*" } ] }, @@ -51134,13 +60583,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -51164,13 +60613,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -51194,8 +60643,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", 
@@ -51324,13 +60771,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AutoPlacement", "ec2:AvailabilityZone", + "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", - "ec2:HostRecovery" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dedicated-host*" @@ -51349,6 +60796,7 @@ "ec2:EbsOptimized", "ec2:InstanceProfile", "ec2:InstanceType", + "ec2:NewInstanceProfile", "ec2:PlacementGroup", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -51376,6 +60824,17 @@ ], "dependent_actions": [], "resource_type": "network-acl*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet*" } ] }, @@ -51416,8 +60875,8 @@ "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Vpc", - "ec2:Tenancy" + "ec2:Tenancy", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "carrier-gateway" @@ -51459,8 +60918,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -51479,13 +60936,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -51508,6 +60965,15 @@ "dependent_actions": [], "resource_type": "transit-gateway" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpc-endpoint" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", 
@@ -51600,6 +61066,15 @@ "description": "Grants permission to create a Spot Fleet request", "privilege": "RequestSpotFleet", "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template" + }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", @@ -51619,9 +61094,16 @@ "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:Region" + ], + "dependent_actions": [], + "resource_type": "spot-instances-request*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ImageType", "ec2:Owner", "ec2:Public", @@ -51635,8 +61117,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -51646,8 +61127,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -51658,8 +61137,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -51670,6 +61147,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to reset the attribute of the specified IP address", + "privilege": "ResetAddressAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to reset the default customer master key (CMK) for EBS encryption for your account to use the AWS-managed CMK for EBS", 
@@ -51751,13 +61240,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -51820,14 +61309,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -51876,8 +61365,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:ImageType", "ec2:Owner", "ec2:Public", @@ -51890,7 +61377,6 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", @@ -51899,7 +61385,6 @@ "ec2:InstanceType", "ec2:PlacementGroup", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", "ec2:Tenancy" ], @@ -51908,16 +61393,14 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -51925,8 +61408,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" 
@@ -51937,8 +61418,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -51949,14 +61428,12 @@ }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", "ec2:VolumeThroughput", @@ -51968,8 +61445,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -51979,11 +61454,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:ElasticGpuType", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ElasticGpuType" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "elastic-gpu" @@ -51996,8 +61469,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -52007,8 +61479,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -52018,8 +61488,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:PlacementGroupStrategy", "ec2:Region", "ec2:ResourceTag/${TagKey}" @@ -52030,8 +61498,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", @@ -52065,6 +61531,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -52074,13 +61541,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface" @@ -52234,8 +61701,16 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Vpc" + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "network-insights-analysis*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "network-insights-path*" @@ -52290,14 +61765,14 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:ServerCertificateArn", "ec2:ClientRootCertificateChainArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn", "ec2:DirectoryArn", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:SamlProviderArn", - "ec2:CloudwatchLogGroupArn", - "ec2:CloudwatchLogStreamArn" + "ec2:ServerCertificateArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -52305,24 +61780,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", - "ec2:Phase2DHGroupNumbers", "ec2:Phase1EncryptionAlgorithms", - "ec2:Phase2EncryptionAlgorithms", "ec2:Phase1IntegrityAlgorithms", - "ec2:Phase2IntegrityAlgorithms", "ec2:Phase1LifetimeSeconds", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase2IntegrityAlgorithms", "ec2:Phase2LifetimeSeconds", "ec2:PresharedKeys", + "ec2:Region", "ec2:RekeyFuzzPercentage", "ec2:RekeyMarginTimeSeconds", + "ec2:ResourceTag/${TagKey}", "ec2:RoutingType" ], "dependent_actions": [], @@ -52361,13 +61836,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -52382,13 +61857,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AssociatePublicIpAddress", "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc", - "ec2:AssociatePublicIpAddress" + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -52683,6 +62158,17 @@ ], "resource": "import-snapshot-task" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:instance-event-window/${InstanceEventWindowId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "instance-event-window" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}", "condition_keys": [ 
@@ -52740,6 +62226,7 @@ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:KeyPairName", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -52907,6 +62394,17 @@ ], "resource": "prefix-list" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:replace-root-volume-task/${ReplaceRootVolumeTaskId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "replace-root-volume-task" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:reserved-instances/${ReservationId}", "condition_keys": [ @@ -52951,17 +62449,30 @@ ], "resource": "security-group" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:security-group-rule/${SecurityGroupRuleId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "security-group-rule" + }, { "arn": "arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", + "ec2:OutpostArn", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", + "ec2:SourceOutpostArn", "ec2:VolumeSize" ], "resource": "snapshot" @@ -53219,12 +62730,12 @@ "conditions": [ { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access based on the tags associated with the resource", "type": "String" }, { "condition": "ec2:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access based on the tags associated with the resource", "type": "String" }, { 
@@ -53237,7 +62748,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to push the SSH public key to the instance metadata where it remains for 60 seconds.", + "description": "Grants access to push an SSH public key to the specified EC2 instance to be used for standard SSH", "privilege": "SendSSHPublicKey", "resource_types": [ { @@ -53253,6 +62764,18 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants access to push an SSH public key to the specified EC2 instance to be used for serial console SSH", + "privilege": "SendSerialConsoleSSHPublicKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + } + ] } ], "resources": [ @@ -53273,7 +62796,7 @@ "privileges": [ { "access_level": "Write", - "description": "Acknowledges a message, ensuring it will not be delivered again", + "description": "Grants permission to acknowledge a message, ensuring it will not be delivered again", "privilege": "AcknowledgeMessage", "resource_types": [ { @@ -53285,7 +62808,7 @@ }, { "access_level": "Write", - "description": "Deletes a message", + "description": "Grants permission to delete a message", "privilege": "DeleteMessage", "resource_types": [ { @@ -53297,7 +62820,7 @@ }, { "access_level": "Write", - "description": "Fails a message, signifying the message could not be processed successfully, ensuring it cannot be replied to or delivered again", + "description": "Grants permission to fail a message, signifying the message could not be processed successfully, ensuring it cannot be replied to or delivered again", "privilege": "FailMessage", "resource_types": [ { 
@@ -53309,7 +62832,7 @@ }, { "access_level": "Read", - "description": "Routes traffic to the correct endpoint based on the given destination for the messages", + "description": "Grants permission to route traffic to the correct endpoint based on the given destination for the messages", "privilege": "GetEndpoint", "resource_types": [ { @@ -53321,7 +62844,7 @@ }, { "access_level": "Read", - "description": "Delivers messages to clients/instances using long polling", + "description": "Grants permission to deliver messages to clients/instances using long polling", "privilege": "GetMessages", "resource_types": [ { @@ -53333,7 +62856,7 @@ }, { "access_level": "Write", - "description": "Sends replies from clients/instances to upstream service", + "description": "Grants permission to send replies from clients/instances to upstream service", "privilege": "SendReply", "resource_types": [ { @@ -53822,7 +63345,28 @@ "service_name": "Amazon Elastic Container Registry" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters create requests based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters create requests based on the presence of mandatory tags in the request", + "type": "String" + }, + { + "condition": "ecr-public:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value associated with the resource", + "type": "String" + } + ], "prefix": "ecr-public", "privileges": [ { @@ -53870,6 +63414,14 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "repository*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -54005,6 +63557,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list the tags for an Amazon ECR resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create or update the image manifest associated with an image", @@ -54053,6 +63617,46 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to tag an Amazon ECR resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag an Amazon ECR resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "repository*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to upload an image layer part to Amazon ECR Public", @@ -54069,7 +63673,10 @@ "resources": [ { "arn": "arn:${Partition}:ecr-public::${Account}:repository/${RepositoryName}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ecr-public:ResourceTag/${TagKey}" + ], "resource": "repository" }, { 
@@ -54084,47 +63691,62 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request.", + "description": "Filters access by the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource.", + "description": "Filters access based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request.", + "description": "Filters access based on tag keys that are passed in the request", "type": "String" }, { "condition": "ecs:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource.", + "description": "Filters access based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "ecs:capacity-provider", - "description": "The ARN of an Amazon ECS capacity provider.", + "description": "Filters access based on the ARN of an Amazon ECS capacity provider", "type": "ARN" }, { "condition": "ecs:cluster", - "description": "The ARN of an Amazon ECS cluster.", + "description": "Filters access based on the ARN of an Amazon ECS cluster", "type": "ARN" }, { "condition": "ecs:container-instances", - "description": "The ARN of an Amazon ECS container instance.", + "description": "Filters access based on the ARN of an Amazon ECS container instance", "type": "ARN" }, + { + "condition": "ecs:container-name", + "description": "Filters access based on the name of an Amazon ECS container which is defined in the ECS task definition", + "type": "String" + }, + { + "condition": "ecs:enable-execute-command", + "description": "Filters access based on execute-command capability of your Amazon ECS task or Amazon ECS service", + "type": "String" + }, { "condition": "ecs:service", - 
"description": "The ARN of an Amazon ECS service.", + "description": "Filters access based on the ARN of an Amazon ECS service", + "type": "ARN" + }, + { + "condition": "ecs:task", + "description": "Filters access based on the ARN of an Amazon ECS task", "type": "ARN" }, { "condition": "ecs:task-definition", - "description": "The ARN of an Amazon ECS task definition.", + "description": "Filters access based on the ARN of an Amazon ECS task definition", "type": "ARN" } ], @@ -54132,7 +63754,7 @@ "privileges": [ { "access_level": "Write", - "description": "Creates a new capacity provider. Capacity providers are associated with an Amazon ECS cluster and are used in capacity provider strategies to facilitate cluster auto scaling.", + "description": "Grants permission to create a new capacity provider. Capacity providers are associated with an Amazon ECS cluster and are used in capacity provider strategies to facilitate cluster auto scaling", "privilege": "CreateCapacityProvider", "resource_types": [ { @@ -54147,7 +63769,7 @@ }, { "access_level": "Write", - "description": "Creates a new Amazon ECS cluster.", + "description": "Grants permission to create a new Amazon ECS cluster", "privilege": "CreateCluster", "resource_types": [ { @@ -54163,7 +63785,7 @@ }, { "access_level": "Write", - "description": "Runs and maintains a desired number of tasks from a specified task definition.", + "description": "Grants permission to run and maintain a desired number of tasks from a specified task definition via service creation", "privilege": "CreateService", "resource_types": [ { @@ -54176,6 +63798,7 @@ "ecs:cluster", "ecs:capacity-provider", "ecs:task-definition", + "ecs:enable-execute-command", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], 
@@ -54186,12 +63809,13 @@ }, { "access_level": "Write", - "description": "Creates a new Amazon ECS task set.", + "description": "Grants permission to create a new Amazon ECS task set", "privilege": "CreateTaskSet", "resource_types": [ { "condition_keys": [ "ecs:cluster", + "ecs:capacity-provider", "ecs:service", "ecs:task-definition" ], @@ -54202,7 +63826,7 @@ }, { "access_level": "Write", - "description": "Modifies the ARN and resource ID format of a resource for a specified IAM user, IAM role, or the root user for an account. You can specify whether the new ARN and resource ID format are disabled for new resources that are created.", + "description": "Grants permission to modify the ARN and resource ID format of a resource for a specified IAM user, IAM role, or the root user for an account. You can specify whether the new ARN and resource ID format are disabled for new resources that are created", "privilege": "DeleteAccountSetting", "resource_types": [ { @@ -54214,7 +63838,7 @@ }, { "access_level": "Write", - "description": "Deletes one or more custom attributes from an Amazon ECS resource.", + "description": "Grants permission to delete one or more custom attributes from an Amazon ECS resource", "privilege": "DeleteAttributes", "resource_types": [ { @@ -54233,7 +63857,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified capacity provider.", + "description": "Grants permission to delete the specified capacity provider", "privilege": "DeleteCapacityProvider", "resource_types": [ { @@ -54245,7 +63869,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified cluster.", + "description": "Grants permission to delete the specified cluster", "privilege": "DeleteCluster", "resource_types": [ { 
@@ -54257,7 +63881,7 @@ }, { "access_level": "Write", - "description": "Deletes a specified service within a cluster.", + "description": "Grants permission to delete a specified service within a cluster", "privilege": "DeleteService", "resource_types": [ { @@ -54276,7 +63900,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified task set.", + "description": "Grants permission to delete the specified task set", "privilege": "DeleteTaskSet", "resource_types": [ { @@ -54296,7 +63920,7 @@ }, { "access_level": "Write", - "description": "Deregisters an Amazon ECS container instance from the specified cluster.", + "description": "Grants permission to deregister an Amazon ECS container instance from the specified cluster", "privilege": "DeregisterContainerInstance", "resource_types": [ { @@ -54308,7 +63932,7 @@ }, { "access_level": "Write", - "description": "Deregisters the specified task definition by family and revision.", + "description": "Grants permission to deregister the specified task definition by family and revision", "privilege": "DeregisterTaskDefinition", "resource_types": [ { @@ -54320,7 +63944,7 @@ }, { "access_level": "Read", - "description": "Describes one or more Amazon ECS capacity providers.", + "description": "Grants permission to describe one or more Amazon ECS capacity providers", "privilege": "DescribeCapacityProviders", "resource_types": [ { @@ -54332,7 +63956,7 @@ }, { "access_level": "Read", - "description": "Describes one or more of your clusters.", + "description": "Grants permission to describes one or more of your clusters", "privilege": "DescribeClusters", "resource_types": [ { @@ -54344,7 +63968,7 @@ }, { "access_level": "Read", - "description": "Describes Amazon ECS container instances.", + "description": "Grants permission to describes Amazon ECS container instances", "privilege": "DescribeContainerInstances", "resource_types": [ { 
@@ -54363,7 +63987,7 @@ }, { "access_level": "Read", - "description": "Describes the specified services running in your cluster.", + "description": "Grants permission to describe the specified services running in your cluster", "privilege": "DescribeServices", "resource_types": [ { @@ -54382,7 +64006,7 @@ }, { "access_level": "Read", - "description": "Describes a task definition. You can specify a family and revision to find information about a specific task definition, or you can simply specify the family to find the latest ACTIVE revision in that family.", + "description": "Grants permission to describe a task definition. You can specify a family and revision to find information about a specific task definition, or you can simply specify the family to find the latest ACTIVE revision in that family", "privilege": "DescribeTaskDefinition", "resource_types": [ { @@ -54394,7 +64018,7 @@ }, { "access_level": "Read", - "description": "Describes Amazon ECS task sets.", + "description": "Grants permission to describe Amazon ECS task sets", "privilege": "DescribeTaskSets", "resource_types": [ { @@ -54414,7 +64038,7 @@ }, { "access_level": "Read", - "description": "Describes a specified task or tasks.", + "description": "Grants permission to describe a specified task or tasks", "privilege": "DescribeTasks", "resource_types": [ { @@ -54433,7 +64057,7 @@ }, { "access_level": "Write", - "description": "Returns an endpoint for the Amazon ECS agent to poll for updates.", + "description": "Grants permission to get an endpoint for the Amazon ECS agent to poll for updates", "privilege": "DiscoverPollEndpoint", "resource_types": [ { 
@@ -54444,8 +64068,34 @@ ] }, { - "access_level": "List", - "description": "Lists the account settings for an Amazon ECS resource for a specified principal.", + "access_level": "Write", + "description": "Grants permission to run a command remotely on an Amazon ECS container", + "privilege": "ExecuteCommand", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "ecs:cluster", + "ecs:container-name", + "ecs:task" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the account settings for an Amazon ECS resource for a specified principal", "privilege": "ListAccountSettings", "resource_types": [ { @@ -54457,7 +64107,7 @@ }, { "access_level": "List", - "description": "Lists the attributes for Amazon ECS resources within a specified target type and cluster.", + "description": "Grants permission to lists the attributes for Amazon ECS resources within a specified target type and cluster", "privilege": "ListAttributes", "resource_types": [ { @@ -54469,7 +64119,7 @@ }, { "access_level": "List", - "description": "Returns a list of existing clusters.", + "description": "Grants permission to get a list of existing clusters", "privilege": "ListClusters", "resource_types": [ { @@ -54481,7 +64131,7 @@ }, { "access_level": "List", - "description": "Returns a list of container instances in a specified cluster.", + "description": "Grants permission to get a list of container instances in a specified cluster", "privilege": "ListContainerInstances", "resource_types": [ { 
@@ -54493,7 +64143,7 @@ }, { "access_level": "List", - "description": "Lists the services that are running in a specified cluster.", + "description": "Grants permission to get a list of services that are running in a specified cluster", "privilege": "ListServices", "resource_types": [ { @@ -54506,8 +64156,8 @@ ] }, { - "access_level": "List", - "description": "List tags for the specified resource.", + "access_level": "Read", + "description": "Grants permission to get a list of tags for the specified resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -54534,7 +64184,7 @@ }, { "access_level": "List", - "description": "Returns a list of task definition families that are registered to your account (which may include task definition families that no longer have any ACTIVE task definitions).", + "description": "Grants permission to get a list of task definition families that are registered to your account (which may include task definition families that no longer have any ACTIVE task definitions)", "privilege": "ListTaskDefinitionFamilies", "resource_types": [ { @@ -54546,7 +64196,7 @@ }, { "access_level": "List", - "description": "Returns a list of task definitions that are registered to your account.", + "description": "Grants permission to get a list of task definitions that are registered to your account", "privilege": "ListTaskDefinitions", "resource_types": [ { @@ -54558,7 +64208,7 @@ }, { "access_level": "List", - "description": "Returns a list of tasks for a specified cluster.", + "description": "Grants permission to get a list of tasks for a specified cluster", "privilege": "ListTasks", "resource_types": [ { 
@@ -54577,7 +64227,7 @@ }, { "access_level": "Write", - "description": "Grants permission to an agent to connect with the Amazon ECS service to report status and get commands.", + "description": "Grants permission to an agent to connect with the Amazon ECS service to report status and get commands", "privilege": "Poll", "resource_types": [ { @@ -54596,7 +64246,7 @@ }, { "access_level": "Write", - "description": "Modifies the ARN and resource ID format of a resource for a specified IAM user, IAM role, or the root user for an account. You can specify whether the new ARN and resource ID format are enabled for new resources that are created. Enabling this setting is required to use new Amazon ECS features such as resource tagging.", + "description": "Grants permission to modify the ARN and resource ID format of a resource for a specified IAM user, IAM role, or the root user for an account. You can specify whether the new ARN and resource ID format are enabled for new resources that are created. Enabling this setting is required to use new Amazon ECS features such as resource tagging", "privilege": "PutAccountSetting", "resource_types": [ { @@ -54608,7 +64258,7 @@ }, { "access_level": "Write", - "description": "Modifies the ARN and resource ID format of a resource type for all IAM users on an account for which no individual account setting has been set. Enabling this setting is required to use new Amazon ECS features such as resource tagging.", + "description": "Grants permission to modify the ARN and resource ID format of a resource type for all IAM users on an account for which no individual account setting has been set. Enabling this setting is required to use new Amazon ECS features such as resource tagging", "privilege": "PutAccountSettingDefault", "resource_types": [ { 
@@ -54620,7 +64270,7 @@ }, { "access_level": "Write", - "description": "Create or update an attribute on an Amazon ECS resource.", + "description": "Grants permission to create or update an attribute on an Amazon ECS resource", "privilege": "PutAttributes", "resource_types": [ { @@ -54639,7 +64289,7 @@ }, { "access_level": "Write", - "description": "Modifies the available capacity providers and the default capacity provider strategy for a cluster.", + "description": "Grants permission to modify the available capacity providers and the default capacity provider strategy for a cluster", "privilege": "PutClusterCapacityProviders", "resource_types": [ { @@ -54658,7 +64308,7 @@ }, { "access_level": "Write", - "description": "Registers an EC2 instance into the specified cluster.", + "description": "Grants permission to register an EC2 instance into the specified cluster", "privilege": "RegisterContainerInstance", "resource_types": [ { @@ -54678,7 +64328,7 @@ }, { "access_level": "Write", - "description": "Registers a new task definition from the supplied family and containerDefinitions.", + "description": "Grants permission to register a new task definition from the supplied family and containerDefinitions", "privilege": "RegisterTaskDefinition", "resource_types": [ { @@ -54693,7 +64343,7 @@ }, { "access_level": "Write", - "description": "Start a task using random placement and the default Amazon ECS scheduler.", + "description": "Grants permission to start a task using random placement and the default Amazon ECS scheduler", "privilege": "RunTask", "resource_types": [ { @@ -54705,6 +64355,7 @@ "condition_keys": [ "ecs:cluster", "ecs:capacity-provider", + "ecs:enable-execute-command", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], 
@@ -54715,7 +64366,7 @@ }, { "access_level": "Write", - "description": "Starts a new task from the specified task definition on the specified container instance or instances.", + "description": "Grants permission to start a new task from the specified task definition on the specified container instance or instances", "privilege": "StartTask", "resource_types": [ { @@ -54727,6 +64378,7 @@ "condition_keys": [ "ecs:cluster", "ecs:container-instances", + "ecs:enable-execute-command", "aws:RequestTag/${TagKey}", "aws:TagKeys" ], @@ -54737,7 +64389,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start a telemetry session.", + "description": "Grants permission to start a telemetry session", "privilege": "StartTelemetrySession", "resource_types": [ { @@ -54756,7 +64408,7 @@ }, { "access_level": "Write", - "description": "Stops a running task.", + "description": "Grants permission to stop a running task", "privilege": "StopTask", "resource_types": [ { @@ -54775,7 +64427,7 @@ }, { "access_level": "Write", - "description": "Sent to acknowledge that attachments changed states.", + "description": "Grants permission to send an acknowledgement that attachments changed states", "privilege": "SubmitAttachmentStateChanges", "resource_types": [ { @@ -54787,7 +64439,7 @@ }, { "access_level": "Write", - "description": "Sent to acknowledge that a container changed states.", + "description": "Grants permission to send an acknowledgement that a container changed states", "privilege": "SubmitContainerStateChange", "resource_types": [ { @@ -54799,7 +64451,7 @@ }, { "access_level": "Write", - "description": "Sent to acknowledge that a task changed states.", + "description": "Grants permission to send an acknowledgement that a task changed states", "privilege": "SubmitTaskStateChange", "resource_types": [ { 
@@ -54811,7 +64463,7 @@ }, { "access_level": "Tagging", - "description": "Tags the specified resource.", + "description": "Grants permission to tag the specified resource", "privilege": "TagResource", "resource_types": [ { @@ -54851,7 +64503,7 @@ }, { "access_level": "Tagging", - "description": "Untags the specified resource.", + "description": "Grants permission to untag the specified resource", "privilege": "UntagResource", "resource_types": [ { @@ -54890,7 +64542,31 @@ }, { "access_level": "Write", - "description": "Modifies the settings to use for a cluster.", + "description": "Grants permission to update the specified capacity provider", + "privilege": "UpdateCapacityProvider", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "capacity-provider*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the configuration or settings to use for a cluster", + "privilege": "UpdateCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the settings to use for a cluster", "privilege": "UpdateClusterSettings", "resource_types": [ { @@ -54902,7 +64578,7 @@ }, { "access_level": "Write", - "description": "Updates the Amazon ECS container agent on a specified container instance.", + "description": "Grants permission to update the Amazon ECS container agent on a specified container instance", "privilege": "UpdateContainerAgent", "resource_types": [ { @@ -54921,7 +64597,7 @@ }, { "access_level": "Write", - "description": "Enables the user to modify the status of an Amazon ECS container instance.", + "description": "Grants permission to the user to modify the status of an Amazon ECS container instance", "privilege": "UpdateContainerInstancesState", "resource_types": [ { 
@@ -54940,7 +64616,7 @@ }, { "access_level": "Write", - "description": "Modifies the parameters of a service.", + "description": "Grants permission to modify the parameters of a service", "privilege": "UpdateService", "resource_types": [ { @@ -54952,6 +64628,7 @@ "condition_keys": [ "ecs:cluster", "ecs:capacity-provider", + "ecs:enable-execute-command", "ecs:task-definition" ], "dependent_actions": [], @@ -54961,7 +64638,7 @@ }, { "access_level": "Write", - "description": "Modifies the primary task set used in a service.", + "description": "Grants permission to modify the primary task set used in a service", "privilege": "UpdateServicePrimaryTaskSet", "resource_types": [ { @@ -54980,7 +64657,7 @@ }, { "access_level": "Write", - "description": "Updates the specified task set.", + "description": "Grants permission to update the specified task set", "privilege": "UpdateTaskSet", "resource_types": [ { 
@@ -55555,13 +65232,611 @@ ], "service_name": "Amazon Elastic Container Service for Kubernetes" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the EKS service", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the EKS service", + "type": "String" + }, + { + "condition": "eks:clientId", + "description": "Filters access by the clientId present in the associateIdentityProviderConfig request the user makes to the EKS service", + "type": "String" + }, + { + "condition": "eks:issuerUrl", + "description": "Filters access by the issuerUrl present in the associateIdentityProviderConfig request the user makes to the EKS service", + "type": "String" + } + ], + "prefix": "eks", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to view Kubernetes objects via AWS EKS console", + "privilege": "AccessKubernetesApi", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate encryption configuration to a cluster", + "privilege": "AssociateEncryptionConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate an identity provider configuration to a cluster", + "privilege": "AssociateIdentityProviderConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + 
"eks:clientId", + "eks:issuerUrl" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon EKS add-on", + "privilege": "CreateAddon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon EKS cluster", + "privilege": "CreateCluster", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS Fargate profile", + "privilege": "CreateFargateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon EKS Nodegroup", + "privilege": "CreateNodegroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon EKS add-on", + "privilege": "DeleteAddon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon EKS cluster", + "privilege": "DeleteCluster", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an AWS Fargate profile", + "privilege": "DeleteFargateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fargateprofile*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon EKS Nodegroup", + "privilege": "DeleteNodegroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptive information about an Amazon EKS add-on", + "privilege": "DescribeAddon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptive version information about the add-ons that Amazon EKS Add-ons supports", + "privilege": "DescribeAddonVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptive information about an Amazon EKS cluster", + "privilege": "DescribeCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptive information about an AWS Fargate profile associated with a cluster", + "privilege": "DescribeFargateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fargateprofile*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptive information about an Idp config associated with a cluster", + "privilege": 
"DescribeIdentityProviderConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identityproviderconfig*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve descriptive information about an Amazon EKS nodegroup", + "privilege": "DescribeNodegroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a given update for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region)", + "privilege": "DescribeUpdate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an asssociated Idp config", + "privilege": "DisassociateIdentityProviderConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identityproviderconfig*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Amazon EKS add-ons in your AWS account (in the specified or default region) for a given cluster", + "privilege": "ListAddons", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Amazon EKS clusters in your AWS account (in the specified or default region)", + "privilege": "ListClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the AWS Fargate profiles in your 
AWS account (in the specified or default region) associated with a given cluster", + "privilege": "ListFargateProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Idp configs in your AWS account (in the specified or default region) associated with a given cluster", + "privilege": "ListIdentityProviderConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Amazon EKS nodegroups in your AWS account (in the specified or default region) attached to given cluster", + "privilege": "ListNodegroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for the specified resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fargateprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identityproviderconfig" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the updates for a given Amazon EKS cluster/nodegroup/add-on (in the specified or default region)", + "privilege": "ListUpdates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon" + }, + { + "condition_keys": [], 
+ "dependent_actions": [], + "resource_type": "nodegroup" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag the specified resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fargateprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identityproviderconfig" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag the specified resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fargateprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identityproviderconfig" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update Amazon EKS add-on configurations, such as the VPC-CNI version", + "privilege": "UpdateAddon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "addon*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update Amazon EKS cluster configurations (eg: API server endpoint access)", + 
"privilege": "UpdateClusterConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the Kubernetes version of an Amazon EKS cluster", + "privilege": "UpdateClusterVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update Amazon EKS nodegroup configurations (eg: min/max/desired capacity or labels)", + "privilege": "UpdateNodegroupConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the Kubernetes version of an Amazon EKS nodegroup", + "privilege": "UpdateNodegroupVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "nodegroup*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:eks:${Region}:${Account}:cluster/${ClusterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + }, + { + "arn": "arn:${Partition}:eks:${Region}:${Account}:nodegroup/${ClusterName}/${NodegroupName}/${UUID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "nodegroup" + }, + { + "arn": "arn:${Partition}:eks:${Region}:${Account}:addon/${ClusterName}/${AddonName}/${UUID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "addon" + }, + { + "arn": "arn:${Partition}:eks:${Region}:${Account}:fargateprofile/${ClusterName}/${FargateProfileName}/${UUID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "fargateprofile" + }, + { + "arn": "arn:${Partition}:eks:${Region}:${Account}:identityproviderconfig/${ClusterName}/${IdentityProviderType}/${IdentityProviderConfigName}/${UUID}", + 
"condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "identityproviderconfig" + } + ], + "service_name": "Amazon Elastic Kubernetes Service" + }, { "conditions": [], "prefix": "elastic-inference", "privileges": [ { "access_level": "Write", - "description": "Connects customer to Elastic Inference accelerator", + "description": "Grants permission to customer for connecting to Elastic Inference accelerator", "privilege": "Connect", "resource_types": [ { 
@@ -55570,6 +65845,78 @@ "resource_type": "accelerator*" } ] + }, + { + "access_level": "List", + "description": "Grants permission to describe the locations in which a given accelerator type or set of types is present in a given region", + "privilege": "DescribeAcceleratorOfferings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe the accelerator types available in a given region, as well as their characteristics, such as memory and throughput", + "privilege": "DescribeAcceleratorTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe information over a provided set of accelerators belonging to an account", + "privilege": "DescribeAccelerators", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all tags on an Amazon RDS resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to assign one or more tags (key-value pairs) to the specified QuickSight resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove a tag or tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ 
@@ -55582,12 +65929,98 @@ "service_name": "Amazon Elastic Inference" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + }, + { + "condition": "elasticache:AtRestEncryptionEnabled", + "description": "Filters access by the AtRestEncryptionEnabled parameter present in the request or default false value if parameter is not present", + "type": "Bool" + }, + { + "condition": "elasticache:AuthTokenEnabled", + "description": "Filters access by the presence of non empty AuthToken parameter in the request", + "type": "Bool" + }, + { + "condition": "elasticache:AutomaticFailoverEnabled", + "description": "Filters access by the AutomaticFailoverEnabled parameter in the request", + "type": "Bool" + }, + { + "condition": "elasticache:CacheNodeType", + "description": "Filters access by the cacheNodeType parameter present in the request. This key can be used to restrict which cache node types can be used on cluster creation or scaling operations", + "type": "String" + }, + { + "condition": "elasticache:CacheParameterGroupName", + "description": "Filters access by the the CacheParameterGroupName parameter in the request", + "type": "String" + }, + { + "condition": "elasticache:ClusterModeEnabled", + "description": "Filters access by the cluster mode parameter present in the request. Default value for single node group (shard) creations is false", + "type": "Bool" + }, + { + "condition": "elasticache:EngineType", + "description": "Filters access by the engine type present in creation requests. 
For replication group creations, default engine \u2018redis\u2019 is used as key if parameter is not present", + "type": "String" + }, + { + "condition": "elasticache:EngineVersion", + "description": "Filters access by the engineVersion parameter present in creation or cluster modification requests", + "type": "String" + }, + { + "condition": "elasticache:KmsKeyId", + "description": "Filters access by the KmsKeyId parameter in the request", + "type": "String" + }, + { + "condition": "elasticache:MultiAZEnabled", + "description": "Filters access by the AZMode parameter, MultiAZEnabled parameter or the number of availability zones that the cluster or replication group can be placed in", + "type": "Bool" + }, + { + "condition": "elasticache:NumNodeGroups", + "description": "Filters access by the NumNodeGroups or NodeGroupCount parameter specified in the request. This key can be used to restrict the number of node groups (shards) clusters can have after creation or scaling operations", + "type": "Numeric" + }, + { + "condition": "elasticache:ReplicasPerNodeGroup", + "description": "Filters access by the number of replicas per node group (shards) specified in creations or scaling requests", + "type": "Numeric" + }, + { + "condition": "elasticache:SnapshotRetentionLimit", + "description": "Filters access by the SnapshotRetentionLimit parameter in the request", + "type": "Numeric" + }, + { + "condition": "elasticache:TransitEncryptionEnabled", + "description": "Filters access by the TransitEncryptionEnabled parameter present in the request or default false value if parameter is not present", + "type": "Bool" + } + ], "prefix": "elasticache", "privileges": [ { "access_level": "Tagging", - "description": "The AddTagsToResource action adds up to 10 cost allocation tags to the named resource.", + "description": "Grants permission to add tags to an ElastiCache resource", "privilege": "AddTagsToResource", "resource_types": [ { 
@@ -55595,16 +66028,60 @@ "dependent_actions": [], "resource_type": "cluster" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "replicationgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reserved-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usergroup" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The AuthorizeCacheSecurityGroupIngress action allows network ingress to a cache security group.", + "description": "Grants permission to authorize an EC2 security group on a ElastiCache security group", "privilege": "AuthorizeCacheSecurityGroupIngress", "resource_types": [ { @@ -55613,12 +66090,19 @@ "ec2:AuthorizeSecurityGroupIngress" ], "resource_type": "securitygroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Apply the service update.", + "description": "Grants permission to apply ElastiCache service updates to sets of clusters and replication groups", "privilege": "BatchApplyUpdateAction", "resource_types": [ { 
@@ -55637,12 +66121,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Stop the service update.", + "description": "Grants permission to stop ElastiCache service updates from being executed on a set of clusters", "privilege": "BatchStopUpdateAction", "resource_types": [ { @@ -55654,12 +66145,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Stop the service update.", + "description": "Grants permission to complete an online migration of data from hosted Redis on Amazon EC2 to ElastiCache", "privilege": "CompleteMigration", "resource_types": [ { @@ -55671,12 +66169,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CopySnapshot action makes a copy of an existing snapshot.", + "description": "Grants permission to make a copy of an existing snapshot", "privilege": "CopySnapshot", "resource_types": [ { @@ -55688,12 +66193,22 @@ "s3:PutObject" ], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:KmsKeyId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateCacheCluster action creates a cache cluster.", + "description": "Grants permission to create a cache cluster", "privilege": "CreateCacheCluster", "resource_types": [ { 
@@ -55733,12 +66248,28 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "subnetgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:EngineType", + "elasticache:MultiAZEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateCacheParameterGroup action creates a new cache parameter group.", + "description": "Grants permission to create a parameter group", "privilege": "CreateCacheParameterGroup", "resource_types": [ { @@ -55747,12 +66278,21 @@ "elasticache:AddTagsToResource" ], "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateCacheSecurityGroup action creates a new cache security group.", + "description": "Grants permission to create a cache security group", "privilege": "CreateCacheSecurityGroup", "resource_types": [ { @@ -55761,12 +66301,20 @@ "elasticache:AddTagsToResource" ], "resource_type": "securitygroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateCacheSubnetGroup action creates a new cache subnet group.", + "description": "Grants permission to create a cache subnet group", "privilege": "CreateCacheSubnetGroup", "resource_types": [ { 
@@ -55775,12 +66323,20 @@ "elasticache:AddTagsToResource" ], "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateGlobalReplicationGroup action creates a global datastore.", + "description": "Grants permission to create a global replication group", "privilege": "CreateGlobalReplicationGroup", "resource_types": [ { @@ -55792,12 +66348,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateReplicationGroup action creates a replication group.", + "description": "Grants permission to create a replication group", "privilege": "CreateReplicationGroup", "resource_types": [ { 
@@ -55847,12 +66410,35 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "usergroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:NumNodeGroups", + "elasticache:CacheNodeType", + "elasticache:ReplicasPerNodeGroup", + "elasticache:EngineVersion", + "elasticache:EngineType", + "elasticache:AtRestEncryptionEnabled", + "elasticache:TransitEncryptionEnabled", + "elasticache:AutomaticFailoverEnabled", + "elasticache:MultiAZEnabled", + "elasticache:ClusterModeEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:KmsKeyId", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateSnapshot action creates a copy of an entire cache cluster at a specific moment in time.", + "description": "Grants permission to create a copy of an entire Redis cluster at a specific moment in time", "privilege": "CreateSnapshot", "resource_types": [ { 
@@ -55874,53 +66460,91 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticache:KmsKeyId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateUser action creates a new user.", + "description": "Grants permission to create a Redis user for Redis engine version 6.x and onwards", "privilege": "CreateUser", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "elasticache:AddTagsToResource" + ], "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateUserGroup action creates a new user group.", + "description": "Grants permission to create a Redis user group for Redis engine version 6.x and onwards", "privilege": "CreateUserGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "elasticache:AddTagsToResource" + ], "resource_type": "user*" }, { "condition_keys": [], "dependent_actions": [], "resource_type": "usergroup*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DecreaseNodeGroupsInGlobalReplicationGroup action dec a global datastore.", + "description": "Grants permission to decrease the number of node groups in global replication groups", "privilege": "DecreaseNodeGroupsInGlobalReplicationGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "globalreplicationgroup*" + }, + { + "condition_keys": [ + "elasticache:NumNodeGroups" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { 
"access_level": "Write", - "description": "The DecreaseReplicaCount action decreases the number of replicas in a Redis replication group.", + "description": "Grants permission to decrease the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group", "privilege": "DecreaseReplicaCount", "resource_types": [ { @@ -55933,12 +66557,20 @@ "ec2:DescribeVpcs" ], "resource_type": "replicationgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:ReplicasPerNodeGroup" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteCacheCluster action deletes a previously provisioned cache cluster.", + "description": "Grants permission to delete a previously provisioned cluster", "privilege": "DeleteCacheCluster", "resource_types": [ { 
@@ -55956,36 +66588,58 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteCacheParameterGroup action deletes the specified cache parameter group.", + "description": "Grants permission to delete the specified cache parameter group", "privilege": "DeleteCacheParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteCacheSecurityGroup action deletes a cache security group.", + "description": "Grants permission to delete a cache security group", "privilege": "DeleteCacheSecurityGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "securitygroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteCacheSubnetGroup action deletes a cache subnet group.", + "description": "Grants permission to delete a cache subnet group", "privilege": "DeleteCacheSubnetGroup", "resource_types": [ { @@ -55998,12 +66652,19 @@ "ec2:DescribeVpcs" ], "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteGlobalReplicationGroup action deletes a global datastore.", + "description": "Grants permission to delete an existing global replication group", "privilege": "DeleteGlobalReplicationGroup", "resource_types": [ { 
@@ -56015,7 +66676,7 @@ }, { "access_level": "Write", - "description": "The DeleteReplicationGroup action deletes an existing replication group.", + "description": "Grants permission to delete an existing replication group", "privilege": "DeleteReplicationGroup", "resource_types": [ { 
@@ -56033,60 +66694,95 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteSnapshot action deletes an existing snapshot.", + "description": "Grants permission to delete an existing snapshot", "privilege": "DeleteSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteUser action deletes an existing user.", + "description": "Grants permission to delete an existing user and thus remove it from all user groups and replication groups where it was assigned", "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteUserGroup action deletes an existing user group.", + "description": "Grants permission to delete an existing user group", "privilege": "DeleteUserGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "usergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeCacheClusters action returns information about all provisioned cache clusters if no cache cluster identifier is specified, or about a specific cache cluster if a cache cluster identifier is supplied.", + "description": "Grants permission to list information about provisioned cache clusters", "privilege": "DescribeCacheClusters", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeCacheEngineVersions action returns a list of the available cache engines and their versions.", + "description": "Grants permission list available cache engines and their versions", "privilege": "DescribeCacheEngineVersions", "resource_types": [ { 
@@ -56098,55 +66794,83 @@ }, { "access_level": "List", - "description": "The DescribeCacheParameterGroups action returns information about parameter groups for this account, or a particular parameter group.", + "description": "Grants permission to list cache parameter group descriptions", "privilege": "DescribeCacheParameterGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeCacheParameters action returns the detailed parameter list for a particular cache parameter group.", + "description": "Grants permission to retrieve the detailed parameter list for a particular cache parameter group", "privilege": "DescribeCacheParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeCacheSecurityGroups action returns a list of cache security group descriptions, or the description of the specified security group.", + "description": "Grants permission to list cache security group descriptions", "privilege": "DescribeCacheSecurityGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "securitygroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeCacheSubnetGroups action returns a list of cache subnet group descriptions, or the description of the specified subnet group.", + "description": "Grants permission to list cache subnet group descriptions", "privilege": "DescribeCacheSubnetGroups", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeEngineDefaultParameters action returns the default engine and system parameter information for the specified cache engine.", + "description": "Grants permission to retrieve the default engine and system parameter information for the specified cache engine", "privilege": "DescribeEngineDefaultParameters", "resource_types": [ { @@ -56158,7 +66882,7 @@ }, { "access_level": "List", - "description": "The DescribeEvents action returns events related to cache clusters, cache security groups, and cache parameter groups.", + "description": "Grants permission to list events related to clusters, cache security groups, and cache parameter groups", "privilege": "DescribeEvents", "resource_types": [ { @@ -56170,7 +66894,7 @@ }, { "access_level": "List", - "description": "The DescribeGlobalReplicationGroups action returns information about global datastores for this account, or a particular global datastore.", + "description": "Grants permission to list information about global replication groups", "privilege": "DescribeGlobalReplicationGroups", "resource_types": [ { 
@@ -56182,31 +66906,45 @@ }, { "access_level": "List", - "description": "The DescribeReplicationGroups action returns information about replication groups for this account, or a particular replication group.", + "description": "Grants permission to list information about provisioned replication groups", "privilege": "DescribeReplicationGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeReservedCacheNodes action returns information about reserved cache nodes for this account, or a particular reserved cache node.", + "description": "Grants permission to list information about purchased reserved cache nodes", "privilege": "DescribeReservedCacheNodes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "reserved-instance*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeReservedCacheNodesOfferings action lists available reserved cache node offerings.", + "description": "Grants permission to list available reserved cache node offerings", "privilege": "DescribeReservedCacheNodesOfferings", "resource_types": [ { @@ -56218,7 +66956,7 @@ }, { "access_level": "List", - "description": "Returns details of the service updates", + "description": "Grants permission to list details of the service updates", "privilege": "DescribeServiceUpdates", "resource_types": [ { 
@@ -56230,19 +66968,26 @@ }, { "access_level": "List", - "description": "The DescribeSnapshots action returns information about cache cluster snapshots.", + "description": "Grants permission to list information about cluster or replication group snapshots", "privilege": "DescribeSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Returns details of the update actions.", + "description": "Grants permission to list details of the update actions for a set of clusters or replication groups", "privilege": "DescribeUpdateActions", "resource_types": [ { 
@@ -56254,36 +66999,57 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeUserGroups action returns information about all user groups for this account, or a particular user group.", + "description": "Grants permission to list information about Redis user groups", "privilege": "DescribeUserGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "usergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "The DescribeUsers action returns information about all users for this account, or a particular user.", + "description": "Grants permission to list information about Redis users", "privilege": "DescribeUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DisassociateGlobalReplicationGroup action removes a secondary Replication Group from the Global Datastore.", + "description": "Grants permission to remove a secondary replication group from the global replication group", "privilege": "DisassociateGlobalReplicationGroup", "resource_types": [ { @@ -56295,7 +67061,7 @@ }, { "access_level": "Write", - "description": "The FailoverGlobalReplicationGroup action removes a secondary Replication Group from the Global Datastore.", + "description": "Grants permission to failover the primary region to a selected secondary region of a global replication group", "privilege": "FailoverGlobalReplicationGroup", "resource_types": [ { 
@@ -56307,19 +67073,26 @@ }, { "access_level": "Write", - "description": "The IncreaseNodeGroupsInGlobalReplicationGroup action increases the number of node groups in the Global Datastore.", + "description": "Grants permission to increase the number of node groups in a global replication group", "privilege": "IncreaseNodeGroupsInGlobalReplicationGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "globalreplicationgroup*" + }, + { + "condition_keys": [ + "elasticache:NumNodeGroups" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The IncreaseReplicaCount action increases the number of replicas in a Redis replication group.", + "description": "Grants permission to increase the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group", "privilege": "IncreaseReplicaCount", "resource_types": [ { @@ -56332,12 +67105,20 @@ "ec2:DescribeVpcs" ], "resource_type": "replicationgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:ReplicasPerNodeGroup" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "List Allowed Node Type Modifications", + "description": "Grants permission to list available node type that can be used to scale a particular Redis cluster or replication group", "privilege": "ListAllowedNodeTypeModifications", "resource_types": [ { 
@@ -56349,12 +67130,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "The ListTagsForResource action lists all cost allocation tags currently on the named resource.", + "description": "Grants permission to list tags for an ElastiCache resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -56366,12 +67154,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ModifyCacheCluster action modifies the settings for a cache cluster.", + "description": "Grants permission to modify settings for a cluster", "privilege": "ModifyCacheCluster", "resource_types": [ { 
@@ -56388,48 +67183,85 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "securitygroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:MultiAZEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ModifyCacheParameterGroup action modifies the parameters of a cache parameter group.", + "description": "Grants permission to modify parameters of a cache parameter group", "privilege": "ModifyCacheParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ModifyCacheSubnetGroup action modifies an existing cache subnet group.", + "description": "Grants permission to modify an existing cache subnet group", "privilege": "ModifyCacheSubnetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ModifyGlobalReplicationGroup action modifies the settings for a Global Datastore.", + "description": "Grants permission to modify settings for a global replication group", "privilege": "ModifyGlobalReplicationGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "globalreplicationgroup*" + }, + { + "condition_keys": [ + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:AutomaticFailoverEnabled" + ], + "dependent_actions": [], + "resource_type": "" } 
] }, { "access_level": "Write", - "description": "The ModifyReplicationGroup action modifies the settings for a replication group.", + "description": "Grants permission to modify the settings for a replication group", "privilege": "ModifyReplicationGroup", "resource_types": [ { @@ -56457,12 +67289,26 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "usergroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:CacheNodeType", + "elasticache:EngineVersion", + "elasticache:AutomaticFailoverEnabled", + "elasticache:MultiAZEnabled", + "elasticache:AuthTokenEnabled", + "elasticache:SnapshotRetentionLimit", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ModifyReplicationGroupShardConfiguration action allows you to add shards, remove shards, or rebalance the keyspaces among exisiting shards.", + "description": "Grants permission to add shards, remove shards, or rebalance the keyspaces among existing shards of a replication group", "privilege": "ModifyReplicationGroupShardConfiguration", "resource_types": [ { 
@@ -56475,24 +67321,39 @@ "ec2:DescribeVpcs" ], "resource_type": "replicationgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:NumNodeGroups" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ModifyUser action modifies an existing user.", + "description": "Grants permission to change Redis user password(s) and/or access string", "privilege": "ModifyUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ModifyUserGroup action modifies an existing user group.", + "description": "Grants permission to change list of users that belong to the user group", "privilege": "ModifyUserGroup", "resource_types": [ { @@ -56504,12 +67365,19 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "usergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The PurchaseReservedCacheNodesOffering action allows you to purchase a reserved cache node offering.", + "description": "Grants permission to purchase a reserved cache node offering", "privilege": "PurchaseReservedCacheNodesOffering", "resource_types": [ { 
@@ -56518,12 +67386,20 @@ "elasticache:AddTagsToResource" ], "resource_type": "reserved-instance*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The RebalanceSlotsInGlobalReplicationGroup action redistributes slots to ensure uniform distribution across existing shards in the cluster.", + "description": "Grants permission to perform a key space rebalance operation to redistribute slots and ensure uniform key distribution across existing shards in a global replication group", "privilege": "RebalanceSlotsInGlobalReplicationGroup", "resource_types": [ { @@ -56535,19 +67411,26 @@ }, { "access_level": "Write", - "description": "The RebootCacheCluster action reboots some, or all, of the cache nodes within a provisioned cache cluster.", + "description": "Grants permission to reboot some, or all, of the cache nodes within a provisioned cache cluster or replication group (cluster mode disabled)", "privilege": "RebootCacheCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "The RemoveTagsFromResource action removes the tags identified by the TagKeys list from the named resource.", + "description": "Grants permission to remove tags from a ElastiCache resource", "privilege": "RemoveTagsFromResource", "resource_types": [ { 
@@ -56555,52 +67438,117 @@ "dependent_actions": [], "resource_type": "cluster" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "replicationgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reserved-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usergroup" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ResetCacheParameterGroup action modifies the parameters of a cache parameter group to the engine or system default value.", + "description": "Grants permission to modify parameters of a cache parameter group back to their default values", "privilege": "ResetCacheParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticache:CacheParameterGroupName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The RevokeCacheSecurityGroupIngress action revokes ingress from a cache security group.", + "description": "Grants permission to remove an EC2 security group ingress from a ElastiCache security group", "privilege": "RevokeCacheSecurityGroupIngress", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "securitygroup*" + }, + { + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Start the migration of data.", + "description": "Grants permission to start a migration of data from hosted Redis on Amazon EC2 to ElastiCache for Redis", "privilege": "StartMigration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "replicationgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The TestFailover action allows you to test automatic failover on a specified node group in a replication group", + "description": "Grants permission to test automatic failover on a specified node group in a replication group", "privilege": "TestFailover", "resource_types": [ { @@ -56613,6 +67561,13 @@ "ec2:DescribeVpcs" ], "resource_type": "replicationgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] } 
@@ -56620,37 +67575,51 @@ "resources": [ { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:parametergroup:${CacheParameterGroupName}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "parametergroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:securitygroup:${CacheSecurityGroupName}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "securitygroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:subnetgroup:${CacheSubnetGroupName}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "subnetgroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:replicationgroup:${ReplicationGroupId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "replicationgroup" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:cluster:${CacheClusterId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "cluster" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:reserved-instance:${ReservedCacheNodeId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "reserved-instance" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:snapshot:${SnapshotName}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "snapshot" }, { @@ -56660,12 +67629,16 @@ }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:user:${UserId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "user" }, { "arn": "arn:${Partition}:elasticache:${Region}:${Account}:usergroup:${UserGroupId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "usergroup" } ], 
@@ -56675,52 +67648,52 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request.", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource.", + "description": "Filters actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request.", + "description": "Filters actions based on the presence of tag keys in the request", "type": "String" }, { "condition": "elasticbeanstalk:FromApplication", - "description": "Filters access by an application as a dependency or a constraint on an input parameter.", + "description": "Filters access by an application as a dependency or a constraint on an input parameter", "type": "ARN" }, { "condition": "elasticbeanstalk:FromApplicationVersion", - "description": "Filters access by an application version as a dependency or a constraint on an input parameter.", + "description": "Filters access by an application version as a dependency or a constraint on an input parameter", "type": "ARN" }, { "condition": "elasticbeanstalk:FromConfigurationTemplate", - "description": "Filters access by a configuration template as a dependency or a constraint on an input parameter.", + "description": "Filters access by a configuration template as a dependency or a constraint on an input parameter", "type": "ARN" }, { "condition": "elasticbeanstalk:FromEnvironment", - "description": "Filters access by an environment as a dependency or a constraint on an input parameter.", + "description": "Filters access by an environment as a dependency or a constraint on an input parameter", "type": "ARN" }, { "condition": "elasticbeanstalk:FromPlatform", - 
"description": "Filters access by a platform as a dependency or a constraint on an input parameter.", + "description": "Filters access by a platform as a dependency or a constraint on an input parameter", "type": "ARN" }, { "condition": "elasticbeanstalk:FromSolutionStack", - "description": "Filters access by a solution stack as a dependency or a constraint on an input parameter.", + "description": "Filters access by a solution stack as a dependency or a constraint on an input parameter", "type": "ARN" }, { "condition": "elasticbeanstalk:InApplication", - "description": "Filters access by the application that contains the resource that the action operates on.", + "description": "Filters access by the application that contains the resource that the action operates on", "type": "ARN" } ], @@ -56728,7 +67701,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to cancel in-progress environment configuration update or application version deployment.", + "description": "Grants permission to cancel in-progress environment configuration update or application version deployment", "privilege": "AbortEnvironmentUpdate", "resource_types": [ { @@ -56742,7 +67715,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to add tags to an Elastic Beanstalk resource and to update tag values.", + "description": "Grants permission to add tags to an Elastic Beanstalk resource and to update tag values", "privilege": "AddTags", "resource_types": [ { @@ -56782,7 +67755,7 @@ }, { "access_level": "Write", - "description": "Grants permission to apply a scheduled managed action immediately.", + "description": "Grants permission to apply a scheduled managed action immediately", "privilege": "ApplyEnvironmentManagedAction", "resource_types": [ { 
@@ -56796,7 +67769,7 @@ }, { "access_level": "Write", - "description": "Grants permission to associate an operations role with an environment.", + "description": "Grants permission to associate an operations role with an environment", "privilege": "AssociateEnvironmentOperationsRole", "resource_types": [ { @@ -56808,7 +67781,7 @@ }, { "access_level": "Read", - "description": "Grants permission to check CNAME availability.", + "description": "Grants permission to check CNAME availability", "privilege": "CheckDNSAvailability", "resource_types": [ { @@ -56820,7 +67793,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create or update a group of environments, each running a separate component of a single application.", + "description": "Grants permission to create or update a group of environments, each running a separate component of a single application", "privilege": "ComposeEnvironments", "resource_types": [ { @@ -56839,7 +67812,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new application.", + "description": "Grants permission to create a new application", "privilege": "CreateApplication", "resource_types": [ { @@ -56859,7 +67832,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create an application version for an application.", + "description": "Grants permission to create an application version for an application", "privilege": "CreateApplicationVersion", "resource_types": [ { @@ -56886,7 +67859,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a configuration template.", + "description": "Grants permission to create a configuration template", "privilege": "CreateConfigurationTemplate", "resource_types": [ { 
@@ -56914,7 +67887,7 @@ }, { "access_level": "Write", - "description": "Grants permission to launch an environment for an application.", + "description": "Grants permission to launch an environment for an application", "privilege": "CreateEnvironment", "resource_types": [ { @@ -56940,7 +67913,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new version of a custom platform.", + "description": "Grants permission to create a new version of a custom platform", "privilege": "CreatePlatformVersion", "resource_types": [ { @@ -56960,7 +67933,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create the Amazon S3 storage location for the account.", + "description": "Grants permission to create the Amazon S3 storage location for the account", "privilege": "CreateStorageLocation", "resource_types": [ { @@ -56972,7 +67945,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an application along with all associated versions and configurations.", + "description": "Grants permission to delete an application along with all associated versions and configurations", "privilege": "DeleteApplication", "resource_types": [ { @@ -56984,7 +67957,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an application version from an application.", + "description": "Grants permission to delete an application version from an application", "privilege": "DeleteApplicationVersion", "resource_types": [ { @@ -56998,7 +67971,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a configuration template.", + "description": "Grants permission to delete a configuration template", "privilege": "DeleteConfigurationTemplate", "resource_types": [ { 
@@ -57012,7 +67985,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the draft configuration associated with the running environment.", + "description": "Grants permission to delete the draft configuration associated with the running environment", "privilege": "DeleteEnvironmentConfiguration", "resource_types": [ { @@ -57026,7 +67999,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a version of a custom platform.", + "description": "Grants permission to delete a version of a custom platform", "privilege": "DeletePlatformVersion", "resource_types": [ { @@ -57038,7 +68011,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of account attributes, including resource quotas.", + "description": "Grants permission to retrieve a list of account attributes, including resource quotas", "privilege": "DescribeAccountAttributes", "resource_types": [ { @@ -57050,7 +68023,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of application versions stored in an AWS Elastic Beanstalk storage bucket.", + "description": "Grants permission to retrieve a list of application versions stored in an AWS Elastic Beanstalk storage bucket", "privilege": "DescribeApplicationVersions", "resource_types": [ { @@ -57064,7 +68037,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve the descriptions of existing applications.", + "description": "Grants permission to retrieve the descriptions of existing applications", "privilege": "DescribeApplications", "resource_types": [ { @@ -57076,7 +68049,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve descriptions of environment configuration options.", + "description": "Grants permission to retrieve descriptions of environment configuration options", "privilege": "DescribeConfigurationOptions", "resource_types": [ { 
@@ -57102,7 +68075,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a description of the settings for a configuration set.", + "description": "Grants permission to retrieve a description of the settings for a configuration set", "privilege": "DescribeConfigurationSettings", "resource_types": [ { @@ -57123,7 +68096,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the overall health of an environment.", + "description": "Grants permission to retrieve information about the overall health of an environment", "privilege": "DescribeEnvironmentHealth", "resource_types": [ { @@ -57135,7 +68108,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of an environment's completed and failed managed actions.", + "description": "Grants permission to retrieve a list of an environment's completed and failed managed actions", "privilege": "DescribeEnvironmentManagedActionHistory", "resource_types": [ { @@ -57149,7 +68122,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of an environment's upcoming and in-progress managed actions.", + "description": "Grants permission to retrieve a list of an environment's upcoming and in-progress managed actions", "privilege": "DescribeEnvironmentManagedActions", "resource_types": [ { @@ -57163,7 +68136,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of AWS resources for an environment.", + "description": "Grants permission to retrieve a list of AWS resources for an environment", "privilege": "DescribeEnvironmentResources", "resource_types": [ { @@ -57177,7 +68150,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve descriptions for existing environments.", + "description": "Grants permission to retrieve descriptions for existing environments", "privilege": "DescribeEnvironments", "resource_types": [ { 
@@ -57191,7 +68164,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of event descriptions matching a set of criteria.", + "description": "Grants permission to retrieve a list of event descriptions matching a set of criteria", "privilege": "DescribeEvents", "resource_types": [ { @@ -57224,7 +68197,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve more detailed information about the health of environment instances.", + "description": "Grants permission to retrieve more detailed information about the health of environment instances", "privilege": "DescribeInstancesHealth", "resource_types": [ { @@ -57236,7 +68209,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a description of a platform version.", + "description": "Grants permission to retrieve a description of a platform version", "privilege": "DescribePlatformVersion", "resource_types": [ { @@ -57248,7 +68221,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate an operations role with an environment.", + "description": "Grants permission to disassociate an operations role with an environment", "privilege": "DisassociateEnvironmentOperationsRole", "resource_types": [ { @@ -57260,7 +68233,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of the available solution stack names.", + "description": "Grants permission to retrieve a list of the available solution stack names", "privilege": "ListAvailableSolutionStacks", "resource_types": [ { @@ -57272,7 +68245,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of the available platform branches.", + "description": "Grants permission to retrieve a list of the available platform branches", "privilege": "ListPlatformBranches", "resource_types": [ { 
@@ -57284,7 +68257,7 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of the available platforms.", + "description": "Grants permission to retrieve a list of the available platforms", "privilege": "ListPlatformVersions", "resource_types": [ { @@ -57296,7 +68269,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of tags of an Elastic Beanstalk resource.", + "description": "Grants permission to retrieve a list of tags of an Elastic Beanstalk resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -57328,7 +68301,7 @@ }, { "access_level": "Write", - "description": "Grants permission to submit instance statistics for enhanced health.", + "description": "Grants permission to submit instance statistics for enhanced health", "privilege": "PutInstanceStatistics", "resource_types": [ { @@ -57345,7 +68318,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete and recreate all of the AWS resources for an environment and to force a restart.", + "description": "Grants permission to delete and recreate all of the AWS resources for an environment and to force a restart", "privilege": "RebuildEnvironment", "resource_types": [ { @@ -57359,7 +68332,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from an Elastic Beanstalk resource.", + "description": "Grants permission to remove tags from an Elastic Beanstalk resource", "privilege": "RemoveTags", "resource_types": [ { @@ -57398,7 +68371,7 @@ }, { "access_level": "Read", - "description": "Grants permission to initiate a request to compile information of the deployed environment.", + "description": "Grants permission to initiate a request to compile information of the deployed environment", "privilege": "RequestEnvironmentInfo", "resource_types": [ { 
@@ -57412,7 +68385,7 @@ }, { "access_level": "Write", - "description": "Grants permission to request an environment to restart the application container server running on each Amazon EC2 instance.", + "description": "Grants permission to request an environment to restart the application container server running on each Amazon EC2 instance", "privilege": "RestartAppServer", "resource_types": [ { @@ -57426,7 +68399,7 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the compiled information from a RequestEnvironmentInfo request.", + "description": "Grants permission to retrieve the compiled information from a RequestEnvironmentInfo request", "privilege": "RetrieveEnvironmentInfo", "resource_types": [ { @@ -57440,7 +68413,7 @@ }, { "access_level": "Write", - "description": "Grants permission to swap the CNAMEs of two environments.", + "description": "Grants permission to swap the CNAMEs of two environments", "privilege": "SwapEnvironmentCNAMEs", "resource_types": [ { @@ -57461,7 +68434,7 @@ }, { "access_level": "Write", - "description": "Grants permission to terminate an environment.", + "description": "Grants permission to terminate an environment", "privilege": "TerminateEnvironment", "resource_types": [ { @@ -57475,7 +68448,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an application with specified properties.", + "description": "Grants permission to update an application with specified properties", "privilege": "UpdateApplication", "resource_types": [ { @@ -57487,7 +68460,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update the application version lifecycle policy associated with the application.", + "description": "Grants permission to update the application version lifecycle policy associated with the application", "privilege": "UpdateApplicationResourceLifecycle", "resource_types": [ { 
@@ -57499,7 +68472,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an application version with specified properties.", + "description": "Grants permission to update an application version with specified properties", "privilege": "UpdateApplicationVersion", "resource_types": [ { @@ -57513,7 +68486,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update a configuration template with specified properties or configuration option values.", + "description": "Grants permission to update a configuration template with specified properties or configuration option values", "privilege": "UpdateConfigurationTemplate", "resource_types": [ { @@ -57539,7 +68512,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an environment.", + "description": "Grants permission to update an environment", "privilege": "UpdateEnvironment", "resource_types": [ { 
@@ -57561,9 +68534,49 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to an Elastic Beanstalk resource, remove tags, and to update tag values", + "privilege": "UpdateTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "applicationversion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurationtemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "platform" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Grants permission to check the validity of a set of configuration settings for a configuration template or an environment.", + "description": "Grants permission to check the validity of a set of configuration settings for a configuration template or an environment", "privilege": "ValidateConfigurationSettings", "resource_types": [ { @@ -57820,7 +68833,7 @@ ] }, { - "access_level": "Write", + "access_level": "Permissions management", "description": "Grants permission to delete the resource-level policy for a file system", "privilege": "DeleteFileSystemPolicy", "resource_types": [ @@ -57879,6 +68892,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to view the account preferences in effect for an account", + "privilege": "DescribeAccountPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view the BackupPolicy object for an Amazon EFS file system", 
@@ -57997,6 +69022,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to set the account preferences of an account", + "privilege": "PutAccountPreferences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to enable or disable automatic backups with AWS Backup by creating a new BackupPolicy object", @@ -58010,7 +69047,7 @@ ] }, { - "access_level": "Write", + "access_level": "Permissions management", "description": "Grants permission to apply a resource-level policy that defines the actions allowed or denied from given actors for the specified file system", "privilege": "PutFileSystemPolicy", "resource_types": [ @@ -59357,6 +70394,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an EMR Notebook repository", + "privilege": "CreateRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a security configuration.", @@ -59369,6 +70418,34 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an EMR studio.", + "privilege": "CreateStudio", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticmapreduce:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an EMR studio session mapping.", + "privilege": "CreateStudioSessionMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete an EMR notebook.", 
@@ -59381,6 +70458,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an EMR Notebook repository.", + "privilege": "DeleteRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a security configuration.", @@ -59393,6 +70482,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an EMR studio.", + "privilege": "DeleteStudio", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an EMR studio session mapping.", + "privilege": "DeleteStudioSessionMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get details about a cluster, including status, hardware and software configuration, VPC settings, and so on.", @@ -59429,6 +70542,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view information about a notebook execution.", + "privilege": "DescribeNotebookExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook-execution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an EMR Notebook repository.", + "privilege": "DescribeRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get details of a security configuration.", 
@@ -59453,6 +70590,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view information about an EMR studio.", + "privilege": "DescribeStudio", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve the EMR block public access configuration for the AWS account in the Region.", @@ -59477,6 +70626,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view information about an EMR studio session mapping.", + "privilege": "GetStudioSessionMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to link an EMR Notebook repository to EMR notebooks.", + "privilege": "LinkRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get details about the bootstrap actions associated with a cluster.", @@ -59549,6 +70722,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list summary information for notebook executions.", + "privilege": "ListNotebookExecutions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list existing EMR Notebook repositories.", + "privilege": "ListRepositories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list available security configurations in this account by name, along with creation dates and times.", 
@@ -59573,6 +70770,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list summary information about EMR studio session mappings.", + "privilege": "ListStudioSessionMappings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list summary information about EMR studios.", + "privilege": "ListStudios", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to change cluster settings such as number of steps that can be executed concurrently for a cluster.", @@ -59755,6 +70976,32 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start an EMR notebook execution.", + "privilege": "StartNotebookExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "editor*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "elasticmapreduce:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to shut down an EMR notebook.", @@ -59767,6 +71014,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to stop notebook execution.", + "privilege": "StopNotebookExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "notebook-execution*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to terminate a cluster (job flow).", 
@@ -59779,6 +71038,54 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to unlink an EMR Notebook repository from EMR notebooks.", + "privilege": "UnlinkRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an EMR Notebook repository.", + "privilege": "UpdateRepository", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update information about an EMR studio.", + "privilege": "UpdateStudio", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an EMR studio session mapping.", + "privilege": "UpdateStudioSessionMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio*" + } + ] + }, { "access_level": "List", "description": "Grants permission to use the EMR management console to view events from all clusters.", @@ -59808,6 +71115,22 @@ "elasticmapreduce:ResourceTag/${TagKey}" ], "resource": "editor" + }, + { + "arn": "arn:${Partition}:elasticmapreduce:${Region}:${Account}:notebook-execution/${NotebookExecutionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticmapreduce:ResourceTag/${TagKey}" + ], + "resource": "notebook-execution" + }, + { + "arn": "arn:${Partition}:elasticmapreduce:${Region}:${Account}:studio/${StudioId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "elasticmapreduce:ResourceTag/${TagKey}" + ], + "resource": "studio" } ], "service_name": "Amazon Elastic MapReduce" 
@@ -60066,7 +71389,19 @@ "prefix": "elemental-activations", "privileges": [ { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to complete the process of registering customer account for AWS Elemental Appliances and Software Purchases", + "privilege": "CompleteAccountRegistration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to complete the process of uploading a Software file for AWS Elemental Appliances and Software Purchases", "privilege": "CompleteFileUpload", "resource_types": [ @@ -60078,7 +71413,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to download the Software files for AWS Elemental Appliances and Software Purchases", "privilege": "DownloadSoftware", "resource_types": [ 
@@ -60090,7 +71425,162 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to generate Software Licenses for AWS Elemental Appliances and Software Purchases", + "privilege": "GenerateLicenses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an activation", + "privilege": "GetActivation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "activation*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for an AWS Elemental Activations resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "activation" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to start the process of registering customer account for AWS Elemental Appliances and Software Purchases", + "privilege": "StartAccountRegistration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to start the process of uploading a Software file for AWS Elemental Appliances and Software Purchases", + "privilege": "StartFileUpload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add a tag for an AWS Elemental Activations resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "activation" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants 
permission to remove a tag from an AWS Elemental Activations resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "activation" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:elemental-activations:${Region}:${Account}:activation/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "activation" + } + ], + "service_name": "AWS Elemental Appliances and Software Activation Service" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "Arn" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "elemental-activations", + "privileges": [ + { + "access_level": "List", + "description": "Grants permission to complete the process of uploading a Software file for AWS Elemental Appliances and Software Purchases", + "privilege": "CompleteFileUpload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to download the Software files for AWS Elemental Appliances and Software Purchases", + "privilege": "DownloadSoftware", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", "description": "Grants permission to generate Software Licenses for AWS Elemental Appliances and Software Purchases", "privilege": "GenerateLicenses", "resource_types": [ 
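Review bot: The new side of this hunk leaves two service entries with `"prefix": "elemental-activations"`: the existing one, which now runs through `UntagResource` and is closed with its own `resources` and `service_name`, and a second one opened by the added `"conditions"` block. The two disagree on access levels, since `CompleteFileUpload` and `DownloadSoftware` are `Read` in the first and `List` in the second. A consumer that resolves a service by prefix will see whichever entry its lookup reaches, so the access level reported for these actions, and possibly the set of known actions, becomes order-dependent. The second entry also declares `aws:RequestTag/${TagKey}` with `"type": "Arn"`, where the `es` block later in this diff uses `String` for the same key. If this file is generated, as its size suggests, the fix probably belongs in the generator (merge or reject a repeated prefix before writing); the second entry's privilege list continues past the end of this hunk.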
@@ -60331,6 +71821,18 @@ "conditions": [], "prefix": "elemental-support-cases", "privileges": [ + { + "access_level": "Write", + "description": "Verify whether the caller has the permissions to perform support case operations", + "privilege": "CheckCasePermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grant the permission to create a support case", @@ -60437,11 +71939,27 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "jobRun*" - }, + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a managed endpoint", + "privilege": "CreateManagedEndpoint", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "virtualCluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "emr-containers:ExecutionRoleArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -60460,6 +71978,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a managed endpoint", + "privilege": "DeleteManagedEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedEndpoint*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a virtual cluster", @@ -60481,11 +72011,18 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "jobRun*" - }, + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a managed endpoint", + "privilege": "DescribeManagedEndpoint", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "virtualCluster*" + "resource_type": "managedEndpoint*" } ] }, 
@@ -60513,6 +72050,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list managed endpoints associated with a virtual cluster", + "privilege": "ListManagedEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list tags for the specified resource", @@ -60523,6 +72072,11 @@ "dependent_actions": [], "resource_type": "jobRun" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedEndpoint" + }, { "condition_keys": [], "dependent_actions": [], @@ -60573,6 +72127,11 @@ "dependent_actions": [], "resource_type": "jobRun" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedEndpoint" + }, { "condition_keys": [], "dependent_actions": [], @@ -60598,6 +72157,11 @@ "dependent_actions": [], "resource_type": "jobRun" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managedEndpoint" + }, { "condition_keys": [], "dependent_actions": [], @@ -60624,10 +72188,16 @@ { "arn": "arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${virtualClusterId}/jobruns/${jobRunId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "emr-containers:ExecutionRoleArn" + "aws:ResourceTag/${TagKey}" ], "resource": "jobRun" + }, + { + "arn": "arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${virtualClusterId}/endpoints/${endpointId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "managedEndpoint" } ], "service_name": "Amazon EMR on EKS (EMR Containers)" 
@@ -61094,122 +72664,55 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", - "type": "String" - }, - { - "condition": "aws:SourceAccount", - "description": "Filters actions based on whether the source of the request comes from a specific account", - "type": "String" - }, - { - "condition": "aws:SourceArn", - "description": "Filters actions based on the Amazon Resource Name (ARN) of the source making the request", + "description": "Filters access based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - }, - { - "condition": "events:ManagedBy", - "description": "Used internally by AWS services. 
If a rule is created by an AWS service on your behalf, the value is the principal name of the service that created the rule.", - "type": "String" - }, - { - "condition": "events:TargetArn", - "description": "The ARN of a target that can be put to a rule.", - "type": "ARN" - }, - { - "condition": "events:creatorAccount", - "description": "Filters actions based on the account the rule was created in", - "type": "String" - }, - { - "condition": "events:detail-type", - "description": "Matches the literal string of the detail-type filed of the event.", - "type": "String" - }, - { - "condition": "events:detail.eventTypeCode", - "description": "Matches the literal string for the detail.eventTypeCode field of the event.", - "type": "String" - }, - { - "condition": "events:detail.service", - "description": "Matches the literal string for the detail.service field of the event.", - "type": "String" - }, - { - "condition": "events:detail.userIdentity.principalId", - "description": "Matches the literal string for the detail.useridentity.principalid field of the event.", - "type": "String" - }, - { - "condition": "events:eventBusInvocation", - "description": "Filters actions based on whether the event was generated via API or cross-account bus invocation", - "type": "String" - }, - { - "condition": "events:source", - "description": "The AWS service or AWS partner event source that generated the event. 
Matches the literal string of the source field of the event.", + "description": "Filters access based on the tag keys that are passed in the request", "type": "String" } ], - "prefix": "events", + "prefix": "es", "privileges": [ { "access_level": "Write", - "description": "Grants permission to activate partner event sources", - "privilege": "ActivateEventSource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "event-source*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to cancel a replay", - "privilege": "CancelReplay", + "description": "Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request", + "privilege": "AcceptInboundConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "replay*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new archive", - "privilege": "CreateArchive", + "description": "Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request", + "privilege": "AcceptInboundCrossClusterSearchConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "archive*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create event buses", - "privilege": "CreateEventBus", + "access_level": "Tagging", + "description": "Grants permission to attach resource tags to an Amazon OpenSearch domain", + "privilege": "AddTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-bus*" + "resource_type": "domain*" }, { "condition_keys": [ 
@@ -61223,77 +72726,74 @@ }, { "access_level": "Write", - "description": "Grants permission to create partner event sources", - "privilege": "CreatePartnerEventSource", + "description": "Grants permission to associate a package with an Amazon ES domain", + "privilege": "AssociatePackage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-source*" + "resource_type": "domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to deactivate event sources", - "privilege": "DeactivateEventSource", + "description": "Grants permission to cancel elastic search software update of a domain to given version", + "privilege": "CancelElasticsearchServiceSoftwareUpdate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-source*" + "resource_type": "domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an archive", - "privilege": "DeleteArchive", + "description": "Grants permission to cancel OpenSearch software update of a domain to given version", + "privilege": "CancelServiceSoftwareUpdate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "archive*" + "resource_type": "domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete event buses", - "privilege": "DeleteEventBus", + "description": "Grants permission to create an Amazon OpenSearch Service domain", + "privilege": "CreateDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-bus*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete partner event sources", - "privilege": "DeletePartnerEventSource", - "resource_types": [ + "resource_type": "domain" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "event-source*" + "resource_type": 
"" } ] }, { "access_level": "Write", - "description": "Grants permission to delete rules", - "privilege": "DeleteRule", + "description": "Grants permission to create an Amazon OpenSearch domain", + "privilege": "CreateElasticsearchDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "domain" }, { "condition_keys": [ - "events:creatorAccount" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -61301,126 +72801,93 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about an archive", - "privilege": "DescribeArchive", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "archive*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve details about event buses", - "privilege": "DescribeEventBus", + "access_level": "Write", + "description": "Grants permission to create the service-linked role required for Amazon OpenSearch domains that use VPC access", + "privilege": "CreateElasticsearchServiceRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-bus" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about event sources", - "privilege": "DescribeEventSource", + "access_level": "Write", + "description": "Grants permission to create a new cross-cluster search connection from a source domain to a destination domain", + "privilege": "CreateOutboundConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-source*" + "resource_type": "domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about partner event sources", - "privilege": "DescribePartnerEventSource", + "access_level": "Write", + "description": "Grants permission to create a new cross-cluster search connection from a source domain to a destination domain", + "privilege": "CreateOutboundCrossClusterSearchConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-source*" + "resource_type": "domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the details of a replay", - "privilege": "DescribeReplay", + "access_level": "Write", + "description": "Grants permission to add a package for use with 
Amazon ES domains", + "privilege": "CreatePackage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "replay*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about rules", - "privilege": "DescribeRule", + "access_level": "Write", + "description": "Grants permission to create the service-linked role required for Amazon OpenSearch domains that use VPC access", + "privilege": "CreateServiceRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" - }, - { - "condition_keys": [ - "events:creatorAccount" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disable rules", - "privilege": "DisableRule", + "description": "Grants permission to delete an Amazon OpenSearch domain and all of its data", + "privilege": "DeleteDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" - }, - { - "condition_keys": [ - "events:creatorAccount" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { "access_level": "Write", - "description": "Grants permissions to enable rules", - "privilege": "EnableRule", + "description": "Grants permission to delete an Amazon OpenSearch domain and all of its data", + "privilege": "DeleteElasticsearchDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" - }, - { - "condition_keys": [ - "events:creatorAccount" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of archives", - "privilege": "ListArchives", + "access_level": "Write", + "description": "Grants permission to delete the service-linked role required for Amazon OpenSearch domains that use VPC access", + "privilege": 
"DeleteElasticsearchServiceRole", "resource_types": [ { "condition_keys": [], @@ -61430,9 +72897,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to to retrieve a list of the event buses in your account", - "privilege": "ListEventBuses", + "access_level": "Write", + "description": "Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection", + "privilege": "DeleteInboundConnection", "resource_types": [ { "condition_keys": [], @@ -61442,9 +72909,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to to retrieve a list of event sources shared with this account", - "privilege": "ListEventSources", + "access_level": "Write", + "description": "Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection", + "privilege": "DeleteInboundCrossClusterSearchConnection", "resource_types": [ { "condition_keys": [], @@ -61454,21 +72921,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of AWS account IDs associated with an event source", - "privilege": "ListPartnerEventSourceAccounts", + "access_level": "Write", + "description": "Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection", + "privilege": "DeleteOutboundConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-source*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list partner event sources", - "privilege": "ListPartnerEventSources", + "access_level": "Write", + "description": "Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection", + "privilege": "DeleteOutboundCrossClusterSearchConnection", "resource_types": [ { "condition_keys": [], 
@@ -61478,9 +72945,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of replays", - "privilege": "ListReplays", + "access_level": "Write", + "description": "Grants permission to delete a package from Amazon ES. The package must not be associated with any Amazon ES domain", + "privilege": "DeletePackage", "resource_types": [ { "condition_keys": [], 
@@ -61490,169 +72957,117 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of the names of the rules associated with a target", - "privilege": "ListRuleNamesByTarget", + "access_level": "Read", + "description": "Grants permission to view a description of the domain configuration for the specified Amazon OpenSearch domain, including the domain ID, domain service endpoint, and domain ARN", + "privilege": "DescribeDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of the Amazon EventBridge rules in the account", - "privilege": "ListRules", + "access_level": "Read", + "description": "Grants permission to view the AutoTune configuration of the domain for the specified Amazon OpenSearch domain, including the AutoTune state and maintenance schedules", + "privilege": "DescribeDomainAutoTunes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of tags associated with an Amazon EventBridge resource", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to view a description of the configuration options and status of an Amazon OpenSearch domain", + "privilege": "DescribeDomainConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-bus" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rule" - }, - { - "condition_keys": [ - "events:creatorAccount" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of targets defined for a rule", - "privilege": "ListTargetsByRule", + 
"description": "Grants permission to view a description of the domain configuration for up to five specified Amazon OpenSearch domain", + "privilege": "DescribeDomains", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" - }, - { - "condition_keys": [ - "events:creatorAccount" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "Write", - "description": "Grants permission to send custom events to Amazon EventBridge", - "privilege": "PutEvents", + "access_level": "Read", + "description": "Grants permission to view a description of the domain configuration for the specified Amazon OpenSearch domain, including the domain ID, domain service endpoint, and domain ARN", + "privilege": "DescribeElasticsearchDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-bus*" - }, - { - "condition_keys": [ - "events:detail-type", - "events:source", - "events:eventBusInvocation", - "aws:SourceArn", - "aws:SourceAccount" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "Write", - "description": "Grants permission to sends custom events to Amazon EventBridge", - "privilege": "PutPartnerEvents", + "access_level": "Read", + "description": "Grants permission to view a description of the configuration options and status of an Amazon OpenSearch domain", + "privilege": "DescribeElasticsearchDomainConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "Write", - "description": "Grants permission to use the PutPermission action to grants permission to another AWS account to put events to your default event bus", - "privilege": "PutPermission", + "access_level": "List", + "description": "Grants permission to view a description of the domain configuration for up to five specified Amazon 
OpenSearch domains", + "privilege": "DescribeElasticsearchDomains", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to create or updates rules", - "privilege": "PutRule", + "access_level": "List", + "description": "Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type", + "privilege": "DescribeElasticsearchInstanceTypeLimits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" - }, - { - "condition_keys": [ - "events:detail.userIdentity.principalId", - "events:detail-type", - "events:source", - "events:detail.service", - "events:detail.eventTypeCode", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "events:creatorAccount" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to add targets to a rule", - "privilege": "PutTargets", + "access_level": "List", + "description": "Grants permission to list all the inbound cross-cluster search connections for a destination domain", + "privilege": "DescribeInboundConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" - }, - { - "condition_keys": [ - "events:TargetArn", - "events:creatorAccount" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to revoke the permission of another AWS account to put events to your default event bus", - "privilege": "RemovePermission", + "access_level": "List", + "description": "Grants permission to list all the inbound cross-cluster search connections for a destination domain", + "privilege": "DescribeInboundCrossClusterSearchConnections", "resource_types": [ { "condition_keys": [], 
@@ -61662,66 +73077,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to removes targets from a rule", - "privilege": "RemoveTargets", + "access_level": "List", + "description": "Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type", + "privilege": "DescribeInstanceTypeLimits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" - }, - { - "condition_keys": [ - "events:creatorAccount" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a replay of an archive", - "privilege": "StartReplay", + "access_level": "List", + "description": "Grants permission to list all the outbound cross-cluster search connections for a source domain", + "privilege": "DescribeOutboundConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "archive*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add a tag to an Amazon EventBridge resource", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to list all the outbound cross-cluster search connections for a source domain", + "privilege": "DescribeOutboundCrossClusterSearchConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-bus" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rule" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "events:creatorAccount" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permissions to test whether an event pattern matches the provided event", - "privilege": "TestEventPattern", + "description": "Grants permission to describe all packages available to Amazon ES domain", + 
"privilege": "DescribePackages", "resource_types": [ { "condition_keys": [], 
@@ -61731,349 +73125,213 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove a tag from an Amazon EventBridge resource", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to fetch reserved instance offerings for OpenSearch", + "privilege": "DescribeReservedElasticsearchInstanceOfferings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-bus" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rule" - }, - { - "condition_keys": [ - "aws:TagKeys", - "events:creatorAccount" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an archive", - "privilege": "UpdateArchive", + "access_level": "List", + "description": "Grants permission to fetch OpenSearch reserved instances already purchased by customer", + "privilege": "DescribeReservedElasticsearchInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "archive*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:events:${Region}::event-source/${EventSourceName}", - "condition_keys": [], - "resource": "event-source" - }, - { - "arn": "arn:${Partition}:events:${Region}:${Account}:event-bus/${EventBusName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "event-bus" - }, - { - "arn": "arn:${Partition}:events:${Region}:${Account}:rule/[${EventBusName}/]${RuleName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "rule" }, { - "arn": "arn:${Partition}:events:${Region}:${Account}:archive/${ArchiveName}", - "condition_keys": [], - "resource": "archive" - }, - { - "arn": "arn:${Partition}:events:${Region}:${Account}:replay/${ReplayName}", - "condition_keys": [], - "resource": "replay" - } - ], - "service_name": "Amazon EventBridge" - }, - { - "conditions": [], - "prefix": 
"execute-api", - "privileges": [ - { - "access_level": "Write", - "description": "Used to invalidate API cache upon a client request", - "privilege": "InvalidateCache", + "access_level": "List", + "description": "Grants permission to fetch reserved instance offerings for OpenSearch", + "privilege": "DescribeReservedInstanceOfferings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "execute-api-general*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Used to invoke an API upon a client request", - "privilege": "Invoke", + "access_level": "List", + "description": "Grants permission to fetch OpenSearch reserved instances already purchased by customer", + "privilege": "DescribeReservedInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "execute-api-general*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "ManageConnections controls access to the @connections API", - "privilege": "ManageConnections", + "description": "Grants permission to remove a package from the specified Amazon ES domain", + "privilege": "DissociatePackage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "execute-api-general*" + "resource_type": "domain*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:execute-api:${Region}:${Account}:${ApiId}/${Stage}/${Method}/${ApiSpecificResourcePath}", - "condition_keys": [], - "resource": "execute-api-general" - } - ], - "service_name": "Amazon API Gateway" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters create 
requests based on the presence of mandatory tags in the request", - "type": "String" - } - ], - "prefix": "firehose", - "privileges": [ - { - "access_level": "Write", - "description": "Creates a delivery stream.", - "privilege": "CreateDeliveryStream", + "access_level": "Read", + "description": "Grants permission to send cross-cluster requests to a destination domain", + "privilege": "ESCrossClusterGet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain" } ] }, { "access_level": "Write", - "description": "Deletes a delivery stream and its data.", - "privilege": "DeleteDeliveryStream", + "description": "Grants permission to send HTTP DELETE requests to the OpenSearch APIs", + "privilege": "ESHttpDelete", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain" } ] }, { - "access_level": "List", - "description": "Describes the specified delivery stream and gets the status.", - "privilege": "DescribeDeliveryStream", + "access_level": "Read", + "description": "Grants permission to send HTTP GET requests to the OpenSearch APIs", + "privilege": "ESHttpGet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain" } ] }, { - "access_level": "List", - "description": "Lists your delivery streams.", - "privilege": "ListDeliveryStreams", + "access_level": "Read", + "description": "Grants permission to send HTTP HEAD requests to the OpenSearch APIs", + "privilege": "ESHttpHead", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain" } ] }, { - "access_level": "List", - "description": "Lists the tags for the specified delivery stream.", - "privilege": 
"ListTagsForDeliveryStream", + "access_level": "Write", + "description": "Grants permission to send HTTP PATCH requests to the OpenSearch APIs", + "privilege": "ESHttpPatch", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain" } ] }, { "access_level": "Write", - "description": "Writes a single data record into an Amazon Kinesis Firehose delivery stream.", - "privilege": "PutRecord", + "description": "Grants permission to send HTTP POST requests to the OpenSearch APIs", + "privilege": "ESHttpPost", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain" } ] }, { "access_level": "Write", - "description": "Writes multiple data records into a delivery stream in a single call, which can achieve higher throughput per producer than when writing single records.", - "privilege": "PutRecordBatch", + "description": "Grants permission to send HTTP PUT requests to the OpenSearch APIs", + "privilege": "ESHttpPut", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain" } ] }, { - "access_level": "Write", - "description": "Enables server-side encryption (SSE) for the delivery stream.", - "privilege": "StartDeliveryStreamEncryption", + "access_level": "List", + "description": "Grants permission to fetch list of compatible elastic search versions to which Amazon OpenSearch domain can be upgraded", + "privilege": "GetCompatibleElasticsearchVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain*" } ] }, { - "access_level": "Write", - "description": "Disables the specified destination of the specified delivery stream.", - "privilege": "StopDeliveryStreamEncryption", + "access_level": "List", + "description": "Grants permission to fetch list of compatible 
OpenSearch versions to which Amazon OpenSearch domain can be upgraded", + "privilege": "GetCompatibleVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain*" } ] }, { - "access_level": "Write", - "description": "Adds or updates tags for the specified delivery stream.", - "privilege": "TagDeliveryStream", + "access_level": "Read", + "description": "Grants permission to fetch the version history for a package", + "privilege": "GetPackageVersionHistory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Removes tags from the specified delivery stream.", - "privilege": "UntagDeliveryStream", + "access_level": "Read", + "description": "Grants permission to fetch upgrade history for given OpenSearch domain", + "privilege": "GetUpgradeHistory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "Write", - "description": "Updates the specified destination of the specified delivery stream.", - "privilege": "UpdateDestination", + "access_level": "Read", + "description": "Grants permission to fetch upgrade status for given OpenSearch domain", + "privilege": "GetUpgradeStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverystream*" + "resource_type": "domain*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:firehose:${Region}:${Account}:deliverystream/${DeliveryStreamName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "deliverystream" - } - ], - 
"service_name": "Amazon Kinesis Firehose" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - } - ], - "prefix": "fms", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to set the AWS Firewall Manager administrator account and enables the service in all organization accounts", - "privilege": "AssociateAdminAccount", + "access_level": "List", + "description": "Grants permission to display the names of all Amazon OpenSearch domains that the current user owns", + "privilege": "ListDomainNames", "resource_types": [ { "condition_keys": [], 
@@ -62083,21 +73341,21 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to permanently deletes an AWS Firewall Manager applications list", - "privilege": "DeleteAppsList", + "access_level": "List", + "description": "Grants permission to list all Amazon ES domains that a package is associated with", + "privilege": "ListDomainsForPackage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications-list*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Firewall Manager association with the IAM role and the Amazon Simple Notification Service (SNS) topic that is used to notify the FM administrator about major FM events and errors across the organization", - "privilege": "DeleteNotificationChannel", + "access_level": "List", + "description": "Grants permission to list all instance types and available features for a given OpenSearch version", + "privilege": "ListElasticsearchInstanceTypeDetails", "resource_types": [ { "condition_keys": [], 
@@ -62107,40 +73365,33 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to permanently delete an AWS Firewall Manager policy", - "privilege": "DeletePolicy", + "access_level": "List", + "description": "Grants permission to list all OpenSearch instance types that are supported for a given OpenSearch version", + "privilege": "ListElasticsearchInstanceTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to permanently deletes an AWS Firewall Manager protocols list", - "privilege": "DeleteProtocolsList", + "access_level": "List", + "description": "Grants permission to list all supported OpenSearch versions on Amazon OpenSearch", + "privilege": "ListElasticsearchVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "protocols-list*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate the account that has been set as the AWS Firewall Manager administrator account and and disables the service in all organization accounts", - "privilege": "DisassociateAdminAccount", + "access_level": "List", + "description": "Grants permission to list all instance types and available features for a given OpenSearch version", + "privilege": "ListInstanceTypeDetails", "resource_types": [ { "condition_keys": [], 
@@ -62150,9 +73401,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the AWS Organizations master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator", - "privilege": "GetAdminAccount", + "access_level": "List", + "description": "Grants permission to list all OpenSearch instance types that are supported for a given OpenSearch version", + "privilege": "ListInstanceTypes", "resource_types": [ { "condition_keys": [], @@ -62162,33 +73413,33 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return information about the specified AWS Firewall Manager applications list", - "privilege": "GetAppsList", + "access_level": "List", + "description": "Grants permission to list all packages associated with the Amazon ES domain", + "privilege": "ListPackagesForDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications-list*" + "resource_type": "domain*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy", - "privilege": "GetComplianceDetail", + "description": "Grants permission to display all of the tags for an Amazon OpenSearch domain", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the Amazon Simple Notification Service (SNS) topic that is used to record AWS Firewall Manager SNS logs", - "privilege": "GetNotificationChannel", + "access_level": "List", + "description": "Grants permission to list all supported OpenSearch versions on Amazon OpenSearch", + "privilege": "ListVersions", "resource_types": [ { "condition_keys": [], 
@@ -62198,57 +73449,45 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the specified AWS Firewall Manager policy", - "privilege": "GetPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve policy-level attack summary information in the event of a potential DDoS attack", - "privilege": "GetProtectionStatus", + "access_level": "Write", + "description": "Grants permission to purchase OpenSearch reserved instances", + "privilege": "PurchaseReservedElasticsearchInstanceOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about the specified AWS Firewall Manager protocols list", - "privilege": "GetProtocolsList", + "access_level": "Write", + "description": "Grants permission to purchase OpenSearch reserved instances", + "privilege": "PurchaseReservedInstanceOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "protocols-list*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve violations for a resource based on the specified AWS Firewall Manager policy and AWS account", - "privilege": "GetViolationDetails", + "access_level": "Write", + "description": "Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request", + "privilege": "RejectInboundConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return an array of AppsListDataSummary objects", - "privilege": "ListAppsLists", + "access_level": "Write", + 
"description": "Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request", + "privilege": "RejectInboundCrossClusterSearchConnection", "resource_types": [ { "condition_keys": [], 
@@ -62258,89 +73497,76 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve an array of PolicyComplianceStatus objects in the response. Use PolicyComplianceStatus to get a summary of which member accounts are protected by the specified policy", - "privilege": "ListComplianceStatus", + "access_level": "Tagging", + "description": "Grants permission to remove tags from Amazon OpenSearch domains", + "privilege": "RemoveTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve an array of member account ids if the caller is FMS admin account", - "privilege": "ListMemberAccounts", - "resource_types": [ + "resource_type": "domain*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve an array of PolicySummary objects in the response", - "privilege": "ListPolicies", + "access_level": "Write", + "description": "Grants permission to start elastic search software update of a domain to given version", + "privilege": "StartElasticsearchServiceSoftwareUpdate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Grants permission to return an array of ProtocolsListDataSummary objects", - "privilege": "ListProtocolsLists", + "access_level": "Write", + "description": "Grants permission to start OpenSearch software update of a domain to given version", + "privilege": "StartServiceSoftwareUpdate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list Tags for a given resource", - "privilege": 
"ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to modify the configuration of an Amazon OpenSearch domain, such as the instance type or number of instances", + "privilege": "UpdateDomainConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Firewall Manager applications list", - "privilege": "PutAppsList", + "description": "Grants permission to modify the configuration of an Amazon OpenSearch domain, such as the instance type or number of instances", + "privilege": "UpdateElasticsearchDomainConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications-list*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to designate the IAM role and Amazon Simple Notification Service (SNS) topic that AWS Firewall Manager (FM) could use to notify the FM administrator about major FM events and errors across the organization", - "privilege": "PutNotificationChannel", + "description": "Grants permission to update a package for use with Amazon ES domains", + "privilege": "UpdatePackage", "resource_types": [ { "condition_keys": [], 
@@ -62351,238 +73577,203 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS Firewall Manager policy", - "privilege": "PutPolicy", + "description": "Grants permission to initiate upgrade of open search domain to given version", + "privilege": "UpgradeDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to creates an AWS Firewall Manager protocols list", - "privilege": "PutProtocolsList", + "description": "Grants permission to initiate upgrade of elastic search domain to given version", + "privilege": "UpgradeElasticsearchDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "protocols-list*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:es:${Region}:${Account}:domain/${DomainName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "domain" }, { - "access_level": "Tagging", - "description": "Grants permission to add a Tag to a given resource", - "privilege": "TagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:iam::${Account}:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonElasticsearchService", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "es_role" }, { - "access_level": "Tagging", - "description": "Grants permission to remove a Tag from a given 
resource", - "privilege": "UntagResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:fms:${Region}:${Account}:policy/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "policy" - }, - { - "arn": "arn:${Partition}:fms:${Region}:${Account}:applications-list/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "applications-list" - }, - { - "arn": "arn:${Partition}:fms:${Region}:${Account}:protocols-list/${Id}", + "arn": "arn:${Partition}:iam::${Account}:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "protocols-list" + "resource": "opensearchservice_role" } ], - "service_name": "AWS Firewall Manager" + "service_name": "Amazon OpenSearch Service (successor to Amazon Elasticsearch Service)" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access to event bus and rule actions based on the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access to event bus and rule actions based on tag-value associated with the resource", + "type": "String" + }, + { + "condition": "aws:SourceAccount", + "description": "Filters access to PutEvents actions based on whether the source of the request comes from a specific account", + "type": "String" + }, + { + "condition": "aws:SourceArn", + "description": "Filters access to PutEvents actions based on the Amazon Resource Name (ARN) of the source making the 
request", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", + "description": "Filters access to event bus and rule actions based on the presence of mandatory tags in the request", + "type": "String" + }, + { + "condition": "events:ManagedBy", + "description": "Used internally by AWS services. If a rule is created by an AWS service on your behalf, the value is the principal name of the service that created the rule", + "type": "String" + }, + { + "condition": "events:TargetArn", + "description": "Filters access to PutTargets actions based on the ARN of a target that can be put to a rule", + "type": "ARN" + }, + { + "condition": "events:creatorAccount", + "description": "Filters access to rule actions based on the account the rule was created in", + "type": "String" + }, + { + "condition": "events:detail-type", + "description": "Filters access to PutEvents and PutRule actions based on the literal string of the detail-type of the event", + "type": "String" + }, + { + "condition": "events:detail.eventTypeCode", + "description": "Filters access to PutRule actions based on the literal string for the detail.eventTypeCode field of the event", + "type": "String" + }, + { + "condition": "events:detail.service", + "description": "Filters access to PutRule actions based on the literal string for the detail.service field of the event", + "type": "String" + }, + { + "condition": "events:detail.userIdentity.principalId", + "description": "Filters access to PutRule actions based on the literal string for the detail.useridentity.principalid field of the event", + "type": "String" + }, + { + "condition": "events:eventBusInvocation", + "description": "Filters access to PutEvents actions based on whether the event was generated via API or cross-account bus invocation", + "type": "String" + }, + { + "condition": "events:source", + "description": "Filters access to PutEvents and PutRule actions 
based on the AWS service or AWS partner event source that generated the event. Matches the literal string of the source field of the event", "type": "String" } ], - "prefix": "forecast", + "prefix": "events", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a dataset", - "privilege": "CreateDataset", + "description": "Grants permission to activate partner event sources", + "privilege": "ActivateEventSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "event-source*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset group", - "privilege": "CreateDatasetGroup", + "description": "Grants permission to cancel a replay", + "privilege": "CancelReplay", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "replay*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset import job", - "privilege": "CreateDatasetImportJob", + "description": "Grants permission to create a new api destination", + "privilege": "CreateApiDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetImportJob*" + "resource_type": "api-destination*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a forecast", - "privilege": "CreateForecast", + "description": "Grants permission to create a new archive", + "privilege": 
"CreateArchive", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictor*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "archive*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a forecast export job using a forecast resource", - "privilege": "CreateForecastExportJob", + "description": "Grants permission to create a new connection", + "privilege": "CreateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecast*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a predictor", - "privilege": "CreatePredictor", + "description": "Grants permission to create event buses", + "privilege": "CreateEventBus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "event-bus*" }, { "condition_keys": [ 
@@ -62596,244 +73787,281 @@ }, { "access_level": "Write", - "description": "Grants permission to create a predictor backtest export job using a predictor", - "privilege": "CreatePredictorBacktestExportJob", + "description": "Grants permission to create partner event sources", + "privilege": "CreatePartnerEventSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictor*" - }, + "resource_type": "event-source*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deactivate event sources", + "privilege": "DeactivateEventSource", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "event-source*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataset", + "description": "Grants permission to deauthorize a connection, deleting its stored authorization secrets", + "privilege": "DeauthorizeConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset group", - "privilege": "DeleteDatasetGroup", + "description": "Grants permission to delete an api destination", + "privilege": "DeleteApiDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "api-destination*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset import job", - "privilege": "DeleteDatasetImportJob", + "description": "Grants permission to delete an archive", + "privilege": "DeleteArchive", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetImportJob*" + "resource_type": "archive*" } ] }, { "access_level": 
"Write", - "description": "Grants permission to delete a forecast", - "privilege": "DeleteForecast", + "description": "Grants permission to delete a connection", + "privilege": "DeleteConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecast*" + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a forecast export job", - "privilege": "DeleteForecastExportJob", + "description": "Grants permission to delete event buses", + "privilege": "DeleteEventBus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecastExport*" + "resource_type": "event-bus*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a predictor", - "privilege": "DeletePredictor", + "description": "Grants permission to delete partner event sources", + "privilege": "DeletePartnerEventSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictor*" + "resource_type": "event-source*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a predictor backtest export job", - "privilege": "DeletePredictorBacktestExportJob", + "description": "Grants permission to delete rules", + "privilege": "DeleteRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictorBacktestExportJob*" + "resource_type": "rule*" + }, + { + "condition_keys": [ + "events:creatorAccount" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a dataset", - "privilege": "DescribeDataset", + "description": "Grants permission to retrieve details about an api destination", + "privilege": "DescribeApiDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "api-destination*" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a dataset group", - "privilege": "DescribeDatasetGroup", + "description": "Grants permission to retrieve details about an archive", + "privilege": "DescribeArchive", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "archive*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a dataset import job", - "privilege": "DescribeDatasetImportJob", + "description": "Grants permission to retrieve details about a conection", + "privilege": "DescribeConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetImportJob*" + "resource_type": "connection*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a forecast", - "privilege": "DescribeForecast", + "description": "Grants permission to retrieve details about event buses", + "privilege": "DescribeEventBus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecast*" + "resource_type": "event-bus" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a forecast export job", - "privilege": "DescribeForecastExportJob", + "description": "Grants permission to retrieve details about event sources", + "privilege": "DescribeEventSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecastExport*" + "resource_type": "event-source*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a predictor", - "privilege": "DescribePredictor", + "description": "Grants permission to retrieve details about partner event sources", + "privilege": "DescribePartnerEventSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"predictor*" + "resource_type": "event-source*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a predictor backtest export job", - "privilege": "DescribePredictorBacktestExportJob", + "description": "Grants permission to retrieve the details of a replay", + "privilege": "DescribeReplay", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictorBacktestExportJob*" + "resource_type": "replay*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the Accuracy Metrics for a predictor", - "privilege": "GetAccuracyMetrics", + "description": "Grants permission to retrieve details about rules", + "privilege": "DescribeRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictor*" + "resource_type": "rule*" + }, + { + "condition_keys": [ + "events:creatorAccount" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the dataset groups", - "privilege": "ListDatasetGroups", + "access_level": "Write", + "description": "Grants permission to disable rules", + "privilege": "DisableRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "events:creatorAccount" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the dataset import jobs", - "privilege": "ListDatasetImportJobs", + "access_level": "Write", + "description": "Grants permissions to enable rules", + "privilege": "EnableRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "events:creatorAccount" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the datasets", - "privilege": 
"ListDatasets", + "access_level": "Write", + "description": "Grants permission to invoke an api destination", + "privilege": "InvokeApiDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "api-destination*" } ] }, { "access_level": "List", - "description": "Grants permission to list all the forecast export jobs", - "privilege": "ListForecastExportJobs", + "description": "Grants permission to retrieve a list of api destinations", + "privilege": "ListApiDestinations", "resource_types": [ { "condition_keys": [], @@ -62844,8 +74072,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all the forecasts", - "privilege": "ListForecasts", + "description": "Grants permission to retrieve a list of archives", + "privilege": "ListArchives", "resource_types": [ { "condition_keys": [], @@ -62856,8 +74084,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all the predictor backtest export jobs", - "privilege": "ListPredictorBacktestExportJobs", + "description": "Grants permission to retrieve a list of connections", + "privilege": "ListConnections", "resource_types": [ { "condition_keys": [], @@ -62868,8 +74096,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all the predictors", - "privilege": "ListPredictors", + "description": "Grants permission to to retrieve a list of the event buses in your account", + "privilege": "ListEventBuses", "resource_types": [ { "condition_keys": [], 
@@ -62880,102 +74108,94 @@ }, { "access_level": "List", - "description": "Grants permission to list the tags for an Amazon Forecast resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to to retrieve a list of event sources shared with this account", + "privilege": "ListEventSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasetGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasetImportJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "forecast" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "forecastExport" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "predictor" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "predictorBacktestExportJob" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a forecast for a single item", - "privilege": "QueryForecast", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS account IDs associated with an event source", + "privilege": "ListPartnerEventSourceAccounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecast*" + "resource_type": "event-source*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to associate the specified tags to a resource", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to retrieve a list partner event sources", + "privilege": "ListPartnerEventSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasetGroup" - }, + "resource_type": "" + 
} + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of replays", + "privilege": "ListReplays", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetImportJob" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of the names of the rules associated with a target", + "privilege": "ListRuleNamesByTarget", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecast" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of the Amazon EventBridge rules in the account", + "privilege": "ListRules", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "forecastExport" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of tags associated with an Amazon EventBridge resource", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictor" + "resource_type": "event-bus" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "predictorBacktestExportJob" + "resource_type": "rule" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "events:creatorAccount" ], "dependent_actions": [], "resource_type": "" 
@@ -62983,48 +74203,18 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to delete the specified tags for a resource", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to retrieve a list of targets defined for a rule", + "privilege": "ListTargetsByRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasetGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasetImportJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "forecast" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "forecastExport" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "predictor" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "predictorBacktestExportJob" + "resource_type": "rule*" }, { "condition_keys": [ - "aws:TagKeys" + "events:creatorAccount" ], "dependent_actions": [], "resource_type": "" 
@@ -63033,141 +74223,71 @@ }, { "access_level": "Write", - "description": "Grants permission to update a dataset group", - "privilege": "UpdateDatasetGroup", + "description": "Grants permission to send custom events to Amazon EventBridge", + "privilege": "PutEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "event-bus*" }, { - "condition_keys": [], + "condition_keys": [ + "events:detail-type", + "events:source", + "events:eventBusInvocation", + "aws:SourceArn", + "aws:SourceAccount" + ], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:forecast:${Region}:${Account}:dataset/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dataset" - }, - { - "arn": "arn:${Partition}:forecast:${Region}:${Account}:dataset-group/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "datasetGroup" - }, - { - "arn": "arn:${Partition}:forecast:${Region}:${Account}:dataset-import-job/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "datasetImportJob" - }, - { - "arn": "arn:${Partition}:forecast:::algorithm/${ResourceId}", - "condition_keys": [], - "resource": "algorithm" - }, - { - "arn": "arn:${Partition}:forecast:${Region}:${Account}:predictor/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "predictor" - }, - { - "arn": "arn:${Partition}:forecast:${Region}:${Account}:predictor-backtest-export-job/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "predictorBacktestExportJob" - }, - { - "arn": "arn:${Partition}:forecast:${Region}:${Account}:forecast/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "forecast" - }, - { - "arn": 
"arn:${Partition}:forecast:${Region}:${Account}:forecast-export-job/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "forecastExport" - } - ], - "service_name": "Amazon Forecast" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "frauddetector", - "privileges": [ { "access_level": "Write", - "description": "Creates a batch of variables.", - "privilege": "BatchCreateVariable", + "description": "Grants permission to sends custom events to Amazon EventBridge", + "privilege": "PutPartnerEvents", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Gets a batch of variables.", - "privilege": "BatchGetVariable", + "access_level": "Permissions management", + "description": "Grants permission to use the PutPermission action to grants permission to another AWS account to put events to your default event bus", + "privilege": "PutPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "variable" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a detector version. 
The detector version starts in a DRAFT status.", - "privilege": "CreateDetectorVersion", + "description": "Grants permission to create or updates rules", + "privilege": "PutRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "rule*" }, { "condition_keys": [ + "events:detail.userIdentity.principalId", + "events:detail-type", + "events:source", + "events:detail.service", + "events:detail.eventTypeCode", "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "events:creatorAccount" ], "dependent_actions": [], "resource_type": "" 
@@ -63176,38 +74296,49 @@ }, { "access_level": "Write", - "description": "Creates a model using the specified model type.", - "privilege": "CreateModel", + "description": "Grants permission to add targets to a rule", + "privilege": "PutTargets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "rule*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "events:TargetArn", + "events:creatorAccount" ], "dependent_actions": [], "resource_type": "" } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to revoke the permission of another AWS account to put events to your default event bus", + "privilege": "RemovePermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Creates a version of the model using the specified model type and model id.", - "privilege": "CreateModelVersion", + "description": "Grants permission to removes targets from a rule", + "privilege": "RemoveTargets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "rule*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "events:creatorAccount" ], "dependent_actions": [], "resource_type": "" 
@@ -63216,18 +74347,36 @@ }, { "access_level": "Write", - "description": "Creates a rule for use with the specified detector.", - "privilege": "CreateRule", + "description": "Grants permission to start a replay of an archive", + "privilege": "StartReplay", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "archive*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add a tag to an Amazon EventBridge resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule" }, { "condition_keys": [ + "aws:TagKeys", "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "events:creatorAccount" ], "dependent_actions": [], "resource_type": "" 
@@ -63235,415 +74384,544 @@ ] }, { - "access_level": "Write", - "description": "Creates a variable.", - "privilege": "CreateVariable", + "access_level": "Read", + "description": "Grants permissions to test whether an event pattern matches the provided event", + "privilege": "TestEventPattern", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the detector. Before deleting a detector, you must first delete all detector versions and rule versions associated with the detector.", - "privilege": "DeleteDetector", + "access_level": "Tagging", + "description": "Grants permission to remove a tag from an Amazon EventBridge resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "event-bus" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule" + }, + { + "condition_keys": [ + "aws:TagKeys", + "events:creatorAccount" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the detector version. You cannot delete detector versions that are in ACTIVE status.", - "privilege": "DeleteDetectorVersion", + "description": "Grants permission to update an api destination", + "privilege": "UpdateApiDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector-version*" + "resource_type": "api-destination*" } ] }, { "access_level": "Write", - "description": "Deletes an entity type. 
You cannot delete an entity type that is included in an event type.", - "privilege": "DeleteEntityType", + "description": "Grants permission to update an archive", + "privilege": "UpdateArchive", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "entity-type*" + "resource_type": "archive*" } ] }, { "access_level": "Write", - "description": "Deletes the specified event.", - "privilege": "DeleteEvent", + "description": "Grants permission to update a connection", + "privilege": "UpdateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "connection*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:events:${Region}::event-source/${EventSourceName}", + "condition_keys": [], + "resource": "event-source" + }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:event-bus/${EventBusName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "event-bus" }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:rule/[${EventBusName}/]${RuleName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "rule" + }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:archive/${ArchiveName}", + "condition_keys": [], + "resource": "archive" + }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:replay/${ReplayName}", + "condition_keys": [], + "resource": "replay" + }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:connection/${ConnectionName}", + "condition_keys": [], + "resource": "connection" + }, + { + "arn": "arn:${Partition}:events:${Region}:${Account}:api-destination/${ApiDestinationName}", + "condition_keys": [], + "resource": "api-destination" + } + ], + "service_name": "Amazon EventBridge" + }, + { + "conditions": [], + "prefix": "execute-api", + "privileges": [ { "access_level": "Write", - "description": "Deletes an event type. 
You cannot delete an event type that is used in a detector or a model.", - "privilege": "DeleteEventType", + "description": "Used to invalidate API cache upon a client request", + "privilege": "InvalidateCache", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-type*" + "resource_type": "execute-api-general*" } ] }, { "access_level": "Write", - "description": "Removes a SageMaker model from Amazon Fraud Detector. You can remove an Amazon SageMaker model if it is not associated with a detector version.", - "privilege": "DeleteExternalModel", + "description": "Used to invoke an API upon a client request", + "privilege": "Invoke", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "external-model*" + "resource_type": "execute-api-general*" } ] }, { "access_level": "Write", - "description": "Deletes a label. You cannot delete labels that are included in an event type in Amazon Fraud Detector. You cannot delete a label assigned to an event ID. 
You must first delete the relevant event ID.", - "privilege": "DeleteLabel", + "description": "ManageConnections controls access to the @connections API", + "privilege": "ManageConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "label*" + "resource_type": "execute-api-general*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:execute-api:${Region}:${Account}:${ApiId}/${Stage}/${Method}/${ApiSpecificResourcePath}", + "condition_keys": [], + "resource": "execute-api-general" + } + ], + "service_name": "Amazon API Gateway" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "finspace", + "privileges": [ { "access_level": "Write", - "description": "Deletes a model. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version.", - "privilege": "DeleteModel", + "description": "Grants permissions to create a FinSpace environment", + "privilege": "CreateEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "environment*" } ] }, { "access_level": "Write", - "description": "Deletes a model version. 
You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version.", - "privilege": "DeleteModelVersion", + "description": "Grants permissions to create a FinSpace user.", + "privilege": "CreateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-version*" + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Deletes an outcome. You cannot delete an outcome that is used in a rule version.", - "privilege": "DeleteOutcome", + "description": "Grants permissions to delete a FinSpace environment.", + "privilege": "DeleteEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "outcome*" + "resource_type": "environment*" } ] }, { "access_level": "Write", - "description": "Deletes the rule. You cannot delete a rule if it is used by an ACTIVE or INACTIVE detector version.", - "privilege": "DeleteRule", + "description": "Grants permissions to delete a FinSpace user.", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" } ] }, { - "access_level": "Write", - "description": "Deletes a variable. 
You cannot delete variables that are included in an event type in Amazon Fraud Detector.", - "privilege": "DeleteVariable", + "access_level": "Read", + "description": "Grants permissions to describe a FinSpace environment.", + "privilege": "GetEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "variable*" + "resource_type": "environment*" } ] }, { "access_level": "Read", - "description": "Gets all versions for a specified detector.", - "privilege": "DescribeDetector", + "description": "Grants permissions to request status of the loading of sample data bundle.", + "privilege": "GetLoadSampleDataSetGroupIntoEnvironmentStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "environment*" } ] }, { "access_level": "Read", - "description": "Gets all of the model versions for the specified model type or for the specified model type and model ID. You can also get details for a single, specified model version.", - "privilege": "DescribeModelVersions", + "description": "Grants permissions to describe a FinSpace user.", + "privilege": "GetUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-version" + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Gets a particular detector version.", - "privilege": "GetDetectorVersion", + "description": "Grants permissions to list FinSpace environments in the AWS account.", + "privilege": "ListEnvironments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector-version*" + "resource_type": "environment*" } ] }, { - "access_level": "List", - "description": "Gets all detectors or a single detector if a detectorId is specified. This is a paginated API. 
If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetDetectorsResponse as part of your request. A null pagination token fetches the records from the beginning.", - "privilege": "GetDetectors", + "access_level": "Read", + "description": "Grants permissions to return a list of tags for a resource.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector" + "resource_type": "environment*" } ] }, { "access_level": "List", - "description": "Gets all entity types or a specific entity type if a name is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEntityTypesResponse as part of your request. A null pagination token fetches the records from the beginning.", - "privilege": "GetEntityTypes", + "description": "Grants permissions to list FinSpace users in an environment.", + "privilege": "ListUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "entity-type" + "resource_type": "environment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Evaluates an event against a detector version. 
If a version ID is not provided, the detector\u2019s (ACTIVE) version is used.", - "privilege": "GetEventPrediction", + "access_level": "Write", + "description": "Grants permissions to load sample data bundle into your FinSpace environment.", + "privilege": "LoadSampleDataSetGroupIntoEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "environment*" } ] }, { - "access_level": "List", - "description": "Gets all event types or a specific event type if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning.", - "privilege": "GetEventTypes", + "access_level": "Tagging", + "description": "Grants permissions to tag a resource.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-type" + "resource_type": "environment*" } ] }, { - "access_level": "List", - "description": "Gets the details for one or more Amazon SageMaker models that have been imported into the service. This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetExternalModelsResult as part of your request. 
A null pagination token fetches the records from the beginning.", - "privilege": "GetExternalModels", + "access_level": "Tagging", + "description": "Grants permissions to untag a resource.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "external-model" + "resource_type": "environment*" } ] }, { - "access_level": "Read", - "description": "Gets the encryption key if a Key Management Service (KMS) customer master key (CMK) has been specified to be used to encrypt content in Amazon Fraud Detector.", - "privilege": "GetKMSEncryptionKey", + "access_level": "Write", + "description": "Grants permissions to update a FinSpace environment", + "privilege": "UpdateEnvironment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "environment*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:finspace:${Region}:${Account}:environment/${environmentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment" }, { - "access_level": "List", - "description": "Gets all labels or a specific label if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 10 and 50. To get the next page results, provide the pagination token from the GetGetLabelsResponse as part of your request. 
A null pagination token fetches the records from the beginning.", - "privilege": "GetLabels", + "arn": "arn:${Partition}:finspace:${Region}:${Account}:user/${userId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "user" + } + ], + "service_name": "Amazon FinSpace" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "firehose", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permissions to create a delivery stream", + "privilege": "CreateDeliveryStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "label" + "resource_type": "deliverystream*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Gets the details of the specified model version.", - "privilege": "GetModelVersion", + "access_level": "Write", + "description": "Grants permission to delete a delivery stream and its data", + "privilege": "DeleteDeliveryStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-version*" + "resource_type": "deliverystream*" } ] }, { - "access_level": "List", - "description": "Gets one or more models. Gets all models for the AWS account if no model type and no model id provided. Gets all models for the AWS account and model type, if the model type is specified but model id is not provided. 
Gets a specific model if (model type, model id) tuple is specified.", - "privilege": "GetModels", + "access_level": "Read", + "description": "Grants permission to describe the specified delivery stream and gets the status", + "privilege": "DescribeDeliveryStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" + "resource_type": "deliverystream*" } ] }, { "access_level": "List", - "description": "Gets one or more outcomes. This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 100 records per page. If you provide a maxResults, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetOutcomesResult as part of your request. A null pagination token fetches the records from the beginning.", - "privilege": "GetOutcomes", + "description": "Grants permissions to list your delivery streams", + "privilege": "ListDeliveryStreams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "outcome" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Get all rules for a detector (paginated) if ruleId and ruleVersion are not specified. Gets all rules for the detector and the ruleId if present (paginated). Gets a specific rule if both the ruleId and the ruleVersion are specified.", - "privilege": "GetRules", + "description": "Grants permissions to list the tags for the specified delivery stream", + "privilege": "ListTagsForDeliveryStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule" + "resource_type": "deliverystream*" } ] }, { - "access_level": "List", - "description": "Gets all of the variables or the specific variable. This is a paginated API. Providing null maxSizePerPage results in retrieving maximum of 100 records per page. If you provide maxSizePerPage the value must be between 50 and 100. 
To get the next page result, a provide a pagination token from GetVariablesResult as part of your request. Null pagination token fetches the records from the beginning.", - "privilege": "GetVariables", + "access_level": "Write", + "description": "Grants permissions to write a single data record into an Amazon Kinesis Firehose delivery stream", + "privilege": "PutRecord", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "variable" + "resource_type": "deliverystream*" } ] }, { - "access_level": "List", - "description": "Lists all tags associated with the resource. This is a paginated API. To get the next page results, provide the pagination token from the response as part of your request. A null pagination token fetches the records from the beginning.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permissions to write multiple data records into a delivery stream in a single call, which can achieve higher throughput per producer than when writing single records", + "privilege": "PutRecordBatch", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "detector-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "entity-type" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "event-type" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "external-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "label" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "outcome" - }, + "resource_type": "deliverystream*" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permissions to enable server-side encryption (SSE) for the delivery stream", + "privilege": "StartDeliveryStreamEncryption", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule" - }, + "resource_type": "deliverystream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to disable the specified destination of the specified delivery stream", + "privilege": "StopDeliveryStreamEncryption", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "variable" + "resource_type": "deliverystream*" } ] }, { - "access_level": "Write", - "description": "Creates or updates a detector.", - "privilege": "PutDetector", + "access_level": "Tagging", + "description": "Grants permissions to add or update tags for the specified delivery stream", + "privilege": "TagDeliveryStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "deliverystream*" }, { "condition_keys": [ @@ -63656,18 +74934,17 @@ ] }, { - "access_level": "Write", - "description": "Creates or updates an entity type. An entity represents who is performing the event. As part of a fraud prediction, you pass the entity ID to indicate the specific entity who performed the event. An entity type classifies the entity. Example classifications include customer, merchant, or account.", - "privilege": "PutEntityType", + "access_level": "Tagging", + "description": "Grants permissions to remove tags from the specified delivery stream", + "privilege": "UntagDeliveryStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "entity-type*" + "resource_type": "deliverystream*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -63677,33 +74954,82 @@ }, { "access_level": "Write", - "description": "Creates or updates an event type. An event is a business activity that is evaluated for fraud risk. With Amazon Fraud Detector, you generate fraud predictions for events. An event type defines the structure for an event sent to Amazon Fraud Detector. This includes the variables sent as part of the event, the entity performing the event (such as a customer), and the labels that classify the event. Example event types include online payment transactions, account registrations, and authentications.", - "privilege": "PutEventType", + "description": "Grants permissions to update the specified destination of the specified delivery stream", + "privilege": "UpdateDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event-type*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "deliverystream*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:firehose:${Region}:${Account}:deliverystream/${DeliveryStreamName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deliverystream" + } + ], + "service_name": "Amazon Kinesis Firehose" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag key and value pair that is allowed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair of a resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by a list of tag keys that are allowed in the request", + "type": "String" + }, + { + "condition": "fis:Operations", + "description": "Filters access by the list of operations on the AWS service that is being affected by the AWS FIS action", + "type": "ArrayOfString" + }, + { + "condition": 
"fis:Percentage", + "description": "Filters access by the percentage of calls being affected by the AWS FIS action", + "type": "Numeric" }, + { + "condition": "fis:Service", + "description": "Filters access by the AWS service that is being affected by the AWS FIS action", + "type": "String" + }, + { + "condition": "fis:Targets", + "description": "Filters access by the list of resource ARNs being targeted by the AWS FIS action", + "type": "ArrayOfString" + } + ], + "prefix": "fis", + "privileges": [ { "access_level": "Write", - "description": "Creates or updates an Amazon SageMaker model endpoint. You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables.", - "privilege": "PutExternalModel", + "description": "Grants permission to create an AWS FIS experiment template", + "privilege": "CreateExperimentTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "external-model*" + "resource_type": "action*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment-template*" }, { "condition_keys": [ 
@@ -63717,30 +75043,29 @@ }, { "access_level": "Write", - "description": "Specifies the Key Management Service (KMS) customer master key (CMK) to be used to encrypt content in Amazon Fraud Detector.", - "privilege": "PutKMSEncryptionKey", + "description": "Grants permission to delete the AWS FIS experiment template", + "privilege": "DeleteExperimentTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment-template*" } ] }, { - "access_level": "Write", - "description": "Creates or updates label. A label classifies an event as fraudulent or legitimate. Labels are associated with event types and used to train supervised machine learning models in Amazon Fraud Detector.", - "privilege": "PutLabel", + "access_level": "Read", + "description": "Grants permission to retrieve an AWS FIS action", + "privilege": "GetAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "label*" + "resource_type": "action*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -63748,19 +75073,18 @@ ] }, { - "access_level": "Write", - "description": "Creates or updates an outcome.", - "privilege": "PutOutcome", + "access_level": "Read", + "description": "Grants permission to retrieve an AWS FIS experiment", + "privilege": "GetExperiment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "outcome*" + "resource_type": "experiment*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -63768,69 +75092,18 @@ ] }, { - "access_level": "Tagging", - "description": "Assigns tags to a resource.", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to retrieve an AWS FIS Experiment Template", + "privilege": "GetExperimentTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "detector-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "entity-type" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "event-type" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "external-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "label" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "outcome" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rule" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "variable" + "resource_type": "experiment-template*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -63838,69 +75111,65 @@ ] }, { - "access_level": "Tagging", - "description": "Removes tags from a resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to inject an API internal error on the provided AWS service from an FIS Experiment", + "privilege": "InjectApiInternalError", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "detector-version" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "entity-type" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "event-type" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "external-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "label" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model" + "resource_type": "experiment*" }, { - "condition_keys": [], + "condition_keys": [ + "fis:Service", + "fis:Operations", + "fis:Percentage", + "fis:Targets" + ], "dependent_actions": [], - "resource_type": "model-version" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to inject an API throttle error on the provided AWS service from an FIS Experiment", + "privilege": "InjectApiThrottleError", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "outcome" + "resource_type": "experiment*" }, { - "condition_keys": [], + "condition_keys": [ + "fis:Service", + "fis:Operations", + "fis:Percentage", + "fis:Targets" + ], "dependent_actions": [], - "resource_type": "rule" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to inject an API unavailable error on the provided AWS service from an FIS Experiment", + "privilege": "InjectApiUnavailableError", + 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "variable" + "resource_type": "experiment*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "fis:Service", + "fis:Operations", + "fis:Percentage", + "fis:Targets" ], "dependent_actions": [], "resource_type": "" 
@@ -63908,62 +75177,79 @@ ] }, { - "access_level": "Write", - "description": "Updates a detector version. The detector version attributes that you can update include models, external model endpoints, rules, rule execution mode, and description. You can only update a DRAFT detector version.", - "privilege": "UpdateDetectorVersion", + "access_level": "List", + "description": "Grants permission to list all available AWS FIS actions", + "privilege": "ListActions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates the detector version's description. You can update the metadata for any detector version (DRAFT, ACTIVE, or INACTIVE).", - "privilege": "UpdateDetectorVersionMetadata", + "access_level": "List", + "description": "Grants permission to list all available AWS FIS experiment templates", + "privilege": "ListExperimentTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector-version*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates the detector version\u2019s status. You can perform the following promotions or demotions using UpdateDetectorVersionStatus: DRAFT to ACTIVE, ACTIVE to INACTIVE, and INACTIVE to ACTIVE.", - "privilege": "UpdateDetectorVersionStatus", + "access_level": "List", + "description": "Grants permission to list all available AWS FIS experiments", + "privilege": "ListExperiments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector-version*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates a model. 
You can update the description attribute using this action.", - "privilege": "UpdateModel", + "access_level": "Read", + "description": "Grants permission to list the tags for an AWS FIS resource.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "action" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment-template" } ] }, { "access_level": "Write", - "description": "Updates a model version. Updating a model version retrains an existing model version using updated training data and produces a new minor version of the model. You can update the training data set location and data access role attributes using this action. This action creates and trains a new minor version of the model, for example version 1.01, 1.02, 1.03.", - "privilege": "UpdateModelVersion", + "description": "Grants permission to run an AWS FIS experiment", + "privilege": "StartExperiment", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "experiment*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "experiment-template*" }, { "condition_keys": [ 
@@ -63977,42 +75263,70 @@ }, { "access_level": "Write", - "description": "Updates the status of a model version.", - "privilege": "UpdateModelVersionStatus", + "description": "Grants permission to stop an AWS FIS experiment", + "privilege": "StopExperiment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment*" } ] }, { - "access_level": "Write", - "description": "Updates a rule's metadata. The description attribute can be updated.", - "privilege": "UpdateRuleMetadata", + "access_level": "Tagging", + "description": "Grants permission to tag AWS FIS resources", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "action" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment-template" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates a rule version resulting in a new rule version. Updates a rule version resulting in a new rule version (version 1, 2, 3 ...).", - "privilege": "UpdateRuleVersion", + "access_level": "Tagging", + "description": "Grants permission to untag AWS FIS resources", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "action" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment-template" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -64021,154 +75335,103 @@ }, { "access_level": "Write", - "description": "Updates a variable.", - "privilege": "UpdateVariable", + "description": "Grants permission to update the specified AWS FIS experiment template", + "privilege": "UpdateExperimentTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "variable*" + "resource_type": "experiment-template*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "action" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:detector/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "detector" - }, - { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:detector-version/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "detector-version" - }, - { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:entity-type/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "entity-type" - }, - { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:external-model/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "external-model" - }, - { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:event-type/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "event-type" - }, - { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:label/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "label" - }, - { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:model/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "model" - }, - { - "arn": 
"arn:${Partition}:frauddetector:${Region}:${Account}:model-version/${resourcePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "model-version" - }, - { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:outcome/${resourcePath}", + "arn": "arn:${Partition}:fis:${Region}:${Account}:action/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "outcome" + "resource": "action" }, { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:rule/${resourcePath}", + "arn": "arn:${Partition}:fis:${Region}:${Account}:experiment/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "rule" + "resource": "experiment" }, { - "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:variable/${resourcePath}", + "arn": "arn:${Partition}:fis:${Region}:${Account}:experiment-template/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "variable" + "resource": "experiment-template" } ], - "service_name": "Amazon Fraud Detector" + "service_name": "AWS Fault Injection Simulator" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to Amazon FreeRTOS.", + "description": "Filters actions based on the allowed set of values for each of the tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag key component of a tag attached to an Amazon FreeRTOS resource.", + "description": "Filters actions based on tag-value assoicated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the resource in the request.", + "description": "Filters actions based on the presence of mandatory tags in the request", "type": "String" } ], - "prefix": "freertos", + "prefix": "fms", "privileges": [ { "access_level": "Write", - "description": "Creates a software configuration.", - "privilege": 
"CreateSoftwareConfiguration", + "description": "Grants permission to set the AWS Firewall Manager administrator account and enables the service in all organization accounts", + "privilege": "AssociateAdminAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the software configuration.", - "privilege": "DeleteSoftwareConfiguration", + "description": "Grants permission to permanently deletes an AWS Firewall Manager applications list", + "privilege": "DeleteAppsList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration*" + "resource_type": "applications-list*" } ] }, { - "access_level": "Read", - "description": "Describes the hardware platform.", - "privilege": "DescribeHardwarePlatform", + "access_level": "Write", + "description": "Grants permission to delete an AWS Firewall Manager association with the IAM role and the Amazon Simple Notification Service (SNS) topic that is used to notify the FM administrator about major FM events and errors across the organization", + "privilege": "DeleteNotificationChannel", "resource_types": [ { "condition_keys": [], 
@@ -64178,33 +75441,40 @@ ] }, { - "access_level": "Read", - "description": "Describes the software configuration.", - "privilege": "DescribeSoftwareConfiguration", + "access_level": "Write", + "description": "Grants permission to permanently delete an AWS Firewall Manager policy", + "privilege": "DeletePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration*" + "resource_type": "policy*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Get the URL for Amazon FreeRTOS software download.", - "privilege": "GetSoftwareURL", + "access_level": "Write", + "description": "Grants permission to permanently deletes an AWS Firewall Manager protocols list", + "privilege": "DeleteProtocolsList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "protocols-list*" } ] }, { - "access_level": "Read", - "description": "Get the URL for Amazon FreeRTOS software download based on the configuration.", - "privilege": "GetSoftwareURLForConfiguration", + "access_level": "Write", + "description": "Grants permission to disassociate the account that has been set as the AWS Firewall Manager administrator account and and disables the service in all organization accounts", + "privilege": "DisassociateAdminAccount", "resource_types": [ { "condition_keys": [], @@ -64214,9 +75484,9 @@ ] }, { - "access_level": "List", - "description": "Lists versions of AmazonFreeRTOS.", - "privilege": "ListFreeRTOSVersions", + "access_level": "Read", + "description": "Grants permission to retrieve the AWS Organizations master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator", + "privilege": "GetAdminAccount", "resource_types": [ { "condition_keys": [], 
@@ -64226,33 +75496,33 @@ ] }, { - "access_level": "List", - "description": "Lists the hardware platforms.", - "privilege": "ListHardwarePlatforms", + "access_level": "Read", + "description": "Grants permission to return information about the specified AWS Firewall Manager applications list", + "privilege": "GetAppsList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "applications-list*" } ] }, { - "access_level": "List", - "description": "Lists the hardware vendors.", - "privilege": "ListHardwareVendors", + "access_level": "Read", + "description": "Grants permission to retrieve detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy", + "privilege": "GetComplianceDetail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { - "access_level": "List", - "description": "Lists the software configurations.", - "privilege": "ListSoftwareConfigurations", + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Simple Notification Service (SNS) topic that is used to record AWS Firewall Manager SNS logs", + "privilege": "GetNotificationChannel", "resource_types": [ { "condition_keys": [], 
@@ -64262,208 +75532,149 @@ ] }, { - "access_level": "Write", - "description": "Updates the software configuration.", - "privilege": "UpdateSoftwareConfiguration", + "access_level": "Read", + "description": "Grants permission to retrieve information about the specified AWS Firewall Manager policy", + "privilege": "GetPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration*" + "resource_type": "policy*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:freertos:${Region}:${Account}:configuration/${configurationName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "configuration" - } - ], - "service_name": "Amazon FreeRTOS" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "", - "type": "String" - } - ], - "prefix": "fsx", - "privileges": [ - { - "access_level": "Write", - "description": "This action cancels a data repository task", - "privilege": "CancelDataRepositoryTask", + "access_level": "Read", + "description": "Grants permission to retrieve policy-level attack summary information in the event of a potential DDoS attack", + "privilege": "GetProtectionStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "task*" + "resource_type": "policy*" } ] }, { - "access_level": "Tagging", - "description": "This action creates a new backup.", - "privilege": "CreateBackup", + "access_level": "Read", + "description": "Grants permission to return information about the specified AWS Firewall Manager protocols list", + "privilege": "GetProtocolsList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "backup*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "file-system*" - 
}, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "protocols-list*" } ] }, { - "access_level": "Tagging", - "description": "This action creates a new task.", - "privilege": "CreateDataRepositoryTask", + "access_level": "Read", + "description": "Grants permission to retrieve violations for a resource based on the specified AWS Firewall Manager policy and AWS account", + "privilege": "GetViolationDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "file-system*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { - "access_level": "Tagging", - "description": "This action creates a new, empty, Amazon FSx file system", - "privilege": "CreateFileSystem", + "access_level": "List", + "description": "Grants permission to return an array of AppsListDataSummary objects", + "privilege": "ListAppsLists", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "file-system*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "This action creates a new Amazon FSx file system from an existing backup.", - "privilege": "CreateFileSystemFromBackup", + "access_level": "List", + "description": "Grants permission to retrieve an array of PolicyComplianceStatus objects in the response. 
Use PolicyComplianceStatus to get a summary of which member accounts are protected by the specified policy", + "privilege": "ListComplianceStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "backup*" - }, + "resource_type": "policy*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve an array of member account ids if the caller is FMS admin account", + "privilege": "ListMemberAccounts", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "file-system*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "This action deletes a backup, deleting its contents. After deletion, the backup no longer exists, and its data is gone.", - "privilege": "DeleteBackup", + "access_level": "List", + "description": "Grants permission to retrieve an array of PolicySummary objects in the response", + "privilege": "ListPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "backup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "This action deletes a file system, deleting its contents.", - "privilege": "DeleteFileSystem", + "access_level": "List", + "description": "Grants permission to return an array of ProtocolsListDataSummary objects", + "privilege": "ListProtocolsLists", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "file-system*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "This action returns the description of specific Amazon FSx backups, if one or more BackupIds are provided for that backup. 
Otherwise, it returns all backups owned by your AWS account in the AWS Region of the endpoint that you're calling.", - "privilege": "DescribeBackups", + "description": "Grants permission to list Tags for a given resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { - "access_level": "Read", - "description": "This action returns the description of specific Amazon FSx data repository task, if one or more TaskIds are provided for that data repository task. Otherwise, it returns all data repository task owned by your AWS account in the AWS Region of the endpoint that you're calling.", - "privilege": "DescribeDataRepositoryTasks", + "access_level": "Write", + "description": "Grants permission to create an AWS Firewall Manager applications list", + "privilege": "PutAppsList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "applications-list*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "This action returns the description of specific Amazon FSx file systems, if a FileSystemIds value is provided for that file system. Otherwise, it returns descriptions of all file systems owned by your AWS account in the AWS Region of the endpoint that you're calling.", - "privilege": "DescribeFileSystems", + "access_level": "Write", + "description": "Grants permission to designate the IAM role and Amazon Simple Notification Service (SNS) topic that AWS Firewall Manager (FM) could use to notify the FM administrator about major FM events and errors across the organization", + "privilege": "PutNotificationChannel", "resource_types": [ { "condition_keys": [], 
@@ -64473,51 +75684,39 @@ ] }, { - "access_level": "Read", - "description": "This action lists tags for an Amazon FSx resource.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to create an AWS Firewall Manager policy", + "privilege": "PutPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "backup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "file-system" + "resource_type": "policy*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "task" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "This action tags an Amazon FSx resource.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to creates an AWS Firewall Manager protocols list", + "privilege": "PutProtocolsList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "backup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "file-system" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task" + "resource_type": "protocols-list*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -64526,26 +75725,17 @@ }, { "access_level": "Tagging", - "description": "This action removes a tag from an Amazon FSx resource.", - "privilege": "UntagResource", + "description": "Grants permission to add a Tag to a given resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "backup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "file-system" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "task" + "resource_type": "policy*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -64554,42 +75744,49 @@ ] }, { - "access_level": "Write", - "description": "This action updates file system configuration.", - "privilege": "UpdateFileSystem", + "access_level": "Tagging", + "description": "Grants permission to remove a Tag from a given resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "file-system*" + "resource_type": "policy*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:fsx:${Region}:${Account}:file-system/*", + "arn": "arn:${Partition}:fms:${Region}:${Account}:policy/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "file-system" + "resource": "policy" }, { - "arn": "arn:${Partition}:fsx:${Region}:${Account}:backup/*", + "arn": "arn:${Partition}:fms:${Region}:${Account}:applications-list/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "backup" + "resource": "applications-list" }, { - "arn": "arn:${Partition}:fsx:${Region}:${Account}:task/*", + "arn": "arn:${Partition}:fms:${Region}:${Account}:protocols-list/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "task" + "resource": "protocols-list" } ], - "service_name": "Amazon FSx" + "service_name": "AWS Firewall Manager" }, { "conditions": [ 
@@ -64609,37 +75806,18 @@ "type": "String" } ], - "prefix": "gamelift", + "prefix": "forecast", "privileges": [ { "access_level": "Write", - "description": "Registers player acceptance or rejection of a proposed FlexMatch match.", - "privilege": "AcceptMatch", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Locates and reserves a game server to host a new game session.", - "privilege": "ClaimGameServer", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" - } - ] - }, - { - "access_level": "Write", - "description": "Defines a new alias for a fleet.", - "privilege": "CreateAlias", - "resource_types": [ + "resource_type": "dataset*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -64652,24 +75830,14 @@ }, { "access_level": "Write", - "description": "Creates a new game build using files stored in an Amazon S3 bucket.", - "privilege": "CreateBuild", + "description": "Grants permission to create a dataset group", + "privilege": "CreateDatasetGroup", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a new fleet of computing resources to run your game servers.", - "privilege": "CreateFleet", - "resource_types": [ + "resource_type": "datasetGroup*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -64682,9 +75850,14 @@ }, { "access_level": "Write", - "description": "Creates a new game server group, sets up a corresponding Auto Scaling group, and launches instances to host game servers.", - "privilege": "CreateGameServerGroup", + "description": "Grants permission to create a dataset import job", + "privilege": "CreateDatasetImportJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -64697,21 +75870,14 @@ }, { "access_level": "Write", - "description": "Starts a new game session on a specified fleet.", - "privilege": "CreateGameSession", + "description": "Grants permission to create a forecast", + "privilege": "CreateForecast", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Sets up a new queue for processing new game session placement requests.", - "privilege": "CreateGameSessionQueue", - "resource_types": [ + "resource_type": "predictor*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -64724,9 +75890,14 @@ }, { "access_level": "Write", - "description": "Creates a new FlexMatch matchmaker.", - "privilege": "CreateMatchmakingConfiguration", + "description": "Grants permission to create a forecast export job using a forecast resource", + "privilege": "CreateForecastExportJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecast*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -64739,9 +75910,14 @@ }, { "access_level": "Write", - "description": "Creates a new matchmaking rule set for FlexMatch.", - "privilege": "CreateMatchmakingRuleSet", + "description": "Grants permission to create a predictor", + "privilege": "CreatePredictor", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -64754,33 +75930,14 @@ }, { "access_level": "Write", - "description": "Reserves an available game session slot for a player.", - "privilege": "CreatePlayerSession", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Reserves available game session slots for multiple players.", - "privilege": "CreatePlayerSessions", + "description": "Grants permission to create a predictor backtest export job using a predictor", + "privilege": "CreatePredictorBacktestExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a new Realtime Servers script.", - "privilege": "CreateScript", - "resource_types": [ + "resource_type": "predictor*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -64793,308 +75950,266 @@ }, { "access_level": "Write", - "description": "Allows GameLift to create or delete a peering connection between a GameLift fleet VPC and a VPC on another AWS account.", - "privilege": "CreateVpcPeeringAuthorization", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dataset*" } ] }, { "access_level": "Write", - "description": "Establishes a peering connection between your GameLift fleet VPC and a VPC on another account.", - "privilege": "CreateVpcPeeringConnection", + "description": "Grants permission to delete a dataset group", + "privilege": "DeleteDatasetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasetGroup*" } ] }, { "access_level": "Write", - "description": "Deletes an alias.", - "privilege": "DeleteAlias", + "description": "Grants permission to delete a dataset import job", + "privilege": "DeleteDatasetImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias*" + "resource_type": "datasetImportJob*" } ] }, { "access_level": "Write", - "description": "Deletes a game build.", - "privilege": "DeleteBuild", + "description": "Grants permission to delete a forecast", + "privilege": "DeleteForecast", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "build*" + "resource_type": "forecast*" } ] }, { "access_level": "Write", - "description": "Deletes an empty fleet.", - "privilege": "DeleteFleet", + "description": "Grants permission to delete a forecast export job", + "privilege": "DeleteForecastExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "forecastExport*" } ] }, { "access_level": "Write", - "description": "Permanently deletes a game server group 
and terminates FleetIQ activity for the corresponding Auto Scaling group.", - "privilege": "DeleteGameServerGroup", + "description": "Grants permission to delete a predictor", + "privilege": "DeletePredictor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "predictor*" } ] }, { "access_level": "Write", - "description": "Deletes an existing game session queue.", - "privilege": "DeleteGameSessionQueue", + "description": "Grants permission to delete a predictor backtest export job", + "privilege": "DeletePredictorBacktestExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameSessionQueue*" + "resource_type": "predictorBacktestExportJob*" } ] }, { "access_level": "Write", - "description": "Deletes an existing FlexMatch matchmaker.", - "privilege": "DeleteMatchmakingConfiguration", + "description": "Grants permission to delete a resource and its child resources", + "privilege": "DeleteResourceTree", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingConfiguration*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes an existing FlexMatch matchmaking rule set.", - "privilege": "DeleteMatchmakingRuleSet", - "resource_types": [ + "resource_type": "dataset*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingRuleSet*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes a set of auto-scaling rules.", - "privilege": "DeleteScalingPolicy", - "resource_types": [ + "resource_type": "datasetGroup*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes a Realtime Servers script.", - "privilege": "DeleteScript", - "resource_types": [ + "resource_type": "datasetImportJob*" + }, { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "script*" - } - ] - }, - { - "access_level": "Write", - "description": "Cancels a VPC peering authorization.", - "privilege": "DeleteVpcPeeringAuthorization", - "resource_types": [ + "resource_type": "forecast*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Removes a peering connection between VPCs.", - "privilege": "DeleteVpcPeeringConnection", - "resource_types": [ + "resource_type": "forecastExport*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Removes a game server from a game server group.", - "privilege": "DeregisterGameServer", - "resource_types": [ + "resource_type": "predictor*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "predictorBacktestExportJob*" } ] }, { "access_level": "Read", - "description": "Retrieves properties for an alias.", - "privilege": "DescribeAlias", + "description": "Grants permission to describe a dataset", + "privilege": "DescribeDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias*" + "resource_type": "dataset*" } ] }, { "access_level": "Read", - "description": "Retrieves properties for a game build.", - "privilege": "DescribeBuild", + "description": "Grants permission to describe a dataset group", + "privilege": "DescribeDatasetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "build*" + "resource_type": "datasetGroup*" } ] }, { "access_level": "Read", - "description": "Retrieves the maximum allowed and current usage for EC2 instance types.", - "privilege": "DescribeEC2InstanceLimits", + "description": "Grants permission to describe a dataset import job", + "privilege": "DescribeDatasetImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "" + "resource_type": "datasetImportJob*" } ] }, { "access_level": "Read", - "description": "Retrieves general properties, including status, for fleets.", - "privilege": "DescribeFleetAttributes", + "description": "Grants permission to describe a forecast", + "privilege": "DescribeForecast", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "forecast*" } ] }, { "access_level": "Read", - "description": "Retrieves the current capacity setting for fleets.", - "privilege": "DescribeFleetCapacity", + "description": "Grants permission to describe a forecast export job", + "privilege": "DescribeForecastExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "forecastExport*" } ] }, { "access_level": "Read", - "description": "Retrieves entries from a fleet's event log.", - "privilege": "DescribeFleetEvents", + "description": "Grants permission to describe a predictor", + "privilege": "DescribePredictor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "predictor*" } ] }, { "access_level": "Read", - "description": "Retrieves the inbound connection permissions for a fleet.", - "privilege": "DescribeFleetPortSettings", + "description": "Grants permission to describe a predictor backtest export job", + "privilege": "DescribePredictorBacktestExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "predictorBacktestExportJob*" } ] }, { "access_level": "Read", - "description": "Retrieves utilization statistics for fleets.", - "privilege": "DescribeFleetUtilization", + "description": "Grants permission to get the Accuracy Metrics for a predictor", + "privilege": "GetAccuracyMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": 
"predictor*" } ] }, { - "access_level": "Read", - "description": "Retrieves properties for a game server.", - "privilege": "DescribeGameServer", + "access_level": "List", + "description": "Grants permission to list all the dataset groups", + "privilege": "ListDatasetGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves properties for a game server group.", - "privilege": "DescribeGameServerGroup", + "access_level": "List", + "description": "Grants permission to list all the dataset import jobs", + "privilege": "ListDatasetImportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves the status of EC2 instances in a game server group.", - "privilege": "DescribeGameServerInstances", + "access_level": "List", + "description": "Grants permission to list all the datasets", + "privilege": "ListDatasets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves properties for game sessions in a fleet, including the protection policy.", - "privilege": "DescribeGameSessionDetails", + "access_level": "List", + "description": "Grants permission to list all the forecast export jobs", + "privilege": "ListForecastExportJobs", "resource_types": [ { "condition_keys": [], @@ -65104,9 +76219,9 @@ ] }, { - "access_level": "Read", - "description": "Retrieves details of a game session placement request.", - "privilege": "DescribeGameSessionPlacement", + "access_level": "List", + "description": "Grants permission to list all the forecasts", + "privilege": "ListForecasts", "resource_types": [ { "condition_keys": [], 
@@ -65116,9 +76231,9 @@ ] }, { - "access_level": "Read", - "description": "Retrieves properties for game session queues.", - "privilege": "DescribeGameSessionQueues", + "access_level": "List", + "description": "Grants permission to list all the predictor backtest export jobs", + "privilege": "ListPredictorBacktestExportJobs", "resource_types": [ { "condition_keys": [], @@ -65128,9 +76243,9 @@ ] }, { - "access_level": "Read", - "description": "Retrieves properties for game sessions in a fleet.", - "privilege": "DescribeGameSessions", + "access_level": "List", + "description": "Grants permission to list all the predictors", + "privilege": "ListPredictors", "resource_types": [ { "condition_keys": [], 
@@ -65141,403 +76256,740 @@ }, { "access_level": "Read", - "description": "Retrieves information about instances in a fleet.", - "privilege": "DescribeInstances", + "description": "Grants permission to list the tags for an Amazon Forecast resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecast" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecastExport" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictorBacktestExportJob" } ] }, { "access_level": "Read", - "description": "Retrieves details of matchmaking tickets.", - "privilege": "DescribeMatchmaking", + "description": "Grants permission to retrieve a forecast for a single item", + "privilege": "QueryForecast", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "forecast*" } ] }, { - "access_level": "Read", - "description": "Retrieves properties for FlexMatch matchmakers.", - "privilege": "DescribeMatchmakingConfigurations", + "access_level": "Write", + "description": "Grants permission to stop Amazon Forecast resource jobs", + "privilege": "StopResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "datasetImportJob*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecast*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecastExport*" + }, + { + "condition_keys": [], + "dependent_actions": 
[], + "resource_type": "predictor*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictorBacktestExportJob*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves properties for FlexMatch matchmaking rule sets.", - "privilege": "DescribeMatchmakingRuleSets", + "access_level": "Tagging", + "description": "Grants permission to associate the specified tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecast" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecastExport" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictorBacktestExportJob" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves properties for player sessions in a game session.", - "privilege": "DescribePlayerSessions", + "access_level": "Tagging", + "description": "Grants permission to delete the specified tags for a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob" + }, + { + "condition_keys": 
[], + "dependent_actions": [], + "resource_type": "forecast" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "forecastExport" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictor" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "predictorBacktestExportJob" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves the current runtime configuration for a fleet.", - "privilege": "DescribeRuntimeConfiguration", + "access_level": "Write", + "description": "Grants permission to update a dataset group", + "privilege": "UpdateDatasetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "dataset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:dataset/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dataset" }, { - "access_level": "Read", - "description": "Retrieves all scaling policies that are applied to a fleet.", - "privilege": "DescribeScalingPolicies", + "arn": "arn:${Partition}:forecast:${Region}:${Account}:dataset-group/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "datasetGroup" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:dataset-import-job/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "datasetImportJob" + }, + { + "arn": "arn:${Partition}:forecast:::algorithm/${ResourceId}", + "condition_keys": [], + "resource": "algorithm" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:predictor/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "predictor" + }, + { + "arn": 
"arn:${Partition}:forecast:${Region}:${Account}:predictor-backtest-export-job/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "predictorBacktestExportJob" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:forecast/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "forecast" + }, + { + "arn": "arn:${Partition}:forecast:${Region}:${Account}:forecast-export-job/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "forecastExport" + } + ], + "service_name": "Amazon Forecast" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "frauddetector", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a batch of variables", + "privilege": "BatchCreateVariable", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves properties for a Realtime Servers script.", - "privilege": "DescribeScript", + "access_level": "List", + "description": "Grants permission to get a batch of variables", + "privilege": "BatchGetVariable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "script*" + "resource_type": "variable" } ] }, { - "access_level": "Read", - "description": "Retrieves valid VPC peering authorizations.", - "privilege": 
"DescribeVpcPeeringAuthorizations", + "access_level": "Write", + "description": "Grants permission to cancel the specified batch prediction job", + "privilege": "CancelBatchPredictionJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "batch-prediction*" } ] }, { - "access_level": "Read", - "description": "Retrieves details on active or pending VPC peering connections.", - "privilege": "DescribeVpcPeeringConnections", + "access_level": "Write", + "description": "Grants permission to create a batch prediction job", + "privilege": "CreateBatchPredictionJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "batch-prediction*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector-version*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-type*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves the location of stored logs for a game session.", - "privilege": "GetGameSessionLogUrl", + "access_level": "Write", + "description": "Grants permission to create a detector version. 
The detector version starts in a DRAFT status", + "privilege": "CreateDetectorVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "detector*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Requests remote access to a specified fleet instance.", - "privilege": "GetInstanceAccess", + "access_level": "Write", + "description": "Grants permission to create a model using the specified model type", + "privilege": "CreateModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieves all aliases that are defined in the current region.", - "privilege": "ListAliases", + "access_level": "Write", + "description": "Grants permission to create a version of the model using the specified model type and model id", + "privilege": "CreateModelVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieves all game build in the current region.", - "privilege": "ListBuilds", + "access_level": "Write", + "description": "Grants permission to create a rule for use with the specified detector", + "privilege": "CreateRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "detector*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieves a list of 
fleet IDs for all fleets in the current region.", - "privilege": "ListFleets", + "access_level": "Write", + "description": "Grants permission to create a variable", + "privilege": "CreateVariable", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieves all game server groups that are defined in the current region.", - "privilege": "ListGameServerGroups", + "access_level": "Write", + "description": "Grants permission to delete a batch prediction job", + "privilege": "DeleteBatchPredictionJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "batch-prediction*" } ] }, { - "access_level": "List", - "description": "Retrieves all game servers that are currently running in a game server group.", - "privilege": "ListGameServers", + "access_level": "Write", + "description": "Grants permission to delete the detector. Before deleting a detector, you must first delete all detector versions and rule versions associated with the detector", + "privilege": "DeleteDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "detector*" } ] }, { - "access_level": "List", - "description": "Retrieves properties for all Realtime Servers scripts in the current region.", - "privilege": "ListScripts", + "access_level": "Write", + "description": "Grants permission to delete the detector version. 
You cannot delete detector versions that are in ACTIVE status", + "privilege": "DeleteDetectorVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "detector-version*" } ] }, { - "access_level": "List", - "description": "Lists tags for GameLift resources", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to delete an entity type. You cannot delete an entity type that is included in an event type", + "privilege": "DeleteEntityType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias" - }, + "resource_type": "entity-type*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deletes the specified event", + "privilege": "DeleteEvent", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "build" - }, + "resource_type": "event-type*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an event type. You cannot delete an event type that is used in a detector or a model", + "privilege": "DeleteEventType", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet" - }, + "resource_type": "event-type*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a SageMaker model from Amazon Fraud Detector. You can remove an Amazon SageMaker model if it is not associated with a detector version", + "privilege": "DeleteExternalModel", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup" - }, + "resource_type": "external-model*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a label. You cannot delete labels that are included in an event type in Amazon Fraud Detector. You cannot delete a label assigned to an event ID. 
You must first delete the relevant event ID", + "privilege": "DeleteLabel", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameSessionQueue" - }, + "resource_type": "label*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a model. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version", + "privilege": "DeleteModel", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingConfiguration" - }, + "resource_type": "model*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a model version. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version", + "privilege": "DeleteModelVersion", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingRuleSet" - }, + "resource_type": "model-version*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an outcome. You cannot delete an outcome that is used in a rule version", + "privilege": "DeleteOutcome", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "script" + "resource_type": "outcome*" } ] }, { "access_level": "Write", - "description": "Creates or updates a fleet auto-scaling policy.", - "privilege": "PutScalingPolicy", + "description": "Grants permission to delete the rule. 
You cannot delete a rule if it is used by an ACTIVE or INACTIVE detector version", + "privilege": "DeleteRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "rule*" } ] }, { "access_level": "Write", - "description": "Notifies GameLift FleetIQ when a new game server is ready to host gameplay.", - "privilege": "RegisterGameServer", + "description": "Grants permission to delete a variable. You cannot delete variables that are included in an event type in Amazon Fraud Detector", + "privilege": "DeleteVariable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "variable*" } ] }, { "access_level": "Read", - "description": "Retrieves fresh upload credentials to use when uploading a new game build.", - "privilege": "RequestUploadCredentials", + "description": "Grants permission to get all versions for a specified detector", + "privilege": "DescribeDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "build*" + "resource_type": "detector*" } ] }, { "access_level": "Read", - "description": "Retrieves the fleet ID associated with an alias.", - "privilege": "ResolveAlias", + "description": "Grants permission to get all of the model versions for the specified model type or for the specified model type and model ID. You can also get details for a single, specified model version", + "privilege": "DescribeModelVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias*" + "resource_type": "model-version" } ] }, { - "access_level": "Write", - "description": "Reinstates suspended FleetIQ activity for a game server group.", - "privilege": "ResumeGameServerGroup", + "access_level": "List", + "description": "Grants permission to get all batch prediction jobs or a specific job if you specify a job ID. This is a paginated API. 
If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 1 and 50. To get the next page results, provide the pagination token from the GetBatchPredictionJobsResponse as part of your request. A null pagination token fetches the records from the beginning", + "privilege": "GetBatchPredictionJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "batch-prediction" } ] }, { - "access_level": "Read", - "description": "Retrieves game sessions that match a set of search criteria.", - "privilege": "SearchGameSessions", + "access_level": "List", + "description": "Grants permission to get a particular detector version", + "privilege": "GetDetectorVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "detector-version*" } ] }, { - "access_level": "Write", - "description": "Resumes auto-scaling activity on a fleet after it was suspended with StopFleetActions().", - "privilege": "StartFleetActions", + "access_level": "List", + "description": "Grants permission to get all detectors or a single detector if a detectorId is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetDetectorsResponse as part of your request. 
A null pagination token fetches the records from the beginning", + "privilege": "GetDetectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "detector" } ] }, { - "access_level": "Write", - "description": "Sends a game session placement request to a game session queue.", - "privilege": "StartGameSessionPlacement", + "access_level": "List", + "description": "Grants permission to get all entity types or a specific entity type if a name is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEntityTypesResponse as part of your request. A null pagination token fetches the records from the beginning", + "privilege": "GetEntityTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameSessionQueue*" + "resource_type": "entity-type" } ] }, { - "access_level": "Write", - "description": "Requests FlexMatch matchmaking to fill available player slots in an existing game session.", - "privilege": "StartMatchBackfill", + "access_level": "Read", + "description": "Grants permission to evaluate an event against a detector version. 
If a version ID is not provided, the detector\u2019s (ACTIVE) version is used", + "privilege": "GetEventPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "detector*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector-version*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-type*" } ] }, { - "access_level": "Write", - "description": "Requests FlexMatch matchmaking for one or a group of players and game session placement for a resulting match.", - "privilege": "StartMatchmaking", + "access_level": "List", + "description": "Grants permission to get all event types or a specific event type if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning", + "privilege": "GetEventTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "event-type" } ] }, { - "access_level": "Write", - "description": "Suspends auto-scaling activity on a fleet.", - "privilege": "StopFleetActions", + "access_level": "List", + "description": "Grants permission to get the details for one or more Amazon SageMaker models that have been imported into the service. This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetExternalModelsResult as part of your request. 
A null pagination token fetches the records from the beginning", + "privilege": "GetExternalModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "external-model" } ] }, { - "access_level": "Write", - "description": "Cancels a game session placement request that is in progress.", - "privilege": "StopGameSessionPlacement", + "access_level": "Read", + "description": "Grants permission to get the encryption key if a Key Management Service (KMS) customer master key (CMK) has been specified to be used to encrypt content in Amazon Fraud Detector", + "privilege": "GetKMSEncryptionKey", "resource_types": [ { "condition_keys": [], 
@@ -65547,131 +76999,172 @@ ] }, { - "access_level": "Write", - "description": "Cancels a matchmaking or match backfill request that is in progress.", - "privilege": "StopMatchmaking", + "access_level": "List", + "description": "Grants permission to get all labels or a specific label if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 10 and 50. To get the next page results, provide the pagination token from the GetGetLabelsResponse as part of your request. A null pagination token fetches the records from the beginning", + "privilege": "GetLabels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "label" } ] }, { - "access_level": "Write", - "description": "Temporarily stops FleetIQ activity for a game server group.", - "privilege": "SuspendGameServerGroup", + "access_level": "List", + "description": "Grants permission to get the details of the specified model version", + "privilege": "GetModelVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "model-version*" } ] }, { - "access_level": "Tagging", - "description": "Tags GameLift resources", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to get one or more models. Gets all models for the AWS account if no model type and no model id provided. Gets all models for the AWS account and model type, if the model type is specified but model id is not provided. Gets a specific model if (model type, model id) tuple is specified", + "privilege": "GetModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias" - }, + "resource_type": "model" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get one or more outcomes. 
This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 100 records per page. If you provide a maxResults, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetOutcomesResult as part of your request. A null pagination token fetches the records from the beginning", + "privilege": "GetOutcomes", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "build" - }, + "resource_type": "outcome" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get all rules for a detector (paginated) if ruleId and ruleVersion are not specified. Gets all rules for the detector and the ruleId if present (paginated). Gets a specific rule if both the ruleId and the ruleVersion are specified", + "privilege": "GetRules", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet" - }, + "resource_type": "rule" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get all of the variables or the specific variable. This is a paginated API. Providing null maxSizePerPage results in retrieving maximum of 100 records per page. If you provide maxSizePerPage the value must be between 50 and 100. To get the next page result, a provide a pagination token from GetVariablesResult as part of your request. Null pagination token fetches the records from the beginning", + "privilege": "GetVariables", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup" - }, + "resource_type": "variable" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all tags associated with the resource. This is a paginated API. To get the next page results, provide the pagination token from the response as part of your request. 
A null pagination token fetches the records from the beginning", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameSessionQueue" + "resource_type": "detector" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingConfiguration" + "resource_type": "detector-version" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingRuleSet" + "resource_type": "entity-type" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "script" + "resource_type": "event-type" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Untags GameLift resources", - "privilege": "UntagResource", - "resource_types": [ + "resource_type": "external-model" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias" + "resource_type": "label" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "build" + "resource_type": "model" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet" + "resource_type": "model-version" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup" + "resource_type": "outcome" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameSessionQueue" + "resource_type": "rule" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingConfiguration" - }, + "resource_type": "variable" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create or update a detector", + "privilege": "PutDetector", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingRuleSet" + "resource_type": "detector*" }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + 
"aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create or update an entity type. An entity represents who is performing the event. As part of a fraud prediction, you pass the entity ID to indicate the specific entity who performed the event. An entity type classifies the entity. Example classifications include customer, merchant, or account", + "privilege": "PutEntityType", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "script" + "resource_type": "entity-type*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -65681,577 +77174,1010 @@ }, { "access_level": "Write", - "description": "Updates the properties of an existing alias.", - "privilege": "UpdateAlias", + "description": "Grants permission to create or update an event type. An event is a business activity that is evaluated for fraud risk. With Amazon Fraud Detector, you generate fraud predictions for events. An event type defines the structure for an event sent to Amazon Fraud Detector. This includes the variables sent as part of the event, the entity performing the event (such as a customer), and the labels that classify the event. Example event types include online payment transactions, account registrations, and authentications", + "privilege": "PutEventType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias*" + "resource_type": "event-type*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an existing build's metadata.", - "privilege": "UpdateBuild", + "description": "Grants permission to create or update an Amazon SageMaker model endpoint. 
You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables", + "privilege": "PutExternalModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "build*" + "resource_type": "external-model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the general properties of an existing fleet.", - "privilege": "UpdateFleetAttributes", + "description": "Grants permission to specify the Key Management Service (KMS) customer master key (CMK) to be used to encrypt content in Amazon Fraud Detector", + "privilege": "PutKMSEncryptionKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Adjusts a fleet's capacity settings.", - "privilege": "UpdateFleetCapacity", + "description": "Grants permission to create or update label. A label classifies an event as fraudulent or legitimate. 
Labels are associated with event types and used to train supervised machine learning models in Amazon Fraud Detector", + "privilege": "PutLabel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "label*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Adjusts a fleet's port settings.", - "privilege": "UpdateFleetPortSettings", + "description": "Grants permission to create or update an outcome", + "privilege": "PutOutcome", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "outcome*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to assign tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batch-prediction" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-type" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-type" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "external-model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "label" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "outcome" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "rule" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "variable" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batch-prediction" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "detector-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "entity-type" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "event-type" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "external-model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "label" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "outcome" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "variable" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Changes game server properties, health status, or utilization status.", - "privilege": "UpdateGameServer", + "description": "Grants permission to update a detector version. 
The detector version attributes that you can update include models, external model endpoints, rules, rule execution mode, and description. You can only update a DRAFT detector version", + "privilege": "UpdateDetectorVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "detector*" } ] }, { "access_level": "Write", - "description": "Updates properties for game server group, including allowed instance types.", - "privilege": "UpdateGameServerGroup", + "description": "Grants permission to update the detector version's description. You can update the metadata for any detector version (DRAFT, ACTIVE, or INACTIVE)", + "privilege": "UpdateDetectorVersionMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameServerGroup*" + "resource_type": "detector-version*" } ] }, { "access_level": "Write", - "description": "Updates the properties of an existing game session.", - "privilege": "UpdateGameSession", + "description": "Grants permission to update the detector version\u2019s status. You can perform the following promotions or demotions using UpdateDetectorVersionStatus: DRAFT to ACTIVE, ACTIVE to INACTIVE, and INACTIVE to ACTIVE", + "privilege": "UpdateDetectorVersionStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "detector-version*" } ] }, { "access_level": "Write", - "description": "Updates properties of an existing game session queue.", - "privilege": "UpdateGameSessionQueue", + "description": "Grants permission to update a model. 
You can update the description attribute using this action", + "privilege": "UpdateModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gameSessionQueue*" + "resource_type": "model*" } ] }, { "access_level": "Write", - "description": "Updates properties of an existing FlexMatch matchmaking configuration.", - "privilege": "UpdateMatchmakingConfiguration", + "description": "Grants permission to update a model version. Updating a model version retrains an existing model version using updated training data and produces a new minor version of the model. You can update the training data set location and data access role attributes using this action. This action creates and trains a new minor version of the model, for example version 1.01, 1.02, 1.03", + "privilege": "UpdateModelVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "matchmakingConfiguration*" + "resource_type": "model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates how server processes are configured on instances in an existing fleet.", - "privilege": "UpdateRuntimeConfiguration", + "description": "Grants permission to update the status of a model version", + "privilege": "UpdateModelVersionStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleet*" + "resource_type": "model-version*" } ] }, { "access_level": "Write", - "description": "Updates the metadata and content of an existing Realtime Servers script.", - "privilege": "UpdateScript", + "description": "Grants permission to update a rule's metadata. 
The description attribute can be updated", + "privilege": "UpdateRuleMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "script*" + "resource_type": "rule*" } ] }, { - "access_level": "Read", - "description": "Validates the syntax of a FlexMatch matchmaking rule set.", - "privilege": "ValidateMatchmakingRuleSet", + "access_level": "Write", + "description": "Grants permission to update a rule version resulting in a new rule version. Updates a rule version resulting in a new rule version (version 1, 2, 3 ...)", + "privilege": "UpdateRuleVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a variable", + "privilege": "UpdateVariable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "variable*" + } + ] } ], "resources": [ { - "arn": "arn:${Partition}:gamelift:${Region}::alias/${AliasId}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:batch-prediction/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "alias" + "resource": "batch-prediction" }, { - "arn": "arn:${Partition}:gamelift:${Region}:${AccountId}:build/${BuildId}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:detector/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "build" + "resource": "detector" }, { - "arn": "arn:${Partition}:gamelift:${Region}:${AccountId}:script/${ScriptId}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:detector-version/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "script" + "resource": "detector-version" }, { - "arn": 
"arn:${Partition}:gamelift:${Region}:${Account}:fleet/${FleetId}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:entity-type/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "fleet" + "resource": "entity-type" }, { - "arn": "arn:${Partition}:gamelift:${Region}:${Account}:gamesessionqueue/${GameSessionQueueName}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:external-model/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "gameSessionQueue" + "resource": "external-model" }, { - "arn": "arn:${Partition}:gamelift:${Region}:${Account}:matchmakingconfiguration/${MatchmakingConfigurationName}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:event-type/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "matchmakingConfiguration" + "resource": "event-type" }, { - "arn": "arn:${Partition}:gamelift:${Region}:${Account}:matchmakingruleset/${MatchmakingRuleSetName}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:label/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "matchmakingRuleSet" + "resource": "label" }, { - "arn": "arn:${Partition}:gamelift:${Region}:${Account}:gameservergroup/${GameServerGroupName}", + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:model/${resourcePath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "gameServerGroup" + "resource": "model" + }, + { + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:model-version/${resourcePath}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "model-version" + }, + { + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:outcome/${resourcePath}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "outcome" + }, + { + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:rule/${resourcePath}", + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "resource": "rule" + }, + { + "arn": "arn:${Partition}:frauddetector:${Region}:${Account}:variable/${resourcePath}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "variable" } ], - "service_name": "Amazon GameLift" + "service_name": "Amazon Fraud Detector" }, { - "conditions": [], - "prefix": "geo", + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "A tag key that is present in the request that the user makes to Amazon FreeRTOS.", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "The tag key component of a tag attached to an Amazon FreeRTOS resource.", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "The list of all the tag key names associated with the resource in the request.", + "type": "String" + } + ], + "prefix": "freertos", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an association between a geofence-collection and a tracker resource", - "privilege": "AssociateTrackerConsumer", + "description": "Creates a software configuration.", + "privilege": "CreateSoftwareConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a batch of geofences from a geofence collection", - "privilege": "BatchDeleteGeofence", - "resource_types": [ + "resource_type": "configuration*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to evaluate device positions against the position of geofences in a given geofence collection", - "privilege": "BatchEvaluateGeofences", + "description": "Deletes the software configuration.", + 
"privilege": "DeleteSoftwareConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "configuration*" } ] }, { "access_level": "Read", - "description": "Grants permission to send a batch request to retrieve device positions", - "privilege": "BatchGetDevicePosition", + "description": "Describes the hardware platform.", + "privilege": "DescribeHardwarePlatform", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to send a batch request for adding geofences into a given geofence collection", - "privilege": "BatchPutGeofence", + "access_level": "Read", + "description": "Describes the software configuration.", + "privilege": "DescribeSoftwareConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "configuration*" } ] }, { - "access_level": "Write", - "description": "Grants permission to upload a position update for one or more devices to a tracker resource", - "privilege": "BatchUpdateDevicePosition", + "access_level": "Read", + "description": "Get the URL for Amazon FreeRTOS software download.", + "privilege": "GetSoftwareURL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a geofence-collection", - "privilege": "CreateGeofenceCollection", + "access_level": "Read", + "description": "Get the URL for Amazon FreeRTOS software download based on the configuration.", + "privilege": "GetSoftwareURLForConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants 
permission to create a map resource", - "privilege": "CreateMap", + "access_level": "List", + "description": "Lists versions of AmazonFreeRTOS.", + "privilege": "ListFreeRTOSVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a place index resource", - "privilege": "CreatePlaceIndex", + "access_level": "List", + "description": "Lists the hardware platforms.", + "privilege": "ListHardwarePlatforms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "place-index*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a tracker resource", - "privilege": "CreateTracker", + "access_level": "List", + "description": "Lists the hardware vendors.", + "privilege": "ListHardwareVendors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to deletes a geofence-collection", - "privilege": "DeleteGeofenceCollection", + "access_level": "List", + "description": "Lists the software configurations.", + "privilege": "ListSoftwareConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a map resource", - "privilege": "DeleteMap", + "description": "Updates the software configuration.", + "privilege": "UpdateSoftwareConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "configuration*" } ] - }, - { + } + ], + "resources": [ + { + "arn": "arn:${Partition}:freertos:${Region}:${Account}:configuration/${configurationName}", + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "resource": "configuration" + } + ], + "service_name": "Amazon FreeRTOS" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + }, + { + "condition": "fsx:IsBackupCopyDestination", + "description": "Filters access by whether the backup is a destination backup for a CopyBackup operation", + "type": "Bool" + }, + { + "condition": "fsx:IsBackupCopySource", + "description": "Filters access by whether the backup is a source backup for a CopyBackup operation", + "type": "Bool" + }, + { + "condition": "fsx:StorageVirtualMachineId", + "description": "Filters access by the containing storage virtual machine for a volume for mutating volume operations", + "type": "String" + } + ], + "prefix": "fsx", + "privileges": [ + { "access_level": "Write", - "description": "Grants permission to delete a place index resource", - "privilege": "DeletePlaceIndex", + "description": "Grants permission to associate a File Gateway instance with an Amazon FSx for Windows File Server file system", + "privilege": "AssociateFileGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "place-index*" + "resource_type": "file-system*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a tracker resource", - "privilege": "DeleteTracker", + "description": "Grants permission to associate DNS aliases with an Amazon FSx for Windows File Server file system", + "privilege": "AssociateFileSystemAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "tracker*" + "resource_type": "file-system*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a geofence collection details", - "privilege": "DescribeGeofenceCollection", + "access_level": "Write", + "description": "Grants permission to cancel a data repository task", + "privilege": "CancelDataRepositoryTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "task*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a map resource details", - "privilege": "DescribeMap", + "access_level": "Write", + "description": "Grants permission to copy a backup", + "privilege": "CopyBackup", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "backup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a a place-index resource details", - "privilege": "DescribePlaceIndex", + "access_level": "Write", + "description": "Grants permission to create a new backup of an Amazon FSx file system or an Amazon FSx volume", + "privilege": "CreateBackup", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "backup*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "place-index*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve a tracker resource details", - "privilege": "DescribeTracker", - "resource_types": [ + "resource_type": "file-system" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "volume" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], 
+ "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to remove the association between a tracker resource and a geofence-collection", - "privilege": "DisassociateTrackerConsumer", + "description": "Grants permission to create a new data respository task for an Amazon FSx for Lustre file system", + "privilege": "CreateDataRepositoryTask", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "file-system*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "task*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the latest device position", - "privilege": "GetDevicePosition", + "access_level": "Write", + "description": "Grants permission to create a new, empty, Amazon FSx file system", + "privilege": "CreateFileSystem", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "file-system*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grant permission to retrieve the device position history", - "privilege": "GetDevicePositionHistory", + "access_level": "Write", + "description": "Grants permission to create a new Amazon FSx file system from an existing backup", + "privilege": "CreateFileSystemFromBackup", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "backup*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "file-system*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + 
"dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the geofence details from a geofence-collection.", - "privilege": "GetGeofence", + "access_level": "Write", + "description": "Grants permission to create a new storage virtual machine in an Amazon FSx for Ontap file system", + "privilege": "CreateStorageVirtualMachine", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "file-system*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "storage-virtual-machine*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the glyph file for a map resource", - "privilege": "GetMapGlyphs", + "access_level": "Write", + "description": "Grants permission to create a new volume", + "privilege": "CreateVolume", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "fsx:StorageVirtualMachineId" + ], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the sprite file for a map resource", - "privilege": "GetMapSprites", + "access_level": "Write", + "description": "Grants permission to create a new volume from backup", + "privilege": "CreateVolumeFromBackup", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:TagResource" + ], + "resource_type": "backup*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "storage-virtual-machine*" + }, + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "fsx:StorageVirtualMachineId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the map style descriptor from a map resource", - "privilege": "GetMapStyleDescriptor", + "access_level": "Write", + "description": "Grants permission to delete a backup, deleting its contents. After deletion, the backup no longer exists, and its data is no longer available.", + "privilege": "DeleteBackup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "backup*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the map tile from the map resource", - "privilege": "GetMapTile", + "access_level": "Write", + "description": "Grants permission to delete a file system, deleting its contents and any existing automatic backups of the file system", + "privilege": "DeleteFileSystem", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "fsx:CreateBackup", + "fsx:TagResource" + ], + "resource_type": "file-system*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "backup" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieves the map TileJSON details from a given map resource", - "privilege": "GetMapTileJson", + "access_level": "Write", + "description": "Grants permission to delete a storage virtual machine, deleting its contents.", + "privilege": "DeleteStorageVirtualMachine", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "map*" + "resource_type": "storage-virtual-machine*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + 
"dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to lists geofence-collections", - "privilege": "ListGeofenceCollections", + "access_level": "Write", + "description": "Grants permission to delete a volume, deleting its contents and any existing automatic backups of the volume.", + "privilege": "DeleteVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "fsx:StorageVirtualMachineId" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list geofences stored in a given geofence collection", - "privilege": "ListGeofences", + "description": "Grants permission to describe the File Gateway instances associated with an Amazon FSx for Windows File Server file system", + "privilege": "DescribeAssociatedFileGateways", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "file-system*" } ] }, { - "access_level": "List", - "description": "Grants permission to list map resources", - "privilege": "ListMaps", + "access_level": "Read", + "description": "Grants permission to return the descriptions of all backups owned by your AWS account in the AWS Region of the endpoint that you're calling", + "privilege": "DescribeBackups", "resource_types": [ { "condition_keys": [], @@ -66261,9 +78187,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to return a list of place index resources", - "privilege": "ListPlaceIndexes", + "access_level": "Read", + "description": "Grants permission to return the descriptions of all data repository task owned by your AWS account in the AWS Region of the endpoint that you're calling", + "privilege": "DescribeDataRepositoryTasks", "resource_types": [ { "condition_keys": [], 
@@ -66274,20 +78200,20 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of geofence collections currently associated to the given tracker resource", - "privilege": "ListTrackerConsumers", + "description": "Grants permission to return the description of all DNS aliases owned by your Amazon FSx for Windows File Server file system", + "privilege": "DescribeFileSystemAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" + "resource_type": "file-system*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of tracker resources", - "privilege": "ListTrackers", + "access_level": "Read", + "description": "Grants permission to return the descriptions of all file systems owned by your AWS account in the AWS Region of the endpoint that you're calling", + "privilege": "DescribeFileSystems", "resource_types": [ { "condition_keys": [], 
@@ -66297,190 +78223,201 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to add a new geofence or update an existing geofence to a given geofence-collection", - "privilege": "PutGeofence", + "access_level": "Read", + "description": "Grants permission to return the descriptions of all storage virtual machines owned by your AWS account in the AWS Region of the endpoint that you're calling", + "privilege": "DescribeStorageVirtualMachines", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to reverse geocodes a given coordinate", - "privilege": "SearchPlaceIndexForPosition", + "description": "Grants permission to return the descriptions of all volumes owned by your AWS account in the AWS Region of the endpoint that you're calling", + "privilege": "DescribeVolumes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "place-index*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to geocode free-form text, such as an address, name, city or region", - "privilege": "SearchPlaceIndexForText", + "access_level": "Write", + "description": "Grants permission to disassociate a File Gateway instance from an Amazon FSx for Windows File Server file system", + "privilege": "DisassociateFileGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "place-index*" + "resource_type": "file-system*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the description of a geofence collection", - "privilege": "UpdateGeofenceCollection", + "description": "Grants permission to disassociate file system aliases with an Amazon FSx for Windows File Server file system", + "privilege": "DisassociateFileSystemAliases", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "geofence-collection*" + "resource_type": "file-system*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the description of a tracker resource", - "privilege": "UpdateTracker", + "access_level": "Read", + "description": "Grants permission to list tags for an Amazon FSx resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tracker*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:geo:${Region}:${Account}:geofence-collection/${GeofenceCollectionName}", - "condition_keys": [], - "resource": "geofence-collection" - }, - { - "arn": "arn:${Partition}:geo:${Region}:${Account}:map/${MapName}", - "condition_keys": [], - "resource": "map" - }, - { - "arn": "arn:${Partition}:geo:${Region}:${Account}:place-index/${IndexName}", - "condition_keys": [], - "resource": "place-index" - }, - { - "arn": "arn:${Partition}:geo:${Region}:${Account}:tracker/${TrackerName}", - "condition_keys": [], - "resource": "tracker" - } - ], - "service_name": "Amazon Location" - }, - { - "conditions": [ - { - "condition": "glacier:ArchiveAgeInDays", - "description": "How long an archive has been stored in the vault, in days.", - "type": "String" - }, - { - "condition": "glacier:ResourceTag/", - "description": "A customer-defined tag.", - "type": "String" - } - ], - "prefix": "glacier", - "privileges": [ - { - "access_level": "Write", - "description": "Aborts a multipart upload identified by the upload ID", - "privilege": "AbortMultipartUpload", - "resource_types": [ + "resource_type": "backup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "file-system" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storage-virtual-machine" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": 
[], + "dependent_actions": [], + "resource_type": "volume" } ] }, { "access_level": "Permissions management", - "description": "Aborts the vault locking process if the vault lock is not in the Locked state", - "privilege": "AbortVaultLock", + "description": "Grants permission to manage backup principal associations through AWS Backup", + "privilege": "ManageBackupPrincipalAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "backup*" } ] }, { "access_level": "Tagging", - "description": "Adds the specified tags to a vault", - "privilege": "AddTagsToVault", + "description": "Grants permission to tag an Amazon FSx resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" - } - ] - }, - { - "access_level": "Write", - "description": "Completes a multipart upload process", - "privilege": "CompleteMultipartUpload", - "resource_types": [ + "resource_type": "backup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "file-system" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storage-virtual-machine" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "volume" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Completes the vault locking process", - "privilege": "CompleteVaultLock", + "access_level": "Tagging", + "description": "Grants permission to remove a tag from an Amazon FSx resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "backup" + }, + { + "condition_keys": [], 
+ "dependent_actions": [], + "resource_type": "file-system" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storage-virtual-machine" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "volume" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a new vault with the specified name", - "privilege": "CreateVault", + "description": "Grants permission to update file system configuration", + "privilege": "UpdateFileSystem", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "file-system*" } ] }, { "access_level": "Write", - "description": "Deletes an archive from a vault", - "privilege": "DeleteArchive", + "description": "Grants permission to update storage virtual machine configuration", + "privilege": "UpdateStorageVirtualMachine", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "storage-virtual-machine*" }, { "condition_keys": [ - "glacier:ArchiveAgeInDays" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -66489,137 +78426,201 @@ }, { "access_level": "Write", - "description": "Deletes a vault", - "privilege": "DeleteVault", + "description": "Grants permission to update volume configuration", + "privilege": "UpdateVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Deletes the access policy associated with the specified vault", - "privilege": "DeleteVaultAccessPolicy", - "resource_types": [ + "resource_type": "volume*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "fsx:StorageVirtualMachineId" + ], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:fsx:${Region}:${Account}:file-system/${FileSystemId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "file-system" + }, + { + "arn": "arn:${Partition}:fsx:${Region}:${Account}:backup/${BackupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "backup" + }, + { + "arn": "arn:${Partition}:fsx:${Region}:${Account}:storage-virtual-machine/${FileSystemId}/${StorageVirtualMachineId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "storage-virtual-machine" + }, + { + "arn": "arn:${Partition}:fsx:${Region}:${Account}:task/${TaskId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "task" + }, + { + "arn": "arn:${Partition}:fsx:${Region}:${Account}:volume/${FileSystemId}/${VolumeId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "volume" + } + ], + "service_name": "Amazon FSx" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated 
with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "gamelift", + "privileges": [ { "access_level": "Write", - "description": "Deletes the notification configuration set for a vault", - "privilege": "DeleteVaultNotifications", + "description": "Grants permission to register player acceptance or rejection of a proposed FlexMatch match", + "privilege": "AcceptMatch", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about a job you previously initiated", - "privilege": "DescribeJob", + "access_level": "Write", + "description": "Grants permission to locate and reserve a game server to host a new game session", + "privilege": "ClaimGameServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "gameServerGroup*" } ] }, { - "access_level": "Read", - "description": "Returns information about a vault", - "privilege": "DescribeVault", + "access_level": "Write", + "description": "Grants permission to define a new alias for a fleet", + "privilege": "CreateAlias", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns the current data retrieval policy for the account and region specified in the GET request", - "privilege": "GetDataRetrievalPolicy", + "access_level": "Write", + "description": "Grants permission to create a new game build using files stored in an Amazon S3 bucket", + "privilege": "CreateBuild", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], 
"dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Downloads the output of the job you initiated", - "privilege": "GetJobOutput", + "access_level": "Write", + "description": "Grants permission to create a new fleet of computing resources to run your game servers", + "privilege": "CreateFleet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves the access-policy subresource set on the vault", - "privilege": "GetVaultAccessPolicy", + "access_level": "Write", + "description": "Grants permission to specify additional locations for a fleet", + "privilege": "CreateFleetLocations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "fleet*" } ] }, { - "access_level": "Read", - "description": "Retrieves attributes from the lock-policy subresource set on the specified vault", - "privilege": "GetVaultLock", + "access_level": "Write", + "description": "Grants permission to create a new game server group, set up a corresponding Auto Scaling group, and launche instances to host game servers", + "privilege": "CreateGameServerGroup", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves the notification-configuration subresource set on the vault", - "privilege": "GetVaultNotifications", + "access_level": "Write", + "description": "Grants permission to start a new game session on a specified fleet", + "privilege": "CreateGameSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { 
"access_level": "Write", - "description": "Initiates a job of the specified type", - "privilege": "InitiateJob", + "description": "Grants permission to set up a new queue for processing game session placement requests", + "privilege": "CreateGameSessionQueue", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "vault*" - }, { "condition_keys": [ - "glacier:ArchiveAgeInDays" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -66628,68 +78629,77 @@ }, { "access_level": "Write", - "description": "Initiates a multipart upload", - "privilege": "InitiateMultipartUpload", + "description": "Grants permission to create a new FlexMatch matchmaker", + "privilege": "CreateMatchmakingConfiguration", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Initiates the vault locking process", - "privilege": "InitiateVaultLock", + "access_level": "Write", + "description": "Grants permission to create a new matchmaking rule set for FlexMatch", + "privilege": "CreateMatchmakingRuleSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists jobs for a vault that are in-progress and jobs that have recently finished", - "privilege": "ListJobs", + "access_level": "Write", + "description": "Grants permission to reserve an available game session slot for a player", + "privilege": "CreatePlayerSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists in-progress multipart uploads for the specified vault", - "privilege": "ListMultipartUploads", + "access_level": "Write", + "description": "Grants permission to reserve available game session slots for multiple players", + "privilege": "CreatePlayerSessions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists the parts of an archive that have been uploaded in a specific multipart upload", - "privilege": 
"ListParts", + "access_level": "Write", + "description": "Grants permission to create a new Realtime Servers script", + "privilege": "CreateScript", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "This operation lists the provisioned capacity for the specified AWS account.", - "privilege": "ListProvisionedCapacity", + "access_level": "Write", + "description": "Grants permission to allow GameLift to create or delete a peering connection between a GameLift fleet VPC and a VPC on another AWS account", + "privilege": "CreateVpcPeeringAuthorization", "resource_types": [ { "condition_keys": [], 
@@ -66699,189 +78709,156 @@ ] }, { - "access_level": "List", - "description": "Lists all the tags attached to a vault", - "privilege": "ListTagsForVault", + "access_level": "Write", + "description": "Grants permission to establish a peering connection between your GameLift fleet VPC and a VPC on another account", + "privilege": "CreateVpcPeeringConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists all vaults", - "privilege": "ListVaults", + "access_level": "Write", + "description": "Grants permission to delete an alias", + "privilege": "DeleteAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "alias*" } ] }, { "access_level": "Write", - "description": "This operation purchases a provisioned capacity unit for an AWS account.", - "privilege": "PurchaseProvisionedCapacity", + "description": "Grants permission to delete a game build", + "privilege": "DeleteBuild", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "build*" } ] }, { - "access_level": "Tagging", - "description": "Removes one or more tags from the set of tags attached to a vault", - "privilege": "RemoveTagsFromVault", + "access_level": "Write", + "description": "Grants permission to delete an empty fleet", + "privilege": "DeleteFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "fleet*" } ] }, { - "access_level": "Permissions management", - "description": "Sets and then enacts a data retrieval policy in the region specified in the PUT request", - "privilege": "SetDataRetrievalPolicy", + "access_level": "Write", + "description": "Grants permission to delete locations for a fleet", + "privilege": "DeleteFleetLocations", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { - "access_level": "Permissions management", - "description": "Configures an access policy for a vault and will overwrite an existing policy", - "privilege": "SetVaultAccessPolicy", + "access_level": "Write", + "description": "Grants permission to permanently delete a game server group and terminate FleetIQ activity for the corresponding Auto Scaling group", + "privilege": "DeleteGameServerGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "gameServerGroup*" } ] }, { "access_level": "Write", - "description": "Configures vault notifications", - "privilege": "SetVaultNotifications", + "description": "Grants permission to delete an existing game session queue", + "privilege": "DeleteGameSessionQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "gameSessionQueue*" } ] }, { "access_level": "Write", - "description": "Adds an archive to a vault", - "privilege": "UploadArchive", + "description": "Grants permission to delete an existing FlexMatch matchmaker", + "privilege": "DeleteMatchmakingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "matchmakingConfiguration*" } ] }, { "access_level": "Write", - "description": "Uploads a part of an archive", - "privilege": "UploadMultipartPart", + "description": "Grants permission to delete an existing FlexMatch matchmaking rule set", + "privilege": "DeleteMatchmakingRuleSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "vault*" + "resource_type": "matchmakingRuleSet*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:glacier:${Region}:${Account}:vaults/${VaultName}", - "condition_keys": [], - "resource": "vault" - } - ], - "service_name": "Amazon Glacier" - }, - { - 
"conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "globalaccelerator", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to add a virtual private cloud (VPC) subnet endpoint to a custom routing accelerator endpoint group.", - "privilege": "AddCustomRoutingEndpoints", + "description": "Grants permission to delete a set of auto-scaling rules", + "privilege": "DeleteScalingPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to advertises an IPv4 address range that is provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", - "privilege": "AdvertiseByoipCidr", + "description": "Grants permission to delete a Realtime Servers script", + "privilege": "DeleteScript", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "script*" } ] }, { "access_level": "Write", - "description": "Grants permission to allows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", - "privilege": "AllowCustomRoutingTraffic", + "description": "Grants permission to cancel a VPC peering authorization", + "privilege": "DeleteVpcPeeringAuthorization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission 
to create a standard accelerator.", - "privilege": "CreateAccelerator", + "description": "Grants permission to remove a peering connection between VPCs", + "privilege": "DeleteVpcPeeringConnection", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -66889,263 +78866,260 @@ }, { "access_level": "Write", - "description": "Grants permission to create a Custom Routing accelerator", - "privilege": "CreateCustomRoutingAccelerator", + "description": "Grants permission to remove a game server from a game server group", + "privilege": "DeregisterGameServer", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "gameServerGroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an endpoint group for the specified listener for a custom routing accelerator.", - "privilege": "CreateCustomRoutingEndpointGroup", + "access_level": "Read", + "description": "Grants permission to retrieve properties for an alias", + "privilege": "DescribeAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "alias*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a listener to process inbound connections from clients to a custom routing accelerator.", - "privilege": "CreateCustomRoutingListener", + "access_level": "Read", + "description": "Grants permission to retrieve properties for a game build", + "privilege": "DescribeBuild", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "build*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add an endpoint group to a standard accelerator listener.", - "privilege": "CreateEndpointGroup", + "access_level": "Read", + "description": "Grants permission to retrieve the maximum allowed and current usage for EC2 instance types", + "privilege": "DescribeEC2InstanceLimits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "" } ] }, { - "access_level": "Write", - 
"description": "Grants permission to add a listener to a standard accelerator.", - "privilege": "CreateListener", + "access_level": "Read", + "description": "Grants permission to retrieve general properties, including status, for fleets", + "privilege": "DescribeFleetAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a standard accelerator.", - "privilege": "DeleteAccelerator", + "access_level": "Read", + "description": "Grants permission to retrieve the current capacity setting for fleets", + "privilege": "DescribeFleetCapacity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a custom routing accelerator.", - "privilege": "DeleteCustomRoutingAccelerator", + "access_level": "Read", + "description": "Grants permission to retrieve entries from a fleet's event log", + "privilege": "DescribeFleetEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an endpoint group from a listener for a custom routing accelerator.", - "privilege": "DeleteCustomRoutingEndpointGroup", + "access_level": "Read", + "description": "Grants permission to retrieve general properties, including statuses, for a fleet's locations", + "privilege": "DescribeFleetLocationAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a listener for a custom routing accelerator.", - "privilege": "DeleteCustomRoutingListener", + "access_level": "Read", 
+ "description": "Grants permission to retrieve the current capacity setting for a fleet's location", + "privilege": "DescribeFleetLocationCapacity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an endpoint group associated with a standard accelerator listener.", - "privilege": "DeleteEndpointGroup", + "access_level": "Read", + "description": "Grants permission to retrieve utilization statistics for fleet's location", + "privilege": "DescribeFleetLocationUtilization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a listener from a standard accelerator.", - "privilege": "DeleteListener", + "access_level": "Read", + "description": "Grants permission to retrieve the inbound connection permissions for a fleet", + "privilege": "DescribeFleetPortSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disallows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", - "privilege": "DenyCustomRoutingTraffic", + "access_level": "Read", + "description": "Grants permission to retrieve utilization statistics for fleets", + "privilege": "DescribeFleetUtilization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to releases the specified address range that you provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", - "privilege": "DeprovisionByoipCidr", + "access_level": "Read", + 
"description": "Grants permission to retrieve properties for a game server", + "privilege": "DescribeGameServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "gameServerGroup*" } ] }, { "access_level": "Read", - "description": "Grants permissions to describe a standard accelerator.", - "privilege": "DescribeAccelerator", + "description": "Grants permission to retrieve properties for a game server group", + "privilege": "DescribeGameServerGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "gameServerGroup*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a standard accelerator attributes.", - "privilege": "DescribeAcceleratorAttributes", + "description": "Grants permission to retrieve the status of EC2 instances in a game server group", + "privilege": "DescribeGameServerInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "gameServerGroup*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a custom routing accelerator.", - "privilege": "DescribeCustomRoutingAccelerator", + "description": "Grants permission to retrieve properties for game sessions in a fleet, including the protection policy", + "privilege": "DescribeGameSessionDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the attributes of a custom routing accelerator.", - "privilege": "DescribeCustomRoutingAcceleratorAttributes", + "description": "Grants permission to retrieve details of a game session placement request", + "privilege": "DescribeGameSessionPlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"accelerator*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an endpoint group for a custom routing accelerator.", - "privilege": "DescribeCustomRoutingEndpointGroup", + "description": "Grants permission to retrieve properties for game session queues", + "privilege": "DescribeGameSessionQueues", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a listener for a custom routing accelerator.", - "privilege": "DescribeCustomRoutingListener", + "description": "Grants permission to retrieve properties for game sessions in a fleet", + "privilege": "DescribeGameSessions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a standard accelerator endpoint group.", - "privilege": "DescribeEndpointGroup", + "description": "Grants permission to retrieve information about instances in a fleet", + "privilege": "DescribeInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "fleet*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a standard accelerator listener.", - "privilege": "DescribeListener", + "description": "Grants permission to retrieve details of matchmaking tickets", + "privilege": "DescribeMatchmaking", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all standard accelerators.", - "privilege": "ListAccelerators", + "access_level": "Read", + "description": "Grants permission to retrieve properties for FlexMatch matchmakers", + "privilege": 
"DescribeMatchmakingConfigurations", "resource_types": [ { "condition_keys": [], @@ -67155,9 +79129,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the BYOIP cidrs.", - "privilege": "ListByoipCidrs", + "access_level": "Read", + "description": "Grants permission to retrieve properties for FlexMatch matchmaking rule sets", + "privilege": "DescribeMatchmakingRuleSets", "resource_types": [ { "condition_keys": [], @@ -67167,9 +79141,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the custom routing accelerators for an AWS account.", - "privilege": "ListCustomRoutingAccelerators", + "access_level": "Read", + "description": "Grants permission to retrieve properties for player sessions in a game session", + "privilege": "DescribePlayerSessions", "resource_types": [ { "condition_keys": [], 
@@ -67179,45 +79153,45 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the endpoint groups that are associated with a listener for a custom routing accelerator.", - "privilege": "ListCustomRoutingEndpointGroups", + "access_level": "Read", + "description": "Grants permission to retrieve the current runtime configuration for a fleet", + "privilege": "DescribeRuntimeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "fleet*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the listeners for a custom routing accelerator.", - "privilege": "ListCustomRoutingListeners", + "access_level": "Read", + "description": "Grants permission to retrieve all scaling policies that are applied to a fleet", + "privilege": "DescribeScalingPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "fleet*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the port mappings for a custom routing accelerator.", - "privilege": "ListCustomRoutingPortMappings", + "access_level": "Read", + "description": "Grants permission to retrieve properties for a Realtime Servers script", + "privilege": "DescribeScript", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "script*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the port mappings for a specific endpoint IP address (a destination address) in a subnet", - "privilege": "ListCustomRoutingPortMappingsByDestination", + "access_level": "Read", + "description": "Grants permission to retrieve valid VPC peering authorizations", + "privilege": "DescribeVpcPeeringAuthorizations", "resource_types": [ { "condition_keys": [], 
@@ -67227,45 +79201,45 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all endpoint groups associated with a standard accelerator listener.", - "privilege": "ListEndpointGroups", + "access_level": "Read", + "description": "Grants permission to retrieve details on active or pending VPC peering connections", + "privilege": "DescribeVpcPeeringConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all listeners associated with a standard accelerator.", - "privilege": "ListListeners", + "access_level": "Read", + "description": "Grants permission to retrieve the location of stored logs for a game session", + "privilege": "GetGameSessionLogUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list tags for a globalaccelerator resource.", - "privilege": "ListTagsForResource", + "description": "Grants permission to request remote access to a specified fleet instance", + "privilege": "GetInstanceAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator" + "resource_type": "fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to provisions an address range for use with your accelerator through bring your own IP addresses (BYOIP).", - "privilege": "ProvisionByoipCidr", + "access_level": "List", + "description": "Grants permission to retrieve all aliases that are defined in the current region", + "privilege": "ListAliases", "resource_types": [ { "condition_keys": [], 
@@ -67275,324 +79249,176 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove virtual private cloud (VPC) subnet endpoints from a custom routing accelerator endpoint group.", - "privilege": "RemoveCustomRoutingEndpoints", + "access_level": "List", + "description": "Grants permission to retrieve all game build in the current region", + "privilege": "ListBuilds", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a globalaccelerator resource.", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to retrieve a list of fleet IDs for all fleets in the current region", + "privilege": "ListFleets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a globalaccelerator resource.", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to retrieve all game server groups that are defined in the current region", + "privilege": "ListGameServerGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a standard accelerator.", - "privilege": "UpdateAccelerator", + "access_level": "List", + "description": "Grants permission to retrieve all game servers that are currently running in a game server group", + "privilege": "ListGameServers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "accelerator*" + "resource_type": "gameServerGroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a standard accelerator attributes.", - "privilege": "UpdateAcceleratorAttributes", + "access_level": "List", + "description": "Grants permission to retrieve properties for all Realtime Servers scripts in the current region", + "privilege": "ListScripts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a custom routing accelerator.", - "privilege": "UpdateCustomRoutingAccelerator", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "accelerator*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the attributes for a custom routing accelerator.", - "privilege": "UpdateCustomRoutingAcceleratorAttributes", + "access_level": "Read", + "description": "Grants permission to retrieve tags for GameLift resources", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accelerator*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a listener for a custom routing accelerator.", - "privilege": "UpdateCustomRoutingListener", - "resource_types": [ + "resource_type": "alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update an endpoint group on a standard accelerator listener.", - "privilege": "UpdateEndpointGroup", - "resource_types": [ + "resource_type": "build" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpointgroup*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a listener on a 
standard accelerator.", - "privilege": "UpdateListener", - "resource_types": [ + "resource_type": "fleet" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "listener*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to stops advertising a BYOIP IPv4 address.", - "privilege": "WithdrawByoipCidr", - "resource_types": [ + "resource_type": "gameServerGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "accelerator" - }, - { - "arn": "arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}/listener/${ListenerId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "listener" - }, - { - "arn": "arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}/listener/${ListenerId}/endpoint-group/${EndpointGroupId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "endpointgroup" - } - ], - "service_name": "AWS Global Accelerator" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "glue", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create one or more partitions", - "privilege": "BatchCreatePartition", - "resource_types": [ + "resource_type": "gameSessionQueue" + }, { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "catalog*" + "resource_type": "matchmakingConfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "matchmakingRuleSet" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "script" } ] }, { "access_level": "Write", - "description": "Grants permission to delete one or more connections", - "privilege": "BatchDeleteConnection", + "description": "Grants permission to create or update a fleet auto-scaling policy", + "privilege": "PutScalingPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "connection*" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete one or more partitions", - "privilege": "BatchDeletePartition", + "description": "Grants permission to notify GameLift FleetIQ when a new game server is ready to host gameplay", + "privilege": "RegisterGameServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "resource_type": "gameServerGroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete one or more tables", - "privilege": "BatchDeleteTable", + "access_level": "Read", + "description": "Grants permission to retrieve fresh upload credentials to use when uploading a new game build", + "privilege": "RequestUploadCredentials", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": 
"table*" + "resource_type": "build*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete one or more versions of a table", - "privilege": "BatchDeleteTableVersion", + "access_level": "Read", + "description": "Grants permission to retrieve the fleet ID associated with an alias", + "privilege": "ResolveAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "tableversion*" + "resource_type": "alias*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve one or more crawlers", - "privilege": "BatchGetCrawlers", + "access_level": "Write", + "description": "Grants permission to reinstate suspended FleetIQ activity for a game server group", + "privilege": "ResumeGameServerGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "gameServerGroup*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve one or more development endpoints", - "privilege": "BatchGetDevEndpoints", + "description": "Grants permission to retrieve game sessions that match a set of search criteria", + "privilege": "SearchGameSessions", "resource_types": [ { "condition_keys": [], 
@@ -67602,43 +79428,33 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve one or more jobs", - "privilege": "BatchGetJobs", + "access_level": "Write", + "description": "Grants permission to resume auto-scaling activity on a fleet after it was suspended with StopFleetActions()", + "privilege": "StartFleetActions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve one or more partitions", - "privilege": "BatchGetPartition", + "access_level": "Write", + "description": "Grants permission to send a game session placement request to a game session queue", + "privilege": "StartGameSessionPlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "resource_type": "gameSessionQueue*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve one or more triggers", - "privilege": "BatchGetTriggers", + "access_level": "Write", + "description": "Grants permission to request FlexMatch matchmaking to fill available player slots in an existing game session", + "privilege": "StartMatchBackfill", "resource_types": [ { "condition_keys": [], @@ -67648,9 +79464,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve one or more workflows", - "privilege": "BatchGetWorkflows", + "access_level": "Write", + "description": "Grants permission to request FlexMatch matchmaking for one or a group of players and initiate game session placement", + "privilege": "StartMatchmaking", "resource_types": [ { "condition_keys": [], 
@@ -67661,32 +79477,32 @@ }, { "access_level": "Write", - "description": "Grants permission to stop one or more job runs for a job", - "privilege": "BatchStopJobRun", + "description": "Grants permission to suspend auto-scaling activity on a fleet", + "privilege": "StopFleetActions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a running ML Task Run", - "privilege": "CancelMLTaskRun", + "description": "Grants permission to cancel a game session placement request that is in progress", + "privilege": "StopGameSessionPlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a check the validity of schema version", - "privilege": "CheckSchemaVersionValidity", + "access_level": "Write", + "description": "Grants permission to cancel a matchmaking or match backfill request that is in progress", + "privilege": "StopMatchmaking", "resource_types": [ { "condition_keys": [], 
@@ -67697,85 +79513,61 @@ }, { "access_level": "Write", - "description": "Grants permission to create a classifier", - "privilege": "CreateClassifier", + "description": "Grants permission to temporarily stop FleetIQ activity for a game server group", + "privilege": "SuspendGameServerGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "gameServerGroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a connection", - "privilege": "CreateConnection", + "access_level": "Tagging", + "description": "Grants permission to tag GameLift resources", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a crawler", - "privilege": "CreateCrawler", - "resource_types": [ + "resource_type": "build" + }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a database", - "privilege": "CreateDatabase", - "resource_types": [ + "resource_type": "fleet" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "gameServerGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a development endpoint", - "privilege": "CreateDevEndpoint", - "resource_types": [ + "resource_type": "gameSessionQueue" + }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - 
"access_level": "Write", - "description": "Grants permission to create a job", - "privilege": "CreateJob", - "resource_types": [ + "resource_type": "matchmakingConfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "matchmakingRuleSet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "script" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -67787,161 +79579,150 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create an ML Transform", - "privilege": "CreateMLTransform", + "access_level": "Tagging", + "description": "Grants permission to untag GameLift resources", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a partition", - "privilege": "CreatePartition", - "resource_types": [ + "resource_type": "alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "build" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "fleet" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "gameServerGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gameSessionQueue" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "matchmakingConfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "matchmakingRuleSet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "script" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new schema registry", - "privilege": "CreateRegistry", + "description": "Grants permission to update the properties of an existing alias", + "privilege": "UpdateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "alias*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new schema container", - "privilege": "CreateSchema", + "description": "Grants permission to update an existing build's metadata", + 
"privilege": "UpdateBuild", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "build*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a script", - "privilege": "CreateScript", + "description": "Grants permission to update the general properties of an existing fleet", + "privilege": "UpdateFleetAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a security configuration", - "privilege": "CreateSecurityConfiguration", + "description": "Grants permission to adjust a fleet's capacity settings", + "privilege": "UpdateFleetCapacity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a table", - "privilege": "CreateTable", + "description": "Grants permission to adjust a fleet's port settings", + "privilege": "UpdateFleetPortSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a trigger", - "privilege": "CreateTrigger", + "description": "Grants permission to change game server properties, health status, or utilization status", + "privilege": "UpdateGameServer", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": 
"gameServerGroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a function definition", - "privilege": "CreateUserDefinedFunction", + "description": "Grants permission to update properties for game server group, including allowed instance types", + "privilege": "UpdateGameServerGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "userdefinedfunction*" + "resource_type": "gameServerGroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a workflow", - "privilege": "CreateWorkflow", + "description": "Grants permission to update the properties of an existing game session", + "privilege": "UpdateGameSession", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -67949,66 +79730,56 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a classifier", - "privilege": "DeleteClassifier", + "description": "Grants permission to update properties of an existing game session queue", + "privilege": "UpdateGameSessionQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "gameSessionQueue*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a connection", - "privilege": "DeleteConnection", + "description": "Grants permission to update properties of an existing FlexMatch matchmaking configuration", + "privilege": "UpdateMatchmakingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "connection*" + "resource_type": "matchmakingConfiguration*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a crawler", - "privilege": "DeleteCrawler", + "description": "Grants permission to update how server processes are configured on instances in an existing fleet", + "privilege": "UpdateRuntimeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a database", - "privilege": "DeleteDatabase", + "description": "Grants permission to update the metadata and content of an existing Realtime Servers script", + "privilege": "UpdateScript", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "resource_type": "script*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a development endpoint", - "privilege": "DeleteDevEndpoint", + "access_level": 
"Read", + "description": "Grants permission to validate the syntax of a FlexMatch matchmaking rule set", + "privilege": "ValidateMatchmakingRuleSet", "resource_types": [ { "condition_keys": [], 
@@ -68016,506 +79787,552 @@ "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:gamelift:${Region}::alias/${AliasId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "alias" + }, + { + "arn": "arn:${Partition}:gamelift:${Region}:${AccountId}:build/${BuildId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "build" + }, + { + "arn": "arn:${Partition}:gamelift:${Region}:${AccountId}:script/${ScriptId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "script" + }, + { + "arn": "arn:${Partition}:gamelift:${Region}:${Account}:fleet/${FleetId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "fleet" + }, + { + "arn": "arn:${Partition}:gamelift:${Region}:${Account}:gamesessionqueue/${GameSessionQueueName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "gameSessionQueue" + }, + { + "arn": "arn:${Partition}:gamelift:${Region}:${Account}:matchmakingconfiguration/${MatchmakingConfigurationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "matchmakingConfiguration" + }, + { + "arn": "arn:${Partition}:gamelift:${Region}:${Account}:matchmakingruleset/${MatchmakingRuleSetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "matchmakingRuleSet" + }, + { + "arn": "arn:${Partition}:gamelift:${Region}:${Account}:gameservergroup/${GameServerGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "gameServerGroup" + } + ], + "service_name": "Amazon GameLift" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag's key and value in a request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access 
by the tag keys in a request", + "type": "String" + } + ], + "prefix": "geo", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete a job", - "privilege": "DeleteJob", + "description": "Grants permission to create an association between a geofence-collection and a tracker resource", + "privilege": "AssociateTrackerConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "tracker*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an ML Transform", - "privilege": "DeleteMLTransform", + "description": "Grants permission to delete a batch of device position histories from a tracker resource", + "privilege": "BatchDeleteDevicePositionHistory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "tracker*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a partition", - "privilege": "DeletePartition", + "description": "Grants permission to delete a batch of geofences from a geofence collection", + "privilege": "BatchDeleteGeofence", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "resource_type": "geofence-collection*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a schema registry", - "privilege": "DeleteRegistry", + "description": "Grants permission to evaluate device positions against the position of geofences in a given geofence collection", + "privilege": "BatchEvaluateGeofences", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "geofence-collection*" } ] }, { - "access_level": "Write", - "description": 
"Grants permission to delete a resource policy", - "privilege": "DeleteResourcePolicy", + "access_level": "Read", + "description": "Grants permission to send a batch request to retrieve device positions", + "privilege": "BatchGetDevicePosition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "tracker*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a schema container", - "privilege": "DeleteSchema", + "description": "Grants permission to send a batch request for adding geofences into a given geofence collection", + "privilege": "BatchPutGeofence", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "geofence-collection*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a range of schema versions", - "privilege": "DeleteSchemaVersions", + "description": "Grants permission to upload a position update for one or more devices to a tracker resource", + "privilege": "BatchUpdateDevicePosition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "tracker*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a security configuration", - "privilege": "DeleteSecurityConfiguration", + "access_level": "Read", + "description": "Grants permission to calculate routes using a given route calculator resource", + "privilege": "CalculateRoute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "route-calculator*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a table", - "privilege": "DeleteTable", + "description": "Grants 
permission to create a geofence-collection", + "privilege": "CreateGeofenceCollection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "resource_type": "geofence-collection*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a version of a table", - "privilege": "DeleteTableVersion", + "description": "Grants permission to create a map resource", + "privilege": "CreateMap", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "resource_type": "map*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "tableversion*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a trigger", - "privilege": "DeleteTrigger", + "description": "Grants permission to create a place index resource", + "privilege": "CreatePlaceIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "place-index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a function definition", - "privilege": "DeleteUserDefinedFunction", + "description": "Grants permission to create a route calculator resource", + "privilege": "CreateRouteCalculator", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "resource_type": "route-calculator*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "userdefinedfunction*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a workflow", - "privilege": "DeleteWorkflow", + "description": "Grants permission to create a tracker resource", + "privilege": "CreateTracker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "tracker*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the catalog import status", - "privilege": "GetCatalogImportStatus", + "access_level": "Write", + "description": "Grants permission to delete a geofence-collection", + "privilege": "DeleteGeofenceCollection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "geofence-collection*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a classifier", - "privilege": "GetClassifier", + "access_level": "Write", + "description": "Grants permission to delete a map resource", + "privilege": "DeleteMap", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "map*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all classifiers", - "privilege": "GetClassifiers", + "access_level": "Write", + "description": "Grants permission to delete a place index resource", + "privilege": "DeletePlaceIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": 
"place-index*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a connection", - "privilege": "GetConnection", + "access_level": "Write", + "description": "Grants permission to delete a route calculator resource", + "privilege": "DeleteRouteCalculator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "connection*" + "resource_type": "route-calculator*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of connections", - "privilege": "GetConnections", + "access_level": "Write", + "description": "Grants permission to delete a tracker resource", + "privilege": "DeleteTracker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "connection*" + "resource_type": "tracker*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a crawler", - "privilege": "GetCrawler", + "description": "Grants permission to retrieve geofence collection details", + "privilege": "DescribeGeofenceCollection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "geofence-collection*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve metrics about crawlers", - "privilege": "GetCrawlerMetrics", + "description": "Grants permission to retrieve map resource details", + "privilege": "DescribeMap", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "map*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve all crawlers", - "privilege": "GetCrawlers", + "description": "Grants permission to retrieve place-index resource details", + "privilege": "DescribePlaceIndex", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "place-index*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve catalog encryption settings", - "privilege": "GetDataCatalogEncryptionSettings", + "description": "Grants permission to retrieve route calculator resource details", + "privilege": "DescribeRouteCalculator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "route-calculator*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a database", - "privilege": "GetDatabase", + "description": "Grants permission to retrieve a tracker resource details", + "privilege": "DescribeTracker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "resource_type": "tracker*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve all databases", - "privilege": "GetDatabases", + "access_level": "Write", + "description": "Grants permission to remove the association between a tracker resource and a geofence-collection", + "privilege": "DisassociateTrackerConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" + "resource_type": "tracker*" } ] }, { "access_level": "Read", - "description": "Grants permission to transform a script into a directed acyclic graph (DAG)", - "privilege": "GetDataflowGraph", + "description": "Grants permission to retrieve the latest device position", + "privilege": "GetDevicePosition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "tracker*" } ] }, { "access_level": "Read", - "description": "Grants 
permission to retrieve a development endpoint", - "privilege": "GetDevEndpoint", + "description": "Grant permission to retrieve the device position history", + "privilege": "GetDevicePositionHistory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "tracker*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve all development endpoints", - "privilege": "GetDevEndpoints", + "description": "Grants permission to retrieve the geofence details from a geofence-collection.", + "privilege": "GetGeofence", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "geofence-collection*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a job", - "privilege": "GetJob", + "description": "Grants permission to retrieve the glyph file for a map resource", + "privilege": "GetMapGlyphs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "map*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a job bookmark", - "privilege": "GetJobBookmark", + "description": "Grants permission to retrieve the sprite file for a map resource", + "privilege": "GetMapSprites", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "map*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a job run", - "privilege": "GetJobRun", + "description": "Grants permission to retrieve the map style descriptor from a map resource", + "privilege": "GetMapStyleDescriptor", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "map*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve all job runs of a job", - "privilege": "GetJobRuns", + "description": "Grants permission to retrieve the 
map tile from the map resource", + "privilege": "GetMapTile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "map*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve all current jobs", - "privilege": "GetJobs", + "access_level": "List", + "description": "Grants permission to retrieve a list of devices and their latest positions from the given tracker resource", + "privilege": "ListDevicePositions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "tracker*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an ML Task Run", - "privilege": "GetMLTaskRun", + "access_level": "List", + "description": "Grants permission to lists geofence-collections", + "privilege": "ListGeofenceCollections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve all ML Task Runs", - "privilege": "GetMLTaskRuns", + "access_level": "Read", + "description": "Grants permission to list geofences stored in a given geofence collection", + "privilege": "ListGeofences", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "geofence-collection*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an ML Transform", - "privilege": "GetMLTransform", + "access_level": "List", + "description": "Grants permission to list map resources", + "privilege": "ListMaps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve all ML Transforms", - "privilege": "GetMLTransforms", + "description": "Grants permission to return a 
list of place index resources", + "privilege": "ListPlaceIndexes", "resource_types": [ { "condition_keys": [], @@ -68525,9 +80342,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to create a mapping", - "privilege": "GetMapping", + "access_level": "List", + "description": "Grants permission to return a list of route calculator resources", + "privilege": "ListRouteCalculators", "resource_types": [ { "condition_keys": [], 
@@ -68538,498 +80355,549 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve a partition", - "privilege": "GetPartition", + "description": "Grants permission to list the tags (metadata) which you have assigned to the resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "geofence-collection" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "map" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the partitions of a table", - "privilege": "GetPartitions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "place-index" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "route-calculator" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "tracker" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a mapping for a script", - "privilege": "GetPlan", + "description": "Grants permission to retrieve a list of geofence collections currently associated to the given tracker resource", + "privilege": "ListTrackerConsumers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "tracker*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a schema registry", - "privilege": "GetRegistry", + "access_level": "List", + "description": "Grants permission to return a list of tracker resources", + "privilege": "ListTrackers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "" } ] }, { - "access_level": "Read", - 
"description": "Grants permission to retrieve resource policies", - "privilege": "GetResourcePolicies", + "access_level": "Write", + "description": "Grants permission to add a new geofence or update an existing geofence to a given geofence-collection", + "privilege": "PutGeofence", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "geofence-collection*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a resource policy", - "privilege": "GetResourcePolicy", + "description": "Grants permission to reverse geocodes a given coordinate", + "privilege": "SearchPlaceIndexForPosition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "place-index*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a schema container", - "privilege": "GetSchema", + "description": "Grants permission to geocode free-form text, such as an address, name, city or region", + "privilege": "SearchPlaceIndexForText", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "place-index*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a schema version based on schema definition", - "privilege": "GetSchemaByDefinition", + "access_level": "Tagging", + "description": "Grants permission to adds to or modifies the tags of the given resource. 
Tags are metadata which can be used to manage a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "geofence-collection" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve a schema version", - "privilege": "GetSchemaVersion", - "resource_types": [ + "resource_type": "map" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry" + "resource_type": "place-index" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to compare two schema versions in schema registry", - "privilege": "GetSchemaVersionsDiff", - "resource_types": [ + "resource_type": "route-calculator" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "tracker" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a security configuration", - "privilege": "GetSecurityConfiguration", + "access_level": "Tagging", + "description": "Grants permission to remove the given tags (metadata) from the resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve one or more security configurations", - "privilege": "GetSecurityConfigurations", - "resource_types": [ + "resource_type": "geofence-collection" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants 
permission to retrieve a table", - "privilege": "GetTable", - "resource_types": [ + "resource_type": "map" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "place-index" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "route-calculator" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "tracker" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a version of a table", - "privilege": "GetTableVersion", + "access_level": "Write", + "description": "Grants permission to update the description of a geofence collection", + "privilege": "UpdateGeofenceCollection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "tableversion*" + "resource_type": "geofence-collection*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of versions of a table", - "privilege": "GetTableVersions", + "access_level": "Write", + "description": "Grants permission to update the description of a tracker resource", + "privilege": "UpdateTracker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, + "resource_type": "tracker*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:geofence-collection/${GeofenceCollectionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "geofence-collection" + }, + { + "arn": 
"arn:${Partition}:geo:${Region}:${Account}:map/${MapName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "map" + }, + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:place-index/${IndexName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "place-index" + }, + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:route-calculator/${CalculatorName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "route-calculator" + }, + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:tracker/${TrackerName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "tracker" + } + ], + "service_name": "Amazon Location" + }, + { + "conditions": [ + { + "condition": "glacier:ArchiveAgeInDays", + "description": "How long an archive has been stored in the vault, in days.", + "type": "String" + }, + { + "condition": "glacier:ResourceTag/", + "description": "A customer-defined tag.", + "type": "String" + } + ], + "prefix": "glacier", + "privileges": [ + { + "access_level": "Write", + "description": "Aborts a multipart upload identified by the upload ID", + "privilege": "AbortMultipartUpload", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" - }, + "resource_type": "vault*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Aborts the vault locking process if the vault lock is not in the Locked state", + "privilege": "AbortVaultLock", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - }, + "resource_type": "vault*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Adds the specified tags to a vault", + "privilege": "AddTagsToVault", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tableversion*" + "resource_type": "vault*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve 
the tables in a database", - "privilege": "GetTables", + "access_level": "Write", + "description": "Completes a multipart upload process", + "privilege": "CompleteMultipartUpload", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, + "resource_type": "vault*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Completes the vault locking process", + "privilege": "CompleteVaultLock", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" - }, + "resource_type": "vault*" + } + ] + }, + { + "access_level": "Write", + "description": "Creates a new vault with the specified name", + "privilege": "CreateVault", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "vault*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve all tags associated with a resource", - "privilege": "GetTags", + "access_level": "Write", + "description": "Deletes an archive from a vault", + "privilege": "DeleteArchive", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "crawler" + "resource_type": "vault*" }, { - "condition_keys": [], + "condition_keys": [ + "glacier:ArchiveAgeInDays" + ], "dependent_actions": [], - "resource_type": "devendpoint" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Deletes a vault", + "privilege": "DeleteVault", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job" - }, + "resource_type": "vault*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Deletes the access policy associated with the specified vault", + "privilege": "DeleteVaultAccessPolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trigger" - }, + "resource_type": "vault*" + } + ] + }, + { + 
"access_level": "Write", + "description": "Deletes the notification configuration set for a vault", + "privilege": "DeleteVaultNotifications", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workflow" + "resource_type": "vault*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a trigger", - "privilege": "GetTrigger", + "description": "Returns information about a job you previously initiated", + "privilege": "DescribeJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the triggers associated with a job", - "privilege": "GetTriggers", + "description": "Returns information about a vault", + "privilege": "DescribeVault", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a function definition.", - "privilege": "GetUserDefinedFunction", + "description": "Returns the current data retrieval policy for the account and region specified in the GET request", + "privilege": "GetDataRetrievalPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "userdefinedfunction*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve multiple function definitions", - "privilege": "GetUserDefinedFunctions", + "description": "Downloads the output of the job you initiated", + "privilege": "GetJobOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": 
[], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "userdefinedfunction*" + "resource_type": "vault*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a workflow", - "privilege": "GetWorkflow", + "description": "Retrieves the access-policy subresource set on the vault", + "privilege": "GetVaultAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a workflow run", - "privilege": "GetWorkflowRun", + "description": "Retrieves attributes from the lock-policy subresource set on the specified vault", + "privilege": "GetVaultLock", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve workflow run properties", - "privilege": "GetWorkflowRunProperties", + "description": "Retrieves the notification-configuration subresource set on the vault", + "privilege": "GetVaultNotifications", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve all runs of a workflow", - "privilege": "GetWorkflowRuns", + "access_level": "Write", + "description": "Initiates a job of the specified type", + "privilege": "InitiateJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "vault*" + }, + { + "condition_keys": [ + "glacier:ArchiveAgeInDays" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to import an Athena data catalog into AWS Glue", - "privilege": "ImportCatalogToGlue", + "description": "Initiates a multipart upload", + "privilege": 
"InitiateMultipartUpload", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "vault*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve all crawlers", - "privilege": "ListCrawlers", + "access_level": "Permissions management", + "description": "Initiates the vault locking process", + "privilege": "InitiateVaultLock", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve all development endpoints", - "privilege": "ListDevEndpoints", + "description": "Lists jobs for a vault that are in-progress and jobs that have recently finished", + "privilege": "ListJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve all current jobs", - "privilege": "ListJobs", + "description": "Lists in-progress multipart uploads for the specified vault", + "privilege": "ListMultipartUploads", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve all ML Transforms", - "privilege": "ListMLTransforms", + "description": "Lists the parts of an archive that have been uploaded in a specific multipart upload", + "privilege": "ListParts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of schema registries", - "privilege": "ListRegistries", + "description": "This operation lists the provisioned capacity for the specified AWS account.", + "privilege": "ListProvisionedCapacity", "resource_types": [ { 
"condition_keys": [], @@ -69040,37 +80908,32 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of schema versions", - "privilege": "ListSchemaVersions", + "description": "Lists all the tags attached to a vault", + "privilege": "ListTagsForVault", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "vault*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of schema containers", - "privilege": "ListSchemas", + "description": "Lists all vaults", + "privilege": "ListVaults", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve all triggers", - "privilege": "ListTriggers", + "access_level": "Write", + "description": "This operation purchases a provisioned capacity unit for an AWS account.", + "privilege": "PurchaseProvisionedCapacity", "resource_types": [ { "condition_keys": [], @@ -69080,21 +80943,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve all workflows", - "privilege": "ListWorkflows", + "access_level": "Tagging", + "description": "Removes one or more tags from the set of tags attached to a vault", + "privilege": "RemoveTagsFromVault", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update catalog encryption settings", - "privilege": "PutDataCatalogEncryptionSettings", + "access_level": "Permissions management", + "description": "Sets and then enacts a data retrieval policy in the region specified in the PUT request", + "privilege": "SetDataRetrievalPolicy", "resource_types": [ { "condition_keys": [], 
@@ -69104,267 +80967,285 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update a resource policy", - "privilege": "PutResourcePolicy", + "access_level": "Permissions management", + "description": "Configures an access policy for a vault and will overwrite an existing policy", + "privilege": "SetVaultAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "vault*" } ] }, { "access_level": "Write", - "description": "Grants permission to add metadata to schema version", - "privilege": "PutSchemaVersionMetadata", + "description": "Configures vault notifications", + "privilege": "SetVaultNotifications", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema" + "resource_type": "vault*" } ] }, { "access_level": "Write", - "description": "Grants permission to update workflow run properties", - "privilege": "PutWorkflowRunProperties", + "description": "Adds an archive to a vault", + "privilege": "UploadArchive", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "vault*" } ] }, { - "access_level": "List", - "description": "Grants permission to fetch metadata for a schema version", - "privilege": "QuerySchemaVersionMetadata", + "access_level": "Write", + "description": "Uploads a part of an archive", + "privilege": "UploadMultipartPart", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema" + "resource_type": "vault*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:glacier:${Region}:${Account}:vaults/${VaultName}", + "condition_keys": [], + "resource": "vault" + } + ], + "service_name": "Amazon Glacier" + }, + { + "conditions": [ + { + 
"condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "globalaccelerator", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a new schema version", - "privilege": "RegisterSchemaVersion", + "description": "Grants permission to add a virtual private cloud (VPC) subnet endpoint to a custom routing accelerator endpoint group.", + "privilege": "AddCustomRoutingEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "endpointgroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove metadata from schema version", - "privilege": "RemoveSchemaVersionMetadata", + "description": "Grants permission to advertises an IPv4 address range that is provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", + "privilege": "AdvertiseByoipCidr", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to allows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", + "privilege": "AllowCustomRoutingTraffic", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema" + "resource_type": "endpointgroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to reset a job 
bookmark", - "privilege": "ResetJobBookmark", + "description": "Grants permission to create a standard accelerator.", + "privilege": "CreateAccelerator", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the tables in the catalog", - "privilege": "SearchTables", + "access_level": "Write", + "description": "Grants permission to create a Custom Routing accelerator", + "privilege": "CreateCustomRoutingAccelerator", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to start a crawler", - "privilege": "StartCrawler", + "description": "Grants permission to create an endpoint group for the specified listener for a custom routing accelerator.", + "privilege": "CreateCustomRoutingEndpointGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "listener*" } ] }, { "access_level": "Write", - "description": "Grants permission to change the schedule state of a crawler to SCHEDULED", - "privilege": "StartCrawlerSchedule", + "description": "Grants permission to create a listener to process inbound connections from clients to a custom routing accelerator.", + "privilege": "CreateCustomRoutingListener", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to start an Export Labels ML Task Run", - 
"privilege": "StartExportLabelsTaskRun", + "description": "Grants permission to add an endpoint group to a standard accelerator listener.", + "privilege": "CreateEndpointGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "listener*" } ] }, { "access_level": "Write", - "description": "Grants permission to start an Import Labels ML Task Run", - "privilege": "StartImportLabelsTaskRun", + "description": "Grants permission to add a listener to a standard accelerator.", + "privilege": "CreateListener", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to start running a job", - "privilege": "StartJobRun", + "description": "Grants permission to delete a standard accelerator.", + "privilege": "DeleteAccelerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to start an Evaluation ML Task Run", - "privilege": "StartMLEvaluationTaskRun", + "description": "Grants permission to delete a custom routing accelerator.", + "privilege": "DeleteCustomRoutingAccelerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to start a Labeling Set Generation ML Task Run", - "privilege": "StartMLLabelingSetGenerationTaskRun", + "description": "Grants permission to delete an endpoint group from a listener for a custom routing accelerator.", + "privilege": "DeleteCustomRoutingEndpointGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "endpointgroup*" } ] }, { "access_level": 
"Write", - "description": "Grants permission to start a trigger", - "privilege": "StartTrigger", + "description": "Grants permission to delete a listener for a custom routing accelerator.", + "privilege": "DeleteCustomRoutingListener", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "listener*" } ] }, { "access_level": "Write", - "description": "Grants permission to start running a workflow", - "privilege": "StartWorkflowRun", + "description": "Grants permission to delete an endpoint group associated with a standard accelerator listener.", + "privilege": "DeleteEndpointGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "endpointgroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a running crawler", - "privilege": "StopCrawler", + "description": "Grants permission to delete a listener from a standard accelerator.", + "privilege": "DeleteListener", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "listener*" } ] }, { "access_level": "Write", - "description": "Grants permission to set the schedule state of a crawler to NOT_SCHEDULED", - "privilege": "StopCrawlerSchedule", + "description": "Grants permission to disallows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", + "privilege": "DenyCustomRoutingTraffic", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "endpointgroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a trigger", - "privilege": "StopTrigger", + "description": "Grants permission to releases the specified address range that you provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", + "privilege": "DeprovisionByoipCidr", "resource_types": [ { "condition_keys": [], 
@@ -69374,88 +81255,129 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permissions to describe a standard accelerator.", + "privilege": "DescribeAccelerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "crawler" - }, + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a standard accelerator attributes.", + "privilege": "DescribeAcceleratorAttributes", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "devendpoint" - }, + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a custom routing accelerator.", + "privilege": "DescribeCustomRoutingAccelerator", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job" - }, + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the attributes of a custom routing accelerator.", + "privilege": "DescribeCustomRoutingAcceleratorAttributes", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trigger" - }, + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an endpoint group for a custom routing accelerator.", + "privilege": "DescribeCustomRoutingEndpointGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workflow" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "endpointgroup*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags associated with a resource", - 
"privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to describe a listener for a custom routing accelerator.", + "privilege": "DescribeCustomRoutingListener", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "crawler" - }, + "resource_type": "listener*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a standard accelerator endpoint group.", + "privilege": "DescribeEndpointGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "devendpoint" - }, + "resource_type": "endpointgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a standard accelerator listener.", + "privilege": "DescribeListener", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job" - }, + "resource_type": "listener*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all standard accelerators.", + "privilege": "ListAccelerators", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trigger" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the BYOIP cidrs.", + "privilege": "ListByoipCidrs", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workflow" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a classifier", - "privilege": "UpdateClassifier", + "access_level": "List", + "description": "Grants permission to list the custom routing accelerators for an AWS account.", + "privilege": "ListCustomRoutingAccelerators", "resource_types": [ { "condition_keys": [], 
@@ -69465,38 +81387,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update a connection", - "privilege": "UpdateConnection", + "access_level": "List", + "description": "Grants permission to list the endpoint groups that are associated with a listener for a custom routing accelerator.", + "privilege": "ListCustomRoutingEndpointGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, + "resource_type": "listener*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the listeners for a custom routing accelerator.", + "privilege": "ListCustomRoutingListeners", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" + "resource_type": "accelerator*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a crawler", - "privilege": "UpdateCrawler", + "access_level": "List", + "description": "Grants permission to list the port mappings for a custom routing accelerator.", + "privilege": "ListCustomRoutingPortMappings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "accelerator*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the schedule of a crawler", - "privilege": "UpdateCrawlerSchedule", + "access_level": "List", + "description": "Grants permission to list the port mappings for a specific endpoint IP address (a destination address) in a subnet", + "privilege": "ListCustomRoutingPortMappingsByDestination", "resource_types": [ { "condition_keys": [], 
@@ -69506,38 +81435,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update a database", - "privilege": "UpdateDatabase", + "access_level": "List", + "description": "Grants permission to list all endpoint groups associated with a standard accelerator listener.", + "privilege": "ListEndpointGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, + "resource_type": "listener*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all listeners associated with a standard accelerator.", + "privilege": "ListListeners", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "accelerator*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a development endpoint", - "privilege": "UpdateDevEndpoint", + "access_level": "Read", + "description": "Grants permission to list tags for a globalaccelerator resource.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "accelerator" } ] }, { "access_level": "Write", - "description": "Grants permission to update a job", - "privilege": "UpdateJob", + "description": "Grants permission to provisions an address range for use with your accelerator through bring your own IP addresses (BYOIP).", + "privilege": "ProvisionByoipCidr", "resource_types": [ { "condition_keys": [], 
@@ -69548,461 +81484,336 @@ }, { "access_level": "Write", - "description": "Grants permission to update an ML Transform", - "privilege": "UpdateMLTransform", + "description": "Grants permission to remove virtual private cloud (VPC) subnet endpoints from a custom routing accelerator endpoint group.", + "privilege": "RemoveCustomRoutingEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "endpointgroup*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a partition", - "privilege": "UpdatePartition", + "access_level": "Tagging", + "description": "Grants permission to add tags to a globalaccelerator resource.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" + "resource_type": "accelerator" }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a globalaccelerator resource.", + "privilege": "UntagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "accelerator" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a schema registry", - "privilege": "UpdateRegistry", + "description": "Grants permission to update a standard accelerator.", + "privilege": "UpdateAccelerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a schema container", - "privilege": "UpdateSchema", + "description": "Grants 
permission to update a standard accelerator attributes.", + "privilege": "UpdateAcceleratorAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a table", - "privilege": "UpdateTable", + "description": "Grants permission to update a custom routing accelerator.", + "privilege": "UpdateCustomRoutingAccelerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a trigger", - "privilege": "UpdateTrigger", + "description": "Grants permission to update the attributes for a custom routing accelerator.", + "privilege": "UpdateCustomRoutingAcceleratorAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "accelerator*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a function definition", - "privilege": "UpdateUserDefinedFunction", + "description": "Grants permission to update a listener for a custom routing accelerator.", + "privilege": "UpdateCustomRoutingListener", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "catalog*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "database*" - }, + "resource_type": "listener*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an endpoint group on a standard accelerator listener.", + "privilege": "UpdateEndpointGroup", + 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "userdefinedfunction*" + "resource_type": "endpointgroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a workflow", - "privilege": "UpdateWorkflow", + "description": "Grants permission to update a listener on a standard accelerator.", + "privilege": "UpdateListener", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "listener*" } ] }, { "access_level": "Write", - "description": "Grants permission to use an ML Transform from within a Glue ETL Script", - "privilege": "UseMLTransforms", + "description": "Grants permission to stops advertising a BYOIP IPv4 address.", + "privilege": "WithdrawByoipCidr", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlTransform*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:glue:${Region}:${Account}:catalog", - "condition_keys": [], - "resource": "catalog" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName}", - "condition_keys": [], - "resource": "database" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName}", - "condition_keys": [], - "resource": "table" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:tableVersion/${DatabaseName}/${TableName}/${TableVersionName}", - "condition_keys": [], - "resource": "tableversion" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName}", - "condition_keys": [], - "resource": "connection" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName}", - "condition_keys": [], - "resource": "userdefinedfunction" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:devendpoint/${DevEndpointName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - 
"resource": "devendpoint" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:job/${JobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "job" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:trigger/${TriggerName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "trigger" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:crawler/${CrawlerName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "crawler" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:workflow/${WorkflowName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "workflow" - }, - { - "arn": "arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId}", + "arn": "arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "mlTransform" + "resource": "accelerator" }, { - "arn": "arn:${Partition}:glue:${Region}:${Account}:registry/${RegistryName}", + "arn": "arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}/listener/${ListenerId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "registry" + "resource": "listener" }, { - "arn": "arn:${Partition}:glue:${Region}:${Account}:schema/${SchemaName}", + "arn": "arn:${Partition}:globalaccelerator::${Account}:accelerator/${AcceleratorId}/listener/${ListenerId}/endpoint-group/${EndpointGroupId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "schema" + "resource": "endpointgroup" } ], - "service_name": "AWS Glue" + "service_name": "AWS Global Accelerator" }, { "conditions": [ { - "condition": "aws:CurrentTime", - "description": "Filters access by checking date/time conditions for the current date and time", - "type": "Date" - }, - { - "condition": "aws:EpochTime", - "description": "Filters access by checking date/time conditions for the current date and time in epoch or 
Unix time", - "type": "Date" + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" }, { - "condition": "aws:MultiFactorAuthAge", - "description": "Filters access by checking how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA", - "type": "Numeric" + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" }, { - "condition": "aws:MultiFactorAuthPresent", - "description": "Filters access by checking whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request", - "type": "Boolean" + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" }, { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the mandatory tags", + "condition": "glue:CredentialIssuingService", + "description": "Filters access by the service from which the credentials of the request is issued", "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource", + "condition": "glue:RoleAssumedBy", + "description": "Filters access by the service from which the credentials of the request is obtained by assuming the customer role", "type": "String" }, { - "condition": "aws:SecureTransport", - "description": "Filters access by checking whether the request was sent using SSL", - "type": "Boolean" + "condition": "glue:SecurityGroupIds", + "description": "Filters access by the ID of security groups configured for the Glue job", + "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters create requests based 
on the presence of mandatory tags in the request", + "condition": "glue:SubnetIds", + "description": "Filters access by the ID of subnets configured for the Glue job", "type": "String" }, { - "condition": "aws:UserAgent", - "description": "Filters access by the requester's client application", + "condition": "glue:VpcIds", + "description": "Filters access by the ID of the VPC configured for the Glue job", "type": "String" } ], - "prefix": "greengrass", + "prefix": "glue", "privileges": [ { "access_level": "Write", - "description": "Grants permission to cancel a deployment", - "privilege": "CancelDeployment", + "description": "Grants permission to create one or more partitions", + "privilege": "BatchCreatePartition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:CancelJob", - "iot:DeleteThingShadow", - "iot:DescribeJob", - "iot:DescribeThing", - "iot:DescribeThingGroup", - "iot:GetThingShadow", - "iot:UpdateJob", - "iot:UpdateThingShadow" - ], - "resource_type": "deployment*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a component", - "privilege": "CreateComponentVersion", - "resource_types": [ + "dependent_actions": [], + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "component*" + "resource_type": "database*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a deployment", - "privilege": "CreateDeployment", + "description": "Grants permission to delete one or more connections", + "privilege": "BatchDeleteConnection", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iot:CancelJob", - "iot:CreateJob", - "iot:DeleteThingShadow", - "iot:DescribeJob", - 
"iot:DescribeThing", - "iot:DescribeThingGroup", - "iot:GetThingShadow", - "iot:UpdateJob", - "iot:UpdateThingShadow" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a component", - "privilege": "DeleteComponent", + "description": "Grants permission to delete one or more partitions", + "privilege": "BatchDeletePartition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "componentVersion*" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a AWS IoT Greengrass core device, which is an AWS IoT thing. This operation removes the core device from the list of core devices. 
This operation doesn't delete the AWS IoT thing", - "privilege": "DeleteCoreDevice", + "description": "Grants permission to delete one or more tables", + "privilege": "BatchDeleteTable", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeJobExecution" - ], - "resource_type": "coreDevice*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve metadata for a version of a component", - "privilege": "DescribeComponent", - "resource_types": [ + "dependent_actions": [], + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "componentVersion*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get the recipe for a version of a component", - "privilege": "GetComponent", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "componentVersion*" + "resource_type": "table*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieves metadata for a AWS IoT Greengrass core device", - "privilege": "GetCoreDevice", + "access_level": "Write", + "description": "Grants permission to delete one or more versions of a table", + "privilege": "BatchDeleteTableVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDevice*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get a deployment", - "privilege": "GetDeployment", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeJob", - "iot:DescribeThing", - "iot:DescribeThingGroup", - "iot:GetThingShadow" - ], - "resource_type": "deployment*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve a paginated list of all versions for a component", - "privilege": "ListComponentVersions", - "resource_types": [ + 
"dependent_actions": [], + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "component*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve a paginated list of component summaries", - "privilege": "ListComponents", - "resource_types": [ + "resource_type": "table*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "tableversion*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a paginated list of AWS IoT Greengrass core devices", - "privilege": "ListCoreDevices", + "access_level": "Read", + "description": "Grants permission to retrieve one or more crawlers", + "privilege": "BatchGetCrawlers", "resource_types": [ { "condition_keys": [], 
@@ -70012,256 +81823,103 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieves a paginated list of deployments", - "privilege": "ListDeployments", + "access_level": "Read", + "description": "Grants permission to retrieve one or more development endpoints", + "privilege": "BatchGetDevEndpoints", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeJob", - "iot:DescribeThing", - "iot:DescribeThingGroup", - "iot:GetThingShadow" - ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieves a paginated list of deployment jobs that AWS IoT Greengrass sends to AWS IoT Greengrass core devices", - "privilege": "ListEffectiveDeployments", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iot:DescribeJob", - "iot:DescribeJobExecution", - "iot:DescribeThing", - "iot:DescribeThingGroup", - "iot:GetThingShadow" - ], - "resource_type": "coreDevice*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve a paginated list of the components that a AWS IoT Greengrass core device runs", - "privilege": "ListInstalledComponents", + "access_level": "Read", + "description": "Grants permission to retrieve one or more jobs", + "privilege": "BatchGetJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDevice*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to retrieve one or more partitions", + "privilege": "BatchGetPartition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "componentVersion" + "resource_type": 
"database*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDevice" - }, + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve one or more triggers", + "privilege": "BatchGetTriggers", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to retrieve one or more workflows", + "privilege": "BatchGetWorkflows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "componentVersion" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "coreDevice" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deployment" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to stop one or more job runs for a job", + "privilege": "BatchStopJobRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "componentVersion" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "coreDevice" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deployment" - }, - { - "condition_keys": [ - 
"aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:components:${ComponentName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "component" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:components:${ComponentName}:versions:${ComponentVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "componentVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:coreDevices:${CoreDeviceThingName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "coreDevice" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:deployments:${DeploymentId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "deployment" - } - ], - "service_name": "AWS IoT Greengrass V2" - }, - { - "conditions": [ - { - "condition": "aws:CurrentTime", - "description": "Filters access by checking date/time conditions for the current date and time.", - "type": "Date" - }, - { - "condition": "aws:EpochTime", - "description": "Filters access by checking date/time conditions for the current date and time in epoch or Unix time.", - "type": "Date" - }, - { - "condition": "aws:MultiFactorAuthAge", - "description": "Filters access by checking how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA.", - "type": "Numeric" - }, - { - "condition": "aws:MultiFactorAuthPresent", - "description": "Filters access by checking whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request.", - "type": "Boolean" }, - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the mandatory tags.", - "type": "String" - }, - { - 
"condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource.", - "type": "String" - }, - { - "condition": "aws:SecureTransport", - "description": "Filters access by checking whether the request was sent using SSL.", - "type": "Boolean" - }, - { - "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", - "type": "String" - }, - { - "condition": "aws:UserAgent", - "description": "Filters access by the requester's client application.", - "type": "String" - } - ], - "prefix": "greengrass", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a role with a group. The role's permissions must allow Greengrass core Lambda functions and connectors to perform actions in other AWS services.", - "privilege": "AssociateRoleToGroup", + "description": "Grants permission to stop a running ML Task Run", + "privilege": "CancelMLTaskRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "mlTransform*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to associate a role with your account. AWS IoT Greengrass uses this role to access your Lambda functions and AWS IoT resources.", - "privilege": "AssociateServiceRoleToAccount", + "access_level": "Read", + "description": "Grants permission to retrieve a check the validity of schema version", + "privilege": "CheckSchemaVersionValidity", "resource_types": [ { "condition_keys": [], 
@@ -70272,14 +81930,11 @@ }, { "access_level": "Write", - "description": "Grants permission to create a connector definition.", - "privilege": "CreateConnectorDefinition", + "description": "Grants permission to create a classifier", + "privilege": "CreateClassifier", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -70287,20 +81942,25 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an existing connector definition.", - "privilege": "CreateConnectorDefinitionVersion", + "description": "Grants permission to create a connection", + "privilege": "CreateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition*" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a core definition.", - "privilege": "CreateCoreDefinition", + "description": "Grants permission to create a crawler", + "privilege": "CreateCrawler", "resource_types": [ { "condition_keys": [ 
@@ -70314,32 +81974,25 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an existing core definition. Greengrass groups must each contain exactly one Greengrass core.", - "privilege": "CreateCoreDefinitionVersion", + "description": "Grants permission to create a database", + "privilege": "CreateDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a deployment.", - "privilege": "CreateDeployment", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a device definition.", - "privilege": "CreateDeviceDefinition", + "description": "Grants permission to create a development endpoint", + "privilege": "CreateDevEndpoint", "resource_types": [ { "condition_keys": [ 
@@ -70353,26 +82006,29 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an existing device definition.", - "privilege": "CreateDeviceDefinitionVersion", + "description": "Grants permission to create a job", + "privilege": "CreateJob", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "glue:VpcIds", + "glue:SubnetIds", + "glue:SecurityGroupIds" + ], "dependent_actions": [], - "resource_type": "deviceDefinition*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a Lambda function definition to be used in a group that contains a list of Lambda functions and their configurations.", - "privilege": "CreateFunctionDefinition", + "description": "Grants permission to create an ML Transform", + "privilege": "CreateMLTransform", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -70380,65 +82036,74 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an existing Lambda function definition.", - "privilege": "CreateFunctionDefinitionVersion", + "description": "Grants permission to create a partition", + "privilege": "CreatePartition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition*" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a group.", - "privilege": "CreateGroup", + "description": "Grants permission to create a new schema registry", + "privilege": "CreateRegistry", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a CA for the group, or rotate the existing CA.", - "privilege": "CreateGroupCertificateAuthority", + "description": "Grants permission to create a new schema container", + "privilege": "CreateSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "registry*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a version of a group that has already been defined.", - "privilege": "CreateGroupVersion", + "description": "Grants permission to create a script", + "privilege": "CreateScript", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a 
logger definition.", - "privilege": "CreateLoggerDefinition", + "description": "Grants permission to create a security configuration", + "privilege": "CreateSecurityConfiguration", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -70446,20 +82111,30 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an existing logger definition.", - "privilege": "CreateLoggerDefinitionVersion", + "description": "Grants permission to create a table", + "privilege": "CreateTable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition*" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a resource definition that contains a list of resources to be used in a group.", - "privilege": "CreateResourceDefinition", + "description": "Grants permission to create a trigger", + "privilege": "CreateTrigger", "resource_types": [ { "condition_keys": [ 
@@ -70473,32 +82148,30 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an existing resource definition.", - "privilege": "CreateResourceDefinitionVersion", + "description": "Grants permission to create a function definition", + "privilege": "CreateUserDefinedFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create an AWS IoT job that will trigger your Greengrass cores to update the software they are running.", - "privilege": "CreateSoftwareUpdateJob", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "userdefinedfunction*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a subscription definition.", - "privilege": "CreateSubscriptionDefinition", + "description": "Grants permission to create a workflow", + "privilege": "CreateWorkflow", "resource_types": [ { "condition_keys": [ 
@@ -70512,437 +82185,383 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an existing subscription definition.", - "privilege": "CreateSubscriptionDefinitionVersion", + "description": "Grants permission to delete a classifier", + "privilege": "DeleteClassifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a connector definition.", - "privilege": "DeleteConnectorDefinition", + "description": "Grants permission to delete a connection", + "privilege": "DeleteConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a core definition. Deleting a definition that is currently in use in a deployment affects future deployments.", - "privilege": "DeleteCoreDefinition", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition*" + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a device definition. Deleting a definition that is currently in use in a deployment affects future deployments.", - "privilege": "DeleteDeviceDefinition", + "description": "Grants permission to delete a crawler", + "privilege": "DeleteCrawler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a Lambda function definition. 
Deleting a definition that is currently in use in a deployment affects future deployments.", - "privilege": "DeleteFunctionDefinition", + "description": "Grants permission to delete a database", + "privilege": "DeleteDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a group that is not currently in use in a deployment.", - "privilege": "DeleteGroup", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "database*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a logger definition. Deleting a definition that is currently in use in a deployment affects future deployments.", - "privilege": "DeleteLoggerDefinition", + "description": "Grants permission to delete a development endpoint", + "privilege": "DeleteDevEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a resource definition.", - "privilege": "DeleteResourceDefinition", + "description": "Grants permission to delete a job", + "privilege": "DeleteJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a subscription definition. 
Deleting a definition that is currently in use in a deployment affects future deployments.", - "privilege": "DeleteSubscriptionDefinition", + "description": "Grants permission to delete an ML Transform", + "privilege": "DeleteMLTransform", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition*" + "resource_type": "mlTransform*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate the role from a group.", - "privilege": "DisassociateRoleFromGroup", + "description": "Grants permission to delete a partition", + "privilege": "DeletePartition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate the service role from an account. 
Without a service role, deployments will not work.", - "privilege": "DisassociateServiceRoleFromAccount", + "description": "Grants permission to delete a schema registry", + "privilege": "DeleteRegistry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information required to connect to a Greengrass core.", - "privilege": "Discover", + "access_level": "Permissions management", + "description": "Grants permission to delete a resource policy", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "catalog*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the role associated with a group.", - "privilege": "GetAssociatedRole", + "access_level": "Write", + "description": "Grants permission to delete a schema container", + "privilege": "DeleteSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return the status of a bulk deployment.", - "privilege": "GetBulkDeploymentStatus", - "resource_types": [ + "resource_type": "registry*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bulkDeployment*" + "resource_type": "schema*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the connectivity information for a core.", - "privilege": "GetConnectivityInfo", + "access_level": "Write", + "description": "Grants permission to delete a range of schema versions", + "privilege": "DeleteSchemaVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectivityInfo*" + "resource_type": "registry*" + }, + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "schema*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about a connector definition.", - "privilege": "GetConnectorDefinition", + "access_level": "Write", + "description": "Grants permission to delete a security configuration", + "privilege": "DeleteSecurityConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about a connector definition version.", - "privilege": "GetConnectorDefinitionVersion", + "access_level": "Write", + "description": "Grants permission to delete a table", + "privilege": "DeleteTable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition*" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinitionVersion*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about a core definition.", - "privilege": "GetCoreDefinition", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition*" + "resource_type": "table*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about a core definition version.", - "privilege": "GetCoreDefinitionVersion", + "access_level": "Write", + "description": "Grants permission to delete a version of a table", + "privilege": "DeleteTableVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition*" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinitionVersion*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return the status of a 
deployment.", - "privilege": "GetDeploymentStatus", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deployment*" + "resource_type": "table*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "tableversion*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about a device definition.", - "privilege": "GetDeviceDefinition", + "access_level": "Write", + "description": "Grants permission to delete a trigger", + "privilege": "DeleteTrigger", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about a device definition version.", - "privilege": "GetDeviceDefinitionVersion", + "access_level": "Write", + "description": "Grants permission to delete a function definition", + "privilege": "DeleteUserDefinedFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition*" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinitionVersion*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about a Lambda function definition, such as its creation time and latest version.", - "privilege": "GetFunctionDefinition", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition*" + "resource_type": "userdefinedfunction*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about a Lambda function definition version, such as which Lambda functions are included in the version and their configurations.", - "privilege": "GetFunctionDefinitionVersion", + 
"access_level": "Write", + "description": "Grants permission to delete a workflow", + "privilege": "DeleteWorkflow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "functionDefinitionVersion*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a group.", - "privilege": "GetGroup", + "description": "Grants permission to retrieve the catalog import status", + "privilege": "GetCatalogImportStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "catalog*" } ] }, { "access_level": "Read", - "description": "Grants permission to return the public key of the CA associated with a group.", - "privilege": "GetGroupCertificateAuthority", + "description": "Grants permission to retrieve a classifier", + "privilege": "GetClassifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "certificateAuthority*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the current configuration for the CA used by a group.", - "privilege": "GetGroupCertificateConfiguration", + "description": "Grants permission to list all classifiers", + "privilege": "GetClassifiers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a group version.", - "privilege": "GetGroupVersion", + "description": "Grants permission to retrieve a connection", + "privilege": "GetConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": 
"catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "groupVersion*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about a logger definition.", - "privilege": "GetLoggerDefinition", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "loggerDefinition*" + "resource_type": "connection*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a logger definition version.", - "privilege": "GetLoggerDefinitionVersion", + "description": "Grants permission to retrieve a list of connections", + "privilege": "GetConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition*" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinitionVersion*" + "resource_type": "connection*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a resource definition, such as its creation time and latest version.", - "privilege": "GetResourceDefinition", + "description": "Grants permission to retrieve a crawler", + "privilege": "GetCrawler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a resource definition version, such as which resources are included in the version.", - "privilege": "GetResourceDefinitionVersion", + "description": "Grants permission to retrieve metrics about crawlers", + "privilege": "GetCrawlerMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "resourceDefinitionVersion*" + "resource_type": "" } ] }, { 
"access_level": "Read", - "description": "Grants permission to retrieve the service role that is attached to an account.", - "privilege": "GetServiceRoleForAccount", + "description": "Grants permission to retrieve all crawlers", + "privilege": "GetCrawlers", "resource_types": [ { "condition_keys": [], 
@@ -70953,49 +82572,54 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a subscription definition.", - "privilege": "GetSubscriptionDefinition", + "description": "Grants permission to retrieve catalog encryption settings", + "privilege": "GetDataCatalogEncryptionSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a subscription definition version.", - "privilege": "GetSubscriptionDefinitionVersion", + "description": "Grants permission to retrieve a database", + "privilege": "GetDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition*" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinitionVersion*" + "resource_type": "database*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a paginated list of the deployments that have been started in a bulk deployment operation and their current deployment status.", - "privilege": "ListBulkDeploymentDetailedReports", + "access_level": "Read", + "description": "Grants permission to retrieve all databases", + "privilege": "GetDatabases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bulkDeployment*" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of bulk deployments.", - "privilege": "ListBulkDeployments", + "access_level": "Read", + "description": "Grants permission to transform a script into a directed acyclic graph (DAG)", + "privilege": "GetDataflowGraph", "resource_types": [ { "condition_keys": [], 
@@ -71005,21 +82629,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the versions of a connector definition.", - "privilege": "ListConnectorDefinitionVersions", + "access_level": "Read", + "description": "Grants permission to retrieve a development endpoint", + "privilege": "GetDevEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of connector definitions.", - "privilege": "ListConnectorDefinitions", + "access_level": "Read", + "description": "Grants permission to retrieve all development endpoints", + "privilege": "GetDevEndpoints", "resource_types": [ { "condition_keys": [], @@ -71029,21 +82653,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the versions of a core definition.", - "privilege": "ListCoreDefinitionVersions", + "access_level": "Read", + "description": "Grants permission to retrieve a job", + "privilege": "GetJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of core definitions.", - "privilege": "ListCoreDefinitions", + "access_level": "Read", + "description": "Grants permission to retrieve a job bookmark", + "privilege": "GetJobBookmark", "resource_types": [ { "condition_keys": [], 
@@ -71053,33 +82677,33 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of all deployments for a group.", - "privilege": "ListDeployments", + "access_level": "Read", + "description": "Grants permission to retrieve a job run", + "privilege": "GetJobRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the versions of a device definition.", - "privilege": "ListDeviceDefinitionVersions", + "access_level": "Read", + "description": "Grants permission to retrieve all job runs of a job", + "privilege": "GetJobRuns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of device definitions.", - "privilege": "ListDeviceDefinitions", + "access_level": "Read", + "description": "Grants permission to retrieve all current jobs", + "privilege": "GetJobs", "resource_types": [ { "condition_keys": [], 
@@ -71089,57 +82713,57 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the versions of a Lambda function definition.", - "privilege": "ListFunctionDefinitionVersions", + "access_level": "Read", + "description": "Grants permission to retrieve an ML Task Run", + "privilege": "GetMLTaskRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition*" + "resource_type": "mlTransform*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of Lambda function definitions.", - "privilege": "ListFunctionDefinitions", + "description": "Grants permission to retrieve all ML Task Runs", + "privilege": "GetMLTaskRuns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mlTransform*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of current CAs for a group.", - "privilege": "ListGroupCertificateAuthorities", + "access_level": "Read", + "description": "Grants permission to retrieve an ML Transform", + "privilege": "GetMLTransform", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "mlTransform*" } ] }, { "access_level": "List", - "description": "Grants permission to list the versions of a group.", - "privilege": "ListGroupVersions", + "description": "Grants permission to retrieve all ML Transforms", + "privilege": "GetMLTransforms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of groups.", - "privilege": "ListGroups", + "access_level": "Read", + "description": "Grants permission to create a mapping", + "privilege": "GetMapping", "resource_types": [ { "condition_keys": [], 
@@ -71149,736 +82773,499 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the versions of a logger definition.", - "privilege": "ListLoggerDefinitionVersions", + "access_level": "Read", + "description": "Grants permission to retrieve a partition", + "privilege": "GetPartition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition*" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of logger definitions.", - "privilege": "ListLoggerDefinitions", + "access_level": "Read", + "description": "Grants permission to retrieve the partitions of a table", + "privilege": "GetPartitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "catalog*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the versions of a resource definition.", - "privilege": "ListResourceDefinitionVersions", + "access_level": "Read", + "description": "Grants permission to retrieve a mapping for a script", + "privilege": "GetPlan", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of resource definitions.", - "privilege": "ListResourceDefinitions", + "access_level": "Read", + "description": "Grants permission to retrieve a schema registry", + "privilege": "GetRegistry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the versions of a subscription definition.", - "privilege": "ListSubscriptionDefinitionVersions", + "access_level": "Read", + "description": "Grants permission to retrieve resource policies", + "privilege": "GetResourcePolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition*" + "resource_type": "catalog*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of subscription definitions.", - "privilege": "ListSubscriptionDefinitions", + "access_level": "Read", + "description": "Grants permission to retrieve a resource policy", + "privilege": "GetResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "catalog*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the tags for a resource.", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to retrieve a schema container", + "privilege": "GetSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bulkDeployment" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "connectorDefinition" + "resource_type": "registry*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition" - }, + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a schema version based on schema definition", + "privilege": "GetSchemaByDefinition", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition" + "resource_type": "registry*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition" - }, + "resource_type": "schema*" + } + ] 
+ }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a schema version", + "privilege": "GetSchemaVersion", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group" + "resource_type": "registry" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition" - }, + "resource_type": "schema" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to compare two schema versions in schema registry", + "privilege": "GetSchemaVersionsDiff", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition" + "resource_type": "registry*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "Write", - "description": "Grants permission to reset a group's deployments.", - "privilege": "ResetDeployments", + "access_level": "Read", + "description": "Grants permission to retrieve a security configuration", + "privilege": "GetSecurityConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to deploy multiple groups in one operation.", - "privilege": "StartBulkDeployment", + "access_level": "Read", + "description": "Grants permission to retrieve one or more security configurations", + "privilege": "GetSecurityConfigurations", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop the execution of a bulk deployment.", - "privilege": "StopBulkDeployment", + 
"access_level": "Read", + "description": "Grants permission to retrieve a table", + "privilege": "GetTable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bulkDeployment*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to add tags to a resource.", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bulkDeployment" + "resource_type": "database*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition" - }, + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a version of a table", + "privilege": "GetTableVersion", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition" + "resource_type": "database*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition" + "resource_type": "table*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group" - }, + "resource_type": "tableversion*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of versions of a table", + "privilege": "GetTableVersions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition" + "resource_type": "database*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition" + "resource_type": "table*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + 
"resource_type": "tableversion*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource.", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to retrieve the tables in a database", + "privilege": "GetTables", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bulkDeployment" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition" + "resource_type": "database*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition" - }, + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve all tags associated with a resource", + "privilege": "GetTags", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition" + "resource_type": "crawler" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition" + "resource_type": "devendpoint" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group" + "resource_type": "job" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "resourceDefinition" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subscriptionDefinition" + "resource_type": "trigger" }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the connectivity information for a Greengrass core. 
Any devices that belong to the group that has this core will receive this information in order to find the location of the core and connect to it.", - "privilege": "UpdateConnectivityInfo", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "connectivityInfo*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a connector definition.", - "privilege": "UpdateConnectorDefinition", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connectorDefinition*" + "resource_type": "workflow" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a core definition.", - "privilege": "UpdateCoreDefinition", + "access_level": "Read", + "description": "Grants permission to retrieve a trigger", + "privilege": "GetTrigger", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "coreDefinition*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a device definition.", - "privilege": "UpdateDeviceDefinition", + "access_level": "Read", + "description": "Grants permission to retrieve the triggers associated with a job", + "privilege": "GetTriggers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deviceDefinition*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a Lambda function definition.", - "privilege": "UpdateFunctionDefinition", + "access_level": "Read", + "description": "Grants permission to retrieve a function definition.", + "privilege": "GetUserDefinedFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "functionDefinition*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a group.", - "privilege": "UpdateGroup", - "resource_types": [ + "resource_type": 
"catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the certificate expiry time for a group.", - "privilege": "UpdateGroupCertificateConfiguration", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "userdefinedfunction*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a logger definition.", - "privilege": "UpdateLoggerDefinition", + "access_level": "Read", + "description": "Grants permission to retrieve multiple function definitions", + "privilege": "GetUserDefinedFunctions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "loggerDefinition*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a resource definition.", - "privilege": "UpdateResourceDefinition", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resourceDefinition*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a subscription definition.", - "privilege": "UpdateSubscriptionDefinition", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subscriptionDefinition*" + "resource_type": "userdefinedfunction*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/things/${ThingName}/connectivityInfo", - "condition_keys": [], - "resource": "connectivityInfo" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}/artifacts/lambda/${ArtifactId}", - "condition_keys": [], - "resource": "artifact" - }, - { - "arn": 
"arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/certificateauthorities/${CertificateAuthorityId}", - "condition_keys": [], - "resource": "certificateAuthority" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}", - "condition_keys": [], - "resource": "deployment" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/bulk/deployments/${BulkDeploymentId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "bulkDeployment" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "group" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/versions/${VersionId}", - "condition_keys": [], - "resource": "groupVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "coreDefinition" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}/versions/${VersionId}", - "condition_keys": [], - "resource": "coreDefinitionVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "deviceDefinition" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId}/versions/${VersionId}", - "condition_keys": [], - "resource": "deviceDefinitionVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "functionDefinition" - }, - { - 
"arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId}/versions/${VersionId}", - "condition_keys": [], - "resource": "functionDefinitionVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "subscriptionDefinition" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId}/versions/${VersionId}", - "condition_keys": [], - "resource": "subscriptionDefinitionVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "loggerDefinition" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId}/versions/${VersionId}", - "condition_keys": [], - "resource": "loggerDefinitionVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "resourceDefinition" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}/versions/${VersionId}", - "condition_keys": [], - "resource": "resourceDefinitionVersion" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "connectorDefinition" - }, - { - "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId}/versions/${VersionId}", - "condition_keys": [], - "resource": "connectorDefinitionVersion" - }, - { - "arn": 
"arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", - "condition_keys": [], - "resource": "thing" - } - ], - "service_name": "AWS IoT Greengrass" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the Ground Station service.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the Ground Station service.", - "type": "String" - }, - { - "condition": "groundstation:configId", - "description": "Filters access by the ID of a config", - "type": "String" - }, - { - "condition": "groundstation:configType", - "description": "Filters access by the type of a config", - "type": "String" - }, - { - "condition": "groundstation:contactId", - "description": "Filters access by the ID of a contact", - "type": "String" - }, - { - "condition": "groundstation:dataflowEndpointGroupId", - "description": "Filters access by the ID of a dataflow endpoint group", - "type": "String" }, { - "condition": "groundstation:groundStationId", - "description": "Filters access by the ID of a ground station", - "type": "String" - }, - { - "condition": "groundstation:missionProfileId", - "description": "Filters access by the ID of a mission profile", - "type": "String" - }, - { - "condition": "groundstation:satelliteId", - "description": "Filters access by the ID of a satellite", - "type": "String" - } - ], - "prefix": "groundstation", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to cancel a contact", - "privilege": "CancelContact", + "access_level": "Read", + "description": "Grants permission to retrieve a workflow", + "privilege": "GetWorkflow", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "Contact*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a configuration", - "privilege": "CreateConfig", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a data flow endpoint group", - "privilege": "CreateDataflowEndpointGroup", + "access_level": "Read", + "description": "Grants permission to retrieve a workflow run", + "privilege": "GetWorkflowRun", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a mission profile", - "privilege": "CreateMissionProfile", + "access_level": "Read", + "description": "Grants permission to retrieve workflow run properties", + "privilege": "GetWorkflowRunProperties", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a config", - "privilege": "DeleteConfig", + "access_level": "Read", + "description": "Grants permission to retrieve all runs of a workflow", + "privilege": "GetWorkflowRuns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Config*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a data flow endpoint group", - "privilege": "DeleteDataflowEndpointGroup", + "description": "Grants permission to import an Athena data catalog into AWS Glue", + "privilege": "ImportCatalogToGlue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"DataflowEndpointGroup*" + "resource_type": "catalog*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a mission profile", - "privilege": "DeleteMissionProfile", + "access_level": "List", + "description": "Grants permission to retrieve all crawlers", + "privilege": "ListCrawlers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "MissionProfile*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a contact", - "privilege": "DescribeContact", + "access_level": "List", + "description": "Grants permission to retrieve all development endpoints", + "privilege": "ListDevEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Contact*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to return a configuration", - "privilege": "GetConfig", + "access_level": "List", + "description": "Grants permission to retrieve all current jobs", + "privilege": "ListJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Config*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to return a data flow endpoint group", - "privilege": "GetDataflowEndpointGroup", + "access_level": "List", + "description": "Grants permission to retrieve all ML Transforms", + "privilege": "ListMLTransforms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "DataflowEndpointGroup*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to return minutes usage", - "privilege": "GetMinuteUsage", + "access_level": "List", + "description": "Grants permission to retrieve a list of schema registries", + "privilege": "ListRegistries", "resource_types": [ { "condition_keys": [], 
@@ -71888,45 +83275,38 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a mission profile", - "privilege": "GetMissionProfile", + "access_level": "List", + "description": "Grants permission to retrieve a list of schema versions", + "privilege": "ListSchemaVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "MissionProfile*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to return information about a satellite", - "privilege": "GetSatellite", - "resource_types": [ + "resource_type": "registry*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Satellite*" + "resource_type": "schema*" } ] }, { "access_level": "List", - "description": "Grants permisson to return a list of past configurations", - "privilege": "ListConfigs", + "description": "Grants permission to retrieve a list of schema containers", + "privilege": "ListSchemas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry" } ] }, { "access_level": "List", - "description": "Grants permission to return a list of contacts", - "privilege": "ListContacts", + "description": "Grants permission to retrieve all triggers", + "privilege": "ListTriggers", "resource_types": [ { "condition_keys": [], @@ -71937,8 +83317,8 @@ }, { "access_level": "List", - "description": "Grants permission to list data flow endpoint groups", - "privilege": "ListDataflowEndpointGroups", + "description": "Grants permission to retrieve all workflows", + "privilege": "ListWorkflows", "resource_types": [ { "condition_keys": [], 
@@ -71948,21 +83328,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list ground stations", - "privilege": "ListGroundStations", + "access_level": "Write", + "description": "Grants permission to notify an event to the event-driven workflow", + "privilege": "NotifyEvent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workflow*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of mission profiles", - "privilege": "ListMissionProfiles", + "access_level": "Write", + "description": "Grants permission to update catalog encryption settings", + "privilege": "PutDataCatalogEncryptionSettings", "resource_types": [ { "condition_keys": [], 
@@ -71972,236 +83352,147 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list satellites", - "privilege": "ListSatellites", + "access_level": "Permissions management", + "description": "Grants permission to update a resource policy", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "catalog*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to add metadata to schema version", + "privilege": "PutSchemaVersionMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Config" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Contact" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DataflowEndpointGroup" + "resource_type": "registry" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "MissionProfile" + "resource_type": "schema" } ] }, { "access_level": "Write", - "description": "Grants permission to reserve a contact", - "privilege": "ReserveContact", + "description": "Grants permission to update workflow run properties", + "privilege": "PutWorkflowRunProperties", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to assign a resource tag", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to fetch metadata for a schema version", + "privilege": "QuerySchemaVersionMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Config" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": 
"Contact" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DataflowEndpointGroup" + "resource_type": "registry" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "MissionProfile" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "schema" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to deassign a resource tag", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a new schema version", + "privilege": "RegisterSchemaVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Config" + "resource_type": "registry*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Contact" - }, + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove metadata from schema version", + "privilege": "RemoveSchemaVersionMetadata", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "DataflowEndpointGroup" + "resource_type": "registry" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "MissionProfile" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "schema" } ] }, { "access_level": "Write", - "description": "Grants permission to update a configuration", - "privilege": "UpdateConfig", + "description": "Grants permission to reset a job bookmark", + "privilege": "ResetJobBookmark", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Config*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a mission profile", - "privilege": "UpdateMissionProfile", + "description": "Grants permission to resume a workflow run", + "privilege": 
"ResumeWorkflowRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "MissionProfile*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:config/${configType}/${configId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "groundstation:configId", - "groundstation:configType" - ], - "resource": "Config" }, - { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:contact/${contactId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "groundstation:contactId" - ], - "resource": "Contact" - }, - { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:dataflow-endpoint-group/${dataflowEndpointGroupId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "groundstation:dataflowEndpointGroupId" - ], - "resource": "DataflowEndpointGroup" - }, - { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:groundstation:${groundStationId}", - "condition_keys": [ - "groundstation:groundStationId" - ], - "resource": "GroundStationResource" - }, - { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:mission-profile/${missionProfileId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "groundstation:missionProfileId" - ], - "resource": "MissionProfile" - }, - { - "arn": "arn:${Partition}:groundstation:${Region}:${Account}:satellite/${satelliteId}", - "condition_keys": [ - "groundstation:satelliteId" - ], - "resource": "Satellite" - } - ], - "service_name": "AWS Ground Station" - }, - { - "conditions": [], - "prefix": "groundtruthlabeling", - "privileges": [ { "access_level": "Read", - "description": "Get status of GroundTruthLabeling Jobs.", - "privilege": "DescribeConsoleJob", + "description": "Grants permission to retrieve the tables in the catalog", + "privilege": "SearchTables", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - 
"description": "Paginated list API to list dataset objects in a manifest file.", - "privilege": "ListDatasetObjects", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Filter records from a manifest file using S3 select. Get sample entries based on random sampling.", - "privilege": "RunFilterOrSampleDatasetJob", + "description": "Grants permission to start a crawler", + "privilege": "StartCrawler", "resource_types": [ { "condition_keys": [], @@ -72212,8 +83503,8 @@ }, { "access_level": "Write", - "description": "List a S3 prefix and create manifest files from objects in that location.", - "privilege": "RunGenerateManifestByCrawlingJob", + "description": "Grants permission to change the schedule state of a crawler to SCHEDULED", + "privilege": "StartCrawlerSchedule", "resource_types": [ { "condition_keys": [], 
@@ -72221,65 +83512,38 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "Amazon GroundTruth Labeling" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "guardduty", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to accept invitations to become a GuardDuty member account", - "privilege": "AcceptInvitation", + "description": "Grants permission to start an Export Labels ML Task Run", + "privilege": "StartExportLabelsTaskRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "mlTransform*" } ] }, { "access_level": "Write", - "description": "Grants permission to archive GuardDuty findings", - "privilege": "ArchiveFindings", + "description": "Grants permission to start an Import Labels ML Task Run", + "privilege": "StartImportLabelsTaskRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "mlTransform*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a detector", - "privilege": "CreateDetector", + "description": "Grants permission to start running a job", + "privilege": "StartJobRun", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -72287,107 +83551,80 @@ }, { "access_level": "Write", - "description": "Grants permission to create GuardDuty filters. A filters defines finding attributes and conditions used to filter findings", - "privilege": "CreateFilter", + "description": "Grants permission to start an Evaluation ML Task Run", + "privilege": "StartMLEvaluationTaskRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "mlTransform*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an IPSet", - "privilege": "CreateIPSet", + "description": "Grants permission to start a Labeling Set Generation ML Task Run", + "privilege": "StartMLLabelingSetGenerationTaskRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "mlTransform*" } ] }, { "access_level": "Write", - "description": "Grants permission to create GuardDuty member accounts, where the account used to create a member becomes the GuardDuty administrator account", - "privilege": "CreateMembers", + "description": "Grants permission to start a trigger", + "privilege": "StartTrigger", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a publishing destination", - "privilege": "CreatePublishingDestination", + "description": "Grants permission to start running a workflow", + "privilege": "StartWorkflowRun", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "s3:GetObject", - "s3:ListBucket" - ], - "resource_type": "detector*" + "dependent_actions": [], + 
"resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create sample findings", - "privilege": "CreateSampleFindings", + "description": "Grants permission to stop a running crawler", + "privilege": "StopCrawler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create GuardDuty ThreatIntelSets, where a ThreatIntelSet consists of known malicious IP addresses used by GuardDuty to generate findings", - "privilege": "CreateThreatIntelSet", + "description": "Grants permission to set the schedule state of a crawler to NOT_SCHEDULED", + "privilege": "StopCrawlerSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to decline invitations to become a GuardDuty member account", - "privilege": "DeclineInvitations", + "description": "Grants permission to stop a trigger", + "privilege": "StopTrigger", "resource_types": [ { "condition_keys": [], 
@@ -72398,141 +83635,128 @@ }, { "access_level": "Write", - "description": "Grants permission to delete GuardDuty detectors", - "privilege": "DeleteDetector", + "description": "Grants permission to stop a workflow run", + "privilege": "StopWorkflowRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete GuardDuty filters", - "privilege": "DeleteFilter", + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "crawler" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "filter*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete GuardDuty IPSets", - "privilege": "DeleteIPSet", - "resource_types": [ + "resource_type": "devendpoint" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "job" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "ipset*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete invitations to become a GuardDuty member account", - "privilege": "DeleteInvitations", - "resource_types": [ + "resource_type": "trigger" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "workflow" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete GuardDuty member accounts", - "privilege": "DeleteMembers", + "access_level": "Tagging", + "description": "Grants permission to remove tags associated with a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "detector*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a publishing destination", - "privilege": "DeletePublishingDestination", - "resource_types": [ + "resource_type": "crawler" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "devendpoint" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "publishingDestination*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete GuardDuty ThreatIntelSets", - "privilege": "DeleteThreatIntelSet", - "resource_types": [ + "resource_type": "job" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "trigger" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "threatintelset*" + "resource_type": "workflow" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about the delegated administrator associated with a GuardDuty detector", - "privilege": "DescribeOrganizationConfiguration", + "access_level": "Write", + "description": "Grants permission to update a classifier", + "privilege": "UpdateClassifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about a publishing destination", - "privilege": "DescribePublishingDestination", + "access_level": "Write", + "description": "Grants permission to update a connection", + "privilege": "UpdateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"publishingDestination*" + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable the organization delegated administrator for GuardDuty", - "privilege": "DisableOrganizationAdminAccount", + "description": "Grants permission to update a crawler", + "privilege": "UpdateCrawler", "resource_types": [ { "condition_keys": [], 
@@ -72543,179 +83767,150 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate a GuardDuty member account from its GuardDuty master account", - "privilege": "DisassociateFromMasterAccount", + "description": "Grants permission to update the schedule of a crawler", + "privilege": "UpdateCrawlerSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate GuardDuty member accounts from their master GuardDuty account", - "privilege": "DisassociateMembers", + "description": "Grants permission to update a database", + "privilege": "UpdateDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to enable an organization delegated administrator for GuardDuty", - "privilege": "EnableOrganizationAdminAccount", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "database*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve GuardDuty detectors", - "privilege": "GetDetector", + "access_level": "Write", + "description": "Grants permission to update a development endpoint", + "privilege": "UpdateDevEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve GuardDuty filters", - "privilege": "GetFilter", + "access_level": "Write", + "description": "Grants permission to update a job", + "privilege": "UpdateJob", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "detector*" - }, - { - "condition_keys": [], + "condition_keys": [ + "glue:VpcIds", + 
"glue:SubnetIds", + "glue:SecurityGroupIds" + ], "dependent_actions": [], - "resource_type": "filter*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve GuardDuty findings", - "privilege": "GetFindings", + "access_level": "Write", + "description": "Grants permission to update an ML Transform", + "privilege": "UpdateMLTransform", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "mlTransform*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of GuardDuty finding statistics", - "privilege": "GetFindingsStatistics", + "access_level": "Write", + "description": "Grants permission to update a partition", + "privilege": "UpdatePartition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permsission to retrieve GuardDuty IPSets", - "privilege": "GetIPSet", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "database*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "ipset*" + "resource_type": "table*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the count of all GuardDuty invitations sent to a specified account, which does not include the accepted invitation", - "privilege": "GetInvitationsCount", + "access_level": "Write", + "description": "Grants permission to update a schema registry", + "privilege": "UpdateRegistry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details of the GuardDuty master account associated with a member account", - "privilege": "GetMasterAccount", + 
"access_level": "Write", + "description": "Grants permission to update a schema container", + "privilege": "UpdateSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the member accounts associated with a master account", - "privilege": "GetMembers", - "resource_types": [ + "resource_type": "registry*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "schema*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve GuardDuty ThreatIntelSets", - "privilege": "GetThreatIntelSet", + "access_level": "Write", + "description": "Grants permission to update a table", + "privilege": "UpdateTable", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "catalog*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "threatintelset*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to invite other AWS accounts to enable GuardDuty and become GuardDuty member accounts", - "privilege": "InviteMembers", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "table*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of GuardDuty detectors", - "privilege": "ListDetectors", + "access_level": "Write", + "description": "Grants permission to update a trigger", + "privilege": "UpdateTrigger", "resource_types": [ { "condition_keys": [], 
@@ -72725,45 +83920,31 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of GuardDuty filters", - "privilege": "ListFilters", + "access_level": "Write", + "description": "Grants permission to update a function definition", + "privilege": "UpdateUserDefinedFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve a list of GuardDuty findings", - "privilege": "ListFindings", - "resource_types": [ + "resource_type": "catalog*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve a list of GuardDuty IPSets", - "privilege": "ListIPSets", - "resource_types": [ + "resource_type": "database*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "userdefinedfunction*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a lists of all of the GuardDuty membership invitations that were sent to an AWS account", - "privilege": "ListInvitations", + "access_level": "Write", + "description": "Grants permission to update a workflow", + "privilege": "UpdateWorkflow", "resource_types": [ { "condition_keys": [], 
@@ -72773,373 +83954,446 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrierve a lsit of GuardDuty member accounts associated with a master account", - "privilege": "ListMembers", + "access_level": "Write", + "description": "Grants permission to use an ML Transform from within a Glue ETL Script", + "privilege": "UseMLTransforms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "mlTransform*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:catalog", + "condition_keys": [], + "resource": "catalog" }, { - "access_level": "List", - "description": "Grants permission to list details about the organization delegated administrator for GuardDuty", - "privilege": "ListOrganizationAdminAccounts", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName}", + "condition_keys": [], + "resource": "database" }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of publishing destinations", - "privilege": "ListPublishingDestinations", + "arn": "arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName}", + "condition_keys": [], + "resource": "table" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:tableVersion/${DatabaseName}/${TableName}/${TableVersionName}", + "condition_keys": [], + "resource": "tableversion" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName}", + "condition_keys": [], + "resource": "connection" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName}", + "condition_keys": [], + "resource": "userdefinedfunction" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:devEndpoint/${DevEndpointName}", + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "resource": "devendpoint" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:job/${JobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "job" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:trigger/${TriggerName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "trigger" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:crawler/${CrawlerName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "crawler" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:workflow/${WorkflowName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "workflow" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "mlTransform" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:registry/${RegistryName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "registry" + }, + { + "arn": "arn:${Partition}:glue:${Region}:${Account}:schema/${SchemaName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "schema" + } + ], + "service_name": "AWS Glue" + }, + { + "conditions": [], + "prefix": "grafana", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a workspace", + "privilege": "CreateWorkspace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of tags associated with a GuardDuty resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to delete a workspace", + "privilege": "DeleteWorkspace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector" - }, - { - 
"condition_keys": [], - "dependent_actions": [], - "resource_type": "filter" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ipset" - }, + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a workspace", + "privilege": "DescribeWorkspace", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "threatintelset" + "resource_type": "workspace*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of GuardDuty ThreatIntelSets", - "privilege": "ListThreatIntelSets", + "description": "Grants permission to list the permissions on a wokspace", + "privilege": "ListPermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "workspace*" } ] }, { - "access_level": "Write", - "description": "Grants permission to a GuardDuty administrator account to monitor findings from GuardDuty member accounts", - "privilege": "StartMonitoringMembers", + "access_level": "List", + "description": "Grants permission to list workspaces", + "privilege": "ListWorkspaces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable monitoring findings from member accounts", - "privilege": "StopMonitoringMembers", + "access_level": "Permissions management", + "description": "Grants permission to modify the permissions on a workspace", + "privilege": "UpdatePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to add tags to a GuardDuty resource", - "privilege": "TagResource", + "description": "Grants permission to modify a workspace", + "privilege": 
"UpdateWorkspace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "filter" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ipset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "threatintelset" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "workspace*" } ] - }, + } + ], + "resources": [ + { + "arn": "arn:${Partition}:grafana::${Region}:${Account}:workspaces/${ResourceId}", + "condition_keys": [], + "resource": "workspace" + } + ], + "service_name": "Amazon Managed Service for Grafana" + }, + { + "conditions": [], + "prefix": "grafana", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to unarchive GuardDuty findings", - "privilege": "UnarchiveFindings", + "description": "Grants permission to upgrade a workspace with a license", + "privilege": "AssociateLicense", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "detector*" + "dependent_actions": [ + "aws-marketplace:ViewSubscriptions" + ], + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove tags from a GuardDuty resource", - "privilege": "UntagResource", + "description": "Grants permission to create a workspace", + "privilege": "CreateWorkspace", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "detector" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "filter" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ipset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "threatintelset" - }, - { - "condition_keys": [ - "aws:TagKeys" + "dependent_actions": [ + 
"organizations:DescribeOrganization", + "sso:CreateManagedApplicationInstance", + "sso:DescribeRegisteredRegions", + "sso:GetSharedSsoConfiguration" ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update GuardDuty detectors", - "privilege": "UpdateDetector", + "description": "Grants permission to delete a workspace", + "privilege": "DeleteWorkspace", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "detector*" + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "workspace*" } ] }, { - "access_level": "Write", - "description": "Grants permission to updates GuardDuty filters", - "privilege": "UpdateFilter", + "access_level": "Read", + "description": "Grants permission to describe a workspace", + "privilege": "DescribeWorkspace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - }, + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe authetication providers on a workspace", + "privilege": "DescribeWorkspaceAuthentication", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "filter*" + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to update findings feedback to mark GuardDuty findings as useful or not useful", - "privilege": "UpdateFindingsFeedback", + "description": "Grants permission to remove a license from a workspace", + "privilege": "DisassociateLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "workspace*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update GuardDuty IPSets", - "privilege": "UpdateIPSet", + "access_level": "List", + "description": "Grants permission to list the permissions on 
a wokspace", + "privilege": "ListPermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - }, + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list workspaces", + "privilege": "ListWorkspaces", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ipset*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the delegated administrator configuration associated with a GuardDuty detector", - "privilege": "UpdateOrganizationConfiguration", + "access_level": "Permissions management", + "description": "Grants permission to modify the permissions on a workspace", + "privilege": "UpdatePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a publishing destination", - "privilege": "UpdatePublishingDestination", + "description": "Grants permission to modify a workspace", + "privilege": "UpdateWorkspace", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "s3:GetObject", - "s3:ListBucket" - ], - "resource_type": "detector*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "publishingDestination*" + "resource_type": "workspace*" } ] }, { "access_level": "Write", - "description": "Grants permission to updates the GuardDuty ThreatIntelSets", - "privilege": "UpdateThreatIntelSet", + "description": "Grants permission to modify authetication providers on a workspace", + "privilege": "UpdateWorkspaceAuthentication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detector*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "threatintelset*" + "resource_type": "workspace*" } ] } ], 
"resources": [ { - "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "detector" + "arn": "arn:${Partition}:grafana::${Region}:${Account}:/workspaces/${ResourceId}", + "condition_keys": [], + "resource": "workspace" + } + ], + "service_name": "Amazon Managed Grafana" + }, + { + "conditions": [ + { + "condition": "aws:CurrentTime", + "description": "Filters access by checking date/time conditions for the current date and time", + "type": "Date" }, { - "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/filter/${FilterName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "filter" + "condition": "aws:EpochTime", + "description": "Filters access by checking date/time conditions for the current date and time in epoch or Unix time", + "type": "Date" }, { - "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/ipset/${IPSetId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ipset" + "condition": "aws:MultiFactorAuthAge", + "description": "Filters access by checking how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA", + "type": "Numeric" }, { - "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/threatintelset/${ThreatIntelSetId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "threatintelset" + "condition": "aws:MultiFactorAuthPresent", + "description": "Filters access by checking whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request", + "type": "Boolean" }, { - "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/publishingDestination/${PublishingDestinationId}", - "condition_keys": [], - "resource": "publishingDestination" - } - ], - 
"service_name": "Amazon GuardDuty" - }, - { - "conditions": [ + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters create requests based on the allowed set of values for each of the mandatory tags", + "type": "String" + }, { - "condition": "health:eventTypeCode", - "description": "The type of event.", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tag value associated with the resource", "type": "String" }, { - "condition": "health:service", - "description": "The service of the event.", + "condition": "aws:SecureTransport", + "description": "Filters access by checking whether the request was sent using SSL", + "type": "Boolean" + }, + { + "condition": "aws:TagKeys", + "description": "Filters create requests based on the presence of mandatory tags in the request", + "type": "String" + }, + { + "condition": "aws:UserAgent", + "description": "Filters access by the requester's client application", "type": "String" } ], - "prefix": "health", + "prefix": "greengrass", "privileges": [ { - "access_level": "Read", - "description": "Gets a list of accounts that have been affected by the specified events in organization.", - "privilege": "DescribeAffectedAccountsForOrganization", + "access_level": "Write", + "description": "Grants permission to cancel a deployment", + "privilege": "CancelDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "organizations:ListAccounts" + "iot:CancelJob", + "iot:DeleteThingShadow", + "iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow", + "iot:UpdateJob", + "iot:UpdateThingShadow" ], - "resource_type": "" + "resource_type": "deployment*" } ] }, { - "access_level": "Read", - "description": "Gets a list of entities that have been affected by the specified events.", - "privilege": "DescribeAffectedEntities", + "access_level": "Write", + "description": "Grants permission to create a component", + "privilege": 
"CreateComponentVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event*" + "resource_type": "component*" }, { "condition_keys": [ - "health:eventTypeCode", - "health:service" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
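Review bot: The added data defines `"prefix": "grafana"` twice in this hunk, once as "Amazon Managed Service for Grafana" and once as "Amazon Managed Grafana", and the two objects disagree: only the second lists `AssociateLicense`, `DescribeWorkspaceAuthentication`, `DisassociateLicense` and `UpdateWorkspaceAuthentication`, and the workspace ARN is `workspaces/${ResourceId}` in one and `/workspaces/${ResourceId}` in the other. The lookup code is not part of this diff, but if it resolves a service by the first object whose prefix matches, policies that use those four actions would presumably be flagged as unknown and resource checks would run against the older ARN form. Keep a single `"prefix": "grafana"` object, or make the lookup merge objects that share a prefix. Both ARN patterns also contain a doubled colon, `grafana::${Region}:${Account}`, unlike the `glue:${Region}:${Account}` patterns earlier in the hunk, so they are worth checking against the service reference before resource matching relies on them. The same prefix repetition appears for `greengrass` in the hunk that follows, where "AWS IoT Greengrass V2" is followed by a second `"prefix": "greengrass"` object.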
@@ -73147,494 +84401,437 @@ ] }, { - "access_level": "Read", - "description": "Gets a list of entities that have been affected by the specified events and accounts in organization.", - "privilege": "DescribeAffectedEntitiesForOrganization", + "access_level": "Write", + "description": "Grants permission to create a deployment", + "privilege": "CreateDeployment", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [ - "organizations:ListAccounts" + "iot:CancelJob", + "iot:CreateJob", + "iot:DeleteThingShadow", + "iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow", + "iot:UpdateJob", + "iot:UpdateThingShadow" ], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns the number of entities that are affected by each of the specified events.", - "privilege": "DescribeEntityAggregates", + "access_level": "Write", + "description": "Grants permission to delete a component", + "privilege": "DeleteComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "componentVersion*" } ] }, { - "access_level": "Read", - "description": "Returns the number of events of each event type (issue, scheduled change, and account notification).", - "privilege": "DescribeEventAggregates", + "access_level": "Write", + "description": "Grants permission to delete a AWS IoT Greengrass core device, which is an AWS IoT thing. This operation removes the core device from the list of core devices. 
This operation doesn't delete the AWS IoT thing", + "privilege": "DeleteCoreDevice", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "iot:DescribeJobExecution" + ], + "resource_type": "coreDevice*" } ] }, { "access_level": "Read", - "description": "Returns detailed information about one or more specified events.", - "privilege": "DescribeEventDetails", + "description": "Grants permission to retrieve metadata for a version of a component", + "privilege": "DescribeComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "event*" - }, - { - "condition_keys": [ - "health:eventTypeCode", - "health:service" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "componentVersion*" } ] }, { "access_level": "Read", - "description": "Returns detailed information about one or more specified events for provided accounts in organization.", - "privilege": "DescribeEventDetailsForOrganization", + "description": "Grants permission to get the recipe for a version of a component", + "privilege": "GetComponent", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "organizations:ListAccounts" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "componentVersion*" } ] }, { "access_level": "Read", - "description": "Returns the event types that meet the specified filter criteria.", - "privilege": "DescribeEventTypes", + "description": "Grants permission to get the pre-signed URL to download a public component artifact", + "privilege": "GetComponentVersionArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "componentVersion*" } ] }, { "access_level": "Read", - "description": "Returns information about events that meet the specified filter criteria.", - "privilege": "DescribeEvents", + "description": "Grants permission to retrieves metadata for a AWS 
IoT Greengrass core device", + "privilege": "GetCoreDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "coreDevice*" } ] }, { "access_level": "Read", - "description": "Returns information about events that meet the specified filter criteria in organization.", - "privilege": "DescribeEventsForOrganization", + "description": "Grants permission to get a deployment", + "privilege": "GetDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "organizations:ListAccounts" + "iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow" ], - "resource_type": "" + "resource_type": "deployment*" } ] }, { - "access_level": "Read", - "description": "Returns the status of enabling or disabling the Organizational View feature", - "privilege": "DescribeHealthServiceStatusForOrganization", + "access_level": "List", + "description": "Grants permission to retrieve a paginated list of all versions for a component", + "privilege": "ListComponentVersions", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "organizations:ListAccounts" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "component*" } ] }, { - "access_level": "Permissions management", - "description": "Disables the Organizational View feature.", - "privilege": "DisableHealthServiceAccessForOrganization", + "access_level": "List", + "description": "Grants permission to retrieve a paginated list of component summaries", + "privilege": "ListComponents", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "organizations:DisableAWSServiceAccess", - "organizations:ListAccounts" - ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Enables the Organizational View feature.", - "privilege": "EnableHealthServiceAccessForOrganization", + "access_level": "List", + "description": 
"Grants permission to retrieve a paginated list of AWS IoT Greengrass core devices", + "privilege": "ListCoreDevices", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole", - "organizations:EnableAWSServiceAccess", - "organizations:ListAccounts" - ], + "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:health:*::event/${Service}/${EventTypeCode}/*", - "condition_keys": [], - "resource": "event" - } - ], - "service_name": "AWS Health APIs and Notifications" - }, - { - "conditions": [], - "prefix": "honeycode", - "privileges": [ + }, { - "access_level": "Write", - "description": "Grants permission to approve a team association request for your AWS Account", - "privilege": "ApproveTeamAssociation", + "access_level": "List", + "description": "Grants permission to retrieves a paginated list of deployments", + "privilege": "ListDeployments", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow" + ], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create new rows in a table", - "privilege": "BatchCreateTableRows", + "access_level": "List", + "description": "Grants permission to retrieves a paginated list of deployment jobs that AWS IoT Greengrass sends to AWS IoT Greengrass core devices", + "privilege": "ListEffectiveDeployments", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "table*" + "dependent_actions": [ + "iot:DescribeJob", + "iot:DescribeJobExecution", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow" + ], + "resource_type": "coreDevice*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete rows from a table", - "privilege": "BatchDeleteTableRows", + "access_level": "List", + 
"description": "Grants permission to retrieve a paginated list of the components that a AWS IoT Greengrass core device runs", + "privilege": "ListInstalledComponents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "coreDevice*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update rows in a table", - "privilege": "BatchUpdateTableRows", + "access_level": "List", + "description": "Grants permission to list the tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to upsert rows in a table", - "privilege": "BatchUpsertTableRows", - "resource_types": [ + "resource_type": "component" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a new tenant within Amazon Honeycode for your AWS Account", - "privilege": "CreateTenant", - "resource_types": [ + "resource_type": "componentVersion" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get details about a table data import job", - "privilege": "DescribeTableDataImportJob", - "resource_types": [ + "resource_type": "coreDevice" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to load the data from a screen", - "privilege": "GetScreenData", - "resource_types": [ + "resource_type": "deployment" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "screen*" + "resource_type": "" } ] }, { - "access_level": "Write", - 
"description": "Grants permission to invoke a screen automation", - "privilege": "InvokeScreenAutomation", + "access_level": "List", + "description": "Grants permission to list components that meet the component, version, and platform requirements of a deployment", + "privilege": "ResolveComponentCandidates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "screen-automation*" + "resource_type": "componentVersion*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the columns in a table", - "privilege": "ListTableColumns", + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the rows in a table", - "privilege": "ListTableRows", - "resource_types": [ + "resource_type": "component" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the tables in a workbook", - "privilege": "ListTables", - "resource_types": [ + "resource_type": "componentVersion" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "workbook*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all pending and approved team associations with your AWS Account", - "privilege": "ListTeamAssociations", - "resource_types": [ + "resource_type": "coreDevice" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "deployment" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all tenants of Amazon Honeycode for your AWS Account", - "privilege": 
"ListTenants", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to query the rows of a table using a filter", - "privilege": "QueryTableRows", - "resource_types": [ + "resource_type": "component" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to reject a team association request for your AWS Account", - "privilege": "RejectTeamAssociation", - "resource_types": [ + "resource_type": "componentVersion" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start a table data import job", - "privilege": "StartTableDataImportJob", - "resource_types": [ + "resource_type": "coreDevice" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "table*" + "resource_type": "deployment" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:honeycode:${Region}:${Account}:workbook:workbook/${WorkbookId}", - "condition_keys": [], - "resource": "workbook" + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:components:${ComponentName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "component" }, { - "arn": "arn:${Partition}:honeycode:${Region}:${Account}:table:workbook/${WorkbookId}/table/${TableId}", - "condition_keys": [], - "resource": "table" + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:components:${ComponentName}:versions:${ComponentVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": 
"componentVersion" }, { - "arn": "arn:${Partition}:honeycode:${Region}:${Account}:screen:workbook/${WorkbookId}/app/${AppId}/screen/${ScreenId}", - "condition_keys": [], - "resource": "screen" + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:coreDevices:${CoreDeviceThingName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "coreDevice" }, { - "arn": "arn:${Partition}:honeycode:${Region}:${Account}:screen-automation:workbook/${WorkbookId}/app/${AppId}/screen/${ScreenId}/automation/${AutomationId}", - "condition_keys": [], - "resource": "screen-automation" + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:deployments:${DeploymentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deployment" } ], - "service_name": "Amazon Honeycode" + "service_name": "AWS IoT Greengrass V2" }, { "conditions": [ { - "condition": "iam:AWSServiceName", - "description": "Filters access by the AWS service to which this role is attached", - "type": "String" + "condition": "aws:CurrentTime", + "description": "Filters actions based on date/time conditions for the current date and time", + "type": "Date" }, { - "condition": "iam:AssociatedResourceArn", - "description": "Filters by the resource that the role will be used on behalf of", - "type": "ARN" + "condition": "aws:EpochTime", + "description": "Filters actions based on date/time conditions for the current date and time in epoch or Unix time", + "type": "Date" }, { - "condition": "iam:OrganizationsPolicyId", - "description": "Filters access by the ID of an AWS Organizations policy", - "type": "String" + "condition": "aws:MultiFactorAuthAge", + "description": "Filters actions based on how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA", + "type": "Numeric" }, { - "condition": "iam:PassedToService", - "description": "Filters access by the AWS service to which this role is passed", + 
"condition": "aws:MultiFactorAuthPresent", + "description": "Filters actions based on whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request", + "type": "Boolean" + }, + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the mandatory tags", "type": "String" }, { - "condition": "iam:PermissionsBoundary", - "description": "Filters access if the specified policy is set as the permissions boundary on the IAM entity (user or role)", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tag value associated with the resource", "type": "String" }, { - "condition": "iam:PolicyARN", - "description": "Filters access by the ARN of an IAM policy", - "type": "ARN" + "condition": "aws:SecureTransport", + "description": "Filters actions based on whether the request was sent using SSL", + "type": "Boolean" }, { - "condition": "iam:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to an IAM entity (user or role).", + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tags in the request", + "type": "String" + }, + { + "condition": "aws:UserAgent", + "description": "Filters actions based on the requester's client application", "type": "String" } ], - "prefix": "iam", + "prefix": "greengrass", "privileges": [ { "access_level": "Write", - "description": "Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource", - "privilege": "AddClientIDToOpenIDConnectProvider", + "description": "Grants permission to associate a role with a group. 
The role's permissions must allow Greengrass core Lambda functions and connectors to perform actions in other AWS services", + "privilege": "AssociateRoleToGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "oidc-provider*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add an IAM role to the specified instance profile", - "privilege": "AddRoleToInstanceProfile", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "instance-profile*" + "resource_type": "group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add an IAM user to the specified IAM group", - "privilege": "AddUserToGroup", + "access_level": "Permissions management", + "description": "Grants permission to associate a role with your account. AWS IoT Greengrass uses this role to access your Lambda functions and AWS IoT resources", + "privilege": "AssociateServiceRoleToAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to attach a managed policy to the specified IAM group", - "privilege": "AttachGroupPolicy", + "access_level": "Write", + "description": "Grants permission to create a connector definition", + "privilege": "CreateConnectorDefinition", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "group*" - }, { "condition_keys": [ - "iam:PolicyARN" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -73642,39 +84839,26 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to attach a managed policy to the specified IAM role", - "privilege": "AttachRolePolicy", + "access_level": "Write", + "description": "Grants permission to create a version of an existing connector definition", + "privilege": "CreateConnectorDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" - }, - { - "condition_keys": [ - "iam:PolicyARN", - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "connectorDefinition*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to attach a managed policy to the specified IAM user", - "privilege": "AttachUserPolicy", + "access_level": "Write", + "description": "Grants permission to create a core definition", + "privilege": "CreateCoreDefinition", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" - }, { "condition_keys": [ - "iam:PolicyARN", - "iam:PermissionsBoundary" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -73683,35 +84867,38 @@ }, { "access_level": "Write", - "description": "Grants permission for an IAM user to to change their own password", - "privilege": "ChangePassword", + "description": "Grants permission to create a version of an existing core definition. Greengrass groups must each contain exactly one Greengrass core", + "privilege": "CreateCoreDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "coreDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to create access key and secret access key for the specified IAM user", - "privilege": "CreateAccessKey", + "description": "Grants permission to create a deployment", + "privilege": "CreateDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an alias for your AWS account", - "privilege": "CreateAccountAlias", + "description": "Grants permission to create a device definition", + "privilege": "CreateDeviceDefinition", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } 
@@ -73719,89 +84906,91 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new group", - "privilege": "CreateGroup", + "description": "Grants permission to create a version of an existing device definition", + "privilege": "CreateDeviceDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "deviceDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new instance profile", - "privilege": "CreateInstanceProfile", + "description": "Grants permission to create a Lambda function definition to be used in a group that contains a list of Lambda functions and their configurations", + "privilege": "CreateFunctionDefinition", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "instance-profile*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a password for the specified IAM user", - "privilege": "CreateLoginProfile", + "description": "Grants permission to create a version of an existing Lambda function definition", + "privilege": "CreateFunctionDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "functionDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC)", - "privilege": "CreateOpenIDConnectProvider", + "description": "Grants permission to create a group.", + "privilege": "CreateGroup", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "oidc-provider*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - 
"description": "Grants permission to create a new managed policy", - "privilege": "CreatePolicy", + "access_level": "Write", + "description": "Grants permission to create a CA for the group, or rotate the existing CA", + "privilege": "CreateGroupCertificateAuthority", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "group*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to create a new version of the specified managed policy", - "privilege": "CreatePolicyVersion", + "access_level": "Write", + "description": "Grants permission to create a version of a group that has already been defined", + "privilege": "CreateGroupVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new role", - "privilege": "CreateRole", + "description": "Grants permission to create a logger definition", + "privilege": "CreateLoggerDefinition", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "role*" - }, { "condition_keys": [ - "iam:PermissionsBoundary" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -73810,29 +84999,25 @@ }, { "access_level": "Write", - "description": "Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0", - "privilege": "CreateSAMLProvider", + "description": "Grants permission to create a version of an existing logger definition", + "privilege": "CreateLoggerDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "saml-provider*" + "resource_type": "loggerDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf", - "privilege": "CreateServiceLinkedRole", + "description": "Grants permission to create a resource definition that contains a list of resources to be used in a group", + "privilege": "CreateResourceDefinition", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "role*" - }, { "condition_keys": [ - "iam:AWSServiceName" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -73841,29 +85026,37 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new service-specific credential for an IAM user", - "privilege": "CreateServiceSpecificCredential", + "description": "Grants permission to create a version of an existing resource definition", + "privilege": "CreateResourceDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "resourceDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new IAM user", - "privilege": "CreateUser", + "description": "Grants permission to create an AWS IoT job that will trigger your Greengrass cores to update the software they are running", + "privilege": "CreateSoftwareUpdateJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a subscription definition", + "privilege": "CreateSubscriptionDefinition", + "resource_types": [ { "condition_keys": [ - "iam:PermissionsBoundary" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -73872,67 +85065,67 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new virtual MFA device", - "privilege": "CreateVirtualMFADevice", + "description": "Grants permission to create a version of an existing subscription definition", + "privilege": "CreateSubscriptionDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mfa*" + "resource_type": "subscriptionDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled", - "privilege": "DeactivateMFADevice", + "description": "Grants permission to delete a connector definition", + "privilege": "DeleteConnectorDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "connectorDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the access key pair that is associated with the specified IAM user", - "privilege": "DeleteAccessKey", + "description": "Grants permission to delete a core definition. Deleting a definition that is currently in use in a deployment affects future deployments", + "privilege": "DeleteCoreDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "coreDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified AWS account alias", - "privilege": "DeleteAccountAlias", + "description": "Grants permission to delete a device definition. 
Deleting a definition that is currently in use in a deployment affects future deployments", + "privilege": "DeleteDeviceDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "deviceDefinition*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the password policy for the AWS account", - "privilege": "DeleteAccountPasswordPolicy", + "access_level": "Write", + "description": "Grants permission to delete a Lambda function definition. Deleting a definition that is currently in use in a deployment affects future deployments", + "privilege": "DeleteFunctionDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "functionDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified IAM group", + "description": "Grants permission to delete a group that is not currently in use in a deployment", "privilege": "DeleteGroup", "resource_types": [ { 
@@ -73943,484 +85136,249 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the specified inline policy from its group", - "privilege": "DeleteGroupPolicy", + "access_level": "Write", + "description": "Grants permission to delete a logger definition. Deleting a definition that is currently in use in a deployment affects future deployments", + "privilege": "DeleteLoggerDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "loggerDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified instance profile", - "privilege": "DeleteInstanceProfile", + "description": "Grants permission to delete a resource definition", + "privilege": "DeleteResourceDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance-profile*" + "resource_type": "resourceDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the password for the specified IAM user", - "privilege": "DeleteLoginProfile", + "description": "Grants permission to delete a subscription definition. 
Deleting a definition that is currently in use in a deployment affects future deployments", + "privilege": "DeleteSubscriptionDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "subscriptionDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM", - "privilege": "DeleteOpenIDConnectProvider", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "oidc-provider*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached", - "privilege": "DeletePolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to delete a version from the specified managed policy", - "privilege": "DeletePolicyVersion", + "description": "Grants permission to disassociate the role from a group", + "privilege": "DisassociateRoleFromGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the specified role", - "privilege": "DeleteRole", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "role*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to remove the permissions boundary from a role", - "privilege": "DeleteRolePermissionsBoundary", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "role*" - }, - { - "condition_keys": [ - "iam:PermissionsBoundary" - ], - 
"dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to delete the specified inline policy from the specified role", - "privilege": "DeleteRolePolicy", + "description": "Grants permission to disassociate the service role from an account. Without a service role, deployments will not work", + "privilege": "DisassociateServiceRoleFromAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" - }, - { - "condition_keys": [ - "iam:PermissionsBoundary" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a SAML provider resource in IAM", - "privilege": "DeleteSAMLProvider", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "saml-provider*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified SSH public key", - "privilege": "DeleteSSHPublicKey", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified server certificate", - "privilege": "DeleteServerCertificate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "server-certificate*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it", - "privilege": "DeleteServiceLinkedRole", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "role*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete the specified service-specific credential for an IAM user", - "privilege": "DeleteServiceSpecificCredential", + 
"access_level": "Read", + "description": "Grants permission to retrieve information required to connect to a Greengrass core", + "privilege": "Discover", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "thing*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a signing certificate that is associated with the specified IAM user", - "privilege": "DeleteSigningCertificate", + "access_level": "Read", + "description": "Grants permission to retrieve the role associated with a group", + "privilege": "GetAssociatedRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the specified IAM user", - "privilege": "DeleteUser", + "access_level": "Read", + "description": "Grants permission to return the status of a bulk deployment", + "privilege": "GetBulkDeploymentStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "bulkDeployment*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to remove the permissions boundary from the specified IAM user", - "privilege": "DeleteUserPermissionsBoundary", + "access_level": "Read", + "description": "Grants permission to retrieve the connectivity information for a core", + "privilege": "GetConnectivityInfo", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "connectivityInfo*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the specified inline policy from an IAM user", - "privilege": "DeleteUserPolicy", + "access_level": "Read", + "description": "Grants 
permission to retrieve information about a connector definition", + "privilege": "GetConnectorDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - }, - { - "condition_keys": [ - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "connectorDefinition*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a virtual MFA device", - "privilege": "DeleteVirtualMFADevice", + "access_level": "Read", + "description": "Grants permission to retrieve information about a connector definition version", + "privilege": "GetConnectorDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mfa" + "resource_type": "connectorDefinition*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "sms-mfa" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to detach a managed policy from the specified IAM group", - "privilege": "DetachGroupPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "group*" - }, - { - "condition_keys": [ - "iam:PolicyARN" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "connectorDefinitionVersion*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to detach a managed policy from the specified role", - "privilege": "DetachRolePolicy", + "access_level": "Read", + "description": "Grants permission to retrieve information about a core definition", + "privilege": "GetCoreDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" - }, - { - "condition_keys": [ - "iam:PolicyARN", - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "coreDefinition*" } ] }, { - "access_level": "Permissions management", - 
"description": "Grants permission to detach a managed policy from the specified IAM user", - "privilege": "DetachUserPolicy", + "access_level": "Read", + "description": "Grants permission to retrieve information about a core definition version", + "privilege": "GetCoreDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "coreDefinition*" }, - { - "condition_keys": [ - "iam:PolicyARN", - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to enable an MFA device and associate it with the specified IAM user", - "privilege": "EnableMFADevice", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "coreDefinitionVersion*" } ] }, { "access_level": "Read", - "description": "Grants permission to generate a credential report for the AWS account", - "privilege": "GenerateCredentialReport", + "description": "Grants permission to return the status of a deployment", + "privilege": "GetDeploymentStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to generate an access report for an AWS Organizations entity", - "privilege": "GenerateOrganizationsAccessReport", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "organizations:DescribePolicy", - "organizations:ListChildren", - "organizations:ListParents", - "organizations:ListPoliciesForTarget", - "organizations:ListRoots", - "organizations:ListTargetsForPolicy" - ], - "resource_type": "access-report*" + "resource_type": "deployment*" }, - { - "condition_keys": [ - "iam:OrganizationsPolicyId" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to 
generate a service last accessed data report for an IAM resource", - "privilege": "GenerateServiceLastAccessedDetails", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about when the specified access key was last used", - "privilege": "GetAccessKeyLastUsed", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "group*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another", - "privilege": "GetAccountAuthorizationDetails", + "description": "Grants permission to retrieve information about a device definition", + "privilege": "GetDeviceDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "deviceDefinition*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the password policy for the AWS account", - "privilege": "GetAccountPasswordPolicy", + "description": "Grants permission to retrieve information about a device definition version", + "privilege": "GetDeviceDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve information about IAM entity usage and IAM quotas in the AWS account", - "privilege": "GetAccountSummary", - "resource_types": [ + "resource_type": "deviceDefinition*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "deviceDefinitionVersion*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy", - 
"privilege": "GetContextKeysForCustomPolicy", + "description": "Grants permission to retrieve information about a Lambda function definition, such as its creation time and latest version", + "privilege": "GetFunctionDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "functionDefinition*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role)", - "privilege": "GetContextKeysForPrincipalPolicy", + "description": "Grants permission to retrieve information about a Lambda function definition version, such as which Lambda functions are included in the version and their configurations", + "privilege": "GetFunctionDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "role" + "resource_type": "functionDefinition*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve a credential report for the AWS account", - "privilege": "GetCredentialReport", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "resource_type": "functionDefinitionVersion*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a list of IAM users in the specified IAM group", + "description": "Grants permission to retrieve information about a group", "privilege": "GetGroup", "resource_types": [ { 
@@ -74432,152 +85390,112 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve an inline policy document that is embedded in the specified IAM group", - "privilege": "GetGroupPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "group*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role", - "privilege": "GetInstanceProfile", + "description": "Grants permission to return the public key of the CA associated with a group", + "privilege": "GetGroupCertificateAuthority", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance-profile*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve the user name and password creation date for the specified IAM user", - "privilege": "GetLoginProfile", - "resource_types": [ + "resource_type": "certificateAuthority*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "group*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM", - "privilege": "GetOpenIDConnectProvider", + "description": "Grants permission to retrieve the current configuration for the CA used by a group", + "privilege": "GetGroupCertificateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "oidc-provider*" + "resource_type": "group*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve an AWS Organizations access report", - "privilege": "GetOrganizationsAccessReport", + "description": "Grants permission to retrieve information about a group version", + "privilege": "GetGroupVersion", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached", - "privilege": "GetPolicy", - "resource_types": [ + "resource_type": "group*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "groupVersion*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about a version of the specified managed policy, including the policy document", - "privilege": "GetPolicyVersion", + "description": "Grants permission to retrieve information about a logger definition", + "privilege": "GetLoggerDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "loggerDefinition*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy", - "privilege": "GetRole", + "description": "Grants permission to retrieve information about a logger definition version", + "privilege": "GetLoggerDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve an inline policy document that is embedded with the specified IAM role", - "privilege": "GetRolePolicy", - "resource_types": [ + "resource_type": "loggerDefinition*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "loggerDefinitionVersion*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the SAML provider metadocument that was uploaded when the IAM SAML provider resource was created or updated", - 
"privilege": "GetSAMLProvider", + "description": "Grants permission to retrieve information about a resource definition, such as its creation time and latest version", + "privilege": "GetResourceDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "saml-provider*" + "resource_type": "resourceDefinition*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the specified SSH public key, including metadata about the key", - "privilege": "GetSSHPublicKey", + "description": "Grants permission to retrieve information about a resource definition version, such as which resources are included in the version", + "privilege": "GetResourceDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about the specified server certificate stored in IAM", - "privilege": "GetServerCertificate", - "resource_types": [ + "resource_type": "resourceDefinition*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "server-certificate*" + "resource_type": "resourceDefinitionVersion*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the service last accessed data report", - "privilege": "GetServiceLastAccessedDetails", + "description": "Grants permission to retrieve the service role that is attached to an account", + "privilege": "GetServiceRoleForAccount", "resource_types": [ { "condition_keys": [], 
@@ -74588,68 +85506,61 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the entities from the service last accessed data report", - "privilege": "GetServiceLastAccessedDetailsWithEntities", + "description": "Grants permission to retrieve information about a subscription definition", + "privilege": "GetSubscriptionDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "subscriptionDefinition*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve an IAM service-linked role deletion status", - "privilege": "GetServiceLinkedRoleDeletionStatus", + "description": "Grants permission to retrieve information about a subscription definition version", + "privilege": "GetSubscriptionDefinitionVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN", - "privilege": "GetUser", - "resource_types": [ + "resource_type": "subscriptionDefinition*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "subscriptionDefinitionVersion*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve an inline policy document that is embedded in the specified IAM user", - "privilege": "GetUserPolicy", + "description": "Grants permission to retrieve runtime configuration of a thing", + "privilege": "GetThingRuntimeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "thingRuntimeConfig*" } ] }, { - "access_level": "List", - "description": "Grants permission to list information about the access key IDs that are associated with the specified IAM user", - "privilege": 
"ListAccessKeys", + "access_level": "Read", + "description": "Grants permission to retrieve a paginated list of the deployments that have been started in a bulk deployment operation and their current deployment status", + "privilege": "ListBulkDeploymentDetailedReports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "bulkDeployment*" } ] }, { "access_level": "List", - "description": "Grants permission to list the account alias that is associated with the AWS account", - "privilege": "ListAccountAliases", + "description": "Grants permission to retrieve a list of bulk deployments", + "privilege": "ListBulkDeployments", "resource_types": [ { "condition_keys": [], 
@@ -74660,68 +85571,20 @@ }, { "access_level": "List", - "description": "Grants permission to list all managed policies that are attached to the specified IAM group", - "privilege": "ListAttachedGroupPolicies", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "group*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all managed policies that are attached to the specified IAM role", - "privilege": "ListAttachedRolePolicies", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "role*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all managed policies that are attached to the specified IAM user", - "privilege": "ListAttachedUserPolicies", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all IAM identities to which the specified managed policy is attached", - "privilege": "ListEntitiesForPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the names of the inline policies that are embedded in the specified IAM group", - "privilege": "ListGroupPolicies", + "description": "Grants permission to list the versions of a connector definition", + "privilege": "ListConnectorDefinitionVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "connectorDefinition*" } ] }, { "access_level": "List", - "description": "Grants permission to list the IAM groups that have the specified path prefix", - "privilege": "ListGroups", + "description": "Grants permission to retrieve a list of connector definitions", + "privilege": "ListConnectorDefinitions", 
"resource_types": [ { "condition_keys": [], 
@@ -74732,56 +85595,56 @@ }, { "access_level": "List", - "description": "Grants permission to list the IAM groups that the specified IAM user belongs to", - "privilege": "ListGroupsForUser", + "description": "Grants permission to list the versions of a core definition", + "privilege": "ListCoreDefinitionVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "coreDefinition*" } ] }, { "access_level": "List", - "description": "Grants permission to list the instance profiles that have the specified path prefix", - "privilege": "ListInstanceProfiles", + "description": "Grants permission to retrieve a list of core definitions", + "privilege": "ListCoreDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance-profile*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the instance profiles that have the specified associated IAM role", - "privilege": "ListInstanceProfilesForRole", + "description": "Grants permission to retrieve a list of all deployments for a group", + "privilege": "ListDeployments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "group*" } ] }, { "access_level": "List", - "description": "Grants permission to list the MFA devices for an IAM user", - "privilege": "ListMFADevices", + "description": "Grants permission to list the versions of a device definition", + "privilege": "ListDeviceDefinitionVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user" + "resource_type": "deviceDefinition*" } ] }, { "access_level": "List", - "description": "Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account", - "privilege": "ListOpenIDConnectProviders", + "description": "Grants permission to retrieve a 
list of device definitions", + "privilege": "ListDeviceDefinitions", "resource_types": [ { "condition_keys": [], @@ -74792,20 +85655,20 @@ }, { "access_level": "List", - "description": "Grants permission to list all managed policies", - "privilege": "ListPolicies", + "description": "Grants permission to list the versions of a Lambda function definition", + "privilege": "ListFunctionDefinitionVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "functionDefinition*" } ] }, { "access_level": "List", - "description": "Grants permission to list information about the policies that grant an entity access to a specific service", - "privilege": "ListPoliciesGrantingServiceAccess", + "description": "Grants permission to retrieve a list of Lambda function definitions", + "privilege": "ListFunctionDefinitions", "resource_types": [ { "condition_keys": [], 
@@ -74816,56 +85679,56 @@ }, { "access_level": "List", - "description": "Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version", - "privilege": "ListPolicyVersions", + "description": "Grants permission to retrieve a list of current CAs for a group", + "privilege": "ListGroupCertificateAuthorities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "group*" } ] }, { "access_level": "List", - "description": "Grants permission to list the names of the inline policies that are embedded in the specified IAM role", - "privilege": "ListRolePolicies", + "description": "Grants permission to list the versions of a group", + "privilege": "ListGroupVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "group*" } ] }, { "access_level": "List", - "description": "Grants permission to list the tags that are attached to the specified IAM role.", - "privilege": "ListRoleTags", + "description": "Grants permission to retrieve a list of groups", + "privilege": "ListGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the IAM roles that have the specified path prefix", - "privilege": "ListRoles", + "description": "Grants permission to list the versions of a logger definition", + "privilege": "ListLoggerDefinitionVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "loggerDefinition*" } ] }, { "access_level": "List", - "description": "Grants permission to list the SAML provider resources in IAM", - "privilege": "ListSAMLProviders", + "description": "Grants permission to retrieve a list of logger definitions", + "privilege": 
"ListLoggerDefinitions", "resource_types": [ { "condition_keys": [], @@ -74876,20 +85739,20 @@ }, { "access_level": "List", - "description": "Grants permission to list information about the SSH public keys that are associated with the specified IAM user", - "privilege": "ListSSHPublicKeys", + "description": "Grants permission to list the versions of a resource definition", + "privilege": "ListResourceDefinitionVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "resourceDefinition*" } ] }, { "access_level": "List", - "description": "Grants permission to list the server certificates that have the specified path prefix", - "privilege": "ListServerCertificates", + "description": "Grants permission to retrieve a list of resource definitions", + "privilege": "ListResourceDefinitions", "resource_types": [ { "condition_keys": [], 
@@ -74900,178 +85763,82 @@ }, { "access_level": "List", - "description": "Grants permission to list the service-specific credentials that are associated with the specified IAM user", - "privilege": "ListServiceSpecificCredentials", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list information about the signing certificates that are associated with the specified IAM user", - "privilege": "ListSigningCertificates", + "description": "Grants permission to list the versions of a subscription definition", + "privilege": "ListSubscriptionDefinitionVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "subscriptionDefinition*" } ] }, { "access_level": "List", - "description": "Grants permission to list the names of the inline policies that are embedded in the specified IAM user", - "privilege": "ListUserPolicies", + "description": "Grants permission to retrieve a list of subscription definitions", + "privilege": "ListSubscriptionDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the tags that are attached to the specified IAM user.", - "privilege": "ListUserTags", + "access_level": "Read", + "description": "Grants permission to list the tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the IAM users that have the specified path prefix", - "privilege": "ListUsers", - "resource_types": [ + "resource_type": "bulkDeployment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - 
"access_level": "List", - "description": "Grants permission to list virtual MFA devices by assignment status", - "privilege": "ListVirtualMFADevices", - "resource_types": [ + "resource_type": "connectorDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to pass a role to a service", - "privilege": "PassRole", - "resource_types": [ + "resource_type": "coreDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "deviceDefinition" }, - { - "condition_keys": [ - "iam:AssociatedResourceArn", - "iam:PassedToService" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM group", - "privilege": "PutGroupPolicy", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to set a managed policy as a permissions boundary for a role", - "privilege": "PutRolePermissionsBoundary", - "resource_types": [ + "resource_type": "functionDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "group" }, - { - "condition_keys": [ - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM role", - "privilege": "PutRolePolicy", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "loggerDefinition" }, - { - "condition_keys": [ - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - 
"resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to set a managed policy as a permissions boundary for an IAM user", - "privilege": "PutUserPermissionsBoundary", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "resourceDefinition" }, - { - "condition_keys": [ - "iam:PermissionsBoundary" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM user", - "privilege": "PutUserPolicy", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "subscriptionDefinition" }, { "condition_keys": [ - "iam:PermissionsBoundary" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -75080,105 +85847,70 @@ }, { "access_level": "Write", - "description": "Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource", - "privilege": "RemoveClientIDFromOpenIDConnectProvider", + "description": "Grants permission to reset a group's deployments", + "privilege": "ResetDeployments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "oidc-provider*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove an IAM role from the specified EC2 instance profile", - "privilege": "RemoveRoleFromInstanceProfile", + "description": "Grants permission to deploy multiple groups in one operation", + "privilege": "StartBulkDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance-profile*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to remove an IAM user from the specified group", - "privilege": "RemoveUserFromGroup", + "description": "Grants permission to stop the execution of a bulk deployment", + "privilege": "StopBulkDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "bulkDeployment*" } ] }, { - "access_level": "Write", - "description": "Grants permission to reset the password for an existing service-specific credential for an IAM user", - "privilege": "ResetServiceSpecificCredential", + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to synchronize the specified MFA device with its IAM entity (user or role)", - "privilege": "ResyncMFADevice", - "resource_types": [ + 
"resource_type": "bulkDeployment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to set the version of the specified policy as the policy's default version", - "privilege": "SetDefaultPolicyVersion", - "resource_types": [ + "resource_type": "connectorDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to set the STS global endpoint token version", - "privilege": "SetSecurityTokenServicePreferences", - "resource_types": [ + "resource_type": "coreDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources", - "privilege": "SimulateCustomPolicy", - "resource_types": [ + "resource_type": "deviceDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources", - "privilege": "SimulatePrincipalPolicy", - "resource_types": [ + "resource_type": "functionDefinition" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -75187,454 +85919,424 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role" + "resource_type": "loggerDefinition" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to add tags to an IAM role.", - "privilege": "TagRole", - "resource_types": [ + "resource_type": "resourceDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "subscriptionDefinition" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add tags to an IAM user.", - "privilege": "TagUser", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove the specified tags from the role.", - "privilege": "UntagRole", - "resource_types": [ + "resource_type": "bulkDeployment" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove the specified tags from the user.", - "privilege": "UntagUser", - "resource_types": [ + "resource_type": "connectorDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the status of the specified access key as Active or Inactive", - "privilege": "UpdateAccessKey", - "resource_types": [ + "resource_type": "coreDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants 
permission to update the password policy settings for the AWS account", - "privilege": "UpdateAccountPasswordPolicy", - "resource_types": [ + "resource_type": "deviceDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to update the policy that grants an IAM entity permission to assume a role", - "privilege": "UpdateAssumeRolePolicy", - "resource_types": [ + "resource_type": "functionDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the name or path of the specified IAM group", - "privilege": "UpdateGroup", - "resource_types": [ + "resource_type": "group" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to change the password for the specified IAM user", - "privilege": "UpdateLoginProfile", - "resource_types": [ + "resource_type": "loggerDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource", - "privilege": "UpdateOpenIDConnectProviderThumbprint", - "resource_types": [ + "resource_type": "resourceDefinition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "oidc-provider*" + "resource_type": "subscriptionDefinition" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the description or maximum session duration setting of a role", - "privilege": "UpdateRole", + "description": "Grants permission to 
update the connectivity information for a Greengrass core. Any devices that belong to the group that has this core will receive this information in order to find the location of the core and connect to it", + "privilege": "UpdateConnectivityInfo", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "connectivityInfo*" } ] }, { "access_level": "Write", - "description": "Grants permission to update only the description of a role", - "privilege": "UpdateRoleDescription", + "description": "Grants permission to update a connector definition", + "privilege": "UpdateConnectorDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "role*" + "resource_type": "connectorDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the metadata document for an existing SAML provider resource", - "privilege": "UpdateSAMLProvider", + "description": "Grants permission to update a core definition", + "privilege": "UpdateCoreDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "saml-provider*" + "resource_type": "coreDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the status of an IAM user's SSH public key to active or inactive", - "privilege": "UpdateSSHPublicKey", + "description": "Grants permission to update a device definition", + "privilege": "UpdateDeviceDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "deviceDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the name or the path of the specified server certificate stored in IAM", - "privilege": "UpdateServerCertificate", + "description": "Grants permission to update a Lambda function definition", + "privilege": "UpdateFunctionDefinition", "resource_types": [ { "condition_keys": 
[], "dependent_actions": [], - "resource_type": "server-certificate*" + "resource_type": "functionDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the status of a service-specific credential to active or inactive for an IAM user", - "privilege": "UpdateServiceSpecificCredential", + "description": "Grants permission to update a group", + "privilege": "UpdateGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the status of the specified user signing certificate to active or disabled", - "privilege": "UpdateSigningCertificate", + "description": "Grants permission to update the certificate expiry time for a group", + "privilege": "UpdateGroupCertificateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the name or the path of the specified IAM user", - "privilege": "UpdateUser", + "description": "Grants permission to update a logger definition", + "privilege": "UpdateLoggerDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "loggerDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to upload an SSH public key and associate it with the specified IAM user", - "privilege": "UploadSSHPublicKey", + "description": "Grants permission to update a resource definition", + "privilege": "UpdateResourceDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "resourceDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to upload a server certificate entity for the AWS account", - "privilege": 
"UploadServerCertificate", + "description": "Grants permission to update a subscription definition", + "privilege": "UpdateSubscriptionDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "server-certificate*" + "resource_type": "subscriptionDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user", - "privilege": "UploadSigningCertificate", + "description": "Grants permission to update runtime configuration of a thing", + "privilege": "UpdateThingRuntimeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "thingRuntimeConfig*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:iam::${Account}:access-report/${EntityPath}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/things/${ThingName}/connectivityInfo", "condition_keys": [], - "resource": "access-report" + "resource": "connectivityInfo" }, { - "arn": "arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/certificateauthorities/${CertificateAuthorityId}", "condition_keys": [], - "resource": "assumed-role" + "resource": "certificateAuthority" }, { - "arn": "arn:${Partition}:iam::${Account}:federated-user/${UserName}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/deployments/${DeploymentId}", "condition_keys": [], - "resource": "federated-user" + "resource": "deployment" }, { - "arn": "arn:${Partition}:iam::${Account}:group/${GroupNameWithPath}", - "condition_keys": [], - "resource": "group" + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/bulk/deployments/${BulkDeploymentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bulkDeployment" }, { - "arn": 
"arn:${Partition}:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}", - "condition_keys": [], - "resource": "instance-profile" + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "group" }, { - "arn": "arn:${Partition}:iam::${Account}:mfa/${MfaTokenIdWithPath}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/groups/${GroupId}/versions/${VersionId}", "condition_keys": [], - "resource": "mfa" + "resource": "groupVersion" }, { - "arn": "arn:${Partition}:iam::${Account}:oidc-provider/${OidcProviderName}", - "condition_keys": [], - "resource": "oidc-provider" + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "coreDefinition" }, { - "arn": "arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/cores/${CoreDefinitionId}/versions/${VersionId}", "condition_keys": [], - "resource": "policy" + "resource": "coreDefinitionVersion" }, { - "arn": "arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId}", "condition_keys": [ - "iam:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "role" + "resource": "deviceDefinition" }, { - "arn": "arn:${Partition}:iam::${Account}:saml-provider/${SamlProviderName}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/devices/${DeviceDefinitionId}/versions/${VersionId}", "condition_keys": [], - "resource": "saml-provider" + "resource": "deviceDefinitionVersion" }, { - "arn": "arn:${Partition}:iam::${Account}:server-certificate/${CertificateNameWithPath}", + "arn": 
"arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "functionDefinition" + }, + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/functions/${FunctionDefinitionId}/versions/${VersionId}", "condition_keys": [], - "resource": "server-certificate" + "resource": "functionDefinitionVersion" }, { - "arn": "arn:${Partition}:iam::${Account}:sms-mfa/${MfaTokenIdWithPath}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "subscriptionDefinition" + }, + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/subscriptions/${SubscriptionDefinitionId}/versions/${VersionId}", "condition_keys": [], - "resource": "sms-mfa" + "resource": "subscriptionDefinitionVersion" }, { - "arn": "arn:${Partition}:iam::${Account}:user/${UserNameWithPath}", + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId}", "condition_keys": [ - "iam:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "user" - } - ], - "service_name": "Identity And Access Management" - }, - { - "conditions": [], - "prefix": "identitystore", - "privileges": [ + "resource": "loggerDefinition" + }, { - "access_level": "Read", - "description": "Retrieves information about group from the directory that AWS Identity Store provides by default", - "privilege": "DescribeGroup", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/loggers/${LoggerDefinitionId}/versions/${VersionId}", + "condition_keys": [], + "resource": "loggerDefinitionVersion" }, { - "access_level": "Read", - "description": 
"Retrieves information about user from the directory that AWS Identity Store provides by default", - "privilege": "DescribeUser", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resourceDefinition" }, { - "access_level": "List", - "description": "Search for groups within the associated directory", - "privilege": "ListGroups", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/resources/${ResourceDefinitionId}/versions/${VersionId}", + "condition_keys": [], + "resource": "resourceDefinitionVersion" }, { - "access_level": "List", - "description": "Search for users within the associated directory", - "privilege": "ListUsers", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connectorDefinition" + }, + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/definition/connectors/${ConnectorDefinitionId}/versions/${VersionId}", + "condition_keys": [], + "resource": "connectorDefinitionVersion" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", + "condition_keys": [], + "resource": "thing" + }, + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/things/${ThingName}/runtimeconfig", + "condition_keys": [], + "resource": "thingRuntimeConfig" } ], - "resources": [], - "service_name": "AWS Identity Store" + "service_name": "AWS IoT Greengrass" }, { "conditions": [ { "condition": 
"aws:RequestTag/${TagKey}", - "description": "Filters actions by the presence of tag key-value pairs in the request", + "description": "Filters access based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions by tag key-value pairs attached to the resource", + "description": "Filters access based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions by the presence of tag keys in the request", + "description": "Filters access based on the tag keys that are passed in the request", "type": "String" }, { - "condition": "imagebuilder:CreatedResourceTag/", - "description": "Filters access by the tag key-value pairs attached to the resource created by Image Builder", + "condition": "groundstation:configId", + "description": "Filters access by the ID of a config", "type": "String" }, { - "condition": "imagebuilder:CreatedResourceTagKeys", - "description": "Filters access by the presence of tag keys in the request", + "condition": "groundstation:configType", + "description": "Filters access by the type of a config", + "type": "String" + }, + { + "condition": "groundstation:contactId", + "description": "Filters access by the ID of a contact", + "type": "String" + }, + { + "condition": "groundstation:dataflowEndpointGroupId", + "description": "Filters access by the ID of a dataflow endpoint group", + "type": "String" + }, + { + "condition": "groundstation:groundStationId", + "description": "Filters access by the ID of a ground station", + "type": "String" + }, + { + "condition": "groundstation:missionProfileId", + "description": "Filters access by the ID of a mission profile", + "type": "String" + }, + { + "condition": "groundstation:satelliteId", + "description": "Filters access by the ID of a satellite", "type": "String" } ], - "prefix": "imagebuilder", + "prefix": "groundstation", "privileges": [ { 
"access_level": "Write", - "description": "Cancel an image creation", - "privilege": "CancelImageCreation", + "description": "Grants permission to cancel a contact", + "privilege": "CancelContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "Contact*" } ] }, { "access_level": "Write", - "description": "Create a new component", - "privilege": "CreateComponent", + "description": "Grants permission to create a configuration", + "privilege": "CreateConfig", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "component*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "kmsKey" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -75647,16 +86349,9 @@ }, { "access_level": "Write", - "description": "Create a new Container Recipe", - "privilege": "CreateContainerRecipe", + "description": "Grants permission to create a data flow endpoint group", + "privilege": "CreateDataflowEndpointGroup", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "imagebuilder:GetComponent" - ], - "resource_type": "containerRecipe*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -75669,14 +86364,9 @@ }, { "access_level": "Write", - "description": "Create a new distribution configuration", - "privilege": "CreateDistributionConfiguration", + "description": "Grants permission to create a mission profile", + "privilege": "CreateMissionProfile", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "distributionConfiguration*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -75689,346 +86379,379 @@ }, { "access_level": "Write", - "description": "Create a new image", - "privilege": "CreateImage", + "description": "Grants permission to delete a config", + "privilege": "DeleteConfig", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "imagebuilder:GetImageRecipe", - "imagebuilder:GetInfrastructureConfiguration" - ], - "resource_type": "image*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "Config*" } ] }, { "access_level": "Write", - "description": "Create a new image pipeline", - "privilege": "CreateImagePipeline", + "description": "Grants permission to delete a data flow endpoint group", + "privilege": "DeleteDataflowEndpointGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "imagebuilder:GetImageRecipe" - ], - "resource_type": "imagePipeline*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "DataflowEndpointGroup*" } ] }, { "access_level": "Write", - "description": "Create a new Image Recipe", - "privilege": "CreateImageRecipe", + "description": "Grants permission to delete a mission profile", + "privilege": "DeleteMissionProfile", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "imagebuilder:GetComponent" - ], - "resource_type": "imageRecipe*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "MissionProfile*" } ] }, { - "access_level": "Write", - "description": "Create a new infrastructure configuration", - "privilege": "CreateInfrastructureConfiguration", + "access_level": "Read", + "description": "Grants permission to describe a contact", + "privilege": "DescribeContact", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - 
"resource_type": "infrastructureConfiguration*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "imagebuilder:CreatedResourceTagKeys", - "imagebuilder:CreatedResourceTag/" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "Contact*" } ] }, { - "access_level": "Write", - "description": "Delete a component", - "privilege": "DeleteComponent", + "access_level": "Read", + "description": "Grants permission to return a configuration", + "privilege": "GetConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component*" + "resource_type": "Config*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a container recipe", - "privilege": "DeleteContainerRecipe", + "access_level": "Read", + "description": "Grants permission to return a data flow endpoint group", + "privilege": "GetDataflowEndpointGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "containerRecipe*" + "resource_type": "DataflowEndpointGroup*" } ] }, { - "access_level": "Write", - "description": "Delete a distribution configuration", - "privilege": "DeleteDistributionConfiguration", + "access_level": "Read", + "description": "Grants permission to return minutes usage", + "privilege": "GetMinuteUsage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "distributionConfiguration*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete an image", - "privilege": "DeleteImage", + "access_level": "Read", + "description": "Grants permission to retrieve a mission profile", + "privilege": "GetMissionProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "MissionProfile*" } ] }, { - "access_level": "Write", - "description": "Delete an image pipeline", - "privilege": "DeleteImagePipeline", + "access_level": "Read", + 
"description": "Grants permission to return information about a satellite", + "privilege": "GetSatellite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "imagePipeline*" + "resource_type": "Satellite*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an image recipe", - "privilege": "DeleteImageRecipe", + "access_level": "List", + "description": "Grants permission to return a list of past configurations", + "privilege": "ListConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "imageRecipe*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete an infrastructure configuration", - "privilege": "DeleteInfrastructureConfiguration", + "access_level": "List", + "description": "Grants permission to return a list of contacts", + "privilege": "ListContacts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "infrastructureConfiguration*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "View details about a component", - "privilege": "GetComponent", + "access_level": "List", + "description": "Grants permission to list data flow endpoint groups", + "privilege": "ListDataflowEndpointGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "View the resource policy associated with a component", - "privilege": "GetComponentPolicy", + "access_level": "List", + "description": "Grants permission to list ground stations", + "privilege": "ListGroundStations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "View details about a container recipe", - "privilege": "GetContainerRecipe", + "access_level": "List", + "description": 
"Grants permission to return a list of mission profiles", + "privilege": "ListMissionProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "containerRecipe*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "View the resource policy associated with a container recipe", - "privilege": "GetContainerRecipePolicy", + "access_level": "List", + "description": "Grants permission to list satellites", + "privilege": "ListSatellites", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "containerRecipe*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "View details about a distribution configuration", - "privilege": "GetDistributionConfiguration", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "distributionConfiguration*" - } - ] - }, - { - "access_level": "Read", - "description": "View details about an image", - "privilege": "GetImage", - "resource_types": [ + "resource_type": "Config" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "Contact" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "View details about an image pipeline", - "privilege": "GetImagePipeline", - "resource_types": [ + "resource_type": "DataflowEndpointGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "imagePipeline*" + "resource_type": "MissionProfile" } ] }, { - "access_level": "Read", - "description": "View the resource policy associated with an image", - "privilege": "GetImagePolicy", + "access_level": "Write", + "description": "Grants permission to reserve a contact", + "privilege": "ReserveContact", 
"resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "View details about an image recipe", - "privilege": "GetImageRecipe", + "access_level": "Tagging", + "description": "Grants permission to assign a resource tag", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "imageRecipe*" - } - ] - }, - { - "access_level": "Read", - "description": "View the resource policy associated with an image recipe", - "privilege": "GetImageRecipePolicy", - "resource_types": [ + "resource_type": "Config" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "imageRecipe*" + "resource_type": "Contact" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DataflowEndpointGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MissionProfile" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "View details about an infrastructure configuration", - "privilege": "GetInfrastructureConfiguration", + "access_level": "Tagging", + "description": "Grants permission to deassign a resource tag", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "infrastructureConfiguration*" + "resource_type": "Config" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Contact" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DataflowEndpointGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "MissionProfile" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + 
"resource_type": "" } ] }, { - "access_level": "List", - "description": "List the component build versions in your account", - "privilege": "ListComponentBuildVersions", + "access_level": "Write", + "description": "Grants permission to update a configuration", + "privilege": "UpdateConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "componentVersion*" + "resource_type": "Config*" } ] }, { - "access_level": "List", - "description": "List the component versions owned by or shared with your account", - "privilege": "ListComponents", + "access_level": "Write", + "description": "Grants permission to update a mission profile", + "privilege": "UpdateMissionProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "MissionProfile*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:config/${configType}/${configId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "groundstation:configId", + "groundstation:configType" + ], + "resource": "Config" }, { - "access_level": "List", - "description": "List the container recipes owned by or shared with your account", - "privilege": "ListContainerRecipes", + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:contact/${contactId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "groundstation:contactId" + ], + "resource": "Contact" + }, + { + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:dataflow-endpoint-group/${dataflowEndpointGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "groundstation:dataflowEndpointGroupId" + ], + "resource": "DataflowEndpointGroup" + }, + { + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:groundstation:${groundStationId}", + "condition_keys": [ + "groundstation:groundStationId" + ], + "resource": "GroundStationResource" + }, + { + "arn": 
"arn:${Partition}:groundstation:${Region}:${Account}:mission-profile/${missionProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "groundstation:missionProfileId" + ], + "resource": "MissionProfile" + }, + { + "arn": "arn:${Partition}:groundstation:${Region}:${Account}:satellite/${satelliteId}", + "condition_keys": [ + "groundstation:satelliteId" + ], + "resource": "Satellite" + } + ], + "service_name": "AWS Ground Station" + }, + { + "conditions": [], + "prefix": "groundtruthlabeling", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate a patch file with the manifest file to update the manifest file", + "privilege": "AssociatePatchToManifestJob", "resource_types": [ { "condition_keys": [], @@ -76038,9 +86761,9 @@ ] }, { - "access_level": "List", - "description": "List the distribution configurations in your account", - "privilege": "ListDistributionConfigurations", + "access_level": "Read", + "description": "Grants permission to get status of GroundTruthLabeling Jobs", + "privilege": "DescribeConsoleJob", "resource_types": [ { "condition_keys": [], 
@@ -76050,33 +86773,33 @@ ] }, { - "access_level": "List", - "description": "List the image build versions in your account", - "privilege": "ListImageBuildVersions", + "access_level": "Read", + "description": "Grants permission to list dataset objects in a manifest file", + "privilege": "ListDatasetObjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "imageVersion*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns a list of images created by the specified pipeline", - "privilege": "ListImagePipelineImages", + "access_level": "Write", + "description": "Grants permission to filter records from a manifest file using S3 select. Get sample entries based on random sampling", + "privilege": "RunFilterOrSampleDatasetJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "imagePipeline*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "List the image pipelines in your account", - "privilege": "ListImagePipelines", + "access_level": "Write", + "description": "Grants permission to list a S3 prefix and create manifest files from objects in that location", + "privilege": "RunGenerateManifestByCrawlingJob", "resource_types": [ { "condition_keys": [], 
@@ -76084,11 +86807,35 @@ "resource_type": "" } ] + } + ], + "resources": [], + "service_name": "Amazon GroundTruth Labeling" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" }, { - "access_level": "List", - "description": "List the image recipes owned by or shared with your account", - "privilege": "ListImageRecipes", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "guardduty", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept invitations to become a GuardDuty member account", + "privilege": "AcceptInvitation", "resource_types": [ { "condition_keys": [], @@ -76098,9 +86845,9 @@ ] }, { - "access_level": "List", - "description": "List the image versions owned by or shared with your account", - "privilege": "ListImages", + "access_level": "Write", + "description": "Grants permission to archive GuardDuty findings", + "privilege": "ArchiveFindings", "resource_types": [ { "condition_keys": [], 
@@ -76110,55 +86857,34 @@ ] }, { - "access_level": "List", - "description": "List the infrastructure configurations in your account", - "privilege": "ListInfrastructureConfigurations", + "access_level": "Write", + "description": "Grants permission to create a detector", + "privilege": "CreateDetector", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "List tag for an Image Builder resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to create GuardDuty filters. A filters defines finding attributes and conditions used to filter findings", + "privilege": "CreateFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "distributionConfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "image" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "imagePipeline" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "imageRecipe" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "infrastructureConfiguration" + "resource_type": "filter*" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -76166,296 +86892,138 @@ ] }, { - "access_level": "Permissions management", - "description": "Set the resource policy associated with a component", - "privilege": "PutComponentPolicy", + "access_level": "Write", + "description": "Grants permission to create an IPSet", + "privilege": "CreateIPSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "component*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Set the resource policy associated with a container recipe", - "privilege": "PutContainerRecipePolicy", + "access_level": "Write", + "description": "Grants permission to create GuardDuty member accounts, where the account used to create a member becomes the GuardDuty administrator account", + "privilege": "CreateMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "containerRecipe*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Set the resource policy associated with an image", - "privilege": "PutImagePolicy", + "access_level": "Write", + "description": "Grants permission to create a publishing destination", + "privilege": "CreatePublishingDestination", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "image*" + "dependent_actions": [ + "s3:GetObject", + "s3:ListBucket" + ], + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Set the resource policy associated with an image recipe", - "privilege": "PutImageRecipePolicy", + "access_level": "Write", + "description": "Grants permission to create sample findings", + "privilege": "CreateSampleFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "imageRecipe*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a new 
image from a pipeline", - "privilege": "StartImagePipelineExecution", + "description": "Grants permission to create GuardDuty ThreatIntelSets, where a ThreatIntelSet consists of known malicious IP addresses used by GuardDuty to generate findings", + "privilege": "CreateThreatIntelSet", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [ - "imagebuilder:GetImagePipeline" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "imagePipeline*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Tag an Image Builder resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to decline invitations to become a GuardDuty member account", + "privilege": "DeclineInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "component" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "containerRecipe" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "distributionConfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "image" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "imagePipeline" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "imageRecipe" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "infrastructureConfiguration" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Untag an Image Builder resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to delete GuardDuty detectors", + "privilege": "DeleteDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "component" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "containerRecipe" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "distributionConfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "image" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "imagePipeline" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "imageRecipe" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "infrastructureConfiguration" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "detector*" } ] }, { "access_level": "Write", - "description": "Update an existing distribution configuration", - "privilege": "UpdateDistributionConfiguration", + "description": "Grants permission to delete GuardDuty filters", + "privilege": "DeleteFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "distributionConfiguration*" + "resource_type": "filter*" } ] }, { "access_level": "Write", - "description": "Update an existing image pipeline", - "privilege": "UpdateImagePipeline", + "description": "Grants permission to delete GuardDuty IPSets", + "privilege": "DeleteIPSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "imagePipeline*" + "resource_type": "ipset*" } ] }, { "access_level": "Write", - "description": "Update an existing infrastructure configuration", - "privilege": "UpdateInfrastructureConfiguration", + "description": "Grants permission to delete invitations to become a GuardDuty member account", + "privilege": "DeleteInvitations", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "infrastructureConfiguration*" - }, - { - "condition_keys": [ - 
"aws:ResourceTag/${TagKey}", - "imagebuilder:CreatedResourceTagKeys", - "imagebuilder:CreatedResourceTag/" - ], "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:component/${ComponentName}/${ComponentVersion}/${ComponentBuildVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "component" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:component/${ComponentName}/${ComponentVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "componentVersion" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:distribution-configuration/${DistributionConfigurationName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "distributionConfiguration" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion}/${ImageBuildVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "image" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "imageVersion" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image-recipe/${ImageRecipeName}/${ImageRecipeVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "imageRecipe" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:container-recipe/${ContainerRecipeName}/${ContainerRecipeVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "containerRecipe" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image-pipeline/${ImagePipelineName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "imagePipeline" - }, - { - "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:infrastructure-configuration/${ResourceId}", - 
"condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "infrastructureConfiguration" }, - { - "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", - "condition_keys": [], - "resource": "kmsKey" - } - ], - "service_name": "Amazon EC2 Image Builder" - }, - { - "conditions": [], - "prefix": "importexport", - "privileges": [ { "access_level": "Write", - "description": "This action cancels a specified job. Only the job owner can cancel it. The action fails if the job has already started or is complete.", - "privilege": "CancelJob", + "description": "Grants permission to delete GuardDuty member accounts", + "privilege": "DeleteMembers", "resource_types": [ { "condition_keys": [], 
@@ -76466,32 +87034,32 @@ }, { "access_level": "Write", - "description": "This action initiates the process of scheduling an upload or download of your data.", - "privilege": "CreateJob", + "description": "Grants permission to delete a publishing destination", + "privilege": "DeletePublishingDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "publishingDestination*" } ] }, { - "access_level": "Read", - "description": "This action generates a pre-paid shipping label that you will use to ship your device to AWS for processing.", - "privilege": "GetShippingLabel", + "access_level": "Write", + "description": "Grants permission to delete GuardDuty ThreatIntelSets", + "privilege": "DeleteThreatIntelSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "threatintelset*" } ] }, { "access_level": "Read", - "description": "This action returns information about a job, including where the job is in the processing pipeline, the status of the results, and the signature value associated with the job.", - "privilege": "GetStatus", + "description": "Grants permission to retrieve details about the delegated administrator associated with a GuardDuty detector", + "privilege": "DescribeOrganizationConfiguration", "resource_types": [ { "condition_keys": [], 
@@ -76501,21 +87069,21 @@ ] }, { - "access_level": "List", - "description": "This action returns the jobs associated with the requester.", - "privilege": "ListJobs", + "access_level": "Read", + "description": "Grants permission to retrieve details about a publishing destination", + "privilege": "DescribePublishingDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "publishingDestination*" } ] }, { "access_level": "Write", - "description": "You use this action to change the parameters specified in the original manifest file by supplying a new manifest file.", - "privilege": "UpdateJob", + "description": "Grants permission to disable the organization delegated administrator for GuardDuty", + "privilege": "DisableOrganizationAdminAccount", "resource_types": [ { "condition_keys": [], @@ -76523,19 +87091,11 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS Import Export Disk Service" - }, - { - "conditions": [], - "prefix": "inspector", - "privileges": [ + }, { "access_level": "Write", - "description": "Assigns attributes (key and value pairs) to the findings that are specified by the ARNs of the findings.", - "privilege": "AddAttributesToFindings", + "description": "Grants permission to disassociate a GuardDuty member account from its GuardDuty master account", + "privilege": "DisassociateFromMasterAccount", "resource_types": [ { "condition_keys": [], @@ -76546,8 +87106,8 @@ }, { "access_level": "Write", - "description": "Creates a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup.", - "privilege": "CreateAssessmentTarget", + "description": "Grants permission to disassociate GuardDuty member accounts from their master GuardDuty account", + "privilege": "DisassociateMembers", "resource_types": [ { "condition_keys": [], 
@@ -76558,8 +87118,8 @@ }, { "access_level": "Write", - "description": "Creates an assessment template for the assessment target that is specified by the ARN of the assessment target.", - "privilege": "CreateAssessmentTemplate", + "description": "Grants permission to enable an organization delegated administrator for GuardDuty", + "privilege": "EnableOrganizationAdminAccount", "resource_types": [ { "condition_keys": [], @@ -76569,33 +87129,33 @@ ] }, { - "access_level": "Write", - "description": "Creates a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target.", - "privilege": "CreateResourceGroup", + "access_level": "Read", + "description": "Grants permission to retrieve GuardDuty detectors", + "privilege": "GetDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "detector*" } ] }, { - "access_level": "Write", - "description": "Deletes the assessment run that is specified by the ARN of the assessment run.", - "privilege": "DeleteAssessmentRun", + "access_level": "Read", + "description": "Grants permission to retrieve GuardDuty filters", + "privilege": "GetFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "filter*" } ] }, { - "access_level": "Write", - "description": "Deletes the assessment target that is specified by the ARN of the assessment target.", - "privilege": "DeleteAssessmentTarget", + "access_level": "Read", + "description": "Grants permission to retrieve GuardDuty findings", + "privilege": "GetFindings", "resource_types": [ { "condition_keys": [], 
@@ -76605,9 +87165,9 @@ ] }, { - "access_level": "Write", - "description": "Deletes the assessment template that is specified by the ARN of the assessment template.", - "privilege": "DeleteAssessmentTemplate", + "access_level": "Read", + "description": "Grants permission to retrieve a list of GuardDuty finding statistics", + "privilege": "GetFindingsStatistics", "resource_types": [ { "condition_keys": [], @@ -76618,20 +87178,20 @@ }, { "access_level": "Read", - "description": "Describes the assessment runs that are specified by the ARNs of the assessment runs.", - "privilege": "DescribeAssessmentRuns", + "description": "Grants permsission to retrieve GuardDuty IPSets", + "privilege": "GetIPSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ipset*" } ] }, { "access_level": "Read", - "description": "Describes the assessment targets that are specified by the ARNs of the assessment targets.", - "privilege": "DescribeAssessmentTargets", + "description": "Grants permission to retrieve the count of all GuardDuty invitations sent to a specified account, which does not include the accepted invitation", + "privilege": "GetInvitationsCount", "resource_types": [ { "condition_keys": [], @@ -76642,8 +87202,8 @@ }, { "access_level": "Read", - "description": "Describes the assessment templates that are specified by the ARNs of the assessment templates.", - "privilege": "DescribeAssessmentTemplates", + "description": "Grants permission to retrieve details of the GuardDuty master account associated with a member account", + "privilege": "GetMasterAccount", "resource_types": [ { "condition_keys": [], 
@@ -76654,8 +87214,8 @@ }, { "access_level": "Read", - "description": "Describes the IAM role that enables Amazon Inspector to access your AWS account.", - "privilege": "DescribeCrossAccountAccessRole", + "description": "Grants permission to describe which data sources are enabled for member accounts detectors", + "privilege": "GetMemberDetectors", "resource_types": [ { "condition_keys": [], @@ -76666,8 +87226,8 @@ }, { "access_level": "Read", - "description": "Describes the findings that are specified by the ARNs of the findings.", - "privilege": "DescribeFindings", + "description": "Grants permission to retrieve the member accounts associated with a master account", + "privilege": "GetMembers", "resource_types": [ { "condition_keys": [], @@ -76678,20 +87238,20 @@ }, { "access_level": "Read", - "description": "Describes the resource groups that are specified by the ARNs of the resource groups.", - "privilege": "DescribeResourceGroups", + "description": "Grants permission to retrieve GuardDuty ThreatIntelSets", + "privilege": "GetThreatIntelSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "threatintelset*" } ] }, { "access_level": "Read", - "description": "Describes the rules packages that are specified by the ARNs of the rules packages.", - "privilege": "DescribeRulesPackages", + "description": "Grants permission to list Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID", + "privilege": "GetUsageStatistics", "resource_types": [ { "condition_keys": [], 
@@ -76701,9 +87261,9 @@ ] }, { - "access_level": "Read", - "description": "Information about the data that is collected for the specified assessment run.", - "privilege": "GetTelemetryMetadata", + "access_level": "Write", + "description": "Grants permission to invite other AWS accounts to enable GuardDuty and become GuardDuty member accounts", + "privilege": "InviteMembers", "resource_types": [ { "condition_keys": [], @@ -76714,8 +87274,8 @@ }, { "access_level": "List", - "description": "Lists the agents of the assessment runs that are specified by the ARNs of the assessment runs.", - "privilege": "ListAssessmentRunAgents", + "description": "Grants permission to retrieve a list of GuardDuty detectors", + "privilege": "ListDetectors", "resource_types": [ { "condition_keys": [], @@ -76726,8 +87286,8 @@ }, { "access_level": "List", - "description": "Lists the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates.", - "privilege": "ListAssessmentRuns", + "description": "Grants permission to retrieve a list of GuardDuty filters", + "privilege": "ListFilters", "resource_types": [ { "condition_keys": [], @@ -76738,8 +87298,8 @@ }, { "access_level": "List", - "description": "Lists the ARNs of the assessment targets within this AWS account.", - "privilege": "ListAssessmentTargets", + "description": "Grants permission to retrieve a list of GuardDuty findings", + "privilege": "ListFindings", "resource_types": [ { "condition_keys": [], @@ -76750,8 +87310,8 @@ }, { "access_level": "List", - "description": "Lists the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets.", - "privilege": "ListAssessmentTemplates", + "description": "Grants permission to retrieve a list of GuardDuty IPSets", + "privilege": "ListIPSets", "resource_types": [ { "condition_keys": [], 
@@ -76762,8 +87322,8 @@ }, { "access_level": "List", - "description": "Lists all the event subscriptions for the assessment template that is specified by the ARN of the assessment template.", - "privilege": "ListEventSubscriptions", + "description": "Grants permission to retrieve a lists of all of the GuardDuty membership invitations that were sent to an AWS account", + "privilege": "ListInvitations", "resource_types": [ { "condition_keys": [], @@ -76774,8 +87334,8 @@ }, { "access_level": "List", - "description": "Lists findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs.", - "privilege": "ListFindings", + "description": "Grants permission to retrierve a lsit of GuardDuty member accounts associated with a master account", + "privilege": "ListMembers", "resource_types": [ { "condition_keys": [], @@ -76786,8 +87346,8 @@ }, { "access_level": "List", - "description": "Lists all available Amazon Inspector rules packages.", - "privilege": "ListRulesPackages", + "description": "Grants permission to list details about the organization delegated administrator for GuardDuty", + "privilege": "ListOrganizationAdminAccounts", "resource_types": [ { "condition_keys": [], @@ -76798,8 +87358,8 @@ }, { "access_level": "List", - "description": "Lists all tags associated with an assessment template.", - "privilege": "ListTagsForResource", + "description": "Grants permission to retrieve a list of publishing destinations", + "privilege": "ListPublishingDestinations", "resource_types": [ { "condition_keys": [], 
@@ -76810,56 +87370,35 @@ }, { "access_level": "Read", - "description": "Previews the agents installed on the EC2 instances that are part of the specified assessment target.", - "privilege": "PreviewAgents", + "description": "Grants permission to retrieve a list of tags associated with a GuardDuty resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Registers the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action.", - "privilege": "RegisterCrossAccountAccessRole", - "resource_types": [ + "resource_type": "detector" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Removes entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists.", - "privilege": "RemoveAttributesFromFindings", - "resource_types": [ + "resource_type": "filter" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Sets tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template.", - "privilege": "SetTagsForResource", - "resource_types": [ + "resource_type": "ipset" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "threatintelset" } ] }, { - "access_level": "Write", - "description": "Starts the assessment run specified by the ARN of the assessment template.", - "privilege": "StartAssessmentRun", + "access_level": "List", + "description": "Grants permission to retrieve a list of GuardDuty ThreatIntelSets", + "privilege": "ListThreatIntelSets", "resource_types": [ { "condition_keys": [], 
@@ -76870,8 +87409,8 @@ }, { "access_level": "Write", - "description": "Stops the assessment run that is specified by the ARN of the assessment run.", - "privilege": "StopAssessmentRun", + "description": "Grants permission to a GuardDuty administrator account to monitor findings from GuardDuty member accounts", + "privilege": "StartMonitoringMembers", "resource_types": [ { "condition_keys": [], @@ -76882,8 +87421,8 @@ }, { "access_level": "Write", - "description": "Enables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic.", - "privilege": "SubscribeToEvent", + "description": "Grants permission to disable monitoring findings from member accounts", + "privilege": "StopMonitoringMembers", "resource_types": [ { "condition_keys": [], 
@@ -76893,196 +87432,114 @@ ] }, { - "access_level": "Write", - "description": "Disables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic.", - "privilege": "UnsubscribeFromEvent", + "access_level": "Tagging", + "description": "Grants permission to add tags to a GuardDuty resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Updates the assessment target that is specified by the ARN of the assessment target.", - "privilege": "UpdateAssessmentTarget", - "resource_types": [ + "resource_type": "detector" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "Amazon Inspector" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to IoT.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag key component of a tag attached to an IoT resource.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the resource in the request.", - "type": "String" - }, - { - "condition": "iot:Delete", - "description": "The flag indicating whether or not to also delete an IoT Tunnel immediately", - "type": "Bool" - }, - { - "condition": "iot:DomainName", - "description": "Filters actions based on the domain name of an IoT DomainConfiguration", - "type": "String" - }, - { - "condition": "iot:ThingGroupArn", - "description": "The list of all IoT Thing Group ARNs that the destination IoT Thing belongs to for an IoT Tunnel", - "type": "String" - }, - { - "condition": "iot:TunnelDestinationService", - "description": "The list of all destination services for an IoT Tunnel", - "type": "String" - 
} - ], - "prefix": "iot", - "privileges": [ - { - "access_level": "Write", - "description": "Accepts a pending certificate transfer.", - "privilege": "AcceptCertificateTransfer", - "resource_types": [ + "resource_type": "filter" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" - } - ] - }, - { - "access_level": "Write", - "description": "Adds a thing to the specified billing group.", - "privilege": "AddThingToBillingGroup", - "resource_types": [ + "resource_type": "ipset" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "billinggroup*" + "resource_type": "threatintelset" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Adds a thing to the specified thing group.", - "privilege": "AddThingToThingGroup", + "description": "Grants permission to unarchive GuardDuty findings", + "privilege": "UnarchiveFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thinggroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Associates a group with a continuous job.", - "privilege": "AssociateTargetsWithJob", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a GuardDuty resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "detector" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "filter" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Attaches a policy to the specified target.", - 
"privilege": "AttachPolicy", - "resource_types": [ + "resource_type": "ipset" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert" + "resource_type": "threatintelset" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "thinggroup" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Attaches the specified policy to the specified principal (certificate or other credential).", - "privilege": "AttachPrincipalPolicy", + "access_level": "Write", + "description": "Grants permission to update GuardDuty detectors", + "privilege": "UpdateDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert" + "resource_type": "detector*" } ] }, { "access_level": "Write", - "description": "Associates a Device Defender security profile with a thing group or with this account.", - "privilege": "AttachSecurityProfile", + "description": "Grants permission to updates GuardDuty filters", + "privilege": "UpdateFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dimension" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thinggroup" + "resource_type": "filter*" } ] }, { "access_level": "Write", - "description": "Attaches the specified principal to the specified thing.", - "privilege": "AttachThingPrincipal", + "description": "Grants permission to update findings feedback to mark GuardDuty findings as useful or not useful", + "privilege": "UpdateFindingsFeedback", "resource_types": [ { "condition_keys": [], 
@@ -77093,20 +87550,20 @@ }, { "access_level": "Write", - "description": "Cancels a mitigation action task that is in progress.", - "privilege": "CancelAuditMitigationActionsTask", + "description": "Grants permission to update GuardDuty IPSets", + "privilege": "UpdateIPSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ipset*" } ] }, { "access_level": "Write", - "description": "Cancels an audit that is in progress. The audit can be either scheduled or on-demand.", - "privilege": "CancelAuditTask", + "description": "Grants permission to update which data sources are enabled for member accounts detectors", + "privilege": "UpdateMemberDetectors", "resource_types": [ { "condition_keys": [], 
@@ -77117,70 +87574,124 @@ }, { "access_level": "Write", - "description": "Cancels a pending transfer for the specified certificate.", - "privilege": "CancelCertificateTransfer", + "description": "Grants permission to update the delegated administrator configuration associated with a GuardDuty detector", + "privilege": "UpdateOrganizationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Cancels a job.", - "privilege": "CancelJob", + "description": "Grants permission to update a publishing destination", + "privilege": "UpdatePublishingDestination", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "job*" + "dependent_actions": [ + "s3:GetObject", + "s3:ListBucket" + ], + "resource_type": "publishingDestination*" } ] }, { "access_level": "Write", - "description": "Cancels a job execution on a particular device.", - "privilege": "CancelJobExecution", + "description": "Grants permission to updates the GuardDuty ThreatIntelSets", + "privilege": "UpdateThreatIntelSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "threatintelset*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "detector" }, { - "access_level": "Write", - "description": "Clears the default authorizer.", - "privilege": "ClearDefaultAuthorizer", + "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/filter/${FilterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "filter" + }, + { + "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/ipset/${IPSetId}", + 
"condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ipset" + }, + { + "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/threatintelset/${ThreatIntelSetId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "threatintelset" + }, + { + "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/publishingDestination/${PublishingDestinationId}", + "condition_keys": [], + "resource": "publishingDestination" + } + ], + "service_name": "Amazon GuardDuty" + }, + { + "conditions": [ + { + "condition": "health:eventTypeCode", + "description": "The type of event.", + "type": "String" + }, + { + "condition": "health:service", + "description": "The service of the event.", + "type": "String" + } + ], + "prefix": "health", + "privileges": [ + { + "access_level": "Read", + "description": "Gets a list of accounts that have been affected by the specified events in organization.", + "privilege": "DescribeAffectedAccountsForOrganization", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "organizations:ListAccounts" + ], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Closes a tunnel.", - "privilege": "CloseTunnel", + "access_level": "Read", + "description": "Gets a list of entities that have been affected by the specified events.", + "privilege": "DescribeAffectedEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tunnel*" + "resource_type": "event*" }, { "condition_keys": [ - "iot:Delete" + "health:eventTypeCode", + "health:service" ], "dependent_actions": [], "resource_type": "" 
@@ -77188,21 +87699,23 @@ ] }, { - "access_level": "Write", - "description": "Connect as the specified client", - "privilege": "Connect", + "access_level": "Read", + "description": "Gets a list of entities that have been affected by the specified events and accounts in organization.", + "privilege": "DescribeAffectedEntitiesForOrganization", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "client*" + "dependent_actions": [ + "organizations:ListAccounts" + ], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a Device Defender audit suppression.", - "privilege": "CreateAuditSuppression", + "access_level": "Read", + "description": "Returns the number of entities that are affected by each of the specified events.", + "privilege": "DescribeEntityAggregates", "resource_types": [ { "condition_keys": [], 
@@ -77212,39 +87725,31 @@ ] }, { - "access_level": "Write", - "description": "Creates an authorizer.", - "privilege": "CreateAuthorizer", + "access_level": "Read", + "description": "Returns the number of events of each event type (issue, scheduled change, and account notification).", + "privilege": "DescribeEventAggregates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "authorizer*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Creates a billing group.", - "privilege": "CreateBillingGroup", + "access_level": "Read", + "description": "Returns detailed information about one or more specified events.", + "privilege": "DescribeEventDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "billinggroup*" + "resource_type": "event*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "health:eventTypeCode", + "health:service" ], "dependent_actions": [], "resource_type": "" 
@@ -77252,155 +87757,137 @@ ] }, { - "access_level": "Write", - "description": "Creates an X.509 certificate using the specified certificate signing request.", - "privilege": "CreateCertificateFromCsr", + "access_level": "Read", + "description": "Returns detailed information about one or more specified events for provided accounts in organization.", + "privilege": "DescribeEventDetailsForOrganization", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "organizations:ListAccounts" + ], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Defines a dimension that can be used to to limit the scope of a metric used in a security profile.", - "privilege": "CreateDimension", + "access_level": "Read", + "description": "Returns the event types that meet the specified filter criteria.", + "privilege": "DescribeEventTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dimension*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a domain configuration.", - "privilege": "CreateDomainConfiguration", + "access_level": "Read", + "description": "Returns information about events that meet the specified filter criteria.", + "privilege": "DescribeEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domainconfiguration*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "iot:DomainName" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Creates a Dynamic Thing Group", - "privilege": "CreateDynamicThingGroup", + "access_level": "Read", + "description": "Returns information about events that meet the specified filter criteria in organization.", + "privilege": "DescribeEventsForOrganization", 
"resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "dynamicthinggroup*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "organizations:ListAccounts" ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Creates a fleet metric", - "privilege": "CreateFleetMetric", + "access_level": "Read", + "description": "Returns the status of enabling or disabling the Organizational View feature", + "privilege": "DescribeHealthServiceStatusForOrganization", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "fleetmetric*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "organizations:ListAccounts" ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a job.", - "privilege": "CreateJob", + "access_level": "Permissions management", + "description": "Disables the Organizational View feature.", + "privilege": "DisableHealthServiceAccessForOrganization", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "job*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thinggroup*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "organizations:DisableAWSServiceAccess", + "organizations:ListAccounts" ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a 2048 bit RSA key pair and issues an X.509 certificate using the issued public key.", - "privilege": "CreateKeysAndCertificate", + "access_level": "Permissions management", + "description": 
"Enables the Organizational View feature.", + "privilege": "EnableHealthServiceAccessForOrganization", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "organizations:EnableAWSServiceAccess", + "organizations:ListAccounts" + ], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:health:*::event/${Service}/${EventTypeCode}/*", + "condition_keys": [], + "resource": "event" + } + ], + "service_name": "AWS Health APIs and Notifications" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "healthlake", + "privileges": [ { "access_level": "Write", - "description": "Defines an action that can be applied to audit findings by using StartAuditMitigationActionsTask.", - "privilege": "CreateMitigationAction", + "description": "Grants permission to create a datastore that can ingest and export FHIR data", + "privilege": "CreateFHIRDatastore", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mitigationaction*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -77413,236 +87900,211 @@ }, { "access_level": "Write", - "description": "Creates an OTA update job.", - "privilege": "CreateOTAUpdate", + "description": "Grants permission to create resource", + "privilege": "CreateResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "otaupdate*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] }, { "access_level": "Write", - "description": "Creates an AWS IoT policy.", - "privilege": "CreatePolicy", + "description": "Grants permission to delete a datastore", + "privilege": "DeleteFHIRDatastore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] }, { "access_level": "Write", - "description": "Creates a new version of the specified AWS IoT policy.", - "privilege": "CreatePolicyVersion", + "description": "Grants permission to delete resource", + "privilege": "DeleteResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "datastore*" } ] }, { - "access_level": "Write", - "description": "Creates a provisioning claim.", - "privilege": "CreateProvisioningClaim", + "access_level": "Read", + "description": "Grants permission to get the properties associated with the FHIR datastore, including the datastore ID, datastore ARN, datastore name, datastore status, created at, datastore type version, and datastore endpoint", + "privilege": "DescribeFHIRDatastore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" + "resource_type": "datastore*" } ] }, { - "access_level": "Write", - "description": "Creates a fleet provisioning template.", - 
"privilege": "CreateProvisioningTemplate", + "access_level": "Read", + "description": "Grants permission to display the properties of a FHIR export job, including the ID, ARN, name, and the status of the datastore", + "privilege": "DescribeFHIRExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] }, { - "access_level": "Write", - "description": "Creates a new version of a fleet provisioning template.", - "privilege": "CreateProvisioningTemplateVersion", + "access_level": "Read", + "description": "Grants permission to display the properties of a FHIR import job, including the ID, ARN, name, and the status of the datastore", + "privilege": "DescribeFHIRImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" + "resource_type": "datastore*" } ] }, { - "access_level": "Write", - "description": "Creates a role alias.", - "privilege": "CreateRoleAlias", + "access_level": "Read", + "description": "Grants permission to get the capabilities of a FHIR datastore", + "privilege": "GetCapabilities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rolealias*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] }, { - "access_level": "Write", - "description": "Creates a scheduled audit that is run at a specified time interval.", - "privilege": "CreateScheduledAudit", + "access_level": "List", + "description": "Grants permission to list all FHIR datastores that are in the user\u2019s account, regardless of datastore status", + "privilege": "ListFHIRDatastores", "resource_types": [ { "condition_keys": [], "dependent_actions": [], 
- "resource_type": "scheduledaudit*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a Device Defender security profile.", - "privilege": "CreateSecurityProfile", + "access_level": "List", + "description": "Grants permission to get a list of export jobs for the specified datastore", + "privilege": "ListFHIRExportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile*" - }, + "resource_type": "datastore*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of import jobs for the specified datastore", + "privilege": "ListFHIRImportJobs", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dimension" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] }, { - "access_level": "Write", - "description": "Creates a new AWS IoT stream", - "privilege": "CreateStream", + "access_level": "Read", + "description": "Grants permission to get a list of tags for the specified datastore", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - }, + "resource_type": "datastore" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to read resource", + "privilege": "ReadResource", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] }, { - "access_level": "Write", - "description": "Creates a thing in the thing registry.", - "privilege": "CreateThing", + "access_level": "Read", + "description": "Grants permission to search resources with GET 
method", + "privilege": "SearchWithGet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" - }, + "resource_type": "datastore*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search resources with POST method", + "privilege": "SearchWithPost", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "billinggroup" + "resource_type": "datastore*" } ] }, { - "access_level": "Tagging", - "description": "Creates a thing group.", - "privilege": "CreateThingGroup", + "access_level": "Write", + "description": "Grants permission to begin a FHIR Export job", + "privilege": "StartFHIRExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup*" - }, + "resource_type": "datastore*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to begin a FHIR Import job", + "privilege": "StartFHIRImportJob", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] }, { "access_level": "Tagging", - "description": "Creates a new thing type.", - "privilege": "CreateThingType", + "description": "Grants permission to add tags to a datastore", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thingtype*" + "resource_type": "datastore" }, { "condition_keys": [ + "aws:TagKeys", "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -77650,18 +88112,17 @@ ] }, { - "access_level": "Write", - "description": "Creates a rule.", - "privilege": "CreateTopicRule", + "access_level": "Tagging", + "description": "Grants permission to remove tags associated with a datastore", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "datastore" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -77671,20 +88132,36 @@ }, { "access_level": "Write", - "description": "Deletes the audit configuration associated with the account.", - "privilege": "DeleteAccountAuditConfiguration", + "description": "Grants permission to update resource", + "privilege": "UpdateResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datastore*" } ] - }, + } + ], + "resources": [ + { + "arn": "arn:${Partition}:healthlake:${Region}:${AccountId}:datastore/fhir/${DatastoreId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "datastore" + } + ], + "service_name": "Amazon HealthLake" + }, + { + "conditions": [], + "prefix": "honeycode", + "privileges": [ { "access_level": "Write", - "description": "Deletes a Device Defender audit suppression.", - "privilege": "DeleteAuditSuppression", + "description": "Grants permission to approve a team association request for your AWS Account", + "privilege": "ApproveTeamAssociation", "resource_types": [ { "condition_keys": [], 
@@ -77695,205 +88172,200 @@ }, { "access_level": "Write", - "description": "Deletes the specified authorizer.", - "privilege": "DeleteAuthorizer", + "description": "Grants permission to create new rows in a table", + "privilege": "BatchCreateTableRows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "authorizer*" + "resource_type": "table*" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified billing group.", - "privilege": "DeleteBillingGroup", + "access_level": "Write", + "description": "Grants permission to delete rows from a table", + "privilege": "BatchDeleteTableRows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "billinggroup*" + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Deletes a registered CA certificate.", - "privilege": "DeleteCACertificate", + "description": "Grants permission to update rows in a table", + "privilege": "BatchUpdateTableRows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cacert*" + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Deletes the specified certificate.", - "privilege": "DeleteCertificate", + "description": "Grants permission to upsert rows in a table", + "privilege": "BatchUpsertTableRows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Removes the specified dimension from your AWS account.", - "privilege": "DeleteDimension", + "description": "Grants permission to create a new Amazon Honeycode team for your AWS Account", + "privilege": "CreateTeam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dimension*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a domain configuration.", - "privilege": 
"DeleteDomainConfiguration", + "description": "Grants permission to create a new tenant within Amazon Honeycode for your AWS Account", + "privilege": "CreateTenant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domainconfiguration*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified Dynamic Thing Group", - "privilege": "DeleteDynamicThingGroup", + "access_level": "Write", + "description": "Grants permission to remove groups from an Amazon Honeycode team for your AWS Account", + "privilege": "DeregisterGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dynamicthinggroup*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified fleet metric", - "privilege": "DeleteFleetMetric", + "access_level": "Read", + "description": "Grants permission to get details about a table data import job", + "privilege": "DescribeTableDataImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleetmetric*" + "resource_type": "table*" } ] }, { - "access_level": "Write", - "description": "Deletes a job and its related job executions.", - "privilege": "DeleteJob", + "access_level": "Read", + "description": "Grants permission to get details about Amazon Honeycode teams for your AWS Account", + "privilege": "DescribeTeam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a job execution.", - "privilege": "DeleteJobExecution", + "access_level": "Read", + "description": "Grants permission to load the data from a screen", + "privilege": "GetScreenData", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" + 
"resource_type": "screen*" } ] }, { "access_level": "Write", - "description": "Deletes a defined mitigation action from your AWS account.", - "privilege": "DeleteMitigationAction", + "description": "Grants permission to invoke a screen automation", + "privilege": "InvokeScreenAutomation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mitigationaction*" + "resource_type": "screen-automation*" } ] }, { - "access_level": "Write", - "description": "Deletes an OTA update job.", - "privilege": "DeleteOTAUpdate", + "access_level": "List", + "description": "Grants permission to list all Amazon Honeycode domains and their verification status for your AWS Account", + "privilege": "ListDomains", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "otaupdate*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified policy.", - "privilege": "DeletePolicy", + "access_level": "List", + "description": "Grants permission to list all groups in an Amazon Honeycode team for your AWS Account", + "privilege": "ListGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified version of the specified policy.", - "privilege": "DeletePolicyVersion", + "access_level": "List", + "description": "Grants permission to list the columns in a table", + "privilege": "ListTableColumns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "table*" } ] }, { - "access_level": "Write", - "description": "Deletes a fleet provisioning template.", - "privilege": "DeleteProvisioningTemplate", + "access_level": "List", + "description": "Grants permission to list the rows in a table", + "privilege": "ListTableRows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "provisioningtemplate*" + "resource_type": "table*" } ] }, { - "access_level": "Write", - "description": "Deletes a fleet provisioning template version.", - "privilege": "DeleteProvisioningTemplateVersion", + "access_level": "List", + "description": "Grants permission to list the tables in a workbook", + "privilege": "ListTables", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" + "resource_type": "workbook*" } ] }, { - "access_level": "Write", - "description": "Deletes a CA certificate registration code.", - "privilege": "DeleteRegistrationCode", + "access_level": "List", + "description": "Grants permission to list all pending and approved team associations with your AWS Account", + "privilege": "ListTeamAssociations", "resource_types": [ { "condition_keys": [], 
@@ -77903,778 +88375,1032 @@ ] }, { - "access_level": "Write", - "description": "Deletes the specified role alias.", - "privilege": "DeleteRoleAlias", + "access_level": "List", + "description": "Grants permission to list all tenants of Amazon Honeycode for your AWS Account", + "privilege": "ListTenants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rolealias*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a scheduled audit.", - "privilege": "DeleteScheduledAudit", + "access_level": "Read", + "description": "Grants permission to query the rows of a table using a filter", + "privilege": "QueryTableRows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "scheduledaudit*" + "resource_type": "table*" } ] }, { "access_level": "Write", - "description": "Deletes a Device Defender security profile.", - "privilege": "DeleteSecurityProfile", + "description": "Grants permission to request verification of the Amazon Honeycode domains for your AWS Account", + "privilege": "RegisterDomainForVerification", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dimension" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a specified stream.", - "privilege": "DeleteStream", + "description": "Grants permission to add groups to an Amazon Honeycode team for your AWS Account", + "privilege": "RegisterGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the specified thing.", - "privilege": "DeleteThing", + "description": "Grants permission to reject a team association request for your AWS Account", + "privilege": "RejectTeamAssociation", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified thing group.", - "privilege": "DeleteThingGroup", + "access_level": "Write", + "description": "Grants permission to restart verification of the Amazon Honeycode domains for your AWS Account", + "privilege": "RestartDomainVerification", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the specified thing shadow.", - "privilege": "DeleteThingShadow", + "description": "Grants permission to start a table data import job", + "privilege": "StartTableDataImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "table*" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified thing type.", - "privilege": "DeleteThingType", + "access_level": "Write", + "description": "Grants permission to update an Amazon Honeycode team for your AWS Account", + "privilege": "UpdateTeam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thingtype*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:honeycode:${Region}:${Account}:workbook:workbook/${WorkbookId}", + "condition_keys": [], + "resource": "workbook" + }, + { + "arn": "arn:${Partition}:honeycode:${Region}:${Account}:table:workbook/${WorkbookId}/table/${TableId}", + "condition_keys": [], + "resource": "table" + }, + { + "arn": "arn:${Partition}:honeycode:${Region}:${Account}:screen:workbook/${WorkbookId}/app/${AppId}/screen/${ScreenId}", + "condition_keys": [], + "resource": "screen" + }, + { + "arn": "arn:${Partition}:honeycode:${Region}:${Account}:screen-automation:workbook/${WorkbookId}/app/${AppId}/screen/${ScreenId}/automation/${AutomationId}", + 
"condition_keys": [], + "resource": "screen-automation" + } + ], + "service_name": "Amazon Honeycode" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" + }, + { + "condition": "iam:AWSServiceName", + "description": "Filters access by the AWS service to which this role is attached", + "type": "String" + }, + { + "condition": "iam:AssociatedResourceArn", + "description": "Filters by the resource that the role will be used on behalf of", + "type": "ARN" + }, + { + "condition": "iam:OrganizationsPolicyId", + "description": "Filters access by the ID of an AWS Organizations policy", + "type": "String" + }, + { + "condition": "iam:PassedToService", + "description": "Filters access by the AWS service to which this role is passed", + "type": "String" + }, + { + "condition": "iam:PermissionsBoundary", + "description": "Filters access if the specified policy is set as the permissions boundary on the IAM entity (user or role)", + "type": "String" + }, + { + "condition": "iam:PolicyARN", + "description": "Filters access by the ARN of an IAM policy", + "type": "ARN" }, + { + "condition": "iam:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to an IAM entity (user or role)", + "type": "String" + } + ], + "prefix": "iam", + "privileges": [ { "access_level": "Write", - "description": "Deletes the specified rule.", - "privilege": "DeleteTopicRule", + "description": "Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource", + "privilege": 
"AddClientIDToOpenIDConnectProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "oidc-provider*" } ] }, { "access_level": "Write", - "description": "Deletes the specified v2 logging level.", - "privilege": "DeleteV2LoggingLevel", + "description": "Grants permission to add an IAM role to the specified instance profile", + "privilege": "AddRoleToInstanceProfile", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "instance-profile*" } ] }, { "access_level": "Write", - "description": "Deprecates the specified thing type.", - "privilege": "DeprecateThingType", + "description": "Grants permission to add an IAM user to the specified IAM group", + "privilege": "AddUserToGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thingtype*" + "resource_type": "group*" } ] }, { - "access_level": "Read", - "description": "Gets information about audit configurations for the account.", - "privilege": "DescribeAccountAuditConfiguration", + "access_level": "Permissions management", + "description": "Grants permission to attach a managed policy to the specified IAM group", + "privilege": "AttachGroupPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "iam:PolicyARN" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about a single audit finding. 
Properties include the reason for noncompliance, the severity of the issue, and when the audit that returned the finding was started.", - "privilege": "DescribeAuditFinding", + "access_level": "Permissions management", + "description": "Grants permission to attach a managed policy to the specified IAM role", + "privilege": "AttachRolePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "role*" + }, + { + "condition_keys": [ + "iam:PolicyARN", + "iam:PermissionsBoundary" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about an audit mitigation task that is used to apply mitigation actions to a set of audit findings.", - "privilege": "DescribeAuditMitigationActionsTask", + "access_level": "Permissions management", + "description": "Grants permission to attach a managed policy to the specified IAM user", + "privilege": "AttachUserPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "iam:PolicyARN", + "iam:PermissionsBoundary" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about a Device Defender audit suppression.", - "privilege": "DescribeAuditSuppression", + "access_level": "Write", + "description": "Grants permission for an IAM user to to change their own password", + "privilege": "ChangePassword", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Gets information about a Device Defender audit.", - "privilege": "DescribeAuditTask", + "access_level": "Write", + "description": "Grants permission to create access key and secret access key for the specified IAM user", + "privilege": "CreateAccessKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Describes an authorizer.", - "privilege": "DescribeAuthorizer", + "access_level": "Write", + "description": "Grants permission to create an alias for your AWS account", + "privilege": "CreateAccountAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "authorizer*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified billing group.", - "privilege": "DescribeBillingGroup", + "access_level": "Write", + "description": "Grants permission to create a new group", + "privilege": "CreateGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "billinggroup*" + "resource_type": "group*" } ] }, { - "access_level": "Read", - "description": "Describes a registered CA certificate.", - "privilege": "DescribeCACertificate", + "access_level": "Write", + "description": "Grants permission to create a new instance profile", + "privilege": "CreateInstanceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cacert*" + "resource_type": "instance-profile*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified certificate.", - "privilege": "DescribeCertificate", + "access_level": "Write", + "description": "Grants permission to create a password for the specified IAM user", + "privilege": "CreateLoginProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Describes the default authorizer.", - "privilege": "DescribeDefaultAuthorizer", + "access_level": "Write", + "description": "Grants permission to create an IAM 
resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC)", + "privilege": "CreateOpenIDConnectProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "oidc-provider*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Provides details about a dimension that is defined in your AWS account.", - "privilege": "DescribeDimension", + "access_level": "Permissions management", + "description": "Grants permission to create a new managed policy", + "privilege": "CreatePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dimension*" + "resource_type": "policy*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about the domain configuration.", - "privilege": "DescribeDomainConfiguration", + "access_level": "Permissions management", + "description": "Grants permission to create a new version of the specified managed policy", + "privilege": "CreatePolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domainconfiguration*" + "resource_type": "policy*" } ] }, { - "access_level": "Read", - "description": "Returns a unique endpoint specific to the AWS account making the call.", - "privilege": "DescribeEndpoint", + "access_level": "Write", + "description": "Grants permission to create a new role", + "privilege": "CreateRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "role*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary", + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns 
account event configurations.", - "privilege": "DescribeEventConfigurations", + "access_level": "Write", + "description": "Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0", + "privilege": "CreateSAMLProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "saml-provider*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified fleet metric.", - "privilege": "DescribeFleetMetric", + "access_level": "Write", + "description": "Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf", + "privilege": "CreateServiceLinkedRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleetmetric*" + "resource_type": "role*" + }, + { + "condition_keys": [ + "iam:AWSServiceName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified index.", - "privilege": "DescribeIndex", + "access_level": "Write", + "description": "Grants permission to create a new service-specific credential for an IAM user", + "privilege": "CreateServiceSpecificCredential", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Describes a job.", - "privilege": "DescribeJob", + "access_level": "Write", + "description": "Grants permission to create a new IAM user", + "privilege": "CreateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary", + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + 
"resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes a job execution.", - "privilege": "DescribeJobExecution", + "access_level": "Write", + "description": "Grants permission to create a new virtual MFA device", + "privilege": "CreateVirtualMFADevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job" + "resource_type": "mfa*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "thing" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about a mitigation action.", - "privilege": "DescribeMitigationAction", + "access_level": "Write", + "description": "Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled", + "privilege": "DeactivateMFADevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mitigationaction*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Returns information about a fleet provisioning template.", - "privilege": "DescribeProvisioningTemplate", + "access_level": "Write", + "description": "Grants permission to delete the access key pair that is associated with the specified IAM user", + "privilege": "DeleteAccessKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Returns information about a fleet provisioning template version.", - "privilege": "DescribeProvisioningTemplateVersion", + "access_level": "Write", + "description": "Grants permission to delete the specified AWS account alias", + "privilege": "DeleteAccountAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" + 
"resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes a role alias.", - "privilege": "DescribeRoleAlias", + "access_level": "Permissions management", + "description": "Grants permission to delete the password policy for the AWS account", + "privilege": "DeleteAccountPasswordPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rolealias*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about a scheduled audit.", - "privilege": "DescribeScheduledAudit", + "access_level": "Write", + "description": "Grants permission to delete the specified IAM group", + "privilege": "DeleteGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "scheduledaudit*" + "resource_type": "group*" } ] }, { - "access_level": "Read", - "description": "Gets information about a Device Defender security profile.", - "privilege": "DescribeSecurityProfile", + "access_level": "Permissions management", + "description": "Grants permission to delete the specified inline policy from its group", + "privilege": "DeleteGroupPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile*" + "resource_type": "group*" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified stream.", - "privilege": "DescribeStream", + "access_level": "Write", + "description": "Grants permission to delete the specified instance profile", + "privilege": "DeleteInstanceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "instance-profile*" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified thing.", - "privilege": "DescribeThing", + "access_level": "Write", + "description": "Grants permission to delete the password for the specified IAM user", + "privilege": "DeleteLoginProfile", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified thing group.", - "privilege": "DescribeThingGroup", + "access_level": "Write", + "description": "Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM", + "privilege": "DeleteOpenIDConnectProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup*" + "resource_type": "oidc-provider*" } ] }, { - "access_level": "Read", - "description": "Gets information about the bulk thing registration task.", - "privilege": "DescribeThingRegistrationTask", + "access_level": "Permissions management", + "description": "Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached", + "privilege": "DeletePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified thing type.", - "privilege": "DescribeThingType", + "access_level": "Permissions management", + "description": "Grants permission to delete a version from the specified managed policy", + "privilege": "DeletePolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thingtype*" + "resource_type": "policy*" } ] }, { - "access_level": "Read", - "description": "Describes a tunnel.", - "privilege": "DescribeTunnel", + "access_level": "Write", + "description": "Grants permission to delete the specified role", + "privilege": "DeleteRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "tunnel*" + "resource_type": "role*" } ] }, { "access_level": "Permissions management", - "description": "Detaches a policy from 
the specified target.", - "privilege": "DetachPolicy", + "description": "Grants permission to remove the permissions boundary from a role", + "privilege": "DeleteRolePermissionsBoundary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert" + "resource_type": "role*" }, { - "condition_keys": [], + "condition_keys": [ + "iam:PermissionsBoundary" + ], "dependent_actions": [], - "resource_type": "thinggroup" + "resource_type": "" } ] }, { "access_level": "Permissions management", - "description": "Removes the specified policy from the specified certificate.", - "privilege": "DetachPrincipalPolicy", + "description": "Grants permission to delete the specified inline policy from the specified role", + "privilege": "DeleteRolePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert" + "resource_type": "role*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Disassociates a Device Defender security profile from a thing group or from this account.", - "privilege": "DetachSecurityProfile", + "description": "Grants permission to delete a SAML provider resource in IAM", + "privilege": "DeleteSAMLProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile*" - }, + "resource_type": "saml-provider*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified SSH public key", + "privilege": "DeleteSSHPublicKey", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dimension" - }, + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified server certificate", + "privilege": "DeleteServerCertificate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "thinggroup" + "resource_type": "server-certificate*" } ] }, { "access_level": "Write", - "description": "Detaches the specified principal from the specified thing.", - "privilege": "DetachThingPrincipal", + "description": "Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it", + "privilege": "DeleteServiceLinkedRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "role*" } ] }, { "access_level": "Write", - "description": "Disables the specified rule.", - "privilege": "DisableTopicRule", + "description": "Grants permission to delete the specified service-specific credential for an IAM user", + "privilege": "DeleteServiceSpecificCredential", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Enables the specified rule.", - "privilege": "EnableTopicRule", + "description": "Grants permission to delete a signing certificate that is associated with the specified IAM user", + "privilege": "DeleteSigningCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Get buckets aggregation for IoT fleet index", - "privilege": "GetBucketsAggregation", + "access_level": "Write", + "description": "Grants permission to delete the specified IAM user", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Get cardinality for IoT fleet index", - "privilege": "GetCardinality", + "access_level": "Permissions management", + "description": "Grants permission to remove the permissions boundary from the specified IAM user", + "privilege": 
"DeleteUserPermissionsBoundary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets effective policies.", - "privilege": "GetEffectivePolicies", + "access_level": "Permissions management", + "description": "Grants permission to delete the specified inline policy from an IAM user", + "privilege": "DeleteUserPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert" + "resource_type": "user*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets current fleet indexing configuration", - "privilege": "GetIndexingConfiguration", + "access_level": "Write", + "description": "Grants permission to delete a virtual MFA device", + "privilege": "DeleteVirtualMFADevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "mfa" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "sms-mfa" } ] }, { - "access_level": "Read", - "description": "Gets a job document.", - "privilege": "GetJobDocument", + "access_level": "Permissions management", + "description": "Grants permission to detach a managed policy from the specified IAM group", + "privilege": "DetachGroupPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "group*" + }, + { + "condition_keys": [ + "iam:PolicyARN" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets the logging options.", - "privilege": "GetLoggingOptions", + "access_level": "Permissions management", + "description": "Grants permission to detach a 
managed policy from the specified role", + "privilege": "DetachRolePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "role*" + }, + { + "condition_keys": [ + "iam:PolicyARN", + "iam:PermissionsBoundary" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets the information about the OTA update job.", - "privilege": "GetOTAUpdate", + "access_level": "Permissions management", + "description": "Grants permission to detach a managed policy from the specified IAM user", + "privilege": "DetachUserPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "otaupdate*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "iam:PolicyARN", + "iam:PermissionsBoundary" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets the list of all jobs for a thing that are not in a terminal state.", - "privilege": "GetPendingJobExecutions", + "access_level": "Write", + "description": "Grants permission to enable an MFA device and associate it with the specified IAM user", + "privilege": "EnableMFADevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "user*" } ] }, { "access_level": "Read", - "description": "Get percentiles for IoT fleet index", - "privilege": "GetPercentiles", + "description": "Grants permission to generate a credential report for the AWS account", + "privilege": "GenerateCredentialReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets information about the specified policy with the policy document of the default version.", - "privilege": "GetPolicy", + "description": "Grants permission to generate an access report for an AWS Organizations entity", + "privilege": 
"GenerateOrganizationsAccessReport", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "organizations:DescribePolicy", + "organizations:ListChildren", + "organizations:ListParents", + "organizations:ListPoliciesForTarget", + "organizations:ListRoots", + "organizations:ListTargetsForPolicy" + ], + "resource_type": "access-report*" + }, + { + "condition_keys": [ + "iam:OrganizationsPolicyId" + ], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets information about the specified policy version.", - "privilege": "GetPolicyVersion", + "description": "Grants permission to generate a service last accessed data report for an IAM resource", + "privilege": "GenerateServiceLastAccessedDetails", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "policy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "role*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" } ] }, { "access_level": "Read", - "description": "Gets a registration code used to register a CA certificate with AWS IoT.", - "privilege": "GetRegistrationCode", + "description": "Grants permission to retrieve information about when the specified access key was last used", + "privilege": "GetAccessKeyLastUsed", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "Read", - "description": "Get statistics for IoT fleet index", - "privilege": "GetStatistics", + "description": "Grants permission to retrieve information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another", + "privilege": "GetAccountAuthorizationDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": 
[], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets the thing shadow.", - "privilege": "GetThingShadow", + "description": "Grants permission to retrieve the password policy for the AWS account", + "privilege": "GetAccountPasswordPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about the specified rule.", - "privilege": "GetTopicRule", + "access_level": "List", + "description": "Grants permission to retrieve information about IAM entity usage and IAM quotas in the AWS account", + "privilege": "GetAccountSummary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets v2 logging options.", - "privilege": "GetV2LoggingOptions", + "description": "Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy", + "privilege": "GetContextKeysForCustomPolicy", "resource_types": [ { "condition_keys": [], 
@@ -78684,26 +89410,31 @@ ] }, { - "access_level": "List", - "description": "Lists the active violations for a given Device Defender security profile or Thing.", - "privilege": "ListActiveViolations", + "access_level": "Read", + "description": "Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role)", + "privilege": "GetContextKeysForPrincipalPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile" + "resource_type": "group" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing" + "resource_type": "role" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" } ] }, { - "access_level": "List", - "description": "Lists the policies attached to the specified thing group.", - "privilege": "ListAttachedPolicies", + "access_level": "Read", + "description": "Grants permission to retrieve a credential report for the AWS account", + "privilege": "GetCredentialReport", "resource_types": [ { "condition_keys": [], 
@@ -78713,69 +89444,69 @@ ] }, { - "access_level": "List", - "description": "Lists the findings (results) of a Device Defender audit or of the audits performed during a specified time period.", - "privilege": "ListAuditFindings", + "access_level": "Read", + "description": "Grants permission to retrieve a list of IAM users in the specified IAM group", + "privilege": "GetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "group*" } ] }, { - "access_level": "List", - "description": "Gets the status of audit mitigation action tasks that were executed.", - "privilege": "ListAuditMitigationActionsExecutions", + "access_level": "Read", + "description": "Grants permission to retrieve an inline policy document that is embedded in the specified IAM group", + "privilege": "GetGroupPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "group*" } ] }, { - "access_level": "List", - "description": "Gets a list of audit mitigation action tasks that match the specified filters.", - "privilege": "ListAuditMitigationActionsTasks", + "access_level": "Read", + "description": "Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role", + "privilege": "GetInstanceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance-profile*" } ] }, { "access_level": "List", - "description": "Lists your Device Defender audit suppressions.", - "privilege": "ListAuditSuppressions", + "description": "Grants permission to retrieve the user name and password creation date for the specified IAM user", + "privilege": "GetLoginProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { - "access_level": "List", - "description": "Lists the Device 
Defender audits that have been performed during a given time period.", - "privilege": "ListAuditTasks", + "access_level": "Read", + "description": "Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM", + "privilege": "GetOpenIDConnectProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "oidc-provider*" } ] }, { - "access_level": "List", - "description": "Lists the authorizers registered in your account.", - "privilege": "ListAuthorizers", + "access_level": "Read", + "description": "Grants permission to retrieve an AWS Organizations access report", + "privilege": "GetOrganizationsAccessReport", "resource_types": [ { "condition_keys": [], 
@@ -78785,93 +89516,93 @@ ] }, { - "access_level": "List", - "description": "Lists all billing groups.", - "privilege": "ListBillingGroups", + "access_level": "Read", + "description": "Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached", + "privilege": "GetPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { - "access_level": "List", - "description": "Lists the CA certificates registered for your AWS account.", - "privilege": "ListCACertificates", + "access_level": "Read", + "description": "Grants permission to retrieve information about a version of the specified managed policy, including the policy document", + "privilege": "GetPolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { - "access_level": "List", - "description": "Lists your certificates.", - "privilege": "ListCertificates", + "access_level": "Read", + "description": "Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy", + "privilege": "GetRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "role*" } ] }, { - "access_level": "List", - "description": "List the device certificates signed by the specified CA certificate.", - "privilege": "ListCertificatesByCA", + "access_level": "Read", + "description": "Grants permission to retrieve an inline policy document that is embedded with the specified IAM role", + "privilege": "GetRolePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "role*" } ] }, { - "access_level": "List", - "description": "Lists the dimensions that are defined for your AWS 
account.", - "privilege": "ListDimensions", + "access_level": "Read", + "description": "Grants permission to retrieve the SAML provider metadocument that was uploaded when the IAM SAML provider resource was created or updated", + "privilege": "GetSAMLProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "saml-provider*" } ] }, { - "access_level": "List", - "description": "Lists the domain configuration created by your AWS account.", - "privilege": "ListDomainConfigurations", + "access_level": "Read", + "description": "Grants permission to retrieve the specified SSH public key, including metadata about the key", + "privilege": "GetSSHPublicKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { - "access_level": "List", - "description": "Lists the fleet metrics in your account.", - "privilege": "ListFleetMetrics", + "access_level": "Read", + "description": "Grants permission to retrieve information about the specified server certificate stored in IAM", + "privilege": "GetServerCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "server-certificate*" } ] }, { - "access_level": "List", - "description": "Lists all indices for fleet index", - "privilege": "ListIndices", + "access_level": "Read", + "description": "Grants permission to retrieve information about the service last accessed data report", + "privilege": "GetServiceLastAccessedDetails", "resource_types": [ { "condition_keys": [], 
@@ -78881,69 +89612,69 @@ ] }, { - "access_level": "List", - "description": "Lists the job executions for a job.", - "privilege": "ListJobExecutionsForJob", + "access_level": "Read", + "description": "Grants permission to retrieve information about the entities from the service last accessed data report", + "privilege": "GetServiceLastAccessedDetailsWithEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists the job executions for the specified thing.", - "privilege": "ListJobExecutionsForThing", + "access_level": "Read", + "description": "Grants permission to retrieve an IAM service-linked role deletion status", + "privilege": "GetServiceLinkedRoleDeletionStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "role*" } ] }, { - "access_level": "List", - "description": "Lists jobs.", - "privilege": "ListJobs", + "access_level": "Read", + "description": "Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN", + "privilege": "GetUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { - "access_level": "List", - "description": "Gets a list of all mitigation actions that match the specified filter criteria.", - "privilege": "ListMitigationActions", + "access_level": "Read", + "description": "Grants permission to retrieve an inline policy document that is embedded in the specified IAM user", + "privilege": "GetUserPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists all named shadows for a given thing.", - "privilege": "ListNamedShadowsForThing", + "description": "Grants permission to list 
information about the access key IDs that are associated with the specified IAM user", + "privilege": "ListAccessKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists OTA update jobs in the account.", - "privilege": "ListOTAUpdates", + "description": "Grants permission to list the account alias that is associated with the AWS account", + "privilege": "ListAccountAliases", "resource_types": [ { "condition_keys": [], 
@@ -78954,44 +89685,44 @@ }, { "access_level": "List", - "description": "Lists certificates that are being transfered but not yet accepted.", - "privilege": "ListOutgoingCertificates", + "description": "Grants permission to list all managed policies that are attached to the specified IAM group", + "privilege": "ListAttachedGroupPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "group*" } ] }, { "access_level": "List", - "description": "Lists your policies.", - "privilege": "ListPolicies", + "description": "Grants permission to list all managed policies that are attached to the specified IAM role", + "privilege": "ListAttachedRolePolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "role*" } ] }, { "access_level": "List", - "description": "Lists the principals associated with the specified policy.", - "privilege": "ListPolicyPrincipals", + "description": "Grants permission to list all managed policies that are attached to the specified IAM user", + "privilege": "ListAttachedUserPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists the versions of the specified policy, and identifies the default version.", - "privilege": "ListPolicyVersions", + "description": "Grants permission to list all IAM identities to which the specified managed policy is attached", + "privilege": "ListEntitiesForPolicy", "resource_types": [ { "condition_keys": [], 
@@ -79002,20 +89733,20 @@ }, { "access_level": "List", - "description": "Lists the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format.", - "privilege": "ListPrincipalPolicies", + "description": "Grants permission to list the names of the inline policies that are embedded in the specified IAM group", + "privilege": "ListGroupPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "group*" } ] }, { "access_level": "List", - "description": "Lists the things associated with the specified principal.", - "privilege": "ListPrincipalThings", + "description": "Grants permission to list the IAM groups that have the specified path prefix", + "privilege": "ListGroups", "resource_types": [ { "condition_keys": [], 
@@ -79026,194 +89757,150 @@ }, { "access_level": "List", - "description": "A list of fleet provisioning template versions.", - "privilege": "ListProvisioningTemplateVersions", + "description": "Grants permission to list the IAM groups that the specified IAM user belongs to", + "privilege": "ListGroupsForUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists the fleet provisioning templates in your AWS account.", - "privilege": "ListProvisioningTemplates", + "description": "Grants permission to list the tags that are attached to the specified instance profile", + "privilege": "ListInstanceProfileTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance-profile*" } ] }, { "access_level": "List", - "description": "Lists role aliases.", - "privilege": "ListRoleAliases", + "description": "Grants permission to list the instance profiles that have the specified path prefix", + "privilege": "ListInstanceProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance-profile*" } ] }, { "access_level": "List", - "description": "Lists all of your scheduled audits.", - "privilege": "ListScheduledAudits", + "description": "Grants permission to list the instance profiles that have the specified associated IAM role", + "privilege": "ListInstanceProfilesForRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "role*" } ] }, { "access_level": "List", - "description": "Lists the Device Defender security profiles you have created.", - "privilege": "ListSecurityProfiles", + "description": "Grants permission to list the tags that are attached to the specified virtual mfa device", + "privilege": "ListMFADeviceTags", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "dimension" + "resource_type": "mfa*" } ] }, { "access_level": "List", - "description": "Lists the Device Defender security profiles attached to a target.", - "privilege": "ListSecurityProfilesForTarget", + "description": "Grants permission to list the MFA devices for an IAM user", + "privilege": "ListMFADevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup" + "resource_type": "user" } ] }, { "access_level": "List", - "description": "Lists the streams in your account.", - "privilege": "ListStreams", + "description": "Grants permission to list the tags that are attached to the specified OpenID Connect provider", + "privilege": "ListOpenIDConnectProviderTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "oidc-provider*" } ] }, { "access_level": "List", - "description": "Lists all tags for a given resource.", - "privilege": "ListTagsForResource", + "description": "Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account", + "privilege": "ListOpenIDConnectProviders", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "authorizer" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "billinggroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cacert" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dimension" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domainconfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dynamicthinggroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "fleetmetric" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "job" - 
}, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mitigationaction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "otaupdate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "provisioningtemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rolealias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rule" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all managed policies", + "privilege": "ListPolicies", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "scheduledaudit" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list information about the policies that grant an entity access to a specific service", + "privilege": "ListPoliciesGrantingServiceAccess", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile" + "resource_type": "group*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream" + "resource_type": "role*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup" - }, + "resource_type": "user*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the tags that are attached to the specified managed policy", + "privilege": "ListPolicyTags", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thingtype" + "resource_type": "policy*" } ] }, { "access_level": "List", - "description": "List targets for the specified policy.", - "privilege": "ListTargetsForPolicy", + "description": "Grants permission to list information about the versions of the specified managed policy, including 
the version that is currently set as the policy's default version", + "privilege": "ListPolicyVersions", "resource_types": [ { "condition_keys": [], 
@@ -79224,56 +89911,56 @@ }, { "access_level": "List", - "description": "Lists the targets associated with a given Device Defender security profile.", - "privilege": "ListTargetsForSecurityProfile", + "description": "Grants permission to list the names of the inline policies that are embedded in the specified IAM role", + "privilege": "ListRolePolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile*" + "resource_type": "role*" } ] }, { "access_level": "List", - "description": "Lists all thing groups.", - "privilege": "ListThingGroups", + "description": "Grants permission to list the tags that are attached to the specified IAM role", + "privilege": "ListRoleTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "role*" } ] }, { "access_level": "List", - "description": "List thing groups to which the specified thing belongs.", - "privilege": "ListThingGroupsForThing", + "description": "Grants permission to list the IAM roles that have the specified path prefix", + "privilege": "ListRoles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Lists the principals associated with the specified thing.", - "privilege": "ListThingPrincipals", + "description": "Grants permission to list the tags that are attached to the specified SAML provider", + "privilege": "ListSAMLProviderTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "saml-provider*" } ] }, { "access_level": "List", - "description": "Lists information about bulk thing registration tasks.", - "privilege": "ListThingRegistrationTaskReports", + "description": "Grants permission to list the SAML provider resources in IAM", + "privilege": "ListSAMLProviders", "resource_types": [ { "condition_keys": [], 
@@ -79284,32 +89971,32 @@ }, { "access_level": "List", - "description": "Lists bulk thing registration tasks.", - "privilege": "ListThingRegistrationTasks", + "description": "Grants permission to list information about the SSH public keys that are associated with the specified IAM user", + "privilege": "ListSSHPublicKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists all thing types.", - "privilege": "ListThingTypes", + "description": "Grants permission to list the tags that are attached to the specified server certificate", + "privilege": "ListServerCertificateTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "server-certificate*" } ] }, { "access_level": "List", - "description": "Lists all things.", - "privilege": "ListThings", + "description": "Grants permission to list the server certificates that have the specified path prefix", + "privilege": "ListServerCertificates", "resource_types": [ { "condition_keys": [], 
@@ -79320,56 +90007,56 @@ }, { "access_level": "List", - "description": "Lists all things in the specified billing group.", - "privilege": "ListThingsInBillingGroup", + "description": "Grants permission to list the service-specific credentials that are associated with the specified IAM user", + "privilege": "ListServiceSpecificCredentials", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "billinggroup*" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists all things in the specified thing group.", - "privilege": "ListThingsInThingGroup", + "description": "Grants permission to list information about the signing certificates that are associated with the specified IAM user", + "privilege": "ListSigningCertificates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup*" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists the rules for the specific topic.", - "privilege": "ListTopicRules", + "description": "Grants permission to list the names of the inline policies that are embedded in the specified IAM user", + "privilege": "ListUserPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists tunnels.", - "privilege": "ListTunnels", + "description": "Grants permission to list the tags that are attached to the specified IAM user", + "privilege": "ListUserTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "List", - "description": "Lists the v2 logging levels.", - "privilege": "ListV2LoggingLevels", + "description": "Grants permission to list the IAM users that have the specified path prefix", + "privilege": "ListUsers", "resource_types": [ { "condition_keys": [], 
@@ -79380,32 +90067,30 @@ }, { "access_level": "List", - "description": "Lists the Device Defender security profile violations discovered during the given time period.", - "privilege": "ListViolationEvents", + "description": "Grants permission to list virtual MFA devices by assignment status", + "privilege": "ListVirtualMFADevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Opens a tunnel.", - "privilege": "OpenTunnel", + "description": "Grants permission to pass a role to a service", + "privilege": "PassRole", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "role*" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "iot:ThingGroupArn", - "iot:TunnelDestinationService" + "iam:AssociatedResourceArn", + "iam:PassedToService" ], "dependent_actions": [], "resource_type": "" 
@@ -79413,38 +90098,30 @@ ] }, { - "access_level": "Write", - "description": "Publish to the specified topic.", - "privilege": "Publish", + "access_level": "Permissions management", + "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM group", + "privilege": "PutGroupPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "topic*" + "resource_type": "group*" } ] }, { - "access_level": "Write", - "description": "Receive from the specified topic.", - "privilege": "Receive", + "access_level": "Permissions management", + "description": "Grants permission to set a managed policy as a permissions boundary for a role", + "privilege": "PutRolePermissionsBoundary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "topic*" - } - ] - }, - { - "access_level": "Write", - "description": "Registers a CA certificate with AWS IoT.", - "privilege": "RegisterCACertificate", - "resource_types": [ + "resource_type": "role*" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "iam:PermissionsBoundary" ], "dependent_actions": [], "resource_type": "" 
@@ -79452,139 +90129,150 @@ ] }, { - "access_level": "Write", - "description": "Registers a device certificate with AWS IoT.", - "privilege": "RegisterCertificate", + "access_level": "Permissions management", + "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM role", + "privilege": "PutRolePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "role*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Registers a device certificate with AWS IoT without a registered CA (certificate authority).", - "privilege": "RegisterCertificateWithoutCA", + "access_level": "Permissions management", + "description": "Grants permission to set a managed policy as a permissions boundary for an IAM user", + "privilege": "PutUserPermissionsBoundary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Registers your thing.", - "privilege": "RegisterThing", + "access_level": "Permissions management", + "description": "Grants permission to create or update an inline policy document that is embedded in the specified IAM user", + "privilege": "PutUserPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "iam:PermissionsBoundary" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Rejects a pending certificate transfer.", - "privilege": "RejectCertificateTransfer", + "description": "Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource", + 
"privilege": "RemoveClientIDFromOpenIDConnectProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "oidc-provider*" } ] }, { "access_level": "Write", - "description": "Removes thing from the specified billing group.", - "privilege": "RemoveThingFromBillingGroup", + "description": "Grants permission to remove an IAM role from the specified EC2 instance profile", + "privilege": "RemoveRoleFromInstanceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "billinggroup*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "instance-profile*" } ] }, { "access_level": "Write", - "description": "Removes thing from the specified thing group.", - "privilege": "RemoveThingFromThingGroup", + "description": "Grants permission to remove an IAM user from the specified group", + "privilege": "RemoveUserFromGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thinggroup*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Replaces the specified rule.", - "privilege": "ReplaceTopicRule", + "description": "Grants permission to reset the password for an existing service-specific credential for an IAM user", + "privilege": "ResetServiceSpecificCredential", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rule*" + "resource_type": "user*" } ] }, { - "access_level": "Read", - "description": "Search IoT fleet index", - "privilege": "SearchIndex", + "access_level": "Write", + "description": "Grants permission to synchronize the specified MFA device with its IAM entity (user or role)", + "privilege": "ResyncMFADevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + 
"resource_type": "user*" } ] }, { "access_level": "Permissions management", - "description": "Sets the default authorizer. This will be used if a websocket connection is made without specifying an authorizer.", - "privilege": "SetDefaultAuthorizer", + "description": "Grants permission to set the version of the specified policy as the policy's default version", + "privilege": "SetDefaultPolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "authorizer*" + "resource_type": "policy*" } ] }, { - "access_level": "Permissions management", - "description": "Sets the specified version of the specified policy as the policy's default (operative) version.", - "privilege": "SetDefaultPolicyVersion", + "access_level": "Write", + "description": "Grants permission to set the STS global endpoint token version", + "privilege": "SetSecurityTokenServicePreferences", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Sets the logging options.", - "privilege": "SetLoggingOptions", + "access_level": "Read", + "description": "Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources", + "privilege": "SimulateCustomPolicy", "resource_types": [ { "condition_keys": [], 
@@ -79594,346 +90282,291 @@ ] }, { - "access_level": "Write", - "description": "Sets the v2 logging level.", - "privilege": "SetV2LoggingLevel", + "access_level": "Read", + "description": "Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources", + "privilege": "SimulatePrincipalPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "role" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" } ] }, { - "access_level": "Write", - "description": "Sets the v2 logging options.", - "privilege": "SetV2LoggingOptions", + "access_level": "Tagging", + "description": "Grants permission to add tags to an instance profile", + "privilege": "TagInstanceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "instance-profile*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Starts a task that applies a set of mitigation actions to the specified target.", - "privilege": "StartAuditMitigationActionsTask", + "access_level": "Tagging", + "description": "Grants permission to add tags to a virtual mfa device", + "privilege": "TagMFADevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "mfa*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Gets and starts the next pending job execution for a thing.", - "privilege": "StartNextPendingJobExecution", + "access_level": "Tagging", + "description": "Grants permission to add tags to an 
OpenID Connect provider", + "privilege": "TagOpenIDConnectProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "oidc-provider*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Starts an on-demand Device Defender audit.", - "privilege": "StartOnDemandAuditTask", + "access_level": "Tagging", + "description": "Grants permission to add tags to a managed policy", + "privilege": "TagPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "policy*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Starts a bulk thing registration task.", - "privilege": "StartThingRegistrationTask", + "access_level": "Tagging", + "description": "Grants permission to add tags to an IAM role", + "privilege": "TagRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "role*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Stops a bulk thing registration task.", - "privilege": "StopThingRegistrationTask", + "access_level": "Tagging", + "description": "Grants permission to add tags to a SAML Provider", + "privilege": "TagSAMLProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "saml-provider*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Subscribe to the specified TopicFilter.", - "privilege": "Subscribe", + "access_level": "Tagging", + "description": "Grants 
permission to add tags to a server certificate", + "privilege": "TagServerCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "topicfilter*" + "resource_type": "server-certificate*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Tag a specified resource", - "privilege": "TagResource", + "description": "Grants permission to add tags to an IAM user", + "privilege": "TagUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "authorizer" + "resource_type": "user*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "billinggroup" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the instance profile", + "privilege": "UntagInstanceProfile", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cacert" + "resource_type": "instance-profile*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "dimension" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the virtual mfa device", + "privilege": "UntagMFADevice", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domainconfiguration" + "resource_type": "mfa*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "dynamicthinggroup" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the OpenID Connect provider", + "privilege": 
"UntagOpenIDConnectProvider", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleetmetric" + "resource_type": "oidc-provider*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "job" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the managed policy", + "privilege": "UntagPolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mitigationaction" + "resource_type": "policy*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "otaupdate" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the role", + "privilege": "UntagRole", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy" + "resource_type": "role*" }, { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "provisioningtemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rolealias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rule" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "scheduledaudit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securityprofile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thinggroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thingtype" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": 
"Read", - "description": "Test the policies evaluation for group policies", - "privilege": "TestAuthorization", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cert" - } - ] - }, - { - "access_level": "Read", - "description": "Invoke the specified custom authorizer for testing purposes.", - "privilege": "TestInvokeAuthorizer", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "authorizer*" - } - ] - }, - { - "access_level": "Write", - "description": "Transfers the specified certificate to the specified AWS account.", - "privilege": "TransferCertificate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cert*" - } - ] - }, { "access_level": "Tagging", - "description": "Untag a specified resource", - "privilege": "UntagResource", + "description": "Grants permission to remove the specified tags from the SAML Provider", + "privilege": "UntagSAMLProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "authorizer" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "billinggroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cacert" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dimension" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "domainconfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dynamicthinggroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "fleetmetric" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "job" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mitigationaction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "otaupdate" - }, - { - "condition_keys": [], - 
"dependent_actions": [], - "resource_type": "policy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "provisioningtemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rolealias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "rule" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "scheduledaudit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securityprofile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thinggroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thingtype" + "resource_type": "saml-provider*" }, { "condition_keys": [ 
@@ -79945,515 +90578,351 @@ ] }, { - "access_level": "Write", - "description": "Configures or reconfigures the Device Defender audit settings for this account.", - "privilege": "UpdateAccountAuditConfiguration", + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the server certificate", + "privilege": "UntagServerCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Updates a Device Defender audit suppression.", - "privilege": "UpdateAuditSuppression", - "resource_types": [ + "resource_type": "server-certificate*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates an authorizer", - "privilege": "UpdateAuthorizer", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "authorizer*" - } - ] - }, - { - "access_level": "Write", - "description": "Updates information associated with the specified billing group.", - "privilege": "UpdateBillingGroup", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "billinggroup*" - } - ] - }, - { - "access_level": "Write", - "description": "Updates a registered CA certificate.", - "privilege": "UpdateCACertificate", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cacert*" - } - ] - }, - { - "access_level": "Write", - "description": "Updates the status of the specified certificate. 
This operation is idempotent.", - "privilege": "UpdateCertificate", + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the user", + "privilege": "UntagUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" - } - ] - }, - { - "access_level": "Write", - "description": "Updates the definition for a dimension.", - "privilege": "UpdateDimension", - "resource_types": [ + "resource_type": "user*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "dimension*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates a domain configuration.", - "privilege": "UpdateDomainConfiguration", + "description": "Grants permission to update the status of the specified access key as Active or Inactive", + "privilege": "UpdateAccessKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domainconfiguration*" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Updates a Dynamic Thing Group", - "privilege": "UpdateDynamicThingGroup", + "description": "Grants permission to update the password policy settings for the AWS account", + "privilege": "UpdateAccountPasswordPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dynamicthinggroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates event configurations.", - "privilege": "UpdateEventConfigurations", + "access_level": "Permissions management", + "description": "Grants permission to update the policy that grants an IAM entity permission to assume a role", + "privilege": "UpdateAssumeRolePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "role*" } ] }, { "access_level": "Write", - "description": "Updates a fleet metric", - "privilege": 
"UpdateFleetMetric", + "description": "Grants permission to update the name or path of the specified IAM group", + "privilege": "UpdateGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "fleetmetric*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Updates fleet indexing configuration", - "privilege": "UpdateIndexingConfiguration", + "description": "Grants permission to change the password for the specified IAM user", + "privilege": "UpdateLoginProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Updates a job.", - "privilege": "UpdateJob", + "description": "Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource", + "privilege": "UpdateOpenIDConnectProviderThumbprint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "oidc-provider*" } ] }, { "access_level": "Write", - "description": "Updates a job execution.", - "privilege": "UpdateJobExecution", + "description": "Grants permission to update the description or maximum session duration setting of a role", + "privilege": "UpdateRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "role*" } ] }, { "access_level": "Write", - "description": "Updates the definition for the specified mitigation action.", - "privilege": "UpdateMitigationAction", + "description": "Grants permission to update only the description of a role", + "privilege": "UpdateRoleDescription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mitigationaction*" + "resource_type": "role*" } ] }, { 
"access_level": "Write", - "description": "Updates a fleet provisioning template.", - "privilege": "UpdateProvisioningTemplate", + "description": "Grants permission to update the metadata document for an existing SAML provider resource", + "privilege": "UpdateSAMLProvider", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "provisioningtemplate*" + "resource_type": "saml-provider*" } ] }, { "access_level": "Write", - "description": "Updates the role alias", - "privilege": "UpdateRoleAlias", + "description": "Grants permission to update the status of an IAM user's SSH public key to active or inactive", + "privilege": "UpdateSSHPublicKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "rolealias*" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Updates a scheduled audit, including what checks are performed and how often the audit takes place.", - "privilege": "UpdateScheduledAudit", + "description": "Grants permission to update the name or the path of the specified server certificate stored in IAM", + "privilege": "UpdateServerCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "scheduledaudit*" + "resource_type": "server-certificate*" } ] }, { "access_level": "Write", - "description": "Updates a Device Defender security profile.", - "privilege": "UpdateSecurityProfile", + "description": "Grants permission to update the status of a service-specific credential to active or inactive for an IAM user", + "privilege": "UpdateServiceSpecificCredential", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securityprofile*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dimension" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Updates the data for a stream.", - "privilege": "UpdateStream", + "description": "Grants 
permission to update the status of the specified user signing certificate to active or disabled", + "privilege": "UpdateSigningCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Updates information associated with the specified thing.", - "privilege": "UpdateThing", + "description": "Grants permission to update the name or the path of the specified IAM user", + "privilege": "UpdateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Updates information associated with the specified thing group.", - "privilege": "UpdateThingGroup", + "description": "Grants permission to upload an SSH public key and associate it with the specified IAM user", + "privilege": "UploadSSHPublicKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thinggroup*" + "resource_type": "user*" } ] }, { "access_level": "Write", - "description": "Updates the thing groups to which the thing belongs.", - "privilege": "UpdateThingGroupsForThing", + "description": "Grants permission to upload a server certificate entity for the AWS account", + "privilege": "UploadServerCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "server-certificate*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "thinggroup" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the thing shadow.", - "privilege": "UpdateThingShadow", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thing*" - } - ] - }, - { - "access_level": "Read", - "description": "Validates a Device 
Defender security profile behaviors specification.", - "privilege": "ValidateSecurityProfileBehaviors", + "description": "Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user", + "privilege": "UploadSigningCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "user*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:iot:${Region}:${Account}:client/${ClientId}", - "condition_keys": [], - "resource": "client" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:index/${IndexName}", - "condition_keys": [], - "resource": "index" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:fleetmetric/${FleetMetricName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "fleetmetric" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:job/${JobId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "job" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:tunnel/${TunnelId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "tunnel" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", + "arn": "arn:${Partition}:iam::${Account}:access-report/${EntityPath}", "condition_keys": [], - "resource": "thing" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "thinggroup" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "billinggroup" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dynamicthinggroup" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName}", - 
"condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "thingtype" + "resource": "access-report" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName}", + "arn": "arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName}", "condition_keys": [], - "resource": "topic" + "resource": "assumed-role" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter}", + "arn": "arn:${Partition}:iam::${Account}:federated-user/${UserName}", "condition_keys": [], - "resource": "topicfilter" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "rolealias" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "authorizer" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "policy" + "resource": "federated-user" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}", + "arn": "arn:${Partition}:iam::${Account}:group/${GroupNameWithPath}", "condition_keys": [], - "resource": "cert" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "cacert" + "resource": "group" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:stream/${streamId}", + "arn": "arn:${Partition}:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "stream" + "resource": "instance-profile" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:otaupdate/${otaUpdateId}", + "arn": "arn:${Partition}:iam::${Account}:mfa/${MfaTokenIdWithPath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "otaupdate" + 
"resource": "mfa" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName}", + "arn": "arn:${Partition}:iam::${Account}:oidc-provider/${OidcProviderName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "scheduledaudit" + "resource": "oidc-provider" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:mitigationaction/${MitigationActionName}", + "arn": "arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "mitigationaction" + "resource": "policy" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName}", + "arn": "arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "iam:ResourceTag/${TagKey}" ], - "resource": "securityprofile" + "resource": "role" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:dimension/${DimensionName}", + "arn": "arn:${Partition}:iam::${Account}:saml-provider/${SamlProviderName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "dimension" + "resource": "saml-provider" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:rule/${ruleName}", + "arn": "arn:${Partition}:iam::${Account}:server-certificate/${CertificateNameWithPath}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "rule" + "resource": "server-certificate" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:provisioningtemplate/${provisioningTemplate}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "provisioningtemplate" + "arn": "arn:${Partition}:iam::${Account}:sms-mfa/${MfaTokenIdWithPath}", + "condition_keys": [], + "resource": "sms-mfa" }, { - "arn": "arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${domainConfigurationName}", + "arn": "arn:${Partition}:iam::${Account}:user/${UserNameWithPath}", "condition_keys": [ - 
"aws:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}", + "iam:ResourceTag/${TagKey}" ], - "resource": "domainconfiguration" + "resource": "user" } ], - "service_name": "AWS IoT" + "service_name": "Identity And Access Management" }, { "conditions": [], - "prefix": "iot-device-tester", + "prefix": "identitystore", "privileges": [ { "access_level": "Read", - "description": "Grants permission for IoT Device Tester to check if a given set of product, test suite and device tester version are compatible", - "privilege": "CheckVersion", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission for IoT Device Tester to download compatible test suite versions", - "privilege": "DownloadTestSuite", + "description": "Grants permission to retrieves information about group from the directory that AWS Identity Store provides by default", + "privilege": "DescribeGroup", "resource_types": [ { "condition_keys": [], @@ -80464,8 +90933,8 @@ }, { "access_level": "Read", - "description": "Grants permission for IoT Device Tester to get information on latest version of device tester available", - "privilege": "LatestIdt", + "description": "Grants permission to retrieves information about user from the directory that AWS Identity Store provides by default", + "privilege": "DescribeUser", "resource_types": [ { "condition_keys": [], @@ -80475,9 +90944,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permissions for IoT Device Tester to send usage metrics on your behalf", - "privilege": "SendMetrics", + "access_level": "List", + "description": "Grants permission to search for groups within the associated directory", + "privilege": "ListGroups", "resource_types": [ { "condition_keys": [], 
@@ -80487,9 +90956,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission for IoT Device Tester to get list of supported products and test suite versions", - "privilege": "SupportedVersion", + "access_level": "List", + "description": "Grants permission to search for users within the associated directory", + "privilege": "ListUsers", "resource_types": [ { "condition_keys": [], 
@@ -80500,47 +90969,76 @@ } ], "resources": [], - "service_name": "AWS IoT Device Tester" + "service_name": "AWS Identity Store" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to IoT 1-Click.", + "description": "Filters actions by the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "The preface string for a tag key and value pair attached to an IoT 1-Click resource.", + "description": "Filters actions by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the IoT 1-Click resource in the request.", + "description": "Filters actions by the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "imagebuilder:CreatedResourceTag/", + "description": "Filters access by the tag key-value pairs attached to the resource created by Image Builder", + "type": "String" + }, + { + "condition": "imagebuilder:CreatedResourceTagKeys", + "description": "Filters access by the presence of tag keys in the request", "type": "String" } ], - "prefix": "iot1click", + "prefix": "imagebuilder", "privileges": [ { "access_level": "Write", - "description": "Associate a device to a placement", - "privilege": "AssociateDeviceWithPlacement", + "description": "Grants permission to cancel an image creation", + "privilege": "CancelImageCreation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "image*" } ] }, { - "access_level": "Read", - "description": "Claim a batch of devices with a claim code.", - "privilege": "ClaimDevicesByClaimCode", + "access_level": "Write", + "description": "Grants permission to create a new component", + "privilege": "CreateComponent", "resource_types": [ { "condition_keys": [], + 
"dependent_actions": [ + "iam:CreateServiceLinkedRole", + "imagebuilder:TagResource", + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "resource_type": "component*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "kmsKey" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -80548,25 +91046,46 @@ }, { "access_level": "Write", - "description": "Create a new placement in a project", - "privilege": "CreatePlacement", + "description": "Grants permission to create a new Container Recipe", + "privilege": "CreateContainerRecipe", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ecr:DescribeImages", + "ecr:DescribeRepositories", + "iam:CreateServiceLinkedRole", + "imagebuilder:GetComponent", + "imagebuilder:GetImage", + "imagebuilder:TagResource", + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "resource_type": "containerRecipe*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a new project", - "privilege": "CreateProject", + "description": "Grants permission to create a new distribution configuration", + "privilege": "CreateDistributionConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "imagebuilder:TagResource" + ], + "resource_type": "distributionConfiguration*" }, { "condition_keys": [ 
@@ -80580,228 +91099,268 @@ }, { "access_level": "Write", - "description": "Delete a placement from a project", - "privilege": "DeletePlacement", + "description": "Grants permission to create a new image", + "privilege": "CreateImage", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "imagebuilder:GetContainerRecipe", + "imagebuilder:GetDistributionConfiguration", + "imagebuilder:GetImageRecipe", + "imagebuilder:GetInfrastructureConfiguration", + "imagebuilder:TagResource" + ], + "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Delete a project", - "privilege": "DeleteProject", + "description": "Grants permission to create a new image pipeline", + "privilege": "CreateImagePipeline", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "imagebuilder:GetContainerRecipe", + "imagebuilder:GetImageRecipe", + "imagebuilder:TagResource" + ], + "resource_type": "imagePipeline*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describe a device", - "privilege": "DescribeDevice", + "access_level": "Write", + "description": "Grants permission to create a new Image Recipe", + "privilege": "CreateImageRecipe", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeImages", + "iam:CreateServiceLinkedRole", + "imagebuilder:GetComponent", + "imagebuilder:GetImage", + "imagebuilder:TagResource" + ], + "resource_type": "imageRecipe*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - 
"access_level": "Read", - "description": "Describe a placement", - "privilege": "DescribePlacement", + "access_level": "Write", + "description": "Grants permission to create a new infrastructure configuration", + "privilege": "CreateInfrastructureConfiguration", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "iam:PassRole", + "imagebuilder:TagResource", + "sns:Publish" + ], + "resource_type": "infrastructureConfiguration*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "imagebuilder:CreatedResourceTagKeys", + "imagebuilder:CreatedResourceTag/" + ], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describe a project", - "privilege": "DescribeProject", + "access_level": "Write", + "description": "Grants permission to delete a component", + "privilege": "DeleteComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "component*" } ] }, { "access_level": "Write", - "description": "Disassociate a device from a placement", - "privilege": "DisassociateDeviceFromPlacement", + "description": "Grants permission to delete a container recipe", + "privilege": "DeleteContainerRecipe", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "containerRecipe*" } ] }, { - "access_level": "Read", - "description": "Finalize a device claim", - "privilege": "FinalizeDeviceClaim", + "access_level": "Write", + "description": "Grants permission to delete a distribution configuration", + "privilege": "DeleteDistributionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": 
"distributionConfiguration*" } ] }, { - "access_level": "Read", - "description": "Get available methods of a device", - "privilege": "GetDeviceMethods", + "access_level": "Write", + "description": "Grants permission to delete an image", + "privilege": "DeleteImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "image*" } ] }, { - "access_level": "Read", - "description": "Get devices associated to a placement", - "privilege": "GetDevicesInPlacement", + "access_level": "Write", + "description": "Grants permission to delete an image pipeline", + "privilege": "DeleteImagePipeline", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "imagePipeline*" } ] }, { - "access_level": "Read", - "description": "Initialize a device claim", - "privilege": "InitiateDeviceClaim", + "access_level": "Write", + "description": "Grants permission to delete an image recipe", + "privilege": "DeleteImageRecipe", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "imageRecipe*" } ] }, { "access_level": "Write", - "description": "Invoke a device method", - "privilege": "InvokeDeviceMethod", + "description": "Grants permission to delete an infrastructure configuration", + "privilege": "DeleteInfrastructureConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "infrastructureConfiguration*" } ] }, { "access_level": "Read", - "description": "List past events published by a device", - "privilege": "ListDeviceEvents", + "description": "Grants permission to view details about a component", + "privilege": "GetComponent", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "device*" + "dependent_actions": [ + "kms:Decrypt" + ], + "resource_type": "component*" } ] }, { - "access_level": 
"List", - "description": "List all devices", - "privilege": "ListDevices", + "access_level": "Read", + "description": "Grants permission to view the resource policy associated with a component", + "privilege": "GetComponentPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "component*" } ] }, { "access_level": "Read", - "description": "List placements in a project", - "privilege": "ListPlacements", + "description": "Grants permission to view details about a container recipe", + "privilege": "GetContainerRecipe", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "containerRecipe*" } ] }, { - "access_level": "List", - "description": "List all projects", - "privilege": "ListProjects", + "access_level": "Read", + "description": "Grants permission to view the resource policy associated with a container recipe", + "privilege": "GetContainerRecipePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "containerRecipe*" } ] }, { - "access_level": "List", - "description": "Lists the tags (metadata) which you have assigned to the resource.", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to view details about a distribution configuration", + "privilege": "GetDistributionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" + "resource_type": "distributionConfiguration*" } ] }, { - "access_level": "Write", - "description": "Adds to or modifies the tags of the given resource. 
Tags are metadata which can be used to manage a resource.", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to view details about an image", + "privilege": "GetImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" + "resource_type": "image*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -80810,225 +91369,168 @@ }, { "access_level": "Read", - "description": "Unclaim a device", - "privilege": "UnclaimDevice", + "description": "Grants permission to view details about an image pipeline", + "privilege": "GetImagePipeline", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "imagePipeline*" } ] }, { - "access_level": "Write", - "description": "Removes the given tags (metadata) from the resource.", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to view the resource policy associated with an image", + "privilege": "GetImagePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, { - "access_level": "Write", - "description": "Update device state", - "privilege": "UpdateDeviceState", + "access_level": "Read", + "description": "Grants permission to view details about an image recipe", + "privilege": "GetImageRecipe", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "imageRecipe*" } ] }, { - "access_level": "Write", - "description": "Update a placement", - "privilege": "UpdatePlacement", + "access_level": "Read", + "description": "Grants permission to view the resource policy associated with an image recipe", + "privilege": "GetImageRecipePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "imageRecipe*" } ] }, { - "access_level": "Write", - "description": "Update a project", - "privilege": "UpdateProject", + "access_level": "Read", + "description": "Grants permission to view details about an infrastructure configuration", + 
"privilege": "GetInfrastructureConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "infrastructureConfiguration*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iot1click:${Region}:${Account}:devices/${DeviceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "device" - }, - { - "arn": "arn:${Partition}:iot1click:${Region}:${Account}:projects/${ProjectName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "project" - } - ], - "service_name": "AWS IoT 1-Click" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to IoT Analytics.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the IoT Analytics resource in the request.", - "type": "String" }, - { - "condition": "iotanalytics:ResourceTag/${TagKey}", - "description": "The preface string for a tag key and value pair attached to an IoT Analytics resource.", - "type": "String" - } - ], - "prefix": "iotanalytics", - "privileges": [ { "access_level": "Write", - "description": "Puts a batch of messages into the specified channel.", - "privilege": "BatchPutMessage", + "description": "Grants permission to import a new component", + "privilege": "ImportComponent", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "imagebuilder:TagResource", + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "resource_type": "component*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "kmsKey" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": 
"Cancels reprocessing for the specified pipeline.", - "privilege": "CancelPipelineReprocessing", + "access_level": "List", + "description": "Grants permission to list the component build versions in your account", + "privilege": "ListComponentBuildVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "componentVersion*" } ] }, { - "access_level": "Write", - "description": "Creates a channel.", - "privilege": "CreateChannel", + "access_level": "List", + "description": "Grants permission to list the component versions owned by or shared with your account", + "privilege": "ListComponents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a dataset.", - "privilege": "CreateDataset", + "access_level": "List", + "description": "Grants permission to list the container recipes owned by or shared with your account", + "privilege": "ListContainerRecipes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Generates content of the specified dataset (by executing the dataset actions).", - "privilege": "CreateDatasetContent", + "access_level": "List", + "description": "Grants permission to list the distribution configurations in your account", + "privilege": "ListDistributionConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a datastore.", - "privilege": "CreateDatastore", + "access_level": 
"List", + "description": "Grants permission to list the image build versions in your account", + "privilege": "ListImageBuildVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datastore*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "imageVersion*" } ] }, { - "access_level": "Write", - "description": "Creates a pipeline.", - "privilege": "CreatePipeline", + "access_level": "List", + "description": "Grants permission to returns a list of packages installed on the specified image", + "privilege": "ListImagePackages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "image*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -81036,323 +91538,266 @@ ] }, { - "access_level": "Write", - "description": "Deletes the specified channel.", - "privilege": "DeleteChannel", + "access_level": "List", + "description": "Grants permission to returns a list of images created by the specified pipeline", + "privilege": "ListImagePipelineImages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "imagePipeline*" } ] }, { - "access_level": "Write", - "description": "Deletes the specified dataset.", - "privilege": "DeleteDataset", + "access_level": "List", + "description": "Grants permission to list the image pipelines in your account", + "privilege": "ListImagePipelines", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the content of the specified dataset.", - "privilege": "DeleteDatasetContent", + "access_level": "List", + "description": "Grants permission to list the image recipes owned by or shared with your account", + "privilege": "ListImageRecipes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified datastore.", - "privilege": "DeleteDatastore", + "access_level": "List", + "description": "Grants permission to list the image versions owned by or shared with your account", + "privilege": "ListImages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datastore*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified pipeline.", - "privilege": "DeletePipeline", + "access_level": "List", + "description": "Grants permission to list the infrastructure configurations in your account", + "privilege": "ListInfrastructureConfigurations", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Describes the specified channel.", - "privilege": "DescribeChannel", + "description": "Grants permission to list tag for an Image Builder resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "component" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "distributionConfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "imagePipeline" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "imageRecipe" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "infrastructureConfiguration" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes the specified dataset.", - "privilege": "DescribeDataset", + "access_level": "Permissions management", + "description": "Grants permission to set the resource policy associated with a component", + "privilege": "PutComponentPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "component*" } ] }, { - "access_level": "Read", - "description": "Describes the specified datastore.", - "privilege": "DescribeDatastore", + "access_level": "Permissions management", + "description": "Grants permission to set the resource policy associated with a container recipe", + "privilege": "PutContainerRecipePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datastore*" + "resource_type": "containerRecipe*" } ] }, { - "access_level": "Read", - "description": "Describes 
logging options for the the account.", - "privilege": "DescribeLoggingOptions", + "access_level": "Permissions management", + "description": "Grants permission to set the resource policy associated with an image", + "privilege": "PutImagePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, { - "access_level": "Read", - "description": "Describes the specified pipeline.", - "privilege": "DescribePipeline", + "access_level": "Permissions management", + "description": "Grants permission to set the resource policy associated with an image recipe", + "privilege": "PutImageRecipePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "imageRecipe*" } ] }, { - "access_level": "Read", - "description": "Gets the content of the specified dataset.", - "privilege": "GetDatasetContent", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataset*" - } - ] - }, - { - "access_level": "List", - "description": "Lists the channels for the account.", - "privilege": "ListChannels", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists the datasets for the account.", - "privilege": "ListDatasets", + "access_level": "Write", + "description": "Grants permission to create a new image from a pipeline", + "privilege": "StartImagePipelineExecution", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "imagebuilder:GetImagePipeline" + ], + "resource_type": "imagePipeline*" } ] }, { - "access_level": "List", - "description": "Lists the datastores for the account.", - "privilege": "ListDatastores", + "access_level": "Tagging", + "description": "Grants permission to tag an Image Builder 
resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists the pipelines for the account.", - "privilege": "ListPipelines", - "resource_types": [ + "resource_type": "component" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Lists the tags (metadata) which you have assigned to the resource.", - "privilege": "ListTagsForResource", - "resource_types": [ + "resource_type": "containerRecipe" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "distributionConfiguration" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset" + "resource_type": "image" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "datastore" + "resource_type": "imagePipeline" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline" - } - ] - }, - { - "access_level": "Write", - "description": "Puts logging options for the the account.", - "privilege": "PutLoggingOptions", - "resource_types": [ + "resource_type": "imageRecipe" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Runs the specified pipeline activity.", - "privilege": "RunPipelineActivity", - "resource_types": [ + "resource_type": "infrastructureConfiguration" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, - { - "access_level": "Read", - "description": "Samples the specified channel's data.", - "privilege": "SampleChannelData", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel*" - } - ] - }, - { - "access_level": 
"Write", - "description": "Starts reprocessing for the specified pipeline.", - "privilege": "StartPipelineReprocessing", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "pipeline*" - } - ] - }, { "access_level": "Tagging", - "description": "Adds to or modifies the tags of the given resource. Tags are metadata which can be used to manage a resource.", - "privilege": "TagResource", + "description": "Grants permission to untag an Image Builder resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataset" + "resource_type": "component" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "datastore" + "resource_type": "containerRecipe" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline" + "resource_type": "distributionConfiguration" }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Removes the given tags (metadata) from the resource.", - "privilege": "UntagResource", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "image" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset" + "resource_type": "imagePipeline" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "datastore" + "resource_type": "imageRecipe" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline" + "resource_type": "infrastructureConfiguration" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -81362,180 +91807,145 @@ }, { "access_level": "Write", - "description": "Updates the specified channel.", - "privilege": "UpdateChannel", + "description": "Grants permission to update an existing distribution configuration", + "privilege": "UpdateDistributionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "distributionConfiguration*" } ] }, { "access_level": "Write", - "description": "Updates the specified dataset.", - "privilege": "UpdateDataset", + "description": "Grants permission to update an existing image pipeline", + "privilege": "UpdateImagePipeline", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "imagePipeline*" } ] }, { "access_level": "Write", - "description": "Updates the specified datastore.", - "privilege": "UpdateDatastore", + "description": "Grants permission to update an existing infrastructure configuration", + "privilege": "UpdateInfrastructureConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "datastore*" - } - ] - }, - { - "access_level": "Write", - "description": "Updates the specified pipeline.", - "privilege": "UpdatePipeline", - "resource_types": [ + "dependent_actions": [ + "iam:PassRole", + "sns:Publish" + ], + "resource_type": "infrastructureConfiguration*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "imagebuilder:CreatedResourceTagKeys", + "imagebuilder:CreatedResourceTag/" + ], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:channel/${ChannelName}", + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:component/${ComponentName}/${ComponentVersion}/${ComponentBuildVersion}", "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - 
"iotanalytics:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "channel" + "resource": "component" }, { - "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:dataset/${DatasetName}", + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:component/${ComponentName}/${ComponentVersion}", "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "iotanalytics:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "dataset" + "resource": "componentVersion" }, { - "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:datastore/${DatastoreName}", + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:distribution-configuration/${DistributionConfigurationName}", "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "iotanalytics:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "datastore" + "resource": "distributionConfiguration" }, { - "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:pipeline/${PipelineName}", + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion}/${ImageBuildVersion}", "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "iotanalytics:ResourceTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "pipeline" - } - ], - "service_name": "AWS IoT Analytics" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" + "resource": "image" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "imageVersion" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are 
passed in the request", - "type": "String" - } - ], - "prefix": "iotdeviceadvisor", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a suite definition", - "privilege": "CreateSuiteDefinition", - "resource_types": [ - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image-recipe/${ImageRecipeName}/${ImageRecipeVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "imageRecipe" }, { - "access_level": "Write", - "description": "Grants permission to delete a suite definition", - "privilege": "DeleteSuiteDefinition", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "suitedefinition*" - } - ] + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:container-recipe/${ContainerRecipeName}/${ContainerRecipeVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "containerRecipe" }, { - "access_level": "Read", - "description": "Grants permission to get a suite definition", - "privilege": "GetSuiteDefinition", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "suitedefinition*" - } - ] + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image-pipeline/${ImagePipelineName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "imagePipeline" }, { - "access_level": "Read", - "description": "Grants permission to get a suite run", - "privilege": "GetSuiteRun", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "suiterun*" - } - ] + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:infrastructure-configuration/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "infrastructureConfiguration" }, { - "access_level": "Read", - 
"description": "Grants permission to get the qualification report for a suite run", - "privilege": "GetSuiteRunReport", + "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", + "condition_keys": [], + "resource": "kmsKey" + } + ], + "service_name": "Amazon EC2 Image Builder" + }, + { + "conditions": [], + "prefix": "importexport", + "privileges": [ + { + "access_level": "Write", + "description": "This action cancels a specified job. Only the job owner can cancel it. The action fails if the job has already started or is complete.", + "privilege": "CancelJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suiterun*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list suite definitions", - "privilege": "ListSuiteDefinitions", + "access_level": "Write", + "description": "This action initiates the process of scheduling an upload or download of your data.", + "privilege": "CreateJob", "resource_types": [ { "condition_keys": [], 
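Review bot: The new `UpdateInfrastructureConfiguration` entry in this hunk lists the condition key `"imagebuilder:CreatedResourceTag/"`, which ends in a bare slash, while the tag keys beside it carry a placeholder (`aws:ResourceTag/${TagKey}`). The placeholder was probably lost when this data was produced. If so, a policy that uses a real `imagebuilder:CreatedResourceTag/...` key may be checked against a malformed name and be reported as unknown or pass unvalidated; this is inferred from the data alone, since the matching code is not shown here. I would write the entry as `"imagebuilder:CreatedResourceTag/${TagKey}"`, or correct it where the file is produced so the next refresh does not bring it back. The enclosing `privileges` array begins before this hunk.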
@@ -81545,38 +91955,33 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list suite runs", - "privilege": "ListSuiteRuns", + "access_level": "Read", + "description": "This action generates a pre-paid shipping label that you will use to ship your device to AWS for processing.", + "privilege": "GetShippingLabel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list the tags (metadata) assigned to a resource", - "privilege": "ListTagsForResource", + "description": "This action returns information about a job, including where the job is in the processing pipeline, the status of the results, and the signature value associated with the job.", + "privilege": "GetStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "suiterun" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the test cases provided by IoT Device Advisor", - "privilege": "ListTestCases", + "description": "This action returns the jobs associated with the requester.", + "privilege": "ListJobs", "resource_types": [ { "condition_keys": [], 
@@ -81587,368 +91992,280 @@ }, { "access_level": "Write", - "description": "Grants permission to start a suite run", - "privilege": "StartSuiteRun", + "description": "You use this action to change the parameters specified in the original manifest file by supplying a new manifest file.", + "privilege": "UpdateJob", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "AWS Import Export Disk Service" + }, + { + "conditions": [], + "prefix": "inspector", + "privileges": [ { - "access_level": "Tagging", - "description": "Grants permission to add to or modify the tags of the given resource. Tags are metadata which can be used to manage a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to assign attributes (key and value pairs) to the findings that are specified by the ARNs of the findings", + "privilege": "AddAttributesToFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "suiterun" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove the given tags (metadata) from a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup", + "privilege": "CreateAssessmentTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "suiterun" - }, - { - "condition_keys": [ - 
"aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a suite definition", - "privilege": "UpdateSuiteDefinition", + "description": "Grants permission to create an assessment template for the assessment target that is specified by the ARN of the assessment target", + "privilege": "CreateAssessmentTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "suitedefinition*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suitedefinition/${suiteDefinitionId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "suitedefinition" - }, - { - "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suiterun/${suiteDefinitionId}/${suiteRunId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "suiterun" - } - ], - "service_name": "AWS IoT Core Device Advisor" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions by the tag keys in the request", - "type": "String" }, - { - "condition": "iotevents:keyValue", - "description": "Filters access by the instanceId (key-value) of the message", - "type": "String" - } - ], - "prefix": "iotevents", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to send one or more acknowledge action requests to AWS IoT Events", - "privilege": "BatchAcknowledgeAlarm", + "description": "Grants permission to start the generation of an exclusions preview for the specified assessment template", + "privilege": "CreateExclusionsPreview", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disable one or more alarm instances", - "privilege": "BatchDisableAlarm", + "description": "Grants permission to create a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target", + "privilege": "CreateResourceGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to enable one or more alarm instances", - "privilege": "BatchEnableAlarm", + "description": "Grants permission to delete the assessment run that is specified by the ARN of the assessment run", + "privilege": "DeleteAssessmentRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to send a set of messages to the AWS IoT Events system", - "privilege": "BatchPutMessage", + "description": "Grants permission to delete the assessment target that is specified by the ARN of the assessment target", + "privilege": "DeleteAssessmentTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to reset one or more alarm instances", - "privilege": "BatchResetAlarm", + "description": "Grants permission to delete the assessment template that is specified by the ARN of the assessment template", + "privilege": "DeleteAssessmentTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants 
permission to change one or more alarm instances to the snooze mode", - "privilege": "BatchSnoozeAlarm", + "access_level": "Read", + "description": "Grants permission to describe the assessment runs that are specified by the ARNs of the assessment runs", + "privilege": "DescribeAssessmentRuns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a detector instance within the AWS IoT Events system", - "privilege": "BatchUpdateDetector", + "access_level": "Read", + "description": "Grants permission to describe the assessment targets that are specified by the ARNs of the assessment targets", + "privilege": "DescribeAssessmentTargets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an alarm model to monitor an AWS IoT Events input attribute or an AWS IoT SiteWise asset property", - "privilege": "CreateAlarmModel", + "access_level": "Read", + "description": "Grants permission to describe the assessment templates that are specified by the ARNs of the assessment templates", + "privilege": "DescribeAssessmentTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alarmModel*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a detector model to monitor an AWS IoT Events input attribute", - "privilege": "CreateDetectorModel", + "access_level": "Read", + "description": "Grants permission to describe the IAM role that enables Amazon Inspector to access your AWS account", + "privilege": "DescribeCrossAccountAccessRole", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "detectorModel*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an Input in IotEvents", - "privilege": "CreateInput", + "access_level": "Read", + "description": "Grants permission to describe the exclusions that are specified by the exclusions' ARNs", + "privilege": "DescribeExclusions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an alarm model", - "privilege": "DeleteAlarmModel", + "access_level": "Read", + "description": "Grants permission to describe the findings that are specified by the ARNs of the findings", + "privilege": "DescribeFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alarmModel*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a detector model", - "privilege": "DeleteDetectorModel", + "access_level": "Read", + "description": "Grants permission to describe the resource groups that are specified by the ARNs of the resource groups", + "privilege": "DescribeResourceGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an input", - "privilege": "DeleteInput", + "access_level": "Read", + "description": "Grants permission to describe the rules packages that are specified by the ARNs of the rules packages", + "privilege": "DescribeRulesPackages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "input*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about an alarm instance", - "privilege": "DescribeAlarm", + "description": "Grants permission to produce an assessment report that includes detailed and comprehensive results of a specified assessment run", + "privilege": "GetAssessmentReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alarmModel*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about an alarm model", - "privilege": "DescribeAlarmModel", + "description": "Grants permission to retrieve the exclusions preview (a list of ExclusionPreview objects) specified by the preview token", + "privilege": "GetExclusionsPreview", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alarmModel*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retriev information about a detector instance", - "privilege": "DescribeDetector", + "description": "Grants permission to get information about the data that is collected for the specified assessment run", + "privilege": "GetTelemetryMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about a detector model", - "privilege": "DescribeDetectorModel", + "access_level": "List", + "description": "Grants permission to list the agents of the assessment runs that are specified by the ARNs of the assessment runs", + "privilege": "ListAssessmentRunAgents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve an information 
about Input", - "privilege": "DescribeInput", + "access_level": "List", + "description": "Grants permission to list the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates", + "privilege": "ListAssessmentRuns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the current settings of the AWS IoT Events logging options", - "privilege": "DescribeLoggingOptions", + "access_level": "List", + "description": "Grants permission to list the ARNs of the assessment targets within this AWS account", + "privilege": "ListAssessmentTargets", "resource_types": [ { "condition_keys": [], @@ -81959,20 +92276,20 @@ }, { "access_level": "List", - "description": "Grants permission to list all the versions of an alarm model", - "privilege": "ListAlarmModelVersions", + "description": "Grants permission to list the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets", + "privilege": "ListAssessmentTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alarmModel*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the alarm models that you created", - "privilege": "ListAlarmModels", + "description": "Grants permission to list all the event subscriptions for the assessment template that is specified by the ARN of the assessment template", + "privilege": "ListEventSubscriptions", "resource_types": [ { "condition_keys": [], 
@@ -81983,32 +92300,32 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve information about all alarm instances per alarmModel", - "privilege": "ListAlarms", + "description": "Grants permission to list exclusions that are generated by the assessment run", + "privilege": "ListExclusions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alarmModel*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all the versions of a detector model", - "privilege": "ListDetectorModelVersions", + "description": "Grants permission to list findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs", + "privilege": "ListFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the detector models that you created", - "privilege": "ListDetectorModels", + "description": "Grants permission to list all available Amazon Inspector rules packages", + "privilege": "ListRulesPackages", "resource_types": [ { "condition_keys": [], 
@@ -82018,21 +92335,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about all detector instances per detectormodel", - "privilege": "ListDetectors", + "access_level": "Read", + "description": "Grants permission to list all tags associated with an assessment template", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to lists the inputs you have created", - "privilege": "ListInputs", + "access_level": "Read", + "description": "Grants permission to preview the agents installed on the EC2 instances that are part of the specified assessment target", + "privilege": "PreviewAgents", "resource_types": [ { "condition_keys": [], 
@@ -82042,26 +92359,21 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list the tags (metadata) which you have assigned to the resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to register the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action", + "privilege": "RegisterCrossAccountAccessRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to set or update the AWS IoT Events logging options", - "privilege": "PutLoggingOptions", + "description": "Grants permission to remove entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists", + "privilege": "RemoveAttributesFromFindings", "resource_types": [ { "condition_keys": [], 
@@ -82072,491 +92384,340 @@ }, { "access_level": "Tagging", - "description": "Grants permission to adds to or modifies the tags of the given resource.Tags are metadata which can be used to manage a resource", - "privilege": "TagResource", + "description": "Grants permission to set tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template", + "privilege": "SetTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove the given tags (metadata) from the resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to start the assessment run specified by the ARN of the assessment template", + "privilege": "StartAssessmentRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an alarm model", - "privilege": "UpdateAlarmModel", + "description": "Grants permission to stop the assessment run that is specified by the ARN of the assessment run", + "privilege": "StopAssessmentRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alarmModel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a detector model", - "privilege": "UpdateDetectorModel", + "description": "Grants permission to enable the process of sending 
Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic", + "privilege": "SubscribeToEvent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "detectorModel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an input", - "privilege": "UpdateInput", + "description": "Grants permission to disable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic", + "privilege": "UnsubscribeFromEvent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update input routing", - "privilege": "UpdateInputRouting", + "description": "Grants permission to update the assessment target that is specified by the ARN of the assessment target", + "privilege": "UpdateAssessmentTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] } ], - "resources": [ - { - "arn": "arn:${Partition}:iotevents:${Region}:${Account}:detectorModel/${DetectorModelName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "detectorModel" - }, - { - "arn": "arn:${Partition}:iotevents:${Region}:${Account}:alarmModel/${AlarmModelName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "alarmModel" - }, - { - "arn": "arn:${Partition}:iotevents:${Region}:${Account}:input/${inputName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "input" - } - ], - "service_name": "AWS IoT Events" + "resources": [], + "service_name": "Amazon Inspector" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag key-value pairs in the request", + "description": "Filters access by a tag key that is 
present in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to the resource", + "description": "Filters access by a tag key component of a tag associated to the IoT resource in the request", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions by the tag keys in the request", + "description": "Filters access by a list of tag keys associated to the IoT resource in the request", + "type": "String" + }, + { + "condition": "iot:Delete", + "description": "Filters access by a flag indicating whether or not to also delete an IoT Tunnel immediately when making iot:CloseTunnel request", + "type": "Bool" + }, + { + "condition": "iot:DomainName", + "description": "Filters access by based on the domain name of an IoT DomainConfiguration", + "type": "String" + }, + { + "condition": "iot:ThingGroupArn", + "description": "Filters access by a list of IoT Thing Group ARNs that the destination IoT Thing belongs to for an IoT Tunnel", + "type": "String" + }, + { + "condition": "iot:TunnelDestinationService", + "description": "Filters access by a list of destination services for an IoT Tunnel", "type": "String" } ], - "prefix": "iotfleethub", + "prefix": "iot", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an application", - "privilege": "CreateApplication", + "description": "Grants permission to accept a pending certificate transfer", + "privilege": "AcceptCertificateTransfer", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "sso:CreateManagedApplicationInstance", - "sso:DescribeRegisteredRegions" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an dashboard", - "privilege": "CreateDashboard", + "description": "Grants 
permission to add a thing to the specified billing group", + "privilege": "AddThingToBillingGroup", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an application", - "privilege": "DeleteApplication", - "resource_types": [ + "resource_type": "billinggroup*" + }, { "condition_keys": [], - "dependent_actions": [ - "sso:DeleteManagedApplicationInstance" - ], - "resource_type": "application*" + "dependent_actions": [], + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an dashboard", - "privilege": "DeleteDashboard", + "description": "Grants permission to add a thing to the specified thing group", + "privilege": "AddThingToThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe an application", - "privilege": "DescribeApplication", - "resource_types": [ + "resource_type": "thing*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "thinggroup*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an dashboard", - "privilege": "DescribeDashboard", + "access_level": "Write", + "description": "Grants permission to associate a group with a continuous job", + "privilege": "AssociateTargetsWithJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all applications", - "privilege": "ListApplications", - "resource_types": [ + "resource_type": "job*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - 
"access_level": "List", - "description": "Grants permission to list all dashboards", - "privilege": "ListDashboards", - "resource_types": [ + "resource_type": "thing*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thinggroup*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Permissions management", + "description": "Grants permission to attach a policy to the specified target", + "privilege": "AttachPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" + "resource_type": "cert" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard" + "resource_type": "thinggroup" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", + "access_level": "Permissions management", + "description": "Grants permission to attach the specified policy to the specified principal (certificate or other credential)", + "privilege": "AttachPrincipalPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cert" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to associate a Device Defender security profile with a thing group or with this account", + "privilege": "AttachSecurityProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application" + "resource_type": "securityprofile*" }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "dashboard" + "resource_type": "custommetric" }, { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dimension" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thinggroup" } ] }, { "access_level": "Write", - "description": "Grants permission to update an application", - "privilege": "UpdateApplication", + "description": "Grants permission to attach the specified principal to the specified thing", + "privilege": "AttachThingPrincipal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an dashboard", - "privilege": "UpdateDashboard", + "description": "Grants permission to cancel a mitigation action task that is in progress", + "privilege": "CancelAuditMitigationActionsTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iotfleethub::${Account}:application/${ApplicationId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "application" - }, - { - "arn": "arn:${Partition}:iotfleethub::${Account}:dashboard/${DashboardId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dashboard" - } - ], - "service_name": "Fleet Hub for AWS IoT Device Management" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions by the tag keys in the request", - "type": "String" 
- }, - { - "condition": "iotsitewise:assetHierarchyPath", - "description": "Filters access by an asset hierarchy path, which is the string of asset IDs in the asset's hierarchy, each separated by a forward slash", - "type": "String" - }, - { - "condition": "iotsitewise:childAssetId", - "description": "Filters access by the ID of a child asset being associated to a parent asset", - "type": "String" }, - { - "condition": "iotsitewise:group", - "description": "Filters access by the ID of an AWS Single Sign-On group", - "type": "String" - }, - { - "condition": "iotsitewise:iam", - "description": "Filters access by the ID of an AWS IAM identity", - "type": "String" - }, - { - "condition": "iotsitewise:portal", - "description": "Filters access by the ID of a portal", - "type": "String" - }, - { - "condition": "iotsitewise:project", - "description": "Filters access by the ID of a project", - "type": "String" - }, - { - "condition": "iotsitewise:propertyId", - "description": "Filters access by the ID of an asset property", - "type": "String" - }, - { - "condition": "iotsitewise:user", - "description": "Filters access by the ID of an AWS Single Sign-On user", - "type": "String" - } - ], - "prefix": "iotsitewise", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a child asset to a parent asset by a hierarchy", - "privilege": "AssociateAssets", + "description": "Grants permission to cancel an audit that is in progress. 
The audit can be either scheduled or on-demand", + "privilege": "CancelAuditTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate assets to a project", - "privilege": "BatchAssociateProjectAssets", + "description": "Grants permission to cancel a pending transfer for the specified certificate", + "privilege": "CancelCertificateTransfer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate assets from a project", - "privilege": "BatchDisassociateProjectAssets", + "description": "Grants permission to cancel a Device Defender ML Detect mitigation action", + "privilege": "CancelDetectMitigationActionsTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to put property values for asset properties", - "privilege": "BatchPutAssetPropertyValue", + "description": "Grants permission to cancel a job", + "privilege": "CancelJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "job*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an access policy for a portal or a project", - "privilege": "CreateAccessPolicy", + "description": "Grants permission to cancel a job execution on a particular device", + "privilege": "CancelJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal" + "resource_type": "job*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" - }, + "resource_type": "thing*" + } + ] + }, + { + "access_level": "Write", + "description": 
"Grants permission to clear the default authorizer", + "privilege": "ClearDefaultAuthorizer", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -82564,18 +92725,17 @@ }, { "access_level": "Write", - "description": "Grants permission to create an asset from an asset model", - "privilege": "CreateAsset", + "description": "Grants permission to close a tunnel", + "privilege": "CloseTunnel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "tunnel*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "iot:Delete" ], "dependent_actions": [], "resource_type": "" 
@@ -82584,49 +92744,35 @@ }, { "access_level": "Write", - "description": "Grants permission to create an asset model", - "privilege": "CreateAssetModel", + "description": "Grants permission to confirm a http url TopicRuleDestinationDestination", + "privilege": "ConfirmTopicRuleDestination", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "destination*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dashboard in a project", - "privilege": "CreateDashboard", + "description": "Grants permission to connect as the specified client", + "privilege": "Connect", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "client*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a gateway", - "privilege": "CreateGateway", + "description": "Grants permission to create a Device Defender audit suppression", + "privilege": "CreateAuditSuppression", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -82634,31 +92780,33 @@ }, { "access_level": "Write", - "description": "Grants permission to create a portal", - "privilege": "CreatePortal", + "description": "Grants permission to create an authorizer", + "privilege": "CreateAuthorizer", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "authorizer*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [ - "sso:CreateManagedApplicationInstance", - "sso:DescribeRegisteredRegions" - ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a project in a portal", - "privilege": "CreateProject", + "description": "Grants permission to create a billing group", + "privilege": "CreateBillingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" + "resource_type": "billinggroup*" }, { "condition_keys": [ 
@@ -82672,339 +92820,509 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an access policy", - "privilege": "DeleteAccessPolicy", + "description": "Grants permission to create an X.509 certificate using the specified certificate signing request", + "privilege": "CreateCertificateFromCsr", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an asset", - "privilege": "DeleteAsset", + "description": "Grants permission to create a custom metric for device side metric reporting and monitoring", + "privilege": "CreateCustomMetric", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "custommetric*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an asset model", - "privilege": "DeleteAssetModel", + "description": "Grants permission to define a dimension that can be used to to limit the scope of a metric used in a security profile", + "privilege": "CreateDimension", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "dimension*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dashboard", - "privilege": "DeleteDashboard", + "description": "Grants permission to create a domain configuration", + "privilege": "CreateDomainConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "domainconfiguration*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + 
"aws:TagKeys", + "iot:DomainName" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a gateway", - "privilege": "DeleteGateway", + "description": "Grants permission to create a Dynamic Thing Group", + "privilege": "CreateDynamicThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "dynamicthinggroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a portal", - "privilege": "DeletePortal", + "description": "Grants permission to create a fleet metric", + "privilege": "CreateFleetMetric", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso:DeleteManagedApplicationInstance" + "dependent_actions": [], + "resource_type": "fleetmetric*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "portal*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a project", - "privilege": "DeleteProject", + "description": "Grants permission to create a job", + "privilege": "CreateJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "job*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thinggroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobtemplate" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": 
"Read", - "description": "Grants permission to describe an access policy", - "privilege": "DescribeAccessPolicy", + "access_level": "Write", + "description": "Grants permission to create a job template", + "privilege": "CreateJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy*" + "resource_type": "jobtemplate*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an asset", - "privilege": "DescribeAsset", + "access_level": "Write", + "description": "Grants permission to create a 2048 bit RSA key pair and issues an X.509 certificate using the issued public key", + "privilege": "CreateKeysAndCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an asset model", - "privilege": "DescribeAssetModel", + "access_level": "Write", + "description": "Grants permission to define an action that can be applied to audit findings by using StartAuditMitigationActionsTask", + "privilege": "CreateMitigationAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "mitigationaction*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an asset property", - "privilege": "DescribeAssetProperty", + "access_level": "Write", + "description": "Grants permission to create an OTA update job", + "privilege": "CreateOTAUpdate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "asset*" + "resource_type": "otaupdate*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a dashboard", - "privilege": "DescribeDashboard", + "access_level": "Write", + "description": "Grants permission to create an AWS IoT policy", + "privilege": "CreatePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "policy*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a gateway", - "privilege": "DescribeGateway", + "access_level": "Write", + "description": "Grants permission to create a new version of the specified AWS IoT policy", + "privilege": "CreatePolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "policy*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a capability configuration for a gateway", - "privilege": "DescribeGatewayCapabilityConfiguration", + "access_level": "Write", + "description": "Grants permission to create a provisioning claim", + "privilege": "CreateProvisioningClaim", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "provisioningtemplate*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe logging options for the AWS account", - "privilege": "DescribeLoggingOptions", + "access_level": "Write", + "description": "Grants permission to create a fleet provisioning template", + "privilege": "CreateProvisioningTemplate", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + 
"resource_type": "provisioningtemplate*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a portal", - "privilege": "DescribePortal", + "access_level": "Write", + "description": "Grants permission to create a new version of a fleet provisioning template", + "privilege": "CreateProvisioningTemplateVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" + "resource_type": "provisioningtemplate*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a project", - "privilege": "DescribeProject", + "access_level": "Write", + "description": "Grants permission to create a role alias", + "privilege": "CreateRoleAlias", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "rolealias*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a child asset from a parent asset by a hierarchy", - "privilege": "DisassociateAssets", + "description": "Grants permission to create a scheduled audit that is run at a specified time interval", + "privilege": "CreateScheduledAudit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "scheduledaudit*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve computed aggregates for an asset property", - "privilege": "GetAssetPropertyAggregates", + "access_level": "Write", + "description": "Grants permission to create a Device Defender security 
profile", + "privilege": "CreateSecurityProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve the latest value for an asset property", - "privilege": "GetAssetPropertyValue", - "resource_types": [ + "resource_type": "securityprofile*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "custommetric" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dimension" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the value history for an asset property", - "privilege": "GetAssetPropertyValueHistory", + "access_level": "Write", + "description": "Grants permission to create a new AWS IoT stream", + "privilege": "CreateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "stream*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all access policies for an identity or a resource", - "privilege": "ListAccessPolicies", + "access_level": "Write", + "description": "Grants permission to create a thing in the thing registry", + "privilege": "CreateThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal" + "resource_type": "thing*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" + "resource_type": "billinggroup" } ] }, { - "access_level": "List", - "description": "Grants permission to list all asset models", - "privilege": "ListAssetModels", + "access_level": "Write", + "description": "Grants 
permission to create a thing group", + "privilege": "CreateThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "thinggroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the asset relationship graph for an asset", - "privilege": "ListAssetRelationships", + "access_level": "Write", + "description": "Grants permission to create a new thing type", + "privilege": "CreateThingType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "thingtype*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all assets", - "privilege": "ListAssets", + "access_level": "Write", + "description": "Grants permission to create a rule", + "privilege": "CreateTopicRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model" + "resource_type": "rule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all assets associated to an asset by a hierarchy", - "privilege": "ListAssociatedAssets", + "access_level": "Write", + "description": "Grants permission to create a TopicRuleDestination", + "privilege": "CreateTopicRuleDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "destination*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all dashboards in a project", - "privilege": "ListDashboards", + "access_level": "Write", + "description": "Grants permission 
to delete the audit configuration associated with the account", + "privilege": "DeleteAccountAuditConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all gateways", - "privilege": "ListGateways", + "access_level": "Write", + "description": "Grants permission to delete a Device Defender audit suppression", + "privilege": "DeleteAuditSuppression", "resource_types": [ { "condition_keys": [], 
@@ -83014,525 +93332,408 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all portals", - "privilege": "ListPortals", + "access_level": "Write", + "description": "Grants permission to delete the specified authorizer", + "privilege": "DeleteAuthorizer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "authorizer*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all assets associated with a project", - "privilege": "ListProjectAssets", + "access_level": "Write", + "description": "Grants permission to delete the specified billing group", + "privilege": "DeleteBillingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "billinggroup*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all projects in a portal", - "privilege": "ListProjects", + "access_level": "Write", + "description": "Grants permission to delete a registered CA certificate", + "privilege": "DeleteCACertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" + "resource_type": "cacert*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list all tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to delete the specified certificate", + "privilege": "DeleteCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "gateway" - }, - { - 
"condition_keys": [], - "dependent_actions": [], - "resource_type": "portal" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Grants permission to set logging options for the AWS account", - "privilege": "PutLoggingOptions", + "description": "Grants permission to deletes the specified custom metric from your AWS account", + "privilege": "DeleteCustomMetric", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "custommetric*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to remove the specified dimension from your AWS account", + "privilege": "DeleteDimension", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "asset-model" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "gateway" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "portal" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "dimension*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to 
delete a domain configuration", + "privilege": "DeleteDomainConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy" - }, + "resource_type": "domainconfiguration*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified Dynamic Thing Group", + "privilege": "DeleteDynamicThingGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset" - }, + "resource_type": "dynamicthinggroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the specified fleet metric", + "privilege": "DeleteFleetMetric", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model" - }, + "resource_type": "fleetmetric*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a job and its related job executions", + "privilege": "DeleteJob", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard" - }, + "resource_type": "job*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a job execution", + "privilege": "DeleteJobExecution", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway" + "resource_type": "job*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal" - }, + "resource_type": "thing*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a job template", + "privilege": "DeleteJobTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "jobtemplate*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an access policy", - 
"privilege": "UpdateAccessPolicy", + "description": "Grants permission to delete a defined mitigation action from your AWS account", + "privilege": "DeleteMitigationAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "access-policy*" + "resource_type": "mitigationaction*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an asset", - "privilege": "UpdateAsset", + "description": "Grants permission to delete an OTA update job", + "privilege": "DeleteOTAUpdate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "otaupdate*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an asset model", - "privilege": "UpdateAssetModel", + "description": "Grants permission to delete the specified policy", + "privilege": "DeletePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset-model*" + "resource_type": "policy*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an asset property", - "privilege": "UpdateAssetProperty", + "description": "Grants permission to Delete the specified version of the specified policy", + "privilege": "DeletePolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "asset*" + "resource_type": "policy*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a dashboard", - "privilege": "UpdateDashboard", + "description": "Grants permission to delete a fleet provisioning template", + "privilege": "DeleteProvisioningTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "provisioningtemplate*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a gateway", - "privilege": "UpdateGateway", + "description": "Grants permission to delete a 
fleet provisioning template version", + "privilege": "DeleteProvisioningTemplateVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "provisioningtemplate*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a capability configuration for a gateway", - "privilege": "UpdateGatewayCapabilityConfiguration", + "description": "Grants permission to delete a CA certificate registration code", + "privilege": "DeleteRegistrationCode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "gateway*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a portal", - "privilege": "UpdatePortal", + "description": "Grants permission to delete the specified role alias", + "privilege": "DeleteRoleAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "portal*" + "resource_type": "rolealias*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a project", - "privilege": "UpdateProject", + "description": "Grants permission to delete a scheduled audit", + "privilege": "DeleteScheduledAudit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "scheduledaudit*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "asset" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset-model/${AssetModelId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "asset-model" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:gateway/${GatewayId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "gateway" - }, - { - "arn": 
"arn:${Partition}:iotsitewise:${Region}:${Account}:portal/${PortalId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "portal" }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:project/${ProjectId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "project" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:dashboard/${DashboardId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dashboard" - }, - { - "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:access-policy/${AccessPolicyId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "access-policy" - } - ], - "service_name": "AWS IoT SiteWise" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the thingsgraph service.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the thingsgraph service.", - "type": "String" - } - ], - "prefix": "iotthingsgraph", - "privileges": [ { "access_level": "Write", - "description": "Associates a device with a concrete thing that is in the user's registry. A thing can be associated with only one device at a time. 
If you associate a thing with a new device id, its previous association will be removed.", - "privilege": "AssociateEntityToThing", + "description": "Grants permission to delete a Device Defender security profile", + "privilege": "DeleteSecurityProfile", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing", - "iot:DescribeThingGroup" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "securityprofile*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "custommetric" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dimension" } ] }, { "access_level": "Write", - "description": "Creates a workflow template. Workflows can be created only in the user's namespace. (The public namespace contains only entities.) The workflow can contain only entities in the specified namespace. The workflow is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request.", - "privilege": "CreateFlowTemplate", + "description": "Grants permission to delete a specified stream", + "privilege": "DeleteStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "Tagging", - "description": "Creates an instance of a system with specified configurations and Things.", - "privilege": "CreateSystemInstance", + "access_level": "Write", + "description": "Grants permission to delete the specified thing", + "privilege": "DeleteThing", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Creates a system. 
The system is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request.", - "privilege": "CreateSystemTemplate", + "description": "Grants permission to delete the specified thing group", + "privilege": "DeleteThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thinggroup*" } ] }, { "access_level": "Write", - "description": "Deletes a workflow. Any new system or system instance that contains this workflow will fail to update or deploy. Existing system instances that contain the workflow will continue to run (since they use a snapshot of the workflow taken at the time of deploying the system instance).", - "privilege": "DeleteFlowTemplate", + "description": "Grants permission to delete the specified thing shadow", + "privilege": "DeleteThingShadow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Deletes the specified namespace. This action deletes all of the entities in the namespace. Delete the systems and flows in the namespace before performing this action.", - "privilege": "DeleteNamespace", + "description": "Grants permission to delete the specified thing type", + "privilege": "DeleteThingType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thingtype*" } ] }, { "access_level": "Write", - "description": "Deletes a system instance. Only instances that have never been deployed, or that have been undeployed from the target can be deleted. 
Users can create a new system instance that has the same ID as a deleted system instance.", - "privilege": "DeleteSystemInstance", + "description": "Grants permission to delete the specified rule", + "privilege": "DeleteTopicRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "rule*" } ] }, { "access_level": "Write", - "description": "Deletes a system. New system instances can't contain the system after its deletion. Existing system instances that contain the system will continue to work because they use a snapshot of the system that is taken when it is deployed.", - "privilege": "DeleteSystemTemplate", + "description": "Grants permission to delete a TopicRuleDestination", + "privilege": "DeleteTopicRuleDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "destination*" } ] }, { "access_level": "Write", - "description": "Deploys the system instance to the target specified in CreateSystemInstance.", - "privilege": "DeploySystemInstance", + "description": "Grants permission to delete the specified v2 logging level", + "privilege": "DeleteV2LoggingLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deprecates the specified workflow. This action marks the workflow for deletion. 
Deprecated flows can't be deployed, but existing system instances that use the flow will continue to run.", - "privilege": "DeprecateFlowTemplate", + "description": "Grants permission to deprecate the specified thing type", + "privilege": "DeprecateThingType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "thingtype*" } ] }, { - "access_level": "Write", - "description": "Deprecates the specified system.", - "privilege": "DeprecateSystemTemplate", + "access_level": "Read", + "description": "Grants permission to get information about audit configurations for the account", + "privilege": "DescribeAccountAuditConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets the latest version of the user's namespace and the public version that it is tracking.", - "privilege": "DescribeNamespace", + "description": "Grants permission to get information about a single audit finding. Properties include the reason for noncompliance, the severity of the issue, and when the audit that returned the finding was started", + "privilege": "DescribeAuditFinding", "resource_types": [ { "condition_keys": [], 
@@ -83542,24 +93743,21 @@ ] }, { - "access_level": "Write", - "description": "Dissociates a device entity from a concrete thing. The action takes only the type of the entity that you need to dissociate because only one entity of a particular type can be associated with a thing.", - "privilege": "DissociateEntityFromThing", + "access_level": "Read", + "description": "Grants permission to get information about an audit mitigation task that is used to apply mitigation actions to a set of audit findings", + "privilege": "DescribeAuditMitigationActionsTask", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing", - "iot:DescribeThingGroup" - ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets descriptions of the specified entities. Uses the latest version of the user's namespace by default.", - "privilege": "GetEntities", + "description": "Grants permission to get information about a Device Defender audit suppression", + "privilege": "DescribeAuditSuppression", "resource_types": [ { "condition_keys": [], 
@@ -83570,80 +93768,80 @@ }, { "access_level": "Read", - "description": "Gets the latest version of the DefinitionDocument and FlowTemplateSummary for the specified workflow.", - "privilege": "GetFlowTemplate", + "description": "Grants permission to get information about a Device Defender audit", + "privilege": "DescribeAuditTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets revisions of the specified workflow. Only the last 100 revisions are stored. If the workflow has been deprecated, this action will return revisions that occurred before the deprecation. This action won't work for workflows that have been deleted.", - "privilege": "GetFlowTemplateRevisions", + "description": "Grants permission to describe an authorizer", + "privilege": "DescribeAuthorizer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "authorizer*" } ] }, { "access_level": "Read", - "description": "Gets the status of a namespace deletion task.", - "privilege": "GetNamespaceDeletionStatus", + "description": "Grants permission to get information about the specified billing group", + "privilege": "DescribeBillingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "billinggroup*" } ] }, { "access_level": "Read", - "description": "Gets a system instance.", - "privilege": "GetSystemInstance", + "description": "Grants permission to describe a registered CA certificate", + "privilege": "DescribeCACertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "cacert*" } ] }, { "access_level": "Read", - "description": "Gets a system.", - "privilege": "GetSystemTemplate", + "description": "Grants permission to get information about the specified certificate", + 
"privilege": "DescribeCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "cert*" } ] }, { "access_level": "Read", - "description": "Gets revisions made to the specified system template. Only the previous 100 revisions are stored. If the system has been deprecated, this action will return the revisions that occurred before its deprecation. This action won't work with systems that have been deleted.", - "privilege": "GetSystemTemplateRevisions", + "description": "Grants permission to describe a custom metric that is defined in your AWS account", + "privilege": "DescribeCustomMetric", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "custommetric*" } ] }, { "access_level": "Read", - "description": "Gets the status of the specified upload.", - "privilege": "GetUploadStatus", + "description": "Grants permission to describe the default authorizer", + "privilege": "DescribeDefaultAuthorizer", "resource_types": [ { "condition_keys": [], @@ -83653,9 +93851,9 @@ ] }, { - "access_level": "List", - "description": "Lists details of a single workflow execution", - "privilege": "ListFlowExecutionMessages", + "access_level": "Read", + "description": "Grants permission to describe a Device Defender ML Detect mitigation action", + "privilege": "DescribeDetectMitigationActionsTask", "resource_types": [ { "condition_keys": [], 
@@ -83665,45 +93863,45 @@ ] }, { - "access_level": "List", - "description": "Lists all tags for a given resource", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to get details about a dimension that is defined in your AWS account", + "privilege": "DescribeDimension", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance" + "resource_type": "dimension*" } ] }, { "access_level": "Read", - "description": "Searches for entities of the specified type. You can search for entities in your namespace and the public namespace that you're tracking.", - "privilege": "SearchEntities", + "description": "Grants permission to get information about the domain configuration", + "privilege": "DescribeDomainConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domainconfiguration*" } ] }, { "access_level": "Read", - "description": "Searches for workflow executions of a system instance", - "privilege": "SearchFlowExecutions", + "description": "Grants permission to get a unique endpoint specific to the AWS account making the call", + "privilege": "DescribeEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Searches for summary information about workflows.", - "privilege": "SearchFlowTemplates", + "description": "Grants permission to get account event configurations", + "privilege": "DescribeEventConfigurations", "resource_types": [ { "condition_keys": [], 
@@ -83714,229 +93912,158 @@ }, { "access_level": "Read", - "description": "Searches for system instances in the user's account.", - "privilege": "SearchSystemInstances", + "description": "Grants permission to get information about the specified fleet metric", + "privilege": "DescribeFleetMetric", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleetmetric*" } ] }, { "access_level": "Read", - "description": "Searches for summary information about systems in the user's account. You can filter by the ID of a workflow to return only systems that use the specified workflow.", - "privilege": "SearchSystemTemplates", + "description": "Grants permission to get information about the specified index", + "privilege": "DescribeIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Read", - "description": "Searches for things associated with the specified entity. 
You can search by both device and device model.", - "privilege": "SearchThings", + "description": "Grants permission to describe a job", + "privilege": "DescribeJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, { - "access_level": "Tagging", - "description": "Tag a specified resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to describe a job execution", + "privilege": "DescribeJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance" + "resource_type": "job" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing" } ] }, { - "access_level": "Write", - "description": "Removes the system instance and associated triggers from the target.", - "privilege": "UndeploySystemInstance", + "access_level": "Read", + "description": "Grants permission to describe a job template", + "privilege": "DescribeJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance*" + "resource_type": "jobtemplate*" } ] }, { - "access_level": "Tagging", - "description": "Untag a specified resource", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to get information about a mitigation action", + "privilege": "DescribeMitigationAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "SystemInstance" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "mitigationaction*" } ] }, { - "access_level": "Write", - "description": "Updates the specified workflow. All deployed systems and system instances that use the workflow will see the changes in the flow when it is redeployed. 
The workflow can contain only entities in the specified namespace.", - "privilege": "UpdateFlowTemplate", + "access_level": "Read", + "description": "Grants permission to get information about a fleet provisioning template", + "privilege": "DescribeProvisioningTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Workflow*" + "resource_type": "provisioningtemplate*" } ] }, { - "access_level": "Write", - "description": "Updates the specified system. You don't need to run this action after updating a workflow. Any system instance that uses the system will see the changes in the system when it is redeployed.", - "privilege": "UpdateSystemTemplate", + "access_level": "Read", + "description": "Grants permission to get information about a fleet provisioning template version", + "privilege": "DescribeProvisioningTemplateVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "System*" + "resource_type": "provisioningtemplate*" } ] }, { - "access_level": "Write", - "description": "Asynchronously uploads one or more entity definitions to the user's namespace.", - "privilege": "UploadEntityDefinitions", + "access_level": "Read", + "description": "Grants permission to describe a role alias", + "privilege": "DescribeRoleAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "rolealias*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath}", - "condition_keys": [], - "resource": "Workflow" - }, - { - "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:System/${NamespacePath}", - "condition_keys": [], - "resource": "System" - }, - { - "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Deployment/${NamespacePath}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "SystemInstance" - } - ], - "service_name": "AWS IoT Things 
Graph" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to IoT Wireless.", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag key component of a tag attached to an IoT Wireless resource.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the resource in the request.", - "type": "String" - } - ], - "prefix": "iotwireless", - "privileges": [ - { - "access_level": "Write", - "description": "Link partner accounts with Aws account.", - "privilege": "AssociateAwsAccountWithPartnerAccount", + "access_level": "Read", + "description": "Grants permission to get information about a scheduled audit", + "privilege": "DescribeScheduledAudit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "scheduledaudit*" } ] }, { - "access_level": "Write", - "description": "Associate the wireless device with AWS IoT thing for a given wirelessDeviceId.", - "privilege": "AssociateWirelessDeviceWithThing", + "access_level": "Read", + "description": "Grants permission to get information about a Device Defender security profile", + "privilege": "DescribeSecurityProfile", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing" - ], - "resource_type": "WirelessDevice*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "securityprofile*" } ] }, { - "access_level": "Write", - "description": "Associate a WirelessGateway with the IoT Core Identity certificate.", - "privilege": "AssociateWirelessGatewayWithCertificate", + "access_level": "Read", + "description": "Grants permission to get information about the specified stream", + "privilege": "DescribeStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "WirelessGateway*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "stream*" } ] }, { - "access_level": "Write", - "description": "Associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId.", - "privilege": "AssociateWirelessGatewayWithThing", + "access_level": "Read", + "description": "Grants permission to get information about the specified thing", + "privilege": "DescribeThing", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing" - ], - "resource_type": "WirelessGateway*" - }, { "condition_keys": [], "dependent_actions": [], 
@@ -83945,214 +94072,197 @@ ] }, { - "access_level": "Write", - "description": "Create a Destination resource.", - "privilege": "CreateDestination", + "access_level": "Read", + "description": "Grants permission to get information about the specified thing group", + "privilege": "DescribeThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "thinggroup*" } ] }, { - "access_level": "Write", - "description": "Create a DeviceProfile resource.", - "privilege": "CreateDeviceProfile", + "access_level": "Read", + "description": "Grants permission to get information about the bulk thing registration task", + "privilege": "DescribeThingRegistrationTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "DeviceProfile*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create a ServiceProfile resource.", - "privilege": "CreateServiceProfile", + "access_level": "Read", + "description": "Grants permission to get information about the specified thing type", + "privilege": "DescribeThingType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "thingtype*" } ] }, { - "access_level": "Write", - "description": "Create a WirelessDevice resource with given Destination.", - "privilege": "CreateWirelessDevice", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Destination*" - }, + "access_level": "Read", + "description": "Grants permission to describe a tunnel", 
+ "privilege": "DescribeTunnel", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "tunnel*" } ] }, { - "access_level": "Write", - "description": "Create a WirelessGateway resource.", - "privilege": "CreateWirelessGateway", + "access_level": "Permissions management", + "description": "Grants permission to detach a policy from the specified target", + "privilege": "DetachPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "cert" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thinggroup" } ] }, { - "access_level": "Write", - "description": "Create a task for a given WirelessGateway.", - "privilege": "CreateWirelessGatewayTask", + "access_level": "Permissions management", + "description": "Grants permission to remove the specified policy from the specified certificate", + "privilege": "DetachPrincipalPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "cert" } ] }, { "access_level": "Write", - "description": "Create a WirelessGateway task definition.", - "privilege": "CreateWirelessGatewayTaskDefinition", + "description": "Grants permission to disassociate a Device Defender security profile from a thing group or from this account", + "privilege": "DetachSecurityProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "securityprofile*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "custommetric" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dimension" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thinggroup" } ] }, { "access_level": "Write", - 
"description": "Delete a Destination.", - "privilege": "DeleteDestination", + "description": "Grants permission to detach the specified principal from the specified thing", + "privilege": "DetachThingPrincipal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Delete a DeviceProfile.", - "privilege": "DeleteDeviceProfile", + "description": "Grants permission to disable the specified rule", + "privilege": "DisableTopicRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "DeviceProfile*" + "resource_type": "rule*" } ] }, { "access_level": "Write", - "description": "Delete a ServiceProfile.", - "privilege": "DeleteServiceProfile", + "description": "Grants permission to enable the specified rule", + "privilege": "EnableTopicRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile*" + "resource_type": "rule*" } ] }, { - "access_level": "Write", - "description": "Delete a WirelessDevice.", - "privilege": "DeleteWirelessDevice", + "access_level": "List", + "description": "Grants permission to fetch a Device Defender's ML Detect Security Profile training model's status", + "privilege": "GetBehaviorModelTrainingSummaries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "securityprofile" } ] }, { - "access_level": "Write", - "description": "Delete a WirelessGateway.", - "privilege": "DeleteWirelessGateway", + "access_level": "Read", + "description": "Grants permission to get buckets aggregation for IoT fleet index", + "privilege": "GetBucketsAggregation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Delete task for a given 
WirelessGateway.", - "privilege": "DeleteWirelessGatewayTask", + "access_level": "Read", + "description": "Grants permission to get cardinality for IoT fleet index", + "privilege": "GetCardinality", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Delete a WirelessGateway task definition.", - "privilege": "DeleteWirelessGatewayTaskDefinition", + "access_level": "Read", + "description": "Grants permission to get effective policies", + "privilege": "GetEffectivePolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cert" } ] }, { - "access_level": "Write", - "description": "Disassociate an AWS account from a partner account.", - "privilege": "DisassociateAwsAccountFromPartnerAccount", + "access_level": "Read", + "description": "Grants permission to get current fleet indexing configuration", + "privilege": "GetIndexingConfiguration", "resource_types": [ { "condition_keys": [], 
@@ -84162,53 +94272,46 @@ ] }, { - "access_level": "Write", - "description": "Disassociate a wireless device from a AWS IoT thing.", - "privilege": "DisassociateWirelessDeviceFromThing", + "access_level": "Read", + "description": "Grants permission to get a job document", + "privilege": "GetJobDocument", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing" - ], - "resource_type": "WirelessDevice*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thing*" + "resource_type": "job*" } ] }, { - "access_level": "Write", - "description": "Disassociate a WirelessGateway from a IoT Core Identity certificate.", - "privilege": "DisassociateWirelessGatewayFromCertificate", + "access_level": "Read", + "description": "Grants permission to get the logging options", + "privilege": "GetLoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the information about the OTA update job", + "privilege": "GetOTAUpdate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cert*" + "resource_type": "otaupdate*" } ] }, { - "access_level": "Write", - "description": "Disassociate a WirelessGateway from a IoT Core thing.", - "privilege": "DisassociateWirelessGatewayFromThing", + "access_level": "Read", + "description": "Grants permission to get the list of all jobs for a thing that are not in a terminal state", + "privilege": "GetPendingJobExecutions", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iot:DescribeThing" - ], - "resource_type": "WirelessGateway*" - }, { "condition_keys": [], "dependent_actions": [], 
@@ -84218,44 +94321,44 @@ }, { "access_level": "Read", - "description": "Get the Destination", - "privilege": "GetDestination", + "description": "Grants permission to get percentiles for IoT fleet index", + "privilege": "GetPercentiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination*" + "resource_type": "index*" } ] }, { "access_level": "Read", - "description": "Get the DeviceProfile", - "privilege": "GetDeviceProfile", + "description": "Grants permission to get information about the specified policy with the policy document of the default version", + "privilege": "GetPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "DeviceProfile*" + "resource_type": "policy*" } ] }, { "access_level": "Read", - "description": "Get the associated PartnerAccount", - "privilege": "GetPartnerAccount", + "description": "Grants permission to get information about the specified policy version", + "privilege": "GetPolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { "access_level": "Read", - "description": "Retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format.", - "privilege": "GetServiceEndpoint", + "description": "Grants permission to get a registration code used to register a CA certificate with AWS IoT", + "privilege": "GetRegistrationCode", "resource_types": [ { "condition_keys": [], 
@@ -84266,104 +94369,109 @@ }, { "access_level": "Read", - "description": "Get the ServiceProfile", - "privilege": "GetServiceProfile", + "description": "Grants permission to get the retained message on the specified topic", + "privilege": "GetRetainedMessage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile*" + "resource_type": "topic*" } ] }, { "access_level": "Read", - "description": "Get the WirelessDevice", - "privilege": "GetWirelessDevice", + "description": "Grants permission to get statistics for IoT fleet index", + "privilege": "GetStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "index*" } ] }, { "access_level": "Read", - "description": "Get statistics info for a given WirelessDevice", - "privilege": "GetWirelessDeviceStatistics", + "description": "Grants permission to get the thing shadow", + "privilege": "GetThingShadow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "thing*" } ] }, { "access_level": "Read", - "description": "Get the WirelessGateway", - "privilege": "GetWirelessGateway", + "description": "Grants permission to get information about the specified rule", + "privilege": "GetTopicRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "rule*" } ] }, { "access_level": "Read", - "description": "Get the IoT Core Identity certificate id associated with the WirelessGateway.", - "privilege": "GetWirelessGatewayCertificate", + "description": "Grants permission to get a TopicRuleDestination", + "privilege": "GetTopicRuleDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "destination*" } ] }, { "access_level": "Read", - "description": "Get Current firmware version and 
other information for the WirelessGateway", - "privilege": "GetWirelessGatewayFirmwareInformation", + "description": "Grants permission to get v2 logging options", + "privilege": "GetV2LoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Get statistics info for a given WirelessGateway", - "privilege": "GetWirelessGatewayStatistics", + "access_level": "List", + "description": "Grants permission to list the active violations for a given Device Defender security profile or Thing", + "privilege": "ListActiveViolations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "securityprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing" } ] }, { - "access_level": "Read", - "description": "Get the task for a given WirelessGateway", - "privilege": "GetWirelessGatewayTask", + "access_level": "List", + "description": "Grants permission to list the policies attached to the specified thing group", + "privilege": "ListAttachedPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describe the given WirelessGateway task definition.", - "privilege": "GetWirelessGatewayTaskDefinition", + "access_level": "List", + "description": "Grants permission to list the findings (results) of a Device Defender audit or of the audits performed during a specified time period", + "privilege": "ListAuditFindings", "resource_types": [ { "condition_keys": [], 
@@ -84374,8 +94482,8 @@ }, { "access_level": "List", - "description": "List information of available Destinations based on the AWS account.", - "privilege": "ListDestinations", + "description": "Grants permission to get the status of audit mitigation action tasks that were executed", + "privilege": "ListAuditMitigationActionsExecutions", "resource_types": [ { "condition_keys": [], @@ -84386,8 +94494,8 @@ }, { "access_level": "List", - "description": "List information of available DeviceProfiles based on the AWS account.", - "privilege": "ListDeviceProfiles", + "description": "Grants permission to get a list of audit mitigation action tasks that match the specified filters", + "privilege": "ListAuditMitigationActionsTasks", "resource_types": [ { "condition_keys": [], @@ -84398,8 +94506,8 @@ }, { "access_level": "List", - "description": "Lists the available partner accounts.", - "privilege": "ListPartnerAccounts", + "description": "Grants permission to list your Device Defender audit suppressions", + "privilege": "ListAuditSuppressions", "resource_types": [ { "condition_keys": [], @@ -84410,8 +94518,8 @@ }, { "access_level": "List", - "description": "List information of available ServiceProfiles based on the AWS account.", - "privilege": "ListServiceProfiles", + "description": "Grants permission to list the Device Defender audits that have been performed during a given time period", + "privilege": "ListAuditTasks", "resource_types": [ { "condition_keys": [], 
@@ -84422,35 +94530,20 @@ }, { "access_level": "List", - "description": "Lists all tags for a given resource.", - "privilege": "ListTagsForResource", + "description": "Grants permission to list the authorizers registered in your account", + "privilege": "ListAuthorizers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DeviceProfile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ServiceProfile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "WirelessGateway" + "resource_type": "" } ] }, { "access_level": "List", - "description": "List information of available WirelessDevices based on the AWS account.", - "privilege": "ListWirelessDevices", + "description": "Grants permission to list all billing groups", + "privilege": "ListBillingGroups", "resource_types": [ { "condition_keys": [], @@ -84461,8 +94554,8 @@ }, { "access_level": "List", - "description": "List information of available WirelessGateway task definitions based on the AWS account.", - "privilege": "ListWirelessGatewayTaskDefinitions", + "description": "Grants permission to list the CA certificates registered for your AWS account", + "privilege": "ListCACertificates", "resource_types": [ { "condition_keys": [], @@ -84473,8 +94566,8 @@ }, { "access_level": "List", - "description": "List information of available WirelessGateways based on the AWS account.", - "privilege": "ListWirelessGateways", + "description": "Grants permission to list your certificates", + "privilege": "ListCertificates", "resource_types": [ { "condition_keys": [], 
@@ -84484,114 +94577,93 @@ ] }, { - "access_level": "Write", - "description": "Send the decrypted application data frame to the target device", - "privilege": "SendDataToWirelessDevice", + "access_level": "List", + "description": "Grants permission to list the device certificates signed by the specified CA certificate", + "privilege": "ListCertificatesByCA", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Tag a given resource.", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to list the custom metrics in your AWS account", + "privilege": "ListCustomMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DeviceProfile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ServiceProfile" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "WirelessGateway" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Simulate a provisioned device to send an uplink data with payload of 'Hello'", - "privilege": "TestWirelessDevice", + "access_level": "List", + "description": "Grants permission to lists mitigation actions executions for a Device Defender ML Detect Security Profile", + "privilege": "ListDetectMitigationActionsExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "thing" } ] }, { - "access_level": "Tagging", - "description": "Remove the given tags from the resource.", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to list Device Defender ML 
Detect mitigation actions tasks", + "privilege": "ListDetectMitigationActionsTasks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DeviceProfile" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the dimensions that are defined for your AWS account", + "privilege": "ListDimensions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ServiceProfile" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the domain configuration created by your AWS account", + "privilege": "ListDomainConfigurations", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a Destination resource.", - "privilege": "UpdateDestination", + "access_level": "List", + "description": "Grants permission to list the fleet metrics in your account", + "privilege": "ListFleetMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Destination*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a partner account.", - "privilege": "UpdatePartnerAccount", + "access_level": "List", + "description": "Grants permission to list all indices for fleet index", + "privilege": "ListIndices", "resource_types": [ { "condition_keys": [], 
@@ -84601,85 +94673,33 @@ ] }, { - "access_level": "Write", - "description": "Update a WirelessDevice resource.", - "privilege": "UpdateWirelessDevice", + "access_level": "List", + "description": "Grants permission to list the job executions for a job", + "privilege": "ListJobExecutionsForJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessDevice*" + "resource_type": "job*" } ] }, { - "access_level": "Write", - "description": "Update a WirelessGateway resource.", - "privilege": "UpdateWirelessGateway", + "access_level": "List", + "description": "Grants permission to list the job executions for the specified thing", + "privilege": "ListJobExecutionsForThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "WirelessGateway*" + "resource_type": "thing*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId}", - "condition_keys": [], - "resource": "WirelessDevice" - }, - { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "WirelessGateway" - }, - { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "DeviceProfile" - }, - { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ServiceProfile" - }, - { - "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Destination" - }, - { - "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", - "condition_keys": [], - "resource": "thing" }, { - "arn": 
"arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}", - "condition_keys": [], - "resource": "cert" - } - ], - "service_name": "AWS IoT Core for LoRaWAN" - }, - { - "conditions": [], - "prefix": "iq", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to submit new project requests", - "privilege": "CreateProject", + "access_level": "List", + "description": "Grants permission to list job templates", + "privilege": "ListJobTemplates", "resource_types": [ { "condition_keys": [], @@ -84687,19 +94707,11 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS IQ" - }, - { - "conditions": [], - "prefix": "iq-permission", - "privileges": [ + }, { - "access_level": "Write", - "description": "Grants permission to approve an access grant", - "privilege": "ApproveAccessGrant", + "access_level": "List", + "description": "Grants permission to list jobs", + "privilege": "ListJobs", "resource_types": [ { "condition_keys": [], 
@@ -84707,502 +94719,356 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS IQ Permissions" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags associated with the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "ivs", - "privileges": [ - { - "access_level": "Read", - "description": "Grants permission to get multiple channels simultaneously by channel ARN.", - "privilege": "BatchGetChannel", + "access_level": "List", + "description": "Grants permission to get a list of all mitigation actions that match the specified filter criteria", + "privilege": "ListMitigationActions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get multiple stream keys simultaneously by stream key ARN.", - "privilege": "BatchGetStreamKey", + "access_level": "List", + "description": "Grants permission to list all named shadows for a given thing", + "privilege": "ListNamedShadowsForThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "thing*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new channel and an associated stream key.", - "privilege": "CreateChannel", + "access_level": "List", + "description": "Grants permission to list OTA update jobs in the account", + "privilege": "ListOTAUpdates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - }, - { - "condition_keys": [], - 
"dependent_actions": [], - "resource_type": "Stream-Key*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a stream key.", - "privilege": "CreateStreamKey", + "access_level": "List", + "description": "Grants permission to list certificates that are being transfered but not yet accepted", + "privilege": "ListOutgoingCertificates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a channel and channel's stream keys.", - "privilege": "DeleteChannel", + "access_level": "List", + "description": "Grants permission to list your policies", + "privilege": "ListPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the playback key pair for a specified ARN", - "privilege": "DeletePlaybackKeyPair", + "access_level": "List", + "description": "Grants permission to list the principals associated with the specified policy", + "privilege": "ListPolicyPrincipals", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the stream key for a specified ARN", - "privilege": "DeleteStreamKey", + "access_level": "List", + "description": "Grants permission to list the versions of the specified policy, and identifies the default version", + "privilege": 
"ListPolicyVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "policy*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the channel configuration for a specified channel ARN", - "privilege": "GetChannel", + "access_level": "List", + "description": "Grants permission to list the policies attached to the specified principal. If you use an Amazon Cognito identity, the ID needs to be in Amazon Cognito Identity format", + "privilege": "ListPrincipalPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the playback keypair information for a specified ARN", - "privilege": "GetPlaybackKeyPair", + "access_level": "List", + "description": "Grants permission to list the things associated with the specified principal", + "privilege": "ListPrincipalThings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about the active (live) stream on a specified channel", - "privilege": "GetStream", + "access_level": "List", + "description": "Grants permission to get a list of fleet provisioning template versions", + "privilege": "ListProvisioningTemplateVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "provisioningtemplate*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get stream-key information for a specified ARN", - "privilege": "GetStreamKey", + "access_level": "List", + "description": "Grants permission to list the fleet provisioning templates in your AWS account", + "privilege": "ListProvisioningTemplates", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to import the public key.", - "privilege": "ImportPlaybackKeyPair", + "access_level": "List", + "description": "Grants permission to list the retained messages for your account", + "privilege": "ListRetainedMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to get summary information about channels", - "privilege": "ListChannels", + "description": "Grants permission to list role aliases", + "privilege": "ListRoleAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to get summary information about playback key pairs", - "privilege": "ListPlaybackKeyPairs", + "description": "Grants permission to list all of your scheduled audits", + "privilege": "ListScheduledAudits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to get summary information about stream keys", - "privilege": "ListStreamKeys", + "description": "Grants permission to list the Device Defender security profiles you have created", + "privilege": "ListSecurityProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "custommetric" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key*" + "resource_type": "dimension" } ] }, { "access_level": "List", - "description": "Grants 
permission to get summary information about live streams", + "description": "Grants permission to list the Device Defender security profiles attached to a target", + "privilege": "ListSecurityProfilesForTarget", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thinggroup" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the streams in your account", "privilege": "ListStreams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to get information about the tags for a specified ARN", + "access_level": "Read", + "description": "Grants permission to list all tags for a given resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel" + "resource_type": "authorizer" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair" + "resource_type": "billinggroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key" + "resource_type": "cacert" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to insert metadata into an RTMP stream for a specified channel", - "privilege": "PutMetadata", - "resource_types": [ + "resource_type": "custommetric" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disconnect a streamer on a specified channel", - "privilege": "StopStream", - "resource_types": [ + "resource_type": "dimension" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - } - ] - }, - { 
- "access_level": "Tagging", - "description": "Grants permission to add or update tags for a resource with a specified ARN", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "domainconfiguration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel" + "resource_type": "dynamicthinggroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair" + "resource_type": "fleetmetric" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key" + "resource_type": "job" }, { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove tags for a resource with a specified ARN", - "privilege": "UntagResource", - "resource_types": [ + "resource_type": "jobtemplate" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel" + "resource_type": "mitigationaction" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Playback-Key-Pair" + "resource_type": "otaupdate" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Stream-Key" + "resource_type": "policy" }, { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a channel's configuration", - "privilege": "UpdateChannel", - "resource_types": [ + "resource_type": "provisioningtemplate" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Channel*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:ivs::${Account}:channel/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Channel" - }, - { - "arn": "arn:${Partition}:ivs::${Account}:stream-key/${ResourceId}", - 
"condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Stream-Key" - }, - { - "arn": "arn:${Partition}:ivs::${Account}:playback-key/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Playback-Key-Pair" - } - ], - "service_name": "Amazon Interactive Video Service" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the MSK resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "kafka", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to associate one or more Scram Secrets with an Amazon MSK cluster", - "privilege": "BatchAssociateScramSecret", - "resource_types": [ + "resource_type": "rolealias" + }, { "condition_keys": [], - "dependent_actions": [ - "kms:CreateGrant", - "kms:RetireGrant" - ], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disassociate one or more Scram Secrets from an Amazon MSK cluster", - "privilege": "BatchDisassociateScramSecret", - "resource_types": [ + "dependent_actions": [], + "resource_type": "rule" + }, { "condition_keys": [], - "dependent_actions": [ - "kms:RetireGrant" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "scheduledaudit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securityprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thinggroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "thingtype" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an MSK cluster", - "privilege": "CreateCluster", + "access_level": "List", + "description": "Grants permission to list targets for the specified policy", + "privilege": "ListTargetsForPolicy", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "iam:AttachRolePolicy", - "iam:CreateServiceLinkedRole", - "iam:PutRolePolicy", - "kms:CreateGrant", - "kms:DescribeKey" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "policy*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an MSK configuration", - "privilege": "CreateConfiguration", + "access_level": "List", + "description": "Grants permission to list the targets associated with a given Device Defender security profile", + "privilege": "ListTargetsForSecurityProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "securityprofile*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an MSK cluster", - "privilege": "DeleteCluster", + "access_level": "List", + "description": "Grants permission to list all thing groups", + "privilege": "ListThingGroups", "resource_types": [ { "condition_keys": [], 
@@ -85212,21 +95078,21 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete the specified MSK configuration", - "privilege": "DeleteConfiguration", + "access_level": "List", + "description": "Grants permission to list thing groups to which the specified thing belongs", + "privilege": "ListThingGroupsForThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK cluster", - "privilege": "DescribeCluster", + "access_level": "List", + "description": "Grants permission to list the principals associated with the specified thing", + "privilege": "ListThingPrincipals", "resource_types": [ { "condition_keys": [], @@ -85236,9 +95102,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe the cluster operation that is specified by the given ARN", - "privilege": "DescribeClusterOperation", + "access_level": "List", + "description": "Grants permission to list information about bulk thing registration tasks", + "privilege": "ListThingRegistrationTaskReports", "resource_types": [ { "condition_keys": [], @@ -85248,9 +95114,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK configuration", - "privilege": "DescribeConfiguration", + "access_level": "List", + "description": "Grants permission to list bulk thing registration tasks", + "privilege": "ListThingRegistrationTasks", "resource_types": [ { "condition_keys": [], @@ -85260,9 +95126,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe an MSK configuration revision", - "privilege": "DescribeConfigurationRevision", + "access_level": "List", + "description": "Grants permission to list all thing types", + "privilege": "ListThingTypes", "resource_types": [ { "condition_keys": [], 
@@ -85272,9 +95138,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get connection details for the brokers in an MSK cluster", - "privilege": "GetBootstrapBrokers", + "access_level": "List", + "description": "Grants permission to list all things", + "privilege": "ListThings", "resource_types": [ { "condition_keys": [], @@ -85285,32 +95151,32 @@ }, { "access_level": "List", - "description": "Grants permission to get a list of the Apache Kafka versions to which you can update an MSK cluster", - "privilege": "GetCompatibleKafkaVersions", + "description": "Grants permission to list all things in the specified billing group", + "privilege": "ListThingsInBillingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "billinggroup*" } ] }, { "access_level": "List", - "description": "Returns a list of all the operations that have been performed on the specified MSK cluster", - "privilege": "ListClusterOperations", + "description": "Grants permission to list all things in the specified thing group", + "privilege": "ListThingsInThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thinggroup*" } ] }, { "access_level": "List", - "description": "Grants permission to list all MSK clusters in this account", - "privilege": "ListClusters", + "description": "Grants permission to list all TopicRuleDestinations", + "privilege": "ListTopicRuleDestinations", "resource_types": [ { "condition_keys": [], @@ -85321,8 +95187,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all revisions for an MSK configuration in this account", - "privilege": "ListConfigurationRevisions", + "description": "Grants permission to list the rules for the specific topic", + "privilege": "ListTopicRules", "resource_types": [ { "condition_keys": [], 
@@ -85333,8 +95199,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all MSK configurations in this account", - "privilege": "ListConfigurations", + "description": "Grants permission to list tunnels", + "privilege": "ListTunnels", "resource_types": [ { "condition_keys": [], @@ -85345,8 +95211,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all Apache Kafka versions supported by Amazon MSK", - "privilege": "ListKafkaVersions", + "description": "Grants permission to list the v2 logging levels", + "privilege": "ListV2LoggingLevels", "resource_types": [ { "condition_keys": [], 
@@ -85357,95 +95223,95 @@ }, { "access_level": "List", - "description": "Grants permission to list brokers in an MSK cluster", - "privilege": "ListNodes", + "description": "Grants permission to list the Device Defender security profile violations discovered during the given time period", + "privilege": "ListViolationEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "securityprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing" } ] }, { - "access_level": "List", - "description": "Grants permission to list the Scram Secrets associated with an Amazon MSK cluster", - "privilege": "ListScramSecrets", + "access_level": "Write", + "description": "Grants permission to open a tunnel", + "privilege": "OpenTunnel", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "iot:ThingGroupArn", + "iot:TunnelDestinationService" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list tags of an MSK resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to publish to the specified topic", + "privilege": "Publish", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Grants permission to reboot broker", - "privilege": "RebootBroker", + "description": "Grants permission to receive from the specified topic", + "privilege": "Receive", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "topic*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag an MSK resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to register a CA certificate 
with AWS IoT", + "privilege": "RegisterCACertificate", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "iam:PassRole" + ], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from an MSK resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to register a device certificate with AWS IoT", + "privilege": "RegisterCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the number of brokers of the MSK cluster", - "privilege": "UpdateBrokerCount", + "description": "Grants permission to register a device certificate with AWS IoT without a registered CA (certificate authority)", + "privilege": "RegisterCertificateWithoutCA", "resource_types": [ { "condition_keys": [], @@ -85456,8 +95322,8 @@ }, { "access_level": "Write", - "description": "Updates the storage size of the brokers of the MSK cluster", - "privilege": "UpdateBrokerStorage", + "description": "Grants permission to register your thing", + "privilege": "RegisterThing", "resource_types": [ { "condition_keys": [], 
@@ -85468,100 +95334,78 @@ }, { "access_level": "Write", - "description": "Grants permission to update the configuration of the MSK cluster", - "privilege": "UpdateClusterConfiguration", + "description": "Grants permission to reject a pending certificate transfer", + "privilege": "RejectCertificateTransfer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the MSK cluster to the specified Apache Kafka version", - "privilege": "UpdateClusterKafkaVersion", + "description": "Grants permission to remove thing from the specified billing group", + "privilege": "RemoveThingFromBillingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "billinggroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new revision of the MSK configuration", - "privilege": "UpdateConfiguration", + "description": "Grants permission to remove thing from the specified thing group", + "privilege": "RemoveThingFromThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thinggroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the monitoring settings for the MSK cluster", - "privilege": "UpdateMonitoring", + "description": "Grants permission to replace the specified rule", + "privilege": "ReplaceTopicRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "rule*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${UUID}", - "condition_keys": [ - 
"aws:ResourceTag/${TagKey}" - ], - "resource": "cluster" - } - ], - "service_name": "Amazon Managed Streaming for Apache Kafka" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the mandatory tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request", - "type": "String" - } - ], - "prefix": "kendra", - "privileges": [ { "access_level": "Write", - "description": "Grant permission to batch delete document", - "privilege": "BatchDeleteDocument", + "description": "Grants permission to publish a retained message to the specified topic", + "privilege": "RetainPublish", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "topic*" } ] }, { - "access_level": "Write", - "description": "Grant permission to batch put document", - "privilege": "BatchPutDocument", + "access_level": "Read", + "description": "Grants permission to search IoT fleet index", + "privilege": "SearchIndex", "resource_types": [ { "condition_keys": [], 
@@ -85571,55 +95415,36 @@ ] }, { - "access_level": "Write", - "description": "Grant permission to create a data source", - "privilege": "CreateDataSource", + "access_level": "Permissions management", + "description": "Grants permission to set the default authorizer. This will be used if a websocket connection is made without specifying an authorizer", + "privilege": "SetDefaultAuthorizer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "authorizer*" } ] }, { - "access_level": "Write", - "description": "Grant permission to create an Faq", - "privilege": "CreateFaq", + "access_level": "Permissions management", + "description": "Grants permission to set the specified version of the specified policy as the policy's default (operative) version", + "privilege": "SetDefaultPolicyVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "policy*" } ] }, { "access_level": "Write", - "description": "Grant permission to create an Index", - "privilege": "CreateIndex", + "description": "Grants permission to set the logging options", + "privilege": "SetLoggingOptions", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -85627,359 +95452,377 @@ }, { "access_level": "Write", - "description": "Grant permission to create a Thesaurus", - "privilege": "CreateThesaurus", + "description": "Grants permission to set the v2 logging level", + "privilege": "SetV2LoggingLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grant permission to delete a data source", - "privilege": "DeleteDataSource", + "description": "Grants permission to set the v2 logging options", + "privilege": "SetV2LoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grant permission to delete an Faq", - "privilege": "DeleteFaq", + "description": "Grants permission to start a task that applies a set of mitigation actions to the specified target", + "privilege": "StartAuditMitigationActionsTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grant permission to delete an Index", - "privilege": "DeleteIndex", + "description": "Grants permission to start a Device Defender ML Detect mitigation actions task", + "privilege": "StartDetectMitigationActionsTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "securityprofile" } ] }, { "access_level": "Write", - "description": "Grant permission to delete a Thesaurus", - "privilege": "DeleteThesaurus", + "description": "Grants permission to get and 
start the next pending job execution for a thing", + "privilege": "StartNextPendingJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thesaurus*" + "resource_type": "thing*" } ] }, { - "access_level": "Read", - "description": "Grant permission to describe a data source", - "privilege": "DescribeDataSource", + "access_level": "Write", + "description": "Grants permission to start an on-demand Device Defender audit", + "privilege": "StartOnDemandAuditTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grant permission to describe an Faq", - "privilege": "DescribeFaq", + "access_level": "Write", + "description": "Grants permission to start a bulk thing registration task", + "privilege": "StartThingRegistrationTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a bulk thing registration task", + "privilege": "StopThingRegistrationTask", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grant permission to describe an Index", - "privilege": "DescribeIndex", + "access_level": "Write", + "description": "Grants permission to subscribe to the specified TopicFilter", + "privilege": "Subscribe", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "topicfilter*" } ] }, { - "access_level": "Read", - "description": "Grant permission to describe a Thesaurus", - "privilege": 
"DescribeThesaurus", + "access_level": "Tagging", + "description": "Grants permission to tag a specified resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "authorizer" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus*" - } - ] - }, - { - "access_level": "List", - "description": "Grant permission to get Data Source sync job history", - "privilege": "ListDataSourceSyncJobs", - "resource_types": [ + "resource_type": "billinggroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" + "resource_type": "cacert" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "custommetric" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dimension" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domainconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dynamicthinggroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobtemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mitigationaction" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "otaupdate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "policy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "provisioningtemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rolealias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "rule" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"scheduledaudit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securityprofile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thinggroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thingtype" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grant permission to list the data sources", - "privilege": "ListDataSources", + "access_level": "Read", + "description": "Grants permission to test the policies evaluation for group policies", + "privilege": "TestAuthorization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "cert" } ] }, { - "access_level": "List", - "description": "Grant permission to list the Faqs", - "privilege": "ListFaqs", + "access_level": "Read", + "description": "Grants permission to test invoke the specified custom authorizer for testing purposes", + "privilege": "TestInvokeAuthorizer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "authorizer*" } ] }, { - "access_level": "List", - "description": "Grant permission to list the indexes", - "privilege": "ListIndices", + "access_level": "Write", + "description": "Grants permission to transfer the specified certificate to the specified AWS account", + "privilege": "TransferCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cert*" } ] }, { - "access_level": "List", - "description": "Grant permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Tagging", + "description": "Grants permission to untag a specified resource", + "privilege": 
"UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "authorizer" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq" + "resource_type": "billinggroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index" + "resource_type": "cacert" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus" - } - ] - }, - { - "access_level": "List", - "description": "Grant permission to list the Thesauri", - "privilege": "ListThesauri", - "resource_types": [ + "resource_type": "custommetric" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - } - ] - }, - { - "access_level": "Read", - "description": "Grant permission to query documents and faqs", - "privilege": "Query", - "resource_types": [ + "resource_type": "dimension" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - } - ] - }, - { - "access_level": "Write", - "description": "Grant permission to start Data Source sync job", - "privilege": "StartDataSourceSyncJob", - "resource_types": [ + "resource_type": "domainconfiguration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" + "resource_type": "dynamicthinggroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - } - ] - }, - { - "access_level": "Write", - "description": "Grant permission to stop Data Source sync job", - "privilege": "StopDataSourceSyncJob", - "resource_types": [ + "resource_type": "fleetmetric" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" + "resource_type": "job" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - } - ] - }, - { - "access_level": "Write", - "description": "Grant permission to send feedback about a query results", - "privilege": "SubmitFeedback", - "resource_types": [ + 
"resource_type": "jobtemplate" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grant permission to tag a resource with given key value pairs", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "mitigationaction" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "otaupdate" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq" + "resource_type": "policy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index" + "resource_type": "provisioningtemplate" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus" + "resource_type": "rolealias" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grant permission to remove the tag with the given key from a resource", - "privilege": "UntagResource", - "resource_types": [ + "resource_type": "rule" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source" + "resource_type": "scheduledaudit" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "faq" + "resource_type": "securityprofile" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "index" + "resource_type": "stream" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "thesaurus" + "resource_type": "thinggroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thingtype" }, { "condition_keys": [ 
@@ -85992,317 +95835,269 @@ }, { "access_level": "Write", - "description": "Grant permission to update a data source", - "privilege": "UpdateDataSource", + "description": "Grants permission to configure or reconfigure the Device Defender audit settings for this account", + "privilege": "UpdateAccountAuditConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-source*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grant permission to update an Index", - "privilege": "UpdateIndex", + "description": "Grants permission to update a Device Defender audit suppression", + "privilege": "UpdateAuditSuppression", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grant permission to update a thesaurus", - "privilege": "UpdateThesaurus", + "description": "Grants permission to update an authorizer", + "privilege": "UpdateAuthorizer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "index*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "thesaurus*" + "resource_type": "authorizer*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "index" - }, - { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/data-source/${DataSourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "data-source" - }, - { - "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/faq/${FaqId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "faq" }, { - "arn": 
"arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/thesaurus/${ThesaurusId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "thesaurus" - } - ], - "service_name": "Amazon Kendra" - }, - { - "conditions": [], - "prefix": "kinesis", - "privileges": [ - { - "access_level": "Tagging", - "description": "Adds or updates tags for the specified Amazon Kinesis stream. Each stream can have up to 10 tags.", - "privilege": "AddTagsToStream", + "access_level": "Write", + "description": "Grants permission to update information associated with the specified billing group", + "privilege": "UpdateBillingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "billinggroup*" } ] }, { "access_level": "Write", - "description": "Creates a Amazon Kinesis stream.", - "privilege": "CreateStream", + "description": "Grants permission to update a registered CA certificate", + "privilege": "UpdateCACertificate", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "cacert*" } ] }, { "access_level": "Write", - "description": "Decreases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.", - "privilege": "DecreaseStreamRetentionPeriod", + "description": "Grants permission to update the status of the specified certificate. 
This operation is idempotent", + "privilege": "UpdateCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Deletes a stream and all its shards and data.", - "privilege": "DeleteStream", + "description": "Grants permission to update the specified custom metric", + "privilege": "UpdateCustomMetric", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "custommetric*" } ] }, { "access_level": "Write", - "description": "Deregisters a stream consumer with a Kinesis data stream.", - "privilege": "DeregisterStreamConsumer", + "description": "Grants permission to update the definition for a dimension", + "privilege": "UpdateDimension", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" - }, + "resource_type": "dimension*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a domain configuration", + "privilege": "UpdateDomainConfiguration", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "domainconfiguration*" } ] }, { - "access_level": "Read", - "description": "Describes the shard limits and usage for the account.", - "privilege": "DescribeLimits", + "access_level": "Write", + "description": "Grants permission to update a Dynamic Thing Group", + "privilege": "UpdateDynamicThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dynamicthinggroup*" } ] }, { - "access_level": "Read", - "description": "Describes the specified stream.", - "privilege": "DescribeStream", + "access_level": "Write", + "description": "Grants permission to update event configurations", + "privilege": "UpdateEventConfigurations", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets the description of a registered stream consumer.", - "privilege": "DescribeStreamConsumer", + "access_level": "Write", + "description": "Grants permission to update a fleet metric", + "privilege": "UpdateFleetMetric", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" + "resource_type": "fleetmetric*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Provides a summarized description of the specified Kinesis data stream without the shard list.", - "privilege": "DescribeStreamSummary", + "access_level": "Write", + "description": "Grants permission to update fleet indexing configuration", + "privilege": "UpdateIndexingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Disables enhanced monitoring.", - "privilege": "DisableEnhancedMonitoring", + "description": "Grants permission to update a job", + "privilege": "UpdateJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "job*" } ] }, { "access_level": "Write", - "description": "API_EnableEnhancedMonitoring.html", - "privilege": "EnableEnhancedMonitoring", + "description": "Grants permission to update a job execution", + "privilege": "UpdateJobExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing*" } ] }, { - "access_level": "Read", - "description": "Gets data records from a shard.", - "privilege": "GetRecords", + "access_level": "Write", + "description": "Grants permission to update the definition for the specified mitigation action", + "privilege": 
"UpdateMitigationAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "mitigationaction*" } ] }, { - "access_level": "Read", - "description": "Gets a shard iterator. A shard iterator expires five minutes after it is returned to the requester.", - "privilege": "GetShardIterator", + "access_level": "Write", + "description": "Grants permission to update a fleet provisioning template", + "privilege": "UpdateProvisioningTemplate", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "provisioningtemplate*" } ] }, { "access_level": "Write", - "description": "Increases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.", - "privilege": "IncreaseStreamRetentionPeriod", + "description": "Grants permission to update the role alias", + "privilege": "UpdateRoleAlias", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "rolealias*" } ] }, { - "access_level": "List", - "description": "Lists the shards in a stream and provides information about each shard.", - "privilege": "ListShards", + "access_level": "Write", + "description": "Grants permission to update a scheduled audit, including what checks are performed and how often the audit takes place", + "privilege": "UpdateScheduledAudit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "scheduledaudit*" } ] }, { - "access_level": "List", - "description": "Lists the stream consumers registered to receive data from a Kinesis stream using enhanced fan-out, and provides information about each consumer.", - "privilege": "ListStreamConsumers", + "access_level": "Write", + "description": "Grants permission to 
update a Device Defender security profile", + "privilege": "UpdateSecurityProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists your streams.", - "privilege": "ListStreams", - "resource_types": [ + "resource_type": "securityprofile*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Lists the tags for the specified Amazon Kinesis stream.", - "privilege": "ListTagsForStream", - "resource_types": [ + "resource_type": "custommetric" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "dimension" } ] }, { "access_level": "Write", - "description": "Merges two adjacent shards in a stream and combines them into a single shard to reduce the stream's capacity to ingest and transport data.", - "privilege": "MergeShards", + "description": "Grants permission to update the data for a stream", + "privilege": "UpdateStream", "resource_types": [ { "condition_keys": [], 
@@ -86313,124 +96108,319 @@ }, { "access_level": "Write", - "description": "Writes a single data record from a producer into an Amazon Kinesis stream.", - "privilege": "PutRecord", + "description": "Grants permission to update information associated with the specified thing", + "privilege": "UpdateThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Writes multiple data records from a producer into an Amazon Kinesis stream in a single call (also referred to as a PutRecords request).", - "privilege": "PutRecords", + "description": "Grants permission to update information associated with the specified thing group", + "privilege": "UpdateThingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "thinggroup*" } ] }, { "access_level": "Write", - "description": "Registers a stream consumer with a Kinesis data stream.", - "privilege": "RegisterStreamConsumer", + "description": "Grants permission to update the thing groups to which the thing belongs", + "privilege": "UpdateThingGroupsForThing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" + "resource_type": "thing*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "thinggroup" } ] }, { - "access_level": "Tagging", - "description": "Description for SplitShard", - "privilege": "RemoveTagsFromStream", + "access_level": "Write", + "description": "Grants permission to update the thing shadow", + "privilege": "UpdateThingShadow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Description for SplitShard", - "privilege": "SplitShard", + "description": "Grants permission to update a 
TopicRuleDestination", + "privilege": "UpdateTopicRuleDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "destination*" } ] }, { - "access_level": "Write", - "description": "Grants permission to enable or update server-side encryption using an AWS KMS key for a specified stream.", - "privilege": "StartStreamEncryption", + "access_level": "Read", + "description": "Grants permission to validate a Device Defender security profile behaviors specification", + "privilege": "ValidateSecurityProfileBehaviors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "kmsKey*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:client/${ClientId}", + "condition_keys": [], + "resource": "client" }, { - "access_level": "Write", - "description": "Grants permission to disable server-side encryption for a specified stream.", - "privilege": "StopStreamEncryption", + "arn": "arn:${Partition}:iot:${Region}:${Account}:index/${IndexName}", + "condition_keys": [], + "resource": "index" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:fleetmetric/${FleetMetricName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "fleetmetric" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:job/${JobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "job" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:jobtemplate/${JobTemplateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "jobtemplate" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:tunnel/${TunnelId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "tunnel" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", + 
"condition_keys": [], + "resource": "thing" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "thinggroup" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:billinggroup/${BillingGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "billinggroup" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thinggroup/${ThingGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dynamicthinggroup" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thingtype/${ThingTypeName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "thingtype" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:topic/${TopicName}", + "condition_keys": [], + "resource": "topic" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:topicfilter/${TopicFilter}", + "condition_keys": [], + "resource": "topicfilter" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:rolealias/${RoleAlias}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "rolealias" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:authorizer/${AuthorizerName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "authorizer" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:policy/${PolicyName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "policy" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}", + "condition_keys": [], + "resource": "cert" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:cacert/${CACertificate}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cacert" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:stream/${StreamId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "stream" + }, 
+ { + "arn": "arn:${Partition}:iot:${Region}:${Account}:otaupdate/${OtaUpdateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "otaupdate" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:scheduledaudit/${ScheduleName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "scheduledaudit" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:mitigationaction/${MitigationActionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "mitigationaction" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:securityprofile/${SecurityProfileName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "securityprofile" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:custommetric/${MetricName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "custommetric" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:dimension/${DimensionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dimension" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:rule/${RuleName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "rule" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:destination/${DestinationType}/${Uuid}", + "condition_keys": [], + "resource": "destination" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:provisioningtemplate/${ProvisioningTemplate}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "provisioningtemplate" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${DomainConfigurationName}/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "domainconfiguration" + } + ], + "service_name": "AWS IoT" + }, + { + "conditions": [], + "prefix": "iot-device-tester", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission for IoT 
Device Tester to check if a given set of product, test suite and device tester version are compatible", + "privilege": "CheckVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "kmsKey*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Listening to a specific shard with enhanced fan-out.", - "privilege": "SubscribeToShard", + "description": "Grants permission for IoT Device Tester to download compatible test suite versions", + "privilege": "DownloadTestSuite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "consumer*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission for IoT Device Tester to get information on latest version of device tester available", + "privilege": "LatestIdt", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the shard count of the specified stream to the specified number of shards.", - "privilege": "UpdateShardCount", + "description": "Grants permissions for IoT Device Tester to send usage metrics on your behalf", + "privilege": "SendMetrics", "resource_types": [ { "condition_keys": [], 
@@ -86438,88 +96428,89 @@ "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kinesis:${Region}:${Account}:stream/${StreamName}", - "condition_keys": [], - "resource": "stream" - }, - { - "arn": "arn:${Partition}:kinesis:${Region}:${Account}:${StreamType}/${StreamName}/consumer/${ConsumerName}:${ConsumerCreationTimpstamp}", - "condition_keys": [], - "resource": "consumer" }, { - "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", - "condition_keys": [], - "resource": "kmsKey" + "access_level": "Read", + "description": "Grants permission for IoT Device Tester to get list of supported products and test suite versions", + "privilege": "SupportedVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], - "service_name": "Amazon Kinesis" + "resources": [], + "service_name": "AWS IoT Device Tester" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tag keys in the request", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" } ], - "prefix": "kinesisanalytics", + "prefix": "iot1click", "privileges": [ { "access_level": "Write", - "description": "Adds input to the application.", - "privilege": "AddApplicationInput", + "description": "Grants permission to associate a device to a placement", + "privilege": "AssociateDeviceWithPlacement", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Adds output to the application.", - "privilege": "AddApplicationOutput", + "access_level": "Read", + "description": "Grants permission to claim a batch of devices with a claim code", + "privilege": "ClaimDevicesByClaimCode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Adds reference data source to the application.", - "privilege": "AddApplicationReferenceDataSource", + "description": "Grants permission to create a new placement in a project", + "privilege": "CreatePlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Creates an application.", - "privilege": "CreateApplication", + "description": "Grants permission to create a new project", + "privilege": "CreateProject", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -86532,284 +96523,224 @@ }, { "access_level": "Write", - "description": "Deletes the application.", - "privilege": "DeleteApplication", + "description": "Grants permission to delete a placement from a project", + "privilege": "DeletePlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Deletes the specified output of the application.", - "privilege": "DeleteApplicationOutput", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Deletes the specified reference data source of the application.", - "privilege": "DeleteApplicationReferenceDataSource", + "access_level": "Read", + "description": "Grants permission to describe a device", + "privilege": "DescribeDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "device*" } ] }, { "access_level": "Read", - "description": "Describes the specified application.", - "privilege": "DescribeApplication", + "description": "Grants permission to describe a placement", + "privilege": "DescribePlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { "access_level": "Read", - "description": "Discovers the input schema for the application.", - "privilege": "DiscoverInputSchema", + "description": "Grants permission to describe a project", + "privilege": "DescribeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "Read", - "description": "Grant permission to Kinesis Data Analytics console to 
display stream results for Kinesis Data Analytics SQL runtime applications.", - "privilege": "GetApplicationState", + "access_level": "Write", + "description": "Grants permission to disassociate a device from a placement", + "privilege": "DisassociateDeviceFromPlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { - "access_level": "List", - "description": "List applications for the account", - "privilege": "ListApplications", + "access_level": "Read", + "description": "Grants permission to finalize a device claim", + "privilege": "FinalizeDeviceClaim", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Fetch the tags associated with the application.", - "privilege": "ListTagsForResource", + "description": "Grants permission to get available methods of a device", + "privilege": "GetDeviceMethods", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "device*" } ] }, { - "access_level": "Write", - "description": "Starts the application.", - "privilege": "StartApplication", + "access_level": "Read", + "description": "Grants permission to get devices associated to a placement", + "privilege": "GetDevicesInPlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Stops the application.", - "privilege": "StopApplication", + "access_level": "Read", + "description": "Grants permission to initialize a device claim", + "privilege": "InitiateDeviceClaim", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"application*" + "resource_type": "device*" } ] }, { - "access_level": "Tagging", - "description": "Add tags to the application.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to invoke a device method", + "privilege": "InvokeDeviceMethod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "device*" } ] }, { - "access_level": "Tagging", - "description": "Remove the specified tags from the application.", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to list past events published by a device", + "privilege": "ListDeviceEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "device*" } ] }, { - "access_level": "Write", - "description": "Updates the application.", - "privilege": "UpdateApplication", + "access_level": "List", + "description": "Grants permission to list all devices", + "privilege": "ListDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "application" - } - ], - "service_name": "Amazon Kinesis Analytics" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with 
the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tag keys in the request", - "type": "String" - } - ], - "prefix": "kinesisanalytics", - "privileges": [ - { - "access_level": "Write", - "description": "Adds cloudwatch logging option to the application.", - "privilege": "AddApplicationCloudWatchLoggingOption", + "access_level": "Read", + "description": "Grants permission to list placements in a project", + "privilege": "ListPlacements", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Adds input to the application.", - "privilege": "AddApplicationInput", + "access_level": "List", + "description": "Grants permission to list all projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Adds input processing configuration to the application.", - "privilege": "AddApplicationInputProcessingConfiguration", + "access_level": "Read", + "description": "Grants permission to lists the tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Adds output to the application.", - "privilege": "AddApplicationOutput", - "resource_types": [ + "resource_type": "device" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project" } ] }, { - "access_level": "Write", - "description": "Adds reference data source to the application.", - "privilege": "AddApplicationReferenceDataSource", + "access_level": "Tagging", + "description": "Grants permission to add or modify the tags of a 
resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Adds VPC configuration to the application.", - "privilege": "AddApplicationVpcConfiguration", - "resource_types": [ + "resource_type": "device" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Creates an application.", - "privilege": "CreateApplication", - "resource_types": [ + "resource_type": "project" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -86821,206 +96752,149 @@ ] }, { - "access_level": "Write", - "description": "Creates a snapshot for an application.", - "privilege": "CreateApplicationSnapshot", + "access_level": "Read", + "description": "Grants permission to unclaim a device", + "privilege": "UnclaimDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "device*" } ] }, { - "access_level": "Write", - "description": "Deletes the application.", - "privilege": "DeleteApplication", + "access_level": "Tagging", + "description": "Grants permission to remove the given tags (metadata) from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the specified cloudwatch logging option of the application.", - "privilege": "DeleteApplicationCloudWatchLoggingOption", + "description": "Grants permission to update device state", + "privilege": "UpdateDeviceState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "device*" } ] }, { "access_level": "Write", - "description": "Deletes the specified input processing configuration of the application.", - "privilege": "DeleteApplicationInputProcessingConfiguration", + "description": "Grants permission to update a placement", + "privilege": "UpdatePlacement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Deletes the specified output of the application.", - "privilege": "DeleteApplicationOutput", - "resource_types": [ - 
{ - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes the specified reference data source of the application.", - "privilege": "DeleteApplicationReferenceDataSource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes a snapshot for an application.", - "privilege": "DeleteApplicationSnapshot", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes the specified VPC configuration of the application.", - "privilege": "DeleteApplicationVpcConfiguration", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] - }, - { - "access_level": "Read", - "description": "Describes the specified application.", - "privilege": "DescribeApplication", + "description": "Update a project", + "privilege": "UpdateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "project*" } ] - }, + } + ], + "resources": [ { - "access_level": "Read", - "description": "Describes an application snapshot.", - "privilege": "DescribeApplicationSnapshot", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] + "arn": "arn:${Partition}:iot1click:${Region}:${Account}:devices/${DeviceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "device" }, { - "access_level": "Read", - "description": "Discovers the input schema for the application.", - "privilege": "DiscoverInputSchema", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, + "arn": 
"arn:${Partition}:iot1click:${Region}:${Account}:projects/${ProjectName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "project" + } + ], + "service_name": "AWS IoT 1-Click" + }, + { + "conditions": [ { - "access_level": "Read", - "description": "Lists the snapshots for an application.", - "privilege": "ListApplicationSnapshots", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] + "condition": "aws:RequestTag/${TagKey}", + "description": "A tag key that is present in the request that the user makes to IoT Analytics.", + "type": "String" }, { - "access_level": "List", - "description": "List applications for the account", - "privilege": "ListApplications", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "aws:TagKeys", + "description": "The list of all the tag key names associated with the IoT Analytics resource in the request.", + "type": "String" }, { - "access_level": "Read", - "description": "Fetch the tags associated with the application.", - "privilege": "ListTagsForResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "application*" - } - ] - }, + "condition": "iotanalytics:ResourceTag/${TagKey}", + "description": "The preface string for a tag key and value pair attached to an IoT Analytics resource.", + "type": "String" + } + ], + "prefix": "iotanalytics", + "privileges": [ { "access_level": "Write", - "description": "Starts the application.", - "privilege": "StartApplication", + "description": "Puts a batch of messages into the specified channel.", + "privilege": "BatchPutMessage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Stops the application.", - "privilege": "StopApplication", + "description": 
"Cancels reprocessing for the specified pipeline.", + "privilege": "CancelPipelineReprocessing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "pipeline*" } ] }, { - "access_level": "Tagging", - "description": "Add tags to the application.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Creates a channel.", + "privilege": "CreateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "channel*" }, { "condition_keys": [ @@ -87033,17 +96907,18 @@ ] }, { - "access_level": "Tagging", - "description": "Remove the specified tags from the application.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Creates a dataset.", + "privilege": "CreateDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "dataset*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -87053,81 +96928,45 @@ }, { "access_level": "Write", - "description": "Updates the application.", - "privilege": "UpdateApplication", + "description": "Generates content of the specified dataset (by executing the dataset actions).", + "privilege": "CreateDatasetContent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "application*" + "resource_type": "dataset*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "application" - } - ], - "service_name": "Amazon Kinesis Analytics V2" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters requests based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the stream.", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters requests based on the presence of mandatory tag keys in the request", - "type": "String" - } - ], - "prefix": "kinesisvideo", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to connect as a master to the signaling channel specified by the endpoint", - "privilege": "ConnectAsMaster", + "description": "Creates a datastore.", + "privilege": "CreateDatastore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to connect as a viewer to the signaling channel specified by the endpoint", - "privilege": "ConnectAsViewer", - "resource_types": [ + "resource_type": "datastore*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": 
"" } ] }, { "access_level": "Write", - "description": "Grants permission to create a signaling channel", - "privilege": "CreateSignalingChannel", + "description": "Creates a pipeline.", + "privilege": "CreatePipeline", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "pipeline*" }, { "condition_keys": [ 
@@ -87141,184 +96980,176 @@ }, { "access_level": "Write", - "description": "Grants permission to create a Kinesis video stream", - "privilege": "CreateStream", + "description": "Deletes the specified channel.", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing signaling channel", - "privilege": "DeleteSignalingChannel", + "description": "Deletes the specified dataset.", + "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "dataset*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing Kinesis video stream", - "privilege": "DeleteStream", + "description": "Deletes the content of the specified dataset.", + "privilege": "DeleteDatasetContent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "dataset*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the specified signaling channel", - "privilege": "DescribeSignalingChannel", + "access_level": "Write", + "description": "Deletes the specified datastore.", + "privilege": "DeleteDatastore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "datastore*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the specified Kinesis video stream", - "privilege": "DescribeStream", + "access_level": "Write", + "description": "Deletes the specified pipeline.", + "privilege": "DeletePipeline", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "stream*" + "resource_type": "pipeline*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a media clip from a video stream", - "privilege": "GetClip", + "description": "Describes the specified channel.", + "privilege": "DescribeChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "channel*" } ] }, { "access_level": "Read", - "description": "Grants permission to create a URL for MPEG-DASH video streaming", - "privilege": "GetDASHStreamingSessionURL", + "description": "Describes the specified dataset.", + "privilege": "DescribeDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "dataset*" } ] }, { "access_level": "Read", - "description": "Grants permission to get an endpoint for a specified stream for either reading or writing media data to Kinesis Video Streams", - "privilege": "GetDataEndpoint", + "description": "Describes the specified datastore.", + "privilege": "DescribeDatastore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "datastore*" } ] }, { "access_level": "Read", - "description": "Grants permission to create a URL for HLS video streaming", - "privilege": "GetHLSStreamingSessionURL", + "description": "Describes logging options for the the account.", + "privilege": "DescribeLoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get the ICE server configuration", - "privilege": "GetIceServerConfig", + "description": "Describes the specified pipeline.", + "privilege": "DescribePipeline", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "pipeline*" } ] }, { "access_level": "Read", 
- "description": "Grants permission to return media content of a Kinesis video stream", - "privilege": "GetMedia", + "description": "Gets the content of the specified dataset.", + "privilege": "GetDatasetContent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "dataset*" } ] }, { - "access_level": "Read", - "description": "Grants permission to read and return media data only from persisted storage", - "privilege": "GetMediaForFragmentList", + "access_level": "List", + "description": "Lists the channels for the account.", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get endpoints for a specified combination of protocol and role for a signaling channel", - "privilege": "GetSignalingChannelEndpoint", + "access_level": "List", + "description": "Lists information about dataset contents that have been created.", + "privilege": "ListDatasetContents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "dataset*" } ] }, { "access_level": "List", - "description": "Grants permission to list the fragments from archival storage based on the pagination token or selector type with range specified", - "privilege": "ListFragments", + "description": "Lists the datasets for the account.", + "privilege": "ListDatasets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list your signaling channels", - "privilege": "ListSignalingChannels", + "description": "Lists the datastores for the account.", + "privilege": "ListDatastores", "resource_types": [ { "condition_keys": [], 
@@ -87329,8 +97160,8 @@ }, { "access_level": "List", - "description": "Grants permission to list your Kinesis video streams", - "privilege": "ListStreams", + "description": "Lists the pipelines for the account.", + "privilege": "ListPipelines", "resource_types": [ { "condition_keys": [], @@ -87341,7 +97172,7 @@ }, { "access_level": "Read", - "description": "Grants permission to fetch the tags associated with your resource", + "description": "Lists the tags (metadata) which you have assigned to the resource.", "privilege": "ListTagsForResource", "resource_types": [ { 
@@ -87352,49 +97183,71 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream" + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datastore" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pipeline" + } + ] + }, + { + "access_level": "Write", + "description": "Puts logging options for the the account.", + "privilege": "PutLoggingOptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to fetch the tags associated with Kinesis video stream", - "privilege": "ListTagsForStream", + "description": "Runs the specified pipeline activity.", + "privilege": "RunPipelineActivity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to send media data to a Kinesis video stream", - "privilege": "PutMedia", + "access_level": "Read", + "description": "Samples the specified channel's data.", + "privilege": "SampleChannelData", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to send the Alexa SDP offer to the master", - "privilege": "SendAlexaOfferToMaster", + "description": "Starts reprocessing for the specified pipeline.", + "privilege": "StartPipelineReprocessing", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "pipeline*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to attach set of tags to your resource", + "description": "Adds to or modifies the tags of the given resource. 
Tags are metadata which can be used to manage a resource.", "privilege": "TagResource", "resource_types": [ { @@ -87405,27 +97258,17 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream" + "resource_type": "dataset" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to attach set of tags to your Kinesis video streams", - "privilege": "TagStream", - "resource_types": [ + "resource_type": "datastore" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "pipeline" }, { "condition_keys": [ @@ -87439,7 +97282,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from your resource", + "description": "Removes the given tags (metadata) from the resource.", "privilege": "UntagResource", "resource_types": [ { @@ -87450,10 +97293,21 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream" + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datastore" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pipeline" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -87462,218 +97316,123 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from your Kinesis video streams", - "privilege": "UntagStream", + "access_level": "Write", + "description": "Updates the specified channel.", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the data retention period of your Kinesis video stream", - "privilege": "UpdateDataRetention", + "description": "Updates the specified dataset.", + "privilege": "UpdateDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "dataset*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing signaling channel", - "privilege": "UpdateSignalingChannel", + "description": "Updates the specified datastore.", + "privilege": "UpdateDatastore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "datastore*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing Kinesis video stream", - "privilege": "UpdateStream", + "description": "Updates the specified pipeline.", + "privilege": "UpdatePipeline", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "pipeline*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:stream/${StreamName}/${CreationTime}", + "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:channel/${ChannelName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "iotanalytics:ResourceTag/${TagKey}" ], - 
"resource": "stream" + "resource": "channel" }, { - "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:channel/${ChannelName}/${CreationTime}", + "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:dataset/${DatasetName}", "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "iotanalytics:ResourceTag/${TagKey}" ], - "resource": "channel" + "resource": "dataset" + }, + { + "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:datastore/${DatastoreName}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "iotanalytics:ResourceTag/${TagKey}" + ], + "resource": "datastore" + }, + { + "arn": "arn:${Partition}:iotanalytics:${Region}:${Account}:pipeline/${PipelineName}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "iotanalytics:ResourceTag/${TagKey}" + ], + "resource": "pipeline" } ], - "service_name": "Amazon Kinesis Video Streams" + "service_name": "AWS IoT Analytics" }, { "conditions": [ { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access to the specified AWS KMS operations based on tags assigned to the customer master key", - "type": "String" - }, - { - "condition": "kms:BypassPolicyLockoutSafetyCheck", - "description": "Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request", - "type": "Bool" - }, - { - "condition": "kms:CallerAccount", - "description": "Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement", - "type": "String" - }, - { - "condition": "kms:CustomerMasterKeySpec", - "description": "Filters access to an API operation based on the CustomerMasterKeySpec property of the CMK that is created by or used in the operation. 
Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource", - "type": "String" - }, - { - "condition": "kms:CustomerMasterKeyUsage", - "description": "Filters access to an API operation based on the KeyUsage property of the CMK created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource", - "type": "String" - }, - { - "condition": "kms:DataKeyPairSpec", - "description": "Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the DataKeyPairSpec parameter in the request", - "type": "String" - }, - { - "condition": "kms:EncryptionAlgorithm", - "description": "Filters access to encryption operations based on the value of the encryption algorithm in the request", - "type": "String" - }, - { - "condition": "kms:EncryptionContextKeys", - "description": "Filters access based on the presence of specified keys in the encryption context. 
The encryption context is an optional element in a cryptographic operation", - "type": "String" - }, - { - "condition": "kms:ExpirationModel", - "description": "Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request", - "type": "String" - }, - { - "condition": "kms:GrantConstraintType", - "description": "Filters access to the CreateGrant operation based on the grant constraint in the request", - "type": "String" - }, - { - "condition": "kms:GrantIsForAWSResource", - "description": "Filters access to the CreateGrant operation when the request comes from a specified AWS service", - "type": "Bool" - }, - { - "condition": "kms:GrantOperations", - "description": "Filters access to the CreateGrant operation based on the operations in the grant", - "type": "String" - }, - { - "condition": "kms:GranteePrincipal", - "description": "Filters access to the CreateGrant operation based on the grantee principal in the grant", - "type": "String" - }, - { - "condition": "kms:KeyOrigin", - "description": "Filters access to an API operation based on the Origin property of the CMK created by or used in the operation. 
Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource", - "type": "String" - }, - { - "condition": "kms:MessageType", - "description": "Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request", - "type": "String" - }, - { - "condition": "kms:ReEncryptOnSameKey", - "description": "Filters access to the ReEncrypt operation when it uses the same customer master key that was used for the Encrypt operation", - "type": "Bool" - }, - { - "condition": "kms:RequestAlias", - "description": "Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request", - "type": "String" - }, - { - "condition": "kms:ResourceAliases", - "description": "Filters access to specified AWS KMS operations based on aliases associated with the customer master key", - "type": "String" - }, - { - "condition": "kms:RetiringPrincipal", - "description": "Filters access to the CreateGrant operation based on the retiring principal in the grant", - "type": "String" - }, - { - "condition": "kms:SigningAlgorithm", - "description": "Filters access to the Sign and Verify operations based on the signing algorithm in the request", - "type": "String" - }, - { - "condition": "kms:ValidTo", - "description": "Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. 
You can use this condition key to allow users to import key material only when it expires by the specified date", - "type": "Numeric" - }, - { - "condition": "kms:ViaService", - "description": "Filters access when a request made on the principal's behalf comes from a specified AWS service", + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { - "condition": "kms:WrappingAlgorithm", - "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { - "condition": "kms:WrappingKeySpec", - "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request", + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" } ], - "prefix": "kms", + "prefix": "iotdeviceadvisor", "privileges": [ { "access_level": "Write", - "description": "Controls permission to cancel the scheduled deletion of a customer master key", - "privilege": "CancelKeyDeletion", + "description": "Grants permission to create a suite definition", + "privilege": "CreateSuiteDefinition", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "key*" - }, { "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -87682,88 +97441,102 @@ }, { "access_level": "Write", - "description": "Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster", - "privilege": "ConnectCustomKeyStore", + "description": "Grants permission to delete a suite definition", + "privilege": "DeleteSuiteDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "suitedefinition*" } ] }, { - "access_level": "Write", - "description": "Controls permission to create an alias for a customer master key (CMK). Aliases are optional friendly names that you can associate with customer master keys", - "privilege": "CreateAlias", + "access_level": "Read", + "description": "Grants permission to get a suite definition", + "privilege": "GetSuiteDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias*" - }, + "resource_type": "suitedefinition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a suite run", + "privilege": "GetSuiteRun", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, + "resource_type": "suiterun*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the qualification report for a suite run", + "privilege": "GetSuiteRunReport", + "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "suiterun*" } ] }, { - "access_level": "Write", - "description": "Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage", - "privilege": "CreateCustomKeyStore", + "access_level": "List", + "description": "Grants permission to list suite definitions", + "privilege": "ListSuiteDefinitions", "resource_types": [ { "condition_keys": [], - "dependent_actions": 
[ - "cloudhsm:DescribeClusters" - ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Controls permission to add a grant to a customer master key. You can use grants to add permissions without changing the key policy or IAM policy", - "privilege": "CreateGrant", + "access_level": "List", + "description": "Grants permission to list suite runs", + "privilege": "ListSuiteRuns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "suitedefinition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags (metadata) assigned to a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:GrantConstraintType", - "kms:GrantIsForAWSResource", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "suiterun" } ] }, { "access_level": "Write", - "description": "Controls permission to create a customer master key that can be used to protect data keys and other sensitive information", - "privilege": "CreateKey", + "description": "Grants permission to start a suite run", + "privilege": "StartSuiteRun", "resource_types": [ { "condition_keys": [ - "kms:BypassPolicyLockoutSafetyCheck", - "kms:CustomerMasterKeySpec", - "kms:CustomerMasterKeyUsage", - "kms:KeyOrigin" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -87772,20 +97545,35 @@ }, { "access_level": "Write", - "description": "Controls permission to decrypt ciphertext that was encrypted under a customer master key", - "privilege": "Decrypt", + "description": "Grants permission to stop a suite run", + "privilege": "StopSuiteRun", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "suiterun*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add to or modify the tags of the given resource. Tags are metadata which can be used to manage a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suiterun" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -87793,24 +97581,23 @@ ] }, { - "access_level": "Write", - "description": "Controls permission to delete an alias. Aliases are optional friendly names that you can associate with customer master keys", - "privilege": "DeleteAlias", + "access_level": "Tagging", + "description": "Grants permission to remove the given tags (metadata) from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "alias*" + "resource_type": "suitedefinition" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "suiterun" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -87819,154 +97606,158 @@ }, { "access_level": "Write", - "description": "Controls permission to delete a custom key store", - "privilege": "DeleteCustomKeyStore", + "description": "Grants permission to update a suite definition", + "privilege": "UpdateSuiteDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "suitedefinition*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suitedefinition/${suiteDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "suitedefinition" + }, + { + "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suiterun/${suiteDefinitionId}/${suiteRunId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "suiterun" + } + ], + "service_name": "AWS IoT Core Device Advisor" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions by the tag keys in the request", + "type": "String" }, + { + "condition": "iotevents:keyValue", + "description": "Filters access by the instanceId (key-value) of the message", + "type": "String" + } + ], + "prefix": "iotevents", + "privileges": [ { "access_level": "Write", - "description": "Controls permission to delete cryptographic material that you imported into a customer master key. 
This action makes the key unusable", - "privilege": "DeleteImportedKeyMaterial", + "description": "Grants permission to send one or more acknowledge action requests to AWS IoT Events", + "privilege": "BatchAcknowledgeAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { - "access_level": "Read", - "description": "Controls permission to view detailed information about custom key stores in the account and region", - "privilege": "DescribeCustomKeyStores", + "access_level": "Write", + "description": "Grants permission to disable one or more alarm instances", + "privilege": "BatchDisableAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { - "access_level": "Read", - "description": "Controls permission to view detailed information about a customer master key", - "privilege": "DescribeKey", + "access_level": "Write", + "description": "Grants permission to enable one or more alarm instances", + "privilege": "BatchEnableAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Controls permission to disable a customer master key, which prevents it from being used in cryptographic operations", - "privilege": "DisableKey", + "description": "Grants permission to send a set of messages to the AWS IoT Events system", + "privilege": "BatchPutMessage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - 
"dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Controls permission to disable automatic rotation of a customer managed customer master key", - "privilege": "DisableKeyRotation", + "description": "Grants permission to reset one or more alarm instances", + "privilege": "BatchResetAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster", - "privilege": "DisconnectCustomKeyStore", + "description": "Grants permission to change one or more alarm instances to the snooze mode", + "privilege": "BatchSnoozeAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Controls permission to change the state of a customer master key (CMK) to enabled. 
This allows the CMK to be used in cryptographic operations", - "privilege": "EnableKey", + "description": "Grants permission to update a detector instance within the AWS IoT Events system", + "privilege": "BatchUpdateDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Controls permission to enable automatic rotation of the cryptographic material in a customer master key", - "privilege": "EnableKeyRotation", + "description": "Grants permission to create an alarm model to monitor an AWS IoT Events input attribute or an AWS IoT SiteWise asset property", + "privilege": "CreateAlarmModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "alarmModel*" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -87975,20 +97766,18 @@ }, { "access_level": "Write", - "description": "Controls permission to use the specified customer master key to encrypt data and data keys", - "privilege": "Encrypt", + "description": "Grants permission to create a detector model to monitor an AWS IoT Events input attribute", + "privilege": "CreateDetectorModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "detectorModel*" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -87997,20 +97786,18 @@ }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS", - "privilege": "GenerateDataKey", + "description": "Grants permission to create an Input in IotEvents", + "privilege": "CreateInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "input*" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -88019,192 +97806,116 @@ }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate data key pairs", - "privilege": "GenerateDataKeyPair", + "description": "Grants permission to delete an alarm model", + "privilege": "DeleteAlarmModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:DataKeyPairSpec", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "alarmModel*" } ] }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy", - "privilege": "GenerateDataKeyPairWithoutPlaintext", + "description": "Grants permission to delete a detector model", + "privilege": "DeleteDetectorModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:DataKeyPairSpec", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "detectorModel*" } ] }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate a data key. 
Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key", - "privilege": "GenerateDataKeyWithoutPlaintext", + "description": "Grants permission to delete an input", + "privilege": "DeleteInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { - "access_level": "Write", - "description": "Controls permission to get a cryptographically secure random byte string from AWS KMS", - "privilege": "GenerateRandom", + "access_level": "Read", + "description": "Grants permission to retrieve information about an alarm instance", + "privilege": "DescribeAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "alarmModel*" } ] }, { "access_level": "Read", - "description": "Controls permission to view the key policy for the specified customer master key", - "privilege": "GetKeyPolicy", + "description": "Grants permission to retrieve information about an alarm model", + "privilege": "DescribeAlarmModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "alarmModel*" } ] }, { "access_level": "Read", - "description": "Controls permission to determine whether automatic key rotation is enabled on the customer master key", - "privilege": "GetKeyRotationStatus", + "description": "Grants permission to retriev information about a detector instance", + "privilege": "DescribeDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": 
[ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "detectorModel*" } ] }, { "access_level": "Read", - "description": "Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token", - "privilege": "GetParametersForImport", + "description": "Grants permission to retrieve information about a detector model", + "privilege": "DescribeDetectorModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService", - "kms:WrappingAlgorithm", - "kms:WrappingKeySpec" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "detectorModel*" } ] }, { "access_level": "Read", - "description": "Controls permission to download the public key of an asymmetric customer master key", - "privilege": "GetPublicKey", + "description": "Grants permission to retrieve the detector model analysis information", + "privilege": "DescribeDetectorModelAnalysis", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Controls permission to import cryptographic material into a customer master key", - "privilege": "ImportKeyMaterial", + "access_level": "Read", + "description": "Grants permission to retrieve an information about Input", + "privilege": "DescribeInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:ExpirationModel", - "kms:ValidTo", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { - "access_level": "List", - "description": 
"Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with customer master keys", - "privilege": "ListAliases", + "access_level": "Read", + "description": "Grants permission to retrieve the current settings of the AWS IoT Events logging options", + "privilege": "DescribeLoggingOptions", "resource_types": [ { "condition_keys": [], @@ -88214,41 +97925,36 @@ ] }, { - "access_level": "List", - "description": "Controls permission to view all grants for a customer master key", - "privilege": "ListGrants", + "access_level": "Read", + "description": "Grants permission to retrieve the detector model analysis results", + "privilege": "GetDetectorModelAnalysisResults", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:GrantIsForAWSResource", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "Controls permission to view the names of key policies for a customer master key", - "privilege": "ListKeyPolicies", + "description": "Grants permission to list all the versions of an alarm model", + "privilege": "ListAlarmModelVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the alarm models that you created", + "privilege": "ListAlarmModels", + "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -88256,31 +97962,35 @@ }, { "access_level": "List", - "description": "Controls permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account", - "privilege": "ListKeys", + "description": "Grants permission to retrieve information about all alarm instances per alarmModel", + "privilege": "ListAlarms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "alarmModel*" } ] }, { "access_level": "List", - "description": "Controls permission to view all tags that are attached to a customer master key", - "privilege": "ListResourceTags", + "description": "Grants permission to list all the versions of a detector model", + "privilege": "ListDetectorModelVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, + "resource_type": "detectorModel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the detector models that you created", + "privilege": "ListDetectorModels", + "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -88288,110 +97998,100 @@ }, { "access_level": "List", - "description": "Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants", - "privilege": "ListRetirableGrants", + "description": "Grants permission to retrieve information about all detector instances per detectormodel", + "privilege": "ListDetectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "detectorModel*" } ] }, { - "access_level": "Permissions management", - "description": "Controls permission to replace the key policy for the specified customer master key", - "privilege": "PutKeyPolicy", + "access_level": "List", + "description": "Grants permission to list one or more input routings", + "privilege": "ListInputRoutings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to lists the inputs you have created", + "privilege": "ListInputs", + "resource_types": [ { - "condition_keys": [ - "kms:BypassPolicyLockoutSafetyCheck", - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", - "privilege": "ReEncryptFrom", + "access_level": "Read", + "description": "Grants permission to list the tags (metadata) which you have assigned to the resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "detectorModel" }, { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - 
"kms:ReEncryptOnSameKey", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "input" } ] }, { "access_level": "Write", - "description": "Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", - "privilege": "ReEncryptTo", + "description": "Grants permission to set or update the AWS IoT Events logging options", + "privilege": "PutLoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:EncryptionAlgorithm", - "kms:EncryptionContextKeys", - "kms:ReEncryptOnSameKey", - "kms:ViaService" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform", - "privilege": "RetireGrant", + "access_level": "Write", + "description": "Grants permission to start the detector model analysis", + "privilege": "StartDetectorModelAnalysis", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Controls permission to revoke a grant, which denies permission for all operations that depend on the grant", - "privilege": "RevokeGrant", + "access_level": "Tagging", + "description": "Grants permission to adds to or modifies the tags of the given resource.Tags are metadata which can be used to manage a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "detectorModel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input" }, { "condition_keys": [ - "kms:CallerAccount", 
- "kms:GrantIsForAWSResource", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -88399,19 +98099,23 @@ ] }, { - "access_level": "Write", - "description": "Controls permission to schedule deletion of a customer master key", - "privilege": "ScheduleKeyDeletion", + "access_level": "Tagging", + "description": "Grants permission to remove the given tags (metadata) from the resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "detectorModel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -88420,117 +98124,180 @@ }, { "access_level": "Write", - "description": "Controls permission to produce a digital signature for a message", - "privilege": "Sign", + "description": "Grants permission to update an alarm model", + "privilege": "UpdateAlarmModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, - { - "condition_keys": [ - "kms:CallerAccount", - "kms:MessageType", - "kms:SigningAlgorithm", - "kms:ViaService" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "alarmModel*" } ] }, { - "access_level": "Tagging", - "description": "Controls permission to create or update tags that are attached to a customer master key", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to update a detector model", + "privilege": "UpdateDetectorModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, + "resource_type": "detectorModel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an input", + "privilege": "UpdateInput", + "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "input*" } ] }, { - "access_level": "Tagging", - "description": "Controls permission to delete tags that are attached to a customer master key", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to update input routing", + "privilege": "UpdateInputRouting", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, + "resource_type": "input*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotevents:${Region}:${Account}:detectorModel/${DetectorModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "detectorModel" + }, + { + "arn": 
"arn:${Partition}:iotevents:${Region}:${Account}:alarmModel/${AlarmModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "alarmModel" + }, + { + "arn": "arn:${Partition}:iotevents:${Region}:${Account}:input/${inputName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "input" + } + ], + "service_name": "AWS IoT Events" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions by the tag keys in the request", + "type": "String" + } + ], + "prefix": "iotfleethub", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", + "resource_types": [ { "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "sso:CreateManagedApplicationInstance", + "sso:DescribeRegisteredRegions" ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Controls permission to associate an alias with a different customer master key. 
An alias is an optional friendly name that you can associate with a customer master key", - "privilege": "UpdateAlias", + "description": "Grants permission to delete an application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "alias*" - }, + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "application*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an application", + "privilege": "DescribeApplication", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" - }, + "resource_type": "application*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all applications", + "privilege": "ListApplications", + "resource_types": [ { - "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Controls permission to change the properties of a custom key store", - "privilege": "UpdateCustomKeyStore", + "access_level": "Read", + "description": "Grants permission to list all tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application" } ] }, { - "access_level": "Write", - "description": "Controls permission to delete or change the description of a customer master key", - "privilege": "UpdateKeyDescription", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "application" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:ViaService" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], 
"resource_type": "" 
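Review bot: Two service entries on the new side carry `"prefix": "iotfleethub"`: the one that starts in this hunk (it is closed in the next hunk by `"service_name": "AWS IoT Fleet Hub for Device Management"`) and a second one added in the `@@ -88538,134 +98305,155 @@` hunk, which repeats `CreateApplication` and `DeleteApplication` and is the only one that lists the dashboard actions such as `CreateDashboard`. The lookup code is not part of this diff; if it resolves a service by the first matching prefix, a policy using `iotfleethub:CreateDashboard` would presumably be checked against the entry that lacks that action, and the linter's verdict on that statement would be wrong. I would merge the two into a single `iotfleethub` entry, or have the step that produces this file (or a unit test) fail when any `prefix` value occurs more than once. The enclosing array of services starts and ends outside the hunk.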
@@ -88538,134 +98305,155 @@ ] }, { - "access_level": "Write", - "description": "Controls permission to use the specified customer master key to verify digital signatures", - "privilege": "Verify", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "key*" + "resource_type": "application" }, { "condition_keys": [ - "kms:CallerAccount", - "kms:MessageType", - "kms:SigningAlgorithm", - "kms:ViaService" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an application", + "privilege": "UpdateApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" + } + ] } ], "resources": [ { - "arn": "arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}", - "condition_keys": [], - "resource": "alias" - }, - { - "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", - "condition_keys": [], - "resource": "key" + "arn": "arn:${Partition}:iotfleethub::${Account}:application/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" } ], - "service_name": "AWS Key Management Service" + "service_name": "AWS IoT Fleet Hub for Device Management" }, { - "conditions": [], - "prefix": "lakeformation", - "privileges": [ + "conditions": [ { - "access_level": "Permissions management", - "description": "Grants data lake permissions to one or more principals in a batch.", - "privilege": "BatchGrantPermissions", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag key-value pairs in the request", + "type": "String" }, { - "access_level": "Permissions management", - "description": "Revokes 
data lake permissions from one or more principals in a batch.", - "privilege": "BatchRevokePermissions", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions by the tag keys in the request", + "type": "String" + } + ], + "prefix": "iotfleethub", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "sso:CreateManagedApplicationInstance", + "sso:DescribeRegisteredRegions" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deregisters a registered location.", - "privilege": "DeregisterResource", + "description": "Grants permission to create an dashboard", + "privilege": "CreateDashboard", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes a registered location.", - "privilege": "DescribeResource", + "access_level": "Write", + "description": "Grants permission to delete an application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants virtual data lake access permissions.", - "privilege": "GetDataAccess", + "description": "Grants permission to delete an dashboard", + "privilege": "DeleteDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": 
"dashboard*" } ] }, { "access_level": "Read", - "description": "Retrieves data lake settings such as the list of data lake administrators and database and table default permissions.", - "privilege": "GetDataLakeSettings", + "description": "Grants permission to describe an application", + "privilege": "DescribeApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Read", - "description": "Retrieves permissions attached to resources in the given path.", - "privilege": "GetEffectivePermissionsForPath", + "description": "Grants permission to describe an dashboard", + "privilege": "DescribeDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dashboard*" } ] }, { - "access_level": "Permissions management", - "description": "Grants data lake permissions to a principal.", - "privilege": "GrantPermissions", + "access_level": "List", + "description": "Grants permission to list all applications", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], @@ -88676,8 +98464,8 @@ }, { "access_level": "List", - "description": "Lists permissions filtered by principal or resource.", - "privilege": "ListPermissions", + "description": "Grants permission to list all dashboards", + "privilege": "ListDashboards", "resource_types": [ { "condition_keys": [], 
@@ -88687,172 +98475,241 @@ ] }, { - "access_level": "List", - "description": "Lists registered locations.", - "privilege": "ListResources", + "access_level": "Read", + "description": "Grants permission to list all tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" } ] }, { - "access_level": "Permissions management", - "description": "Overwrites data lake settings such as the list of data lake administrators and database and table default permissions.", - "privilege": "PutDataLakeSettings", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Registers a new location to be managed by Lake Formation.", - "privilege": "RegisterResource", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Revokes data lake permissions from a principal.", - "privilege": "RevokePermissions", + "access_level": "Write", + "description": "Grants permission to update an application", + "privilege": "UpdateApplication", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Updates a registered location.", - "privilege": "UpdateResource", + "description": "Grants permission to update an dashboard", + "privilege": "UpdateDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dashboard*" } ] } ], - "resources": [], - "service_name": "AWS Lake Formation" + "resources": [ + { + "arn": "arn:${Partition}:iotfleethub::${Account}:application/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + }, + { + "arn": "arn:${Partition}:iotfleethub::${Account}:dashboard/${DashboardId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dashboard" + } + ], + "service_name": "Fleet Hub for AWS IoT Device Management" }, { "conditions": [ { - "condition": "lambda:CodeSigningConfigArn", - "description": "Filters access by the ARN of an AWS Lambda code signing config", + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag key-value pairs in the request", "type": "String" }, { - "condition": "lambda:FunctionArn", - "description": "Filters access by the ARN of an AWS Lambda function", - "type": "ARN" + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to the resource", + "type": "String" }, { - "condition": "lambda:Layer", - "description": "Filters access by the ARN of an AWS Lambda layer", + "condition": "aws:TagKeys", + "description": "Filters actions by the tag keys in the request", "type": "String" }, { - "condition": "lambda:Principal", - "description": "Filters access by restricting the AWS service or account that can invoke a function", + "condition": "iotsitewise:assetHierarchyPath", + "description": "Filters access by an asset hierarchy path, which is the 
string of asset IDs in the asset's hierarchy, each separated by a forward slash", "type": "String" }, { - "condition": "lambda:SecurityGroupIds", - "description": "Filters access by the ID of security groups configured for the AWS Lambda function", + "condition": "iotsitewise:childAssetId", + "description": "Filters access by the ID of a child asset being associated to a parent asset", "type": "String" }, { - "condition": "lambda:SubnetIds", - "description": "Filters access by the ID of subnets configured for the AWS Lambda function", + "condition": "iotsitewise:group", + "description": "Filters access by the ID of an AWS Single Sign-On group", "type": "String" }, { - "condition": "lambda:VpcIds", - "description": "Filters access by the ID of the VPC configured for the AWS Lambda function", + "condition": "iotsitewise:iam", + "description": "Filters access by the ID of an AWS IAM identity", + "type": "String" + }, + { + "condition": "iotsitewise:portal", + "description": "Filters access by the ID of a portal", + "type": "String" + }, + { + "condition": "iotsitewise:project", + "description": "Filters access by the ID of a project", + "type": "String" + }, + { + "condition": "iotsitewise:propertyId", + "description": "Filters access by the ID of an asset property", + "type": "String" + }, + { + "condition": "iotsitewise:user", + "description": "Filters access by the ID of an AWS Single Sign-On user", "type": "String" } ], - "prefix": "lambda", + "prefix": "iotsitewise", "privileges": [ { - "access_level": "Permissions management", - "description": "Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer", - "privilege": "AddLayerVersionPermission", + "access_level": "Write", + "description": "Grants permission to associate a child asset to a parent asset by a hierarchy", + "privilege": "AssociateAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + 
"resource_type": "asset*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to give an AWS service or another account permission to use an AWS Lambda function", - "privilege": "AddPermission", + "access_level": "Write", + "description": "Grants permission to associate assets to a project", + "privilege": "BatchAssociateProjectAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - }, - { - "condition_keys": [ - "lambda:Principal" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an alias for a Lambda function version", - "privilege": "CreateAlias", + "description": "Grants permission to disassociate assets from a project", + "privilege": "BatchDisassociateProjectAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Lambda code signing config", - "privilege": "CreateCodeSigningConfig", + "description": "Grants permission to put property values for asset properties", + "privilege": "BatchPutAssetPropertyValue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "asset*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a mapping between an event source and an AWS Lambda function", - "privilege": "CreateEventSourceMapping", + "description": "Grants permission to create an access policy for a portal or a project", + "privilege": "CreateAccessPolicy", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project" + }, { "condition_keys": [ - "lambda:FunctionArn" + 
"aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -88861,20 +98718,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS Lambda function", - "privilege": "CreateFunction", + "description": "Grants permission to create an asset from an asset model", + "privilege": "CreateAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset-model*" }, { "condition_keys": [ - "lambda:Layer", - "lambda:VpcIds", - "lambda:SubnetIds", - "lambda:SecurityGroupIds" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -88883,41 +98738,48 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda function alias", - "privilege": "DeleteAlias", + "description": "Grants permission to create an asset model", + "privilege": "CreateAssetModel", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda code signing config", - "privilege": "DeleteCodeSigningConfig", + "description": "Grants permission to create a dashboard in a project", + "privilege": "CreateDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "project*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda event source mapping", - "privilege": "DeleteEventSourceMapping", + "description": "Grants permission to create a gateway", + "privilege": "CreateGateway", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "eventSourceMapping*" - }, { "condition_keys": [ - "lambda:FunctionArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -88926,349 +98788,341 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Lambda function", - "privilege": "DeleteFunction", + "description": "Grants permission to create a portal", + "privilege": "CreatePortal", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "sso:CreateManagedApplicationInstance", + "sso:DescribeRegisteredRegions" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to detach a code signing config from an AWS Lambda function", - "privilege": "DeleteFunctionCodeSigningConfig", + "description": "Grants permission to create a project in a portal", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "portal*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to remove a concurrent execution limit from an AWS Lambda function", - "privilege": "DeleteFunctionConcurrency", + "description": "Grants permission to delete an access policy", + "privilege": "DeleteAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "access-policy*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", - "privilege": "DeleteFunctionEventInvokeConfig", + "description": "Grants permission to delete an asset", + "privilege": "DeleteAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset*" } ] }, { "access_level": "Write", - 
"description": "Grants permission to delete a version of an AWS Lambda layer", - "privilege": "DeleteLayerVersion", + "description": "Grants permission to delete an asset model", + "privilege": "DeleteAssetModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + "resource_type": "asset-model*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the provisioned concurrency configuration for an AWS Lambda function", - "privilege": "DeleteProvisionedConcurrencyConfig", + "description": "Grants permission to delete a dashboard", + "privilege": "DeleteDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function version" + "resource_type": "dashboard*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to disable replication for a Lambda@Edge function", - "privilege": "DisableReplication", + "access_level": "Write", + "description": "Grants permission to delete a gateway", + "privilege": "DeleteGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "gateway*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to enable replication for a Lambda@Edge function", - "privilege": "EnableReplication", + "access_level": "Write", + "description": "Grants permission to delete a portal", + "privilege": "DeletePortal", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "function*" + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "portal*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an account's limits and usage in an AWS Region", - "privilege": "GetAccountSettings", + "access_level": 
"Write", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda function alias", - "privilege": "GetAlias", + "description": "Grants permission to describe an access policy", + "privilege": "DescribeAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "access-policy*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda code signing config", - "privilege": "GetCodeSigningConfig", + "description": "Grants permission to describe an asset", + "privilege": "DescribeAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "asset*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda event source mapping", - "privilege": "GetEventSourceMapping", + "description": "Grants permission to describe an asset model", + "privilege": "DescribeAssetModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventSourceMapping*" - }, - { - "condition_keys": [ - "lambda:FunctionArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "asset-model*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about an AWS Lambda function", - "privilege": "GetFunction", + "description": "Grants permission to describe an asset property", + "privilege": "DescribeAssetProperty", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the code 
signing config arn attached to an AWS Lambda function", - "privilege": "GetFunctionCodeSigningConfig", + "description": "Grants permission to describe a dashboard", + "privilege": "DescribeDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "dashboard*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about the reserved concurrency configuration for a function", - "privilege": "GetFunctionConcurrency", + "description": "Grants permission to describe the default encryption configuration for the AWS account", + "privilege": "DescribeDefaultEncryptionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about the version-specific settings of an AWS Lambda function or version", - "privilege": "GetFunctionConfiguration", + "description": "Grants permission to describe a gateway", + "privilege": "DescribeGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "gateway*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the configuration for asynchronous invocation for a function, version, or alias", - "privilege": "GetFunctionEventInvokeConfig", + "description": "Grants permission to describe a capability configuration for a gateway", + "privilege": "DescribeGatewayCapabilityConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "gateway*" } ] }, { "access_level": "Read", - "description": "Grants permission to view details about a version of an AWS Lambda layer. 
Note this action also supports GetLayerVersionByArn API", - "privilege": "GetLayerVersion", + "description": "Grants permission to describe logging options for the AWS account", + "privilege": "DescribeLoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view the resource-based policy for a version of an AWS Lambda layer", - "privilege": "GetLayerVersionPolicy", + "description": "Grants permission to describe a portal", + "privilege": "DescribePortal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" + "resource_type": "portal*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias", - "privilege": "GetPolicy", + "description": "Grants permission to describe a project", + "privilege": "DescribeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "project*" } ] }, { "access_level": "Read", - "description": "Grants permission to view the provisioned concurrency configuration for an AWS Lambda function's alias or version", - "privilege": "GetProvisionedConcurrencyConfig", + "description": "Grants permission to describe the storage configuration for the AWS account", + "privilege": "DescribeStorageConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function version" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "(Deprecated) Grants permission to invoke a function asynchronously", - "privilege": "InvokeAsync", + "description": "Grants permission to disassociate a child asset from a parent asset by a hierarchy", + 
"privilege": "DisassociateAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset*" } ] }, { - "access_level": "Write", - "description": "Grants permission to invoke an AWS Lambda function", - "privilege": "InvokeFunction", + "access_level": "Read", + "description": "Grants permission to retrieve computed aggregates for an asset property", + "privilege": "GetAssetPropertyAggregates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of aliases for an AWS Lambda function", - "privilege": "ListAliases", + "access_level": "Read", + "description": "Grants permission to retrieve the latest value for an asset property", + "privilege": "GetAssetPropertyValue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda code signing configs", - "privilege": "ListCodeSigningConfigs", + "access_level": "Read", + "description": "Grants permission to retrieve the value history for an asset property", + "privilege": "GetAssetPropertyValueHistory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda event source mappings", - "privilege": "ListEventSourceMappings", + "description": "Grants permission to list all access policies for an identity or a resource", + "privilege": "ListAccessPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve a list of configurations for 
asynchronous invocation for a function", - "privilege": "ListFunctionEventInvokeConfigs", - "resource_types": [ + "resource_type": "portal" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "project" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function", - "privilege": "ListFunctions", + "description": "Grants permission to list all asset models", + "privilege": "ListAssetModels", "resource_types": [ { "condition_keys": [], 
@@ -89279,250 +99133,229 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda functions by the code signing config assigned", - "privilege": "ListFunctionsByCodeSigningConfig", + "description": "Grants permission to list the asset relationship graph for an asset", + "privilege": "ListAssetRelationships", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "asset*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of versions of an AWS Lambda layer", - "privilege": "ListLayerVersions", + "description": "Grants permission to list all assets", + "privilege": "ListAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset-model" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer", - "privilege": "ListLayers", + "description": "Grants permission to list all assets associated to an asset by a hierarchy", + "privilege": "ListAssociatedAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of provisioned concurrency configurations for an AWS Lambda function", - "privilege": "ListProvisionedConcurrencyConfigs", + "description": "Grants permission to list all dashboards in a project", + "privilege": "ListDashboards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "project*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of tags for an AWS Lambda function", - "privilege": "ListTags", + "access_level": "List", + "description": "Grants permission to list all gateways", + 
"privilege": "ListGateways", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of versions for an AWS Lambda function", - "privilege": "ListVersionsByFunction", + "description": "Grants permission to list all portals", + "privilege": "ListPortals", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Lambda layer", - "privilege": "PublishLayerVersion", + "access_level": "List", + "description": "Grants permission to list all assets associated with a project", + "privilege": "ListProjectAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layer*" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Lambda function version", - "privilege": "PublishVersion", + "access_level": "List", + "description": "Grants permission to list all projects in a portal", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "portal*" } ] }, { - "access_level": "Write", - "description": "Grants permission to attach a code signing config to an AWS Lambda function", - "privilege": "PutFunctionCodeSigningConfig", + "access_level": "Read", + "description": "Grants permission to list all tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "access-policy" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"asset-model" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to configure reserved concurrency for an AWS Lambda function", - "privilege": "PutFunctionConcurrency", + "description": "Grants permission to set the default encryption configuration for the AWS account", + "privilege": "PutDefaultEncryptionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to configures options for asynchronous invocation on an AWS Lambda function, version, or alias", - "privilege": "PutFunctionEventInvokeConfig", + "description": "Grants permission to set logging options for the AWS account", + "privilege": "PutLoggingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version", - "privilege": "PutProvisionedConcurrencyConfig", + "description": "Grants permission to set storage configuration for the AWS account", + "privilege": "PutStorageConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "function version" + "resource_type": "" } ] }, { - "access_level": "Permissions 
management", - "description": "Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer", - "privilege": "RemoveLayerVersionPermission", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "layerVersion*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to revoke function-use permission from an AWS service or another account", - "privilege": "RemovePermission", - "resource_types": [ + "resource_type": "access-policy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "asset" }, - { - "condition_keys": [ - "lambda:Principal" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add tags to an AWS Lambda function", - "privilege": "TagResource", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to remove tags from an AWS Lambda function", - "privilege": "UntagResource", - "resource_types": [ + "resource_type": "asset-model" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the configuration of an AWS Lambda function's alias", - "privilege": "UpdateAlias", - "resource_types": [ + "resource_type": "dashboard" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update an AWS Lambda code signing config", - "privilege": "UpdateCodeSigningConfig", - "resource_types": [ + "resource_type": "gateway" + }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "code signing config*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the configuration of an AWS Lambda event source mapping", - "privilege": "UpdateEventSourceMapping", - "resource_types": [ + "resource_type": "portal" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventSourceMapping*" + "resource_type": "project" }, { "condition_keys": [ - "lambda:FunctionArn" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -89530,50 +99363,48 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update the code of an AWS Lambda function", - "privilege": "UpdateFunctionCode", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the code signing config of an AWS Lambda function", - "privilege": "UpdateFunctionCodeSigningConfig", - "resource_types": [ + "resource_type": "access-policy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "code signing config*" + "resource_type": "asset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify the version-specific settings of an AWS Lambda function", - "privilege": "UpdateFunctionConfiguration", - "resource_types": [ + "resource_type": "asset-model" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "portal" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project" }, { "condition_keys": [ - "lambda:Layer", - "lambda:VpcIds", - "lambda:SubnetIds", - "lambda:SecurityGroupIds" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -89582,449 +99413,487 @@ }, { "access_level": "Write", - "description": "Grants permission to modify the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", - "privilege": "UpdateFunctionEventInvokeConfig", + "description": "Grants permission to update an access policy", + "privilege": "UpdateAccessPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "function*" + "resource_type": "access-policy*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:codesigningconfig:${CodeSigningConfigId}", - "condition_keys": [], - "resource": "code signing config" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}", - "condition_keys": [], - "resource": "eventSourceMapping" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}", - "condition_keys": [], - "resource": "function" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}", - "condition_keys": [], - "resource": "function alias" - }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}", - "condition_keys": [], - "resource": "function version" }, { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}", - "condition_keys": [], - "resource": "layer" + "access_level": "Write", + "description": "Grants permission to update an asset", + "privilege": "UpdateAsset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "asset*" + } + ] }, - { - "arn": "arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion}", - "condition_keys": [], - "resource": "layerVersion" - } - ], - "service_name": "AWS Lambda" - }, - { - "conditions": [], - "prefix": "launchwizard", - "privileges": [ { "access_level": "Write", - "description": "Delete an application", - "privilege": 
"DeleteApp", + "description": "Grants permission to update an asset model", + "privilege": "UpdateAssetModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset-model*" } ] }, { - "access_level": "Read", - "description": "Describe provisioning applications", - "privilege": "DescribeProvisionedApp", + "access_level": "Write", + "description": "Grants permission to update an AssetModel property routing", + "privilege": "UpdateAssetModelPropertyRouting", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset-model*" } ] }, { - "access_level": "Read", - "description": "Describe provisioning events", - "privilege": "DescribeProvisioningEvents", + "access_level": "Write", + "description": "Grants permission to update an asset property", + "privilege": "UpdateAssetProperty", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "asset*" } ] }, { - "access_level": "Read", - "description": "Get infrastructure suggestion", - "privilege": "GetInfrastructureSuggestion", + "access_level": "Write", + "description": "Grants permission to update a dashboard", + "privilege": "UpdateDashboard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dashboard*" } ] }, { - "access_level": "Read", - "description": "Get customer's ip address", - "privilege": "GetIpAddress", + "access_level": "Write", + "description": "Grants permission to update a gateway", + "privilege": "UpdateGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "gateway*" } ] }, { - "access_level": "Read", - "description": "Get resource cost estimate", - "privilege": "GetResourceCostEstimate", + "access_level": "Write", + "description": "Grants permission to update a capability configuration for a gateway", + 
"privilege": "UpdateGatewayCapabilityConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "gateway*" } ] }, { - "access_level": "List", - "description": "List provisioning applications", - "privilege": "ListProvisionedApps", + "access_level": "Write", + "description": "Grants permission to update a portal", + "privilege": "UpdatePortal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "portal*" } ] }, { "access_level": "Write", - "description": "Start a provisioning", - "privilege": "StartProvisioning", + "description": "Grants permission to update a project", + "privilege": "UpdateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] } ], - "resources": [], - "service_name": "Launch Wizard" - }, - { - "conditions": [ + "resources": [ { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the tags in the request.", - "type": "String" + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "asset" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to a Lex resource.", - "type": "String" + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:asset-model/${AssetModelId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "asset-model" }, { - "condition": "aws:TagKeys", - "description": "Filters access based on the set of tag keys in the request.", - "type": "String" + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:gateway/${GatewayId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "gateway" }, { - "condition": "lex:associatedIntents", - "description": "Enables you to control access based on the intents included in the 
request.", + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:portal/${PortalId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "portal" + }, + { + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:project/${ProjectId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "project" + }, + { + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:dashboard/${DashboardId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dashboard" + }, + { + "arn": "arn:${Partition}:iotsitewise:${Region}:${Account}:access-policy/${AccessPolicyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "access-policy" + } + ], + "service_name": "AWS IoT SiteWise" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the thingsgraph service.", "type": "String" }, { - "condition": "lex:associatedSlotTypes", - "description": "Enables you to control access based on the slot types included in the request.", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair.", "type": "String" }, { - "condition": "lex:channelType", - "description": "Enables you to control access based on the channel type included in the request.", + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the thingsgraph service.", "type": "String" } ], - "prefix": "lex", + "prefix": "iotthingsgraph", "privileges": [ { "access_level": "Write", - "description": "Creates a new version based on the $LATEST version of the specified bot.", - "privilege": "CreateBotVersion", + "description": "Associates a device with a concrete thing that is in the user's registry. A thing can be associated with only one device at a time. 
If you associate a thing with a new device id, its previous association will be removed.", + "privilege": "AssociateEntityToThing", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot version*" + "dependent_actions": [ + "iot:DescribeThing", + "iot:DescribeThingGroup" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a new version based on the $LATEST version of the specified intent.", - "privilege": "CreateIntentVersion", + "description": "Creates a workflow template. Workflows can be created only in the user's namespace. (The public namespace contains only entities.) The workflow can contain only entities in the specified namespace. The workflow is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request.", + "privilege": "CreateFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a new version based on the $LATEST version of the specified slot type.", - "privilege": "CreateSlotTypeVersion", + "description": "Creates an instance of a system with specified configurations and Things.", + "privilege": "CreateSystemInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes all versions of a bot.", - "privilege": "DeleteBot", + "description": "Creates a system. 
The system is validated against the entities in the latest version of the user's namespace unless another namespace version is specified in the request.", + "privilege": "CreateSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes an alias for a specific bot.", - "privilege": "DeleteBotAlias", + "description": "Deletes a workflow. Any new system or system instance that contains this workflow will fail to update or deploy. Existing system instances that contain the workflow will continue to run (since they use a snapshot of the workflow taken at the time of deploying the system instance).", + "privilege": "DeleteFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "Workflow*" } ] }, { "access_level": "Write", - "description": "Deletes the association between a Amazon Lex bot alias and a messaging platform.", - "privilege": "DeleteBotChannelAssociation", + "description": "Deletes the specified namespace. This action deletes all of the entities in the namespace. Delete the systems and flows in the namespace before performing this action.", + "privilege": "DeleteNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a specific version of a bot.", - "privilege": "DeleteBotVersion", + "description": "Deletes a system instance. Only instances that have never been deployed, or that have been undeployed from the target can be deleted. 
Users can create a new system instance that has the same ID as a deleted system instance.", + "privilege": "DeleteSystemInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "SystemInstance*" } ] }, { "access_level": "Write", - "description": "Deletes all versions of an intent.", - "privilege": "DeleteIntent", + "description": "Deletes a system. New system instances can't contain the system after its deletion. Existing system instances that contain the system will continue to work because they use a snapshot of the system that is taken when it is deployed.", + "privilege": "DeleteSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "System*" } ] }, { "access_level": "Write", - "description": "Deletes a specific version of an intent.", - "privilege": "DeleteIntentVersion", + "description": "Deploys the system instance to the target specified in CreateSystemInstance.", + "privilege": "DeploySystemInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "SystemInstance*" } ] }, { "access_level": "Write", - "description": "Removes session information for a specified bot, alias, and user ID.", - "privilege": "DeleteSession", + "description": "Deprecates the specified workflow. This action marks the workflow for deletion. 
Deprecated flows can't be deployed, but existing system instances that use the flow will continue to run.", + "privilege": "DeprecateFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, + "resource_type": "Workflow*" + } + ] + }, + { + "access_level": "Write", + "description": "Deprecates the specified system.", + "privilege": "DeprecateSystemTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "System*" } ] }, { - "access_level": "Write", - "description": "Deletes all versions of a slot type.", - "privilege": "DeleteSlotType", + "access_level": "Read", + "description": "Gets the latest version of the user's namespace and the public version that it is tracking.", + "privilege": "DescribeNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a specific version of a slot type.", - "privilege": "DeleteSlotTypeVersion", + "description": "Dissociates a device entity from a concrete thing. The action takes only the type of the entity that you need to dissociate because only one entity of a particular type can be associated with a thing.", + "privilege": "DissociateEntityFromThing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing", + "iot:DescribeThingGroup" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets descriptions of the specified entities. 
Uses the latest version of the user's namespace by default.", + "privilege": "GetEntities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the information Amazon Lex maintains for utterances on a specific bot and userId.", - "privilege": "DeleteUtterances", + "access_level": "Read", + "description": "Gets the latest version of the DefinitionDocument and FlowTemplateSummary for the specified workflow.", + "privilege": "GetFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "Workflow*" } ] }, { "access_level": "Read", - "description": "Returns information for a specific bot. In addition to the bot name, the bot version or alias is required.", - "privilege": "GetBot", + "description": "Gets revisions of the specified workflow. Only the last 100 revisions are stored. If the workflow has been deprecated, this action will return revisions that occurred before the deprecation. 
This action won't work for workflows that have been deleted.", + "privilege": "GetFlowTemplateRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" - }, + "resource_type": "Workflow*" + } + ] + }, + { + "access_level": "Read", + "description": "Gets the status of a namespace deletion task.", + "privilege": "GetNamespaceDeletionStatus", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns information about a Amazon Lex bot alias.", - "privilege": "GetBotAlias", + "description": "Gets a system instance.", + "privilege": "GetSystemInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias*" + "resource_type": "SystemInstance*" } ] }, { - "access_level": "List", - "description": "Returns a list of aliases for a given Amazon Lex bot.", - "privilege": "GetBotAliases", + "access_level": "Read", + "description": "Gets a system.", + "privilege": "GetSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "System*" } ] }, { "access_level": "Read", - "description": "Returns information about the association between a Amazon Lex bot and a messaging platform.", - "privilege": "GetBotChannelAssociation", + "description": "Gets revisions made to the specified system template. Only the previous 100 revisions are stored. If the system has been deprecated, this action will return the revisions that occurred before its deprecation. 
This action won't work with systems that have been deleted.", + "privilege": "GetSystemTemplateRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "System*" } ] }, { - "access_level": "List", - "description": "Returns a list of all of the channels associated with a single bot.", - "privilege": "GetBotChannelAssociations", + "access_level": "Read", + "description": "Gets the status of the specified upload.", + "privilege": "GetUploadStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Returns information for all versions of a specific bot.", - "privilege": "GetBotVersions", + "description": "Lists details of a single workflow execution", + "privilege": "ListFlowExecutionMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Returns information for the $LATEST version of all bots, subject to filters provided by the client.", - "privilege": "GetBots", + "description": "Lists all tags for a given resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SystemInstance" } ] }, { "access_level": "Read", - "description": "Returns information about a built-in intent.", - "privilege": "GetBuiltinIntent", + "description": "Searches for entities of the specified type. You can search for entities in your namespace and the public namespace that you're tracking.", + "privilege": "SearchEntities", "resource_types": [ { "condition_keys": [], 
@@ -90035,20 +99904,20 @@ }, { "access_level": "Read", - "description": "Gets a list of built-in intents that meet the specified criteria.", - "privilege": "GetBuiltinIntents", + "description": "Searches for workflow executions of a system instance", + "privilege": "SearchFlowExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SystemInstance*" } ] }, { "access_level": "Read", - "description": "Gets a list of built-in slot types that meet the specified criteria.", - "privilege": "GetBuiltinSlotTypes", + "description": "Searches for summary information about workflows.", + "privilege": "SearchFlowTemplates", "resource_types": [ { "condition_keys": [], @@ -90059,20 +99928,20 @@ }, { "access_level": "Read", - "description": "Exports Amazon Lex Resource in a requested format.", - "privilege": "GetExport", + "description": "Searches for system instances in the user's account.", + "privilege": "SearchSystemInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Gets information about an import job started with StartImport.", - "privilege": "GetImport", + "description": "Searches for summary information about systems in the user's account. You can filter by the ID of a workflow to return only systems that use the specified workflow.", + "privilege": "SearchSystemTemplates", "resource_types": [ { "condition_keys": [], 
@@ -90083,85 +99952,95 @@ }, { "access_level": "Read", - "description": "Returns information for a specific intent. In addition to the intent name, you must also specify the intent version.", - "privilege": "GetIntent", + "description": "Searches for things associated with the specified entity. You can search by both device and device model.", + "privilege": "SearchThings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns information for all versions of a specific intent.", - "privilege": "GetIntentVersions", + "access_level": "Tagging", + "description": "Tag a specified resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "SystemInstance" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns information for the $LATEST version of all intents, subject to filters provided by the client.", - "privilege": "GetIntents", + "access_level": "Write", + "description": "Removes the system instance and associated triggers from the target.", + "privilege": "UndeploySystemInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SystemInstance*" } ] }, { - "access_level": "Read", - "description": "Returns session information for a specified bot, alias, and user ID.", - "privilege": "GetSession", + "access_level": "Tagging", + "description": "Untag a specified resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "SystemInstance" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - 
"resource_type": "bot version" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about a specific version of a slot type. In addition to specifying the slot type name, you must also specify the slot type version.", - "privilege": "GetSlotType", + "access_level": "Write", + "description": "Updates the specified workflow. All deployed systems and system instances that use the workflow will see the changes in the flow when it is redeployed. The workflow can contain only entities in the specified namespace.", + "privilege": "UpdateFlowTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "Workflow*" } ] }, { - "access_level": "List", - "description": "Returns information for all versions of a specific slot type.", - "privilege": "GetSlotTypeVersions", + "access_level": "Write", + "description": "Updates the specified system. You don't need to run this action after updating a workflow. Any system instance that uses the system will see the changes in the system when it is redeployed.", + "privilege": "UpdateSystemTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "System*" } ] }, { - "access_level": "List", - "description": "Returns information for the $LATEST version of all slot types, subject to filters provided by the client.", - "privilege": "GetSlotTypes", + "access_level": "Write", + "description": "Asynchronously uploads one or more entity definitions to the user's namespace.", + "privilege": "UploadEntityDefinitions", "resource_types": [ { "condition_keys": [], 
@@ -90169,89 +100048,128 @@ "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Workflow/${NamespacePath}", + "condition_keys": [], + "resource": "Workflow" }, { - "access_level": "List", - "description": "Returns a view of aggregate utterance data for versions of a bot for a recent time period.", - "privilege": "GetUtterancesView", + "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:System/${NamespacePath}", + "condition_keys": [], + "resource": "System" + }, + { + "arn": "arn:${Partition}:iotthingsgraph:${Region}:${Account}:Deployment/${NamespacePath}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "SystemInstance" + } + ], + "service_name": "AWS IoT Things Graph" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag key that is present in the request that the user makes to IoT Wireless", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key component of a tag attached to an IoT Wireless resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the list of all the tag key names associated with the resource in the request", + "type": "String" + } + ], + "prefix": "iotwireless", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to link partner accounts with Aws account", + "privilege": "AssociateAwsAccountWithPartnerAccount", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "bot version*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Lists tags for a Lex resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to associate the wireless device with AWS IoT thing 
for a given wirelessDeviceId", + "privilege": "AssociateWirelessDeviceWithThing", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias" + "dependent_actions": [ + "iot:DescribeThing" + ], + "resource_type": "WirelessDevice*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Sends user input (text or speech) to Amazon Lex.", - "privilege": "PostContent", + "description": "Grants permission to associate a WirelessGateway with the IoT Core Identity certificate", + "privilege": "AssociateWirelessGatewayWithCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot alias" + "resource_type": "WirelessGateway*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Sends user input (text-only) to Amazon Lex.", - "privilege": "PostText", + "description": "Grants permission to associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId", + "privilege": "AssociateWirelessGatewayWithThing", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias" + "dependent_actions": [ + "iot:DescribeThing" + ], + "resource_type": "WirelessGateway*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Creates or updates the $LATEST version of a Amazon Lex conversational bot.", - "privilege": "PutBot", + "description": "Grants permission to create a Destination resource", + "privilege": "CreateDestination", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot version*" - }, { 
"condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -90260,18 +100178,13 @@ }, { "access_level": "Write", - "description": "Creates or updates an alias for the specific bot.", - "privilege": "PutBotAlias", + "description": "Grants permission to create a DeviceProfile resource", + "privilege": "CreateDeviceProfile", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias*" - }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -90280,81 +100193,70 @@ }, { "access_level": "Write", - "description": "Creates or updates the $LATEST version of an intent.", - "privilege": "PutIntent", + "description": "Grants permission to create a ServiceProfile resource", + "privilege": "CreateServiceProfile", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "intent version*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a new session or modifies an existing session with an Amazon Lex bot.", - "privilege": "PutSession", + "description": "Grants permission to create a WirelessDevice resource with given Destination", + "privilege": "CreateWirelessDevice", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias" - }, - { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "bot version" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates or updates the $LATEST version of a slot type.", - "privilege": "PutSlotType", + "description": "Grants permission to create a WirelessGateway resource", + "privilege": "CreateWirelessGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "slottype version*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Starts a job to import a resource to Amazon Lex.", - "privilege": "StartImport", + "description": "Grants permission to create a task for a given WirelessGateway", + "privilege": "CreateWirelessGatewayTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "Tagging", - "description": "Adds or overwrites tags to a Lex 
resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to create a WirelessGateway task definition", + "privilege": "CreateWirelessGatewayTaskDefinition", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel" - }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -90362,285 +100264,225 @@ ] }, { - "access_level": "Tagging", - "description": "Removes tags from a Lex resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to delete a Destination", + "privilege": "DeleteDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bot alias" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Destination*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "bot" - }, - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotVersion}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "bot version" - }, - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotAlias}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "bot alias" - }, - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:bot-channel:${BotName}:${BotAlias}:${ChannelName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "channel" - }, - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:intent:${IntentName}:${IntentVersion}", - "condition_keys": [], - "resource": "intent version" - }, - { - "arn": "arn:${Partition}:lex:${Region}:${Account}:slottype:${SlotName}:${SlotVersion}", - "condition_keys": [], - "resource": "slottype version" - } - ], - "service_name": "Amazon Lex" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on allowed set of values for each of the mandatory tags", - "type": "String" - }, - { - 
"condition": "aws:TagKeys", - "description": "Enforce tag keys that are used in the request", - "type": "String" }, - { - "condition": "license-manager:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource.", - "type": "String" - } - ], - "prefix": "license-manager", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to accept a grant", - "privilege": "AcceptGrant", + "description": "Grants permission to delete a DeviceProfile", + "privilege": "DeleteDeviceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "DeviceProfile*" } ] }, { "access_level": "Write", - "description": "Grants permission to check in license entitlements back to pool", - "privilege": "CheckInLicense", + "description": "Grants permission to delete a ServiceProfile", + "privilege": "DeleteServiceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ServiceProfile*" } ] }, { "access_level": "Write", - "description": "Grants permission to check out license entitlements for borrow use case", - "privilege": "CheckoutBorrowLicense", + "description": "Grants permission to delete a WirelessDevice", + "privilege": "DeleteWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Grants permission to check out license entitlements", - "privilege": "CheckoutLicense", + "description": "Grants permission to delete a WirelessGateway", + "privilege": "DeleteWirelessGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new grant for license", - "privilege": "CreateGrant", + 
"description": "Grants permission to delete task for a given WirelessGateway", + "privilege": "DeleteWirelessGatewayTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "WirelessGateway*" } ] }, { "access_level": "Write", - "description": "Grants permission to create new version of grant", - "privilege": "CreateGrantVersion", + "description": "Grants permission to delete a WirelessGateway task definition", + "privilege": "DeleteWirelessGatewayTaskDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "WirelessGatewayTaskDefinition*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new license", - "privilege": "CreateLicense", + "description": "Grants permission to disassociate an AWS account from a partner account", + "privilege": "DisassociateAwsAccountFromPartnerAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SidewalkAccount*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to create a new license configuration", - "privilege": "CreateLicenseConfiguration", + "access_level": "Write", + "description": "Grants permission to disassociate a wireless device from a AWS IoT thing", + "privilege": "DisassociateWirelessDeviceFromThing", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing" ], + "resource_type": "WirelessDevice*" + }, + { + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "thing*" } ] }, { "access_level": "Write", - "description": "Grants permission to create new version of license.", - "privilege": "CreateLicenseVersion", + "description": "Grants permission to disassociate a WirelessGateway from a IoT Core Identity certificate", + 
"privilege": "DisassociateWirelessGatewayFromCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cert*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new token for license", - "privilege": "CreateToken", + "description": "Grants permission to disassociate a WirelessGateway from a IoT Core thing", + "privilege": "DisassociateWirelessGatewayFromThing", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing" + ], + "resource_type": "WirelessGateway*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "thing*" } ] }, { - "access_level": "Write", - "description": "Deletes a grant", - "privilege": "DeleteGrant", + "access_level": "Read", + "description": "Grants permission to get the Destination", + "privilege": "GetDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "Destination*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a license", - "privilege": "DeleteLicense", + "access_level": "Read", + "description": "Grants permission to get the DeviceProfile", + "privilege": "GetDeviceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "DeviceProfile*" } ] }, { - "access_level": "Write", - "description": "Grants permission to permanently delete a license configuration", - "privilege": "DeleteLicenseConfiguration", + "access_level": "Read", + "description": "Grants permission to get log levels by resource types", + "privilege": "GetLogLevelsByResourceTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": 
"" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete token", - "privilege": "DeleteToken", + "access_level": "Read", + "description": "Grants permission to get the associated PartnerAccount", + "privilege": "GetPartnerAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SidewalkAccount*" } ] }, { - "access_level": "Write", - "description": "Grants permission to extend consumption period of already checkout license entitlements", - "privilege": "ExtendLicenseConsumption", + "access_level": "Read", + "description": "Grants permission to get resource log level", + "privilege": "GetResourceLogLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" } ] }, { "access_level": "Read", - "description": "Grants permission to get access token", - "privilege": "GetAccessToken", + "description": "Grants permission to retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format", + "privilege": "GetServiceEndpoint", "resource_types": [ { "condition_keys": [], 
@@ -90651,116 +100493,116 @@ }, { "access_level": "Read", - "description": "Grants permission to get a grant", - "privilege": "GetGrant", + "description": "Grants permission to get the ServiceProfile", + "privilege": "GetServiceProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "ServiceProfile*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a license", - "privilege": "GetLicense", + "description": "Grants permission to get the WirelessDevice", + "privilege": "GetWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "WirelessDevice*" } ] }, { - "access_level": "List", - "description": "Grants permission to get a license configuration", - "privilege": "GetLicenseConfiguration", + "access_level": "Read", + "description": "Grants permission to get statistics info for a given WirelessDevice", + "privilege": "GetWirelessDeviceStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a license usage", - "privilege": "GetLicenseUsage", + "description": "Grants permission to get the WirelessGateway", + "privilege": "GetWirelessGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to get service settings", - "privilege": "GetServiceSettings", + "access_level": "Read", + "description": "Grants permission to get the IoT Core Identity certificate id associated with the WirelessGateway", + "privilege": "GetWirelessGatewayCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": 
"WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to list associations for a selected license configuration", - "privilege": "ListAssociationsForLicenseConfiguration", + "access_level": "Read", + "description": "Grants permission to get Current firmware version and other information for the WirelessGateway", + "privilege": "GetWirelessGatewayFirmwareInformation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to list distributed grants", - "privilege": "ListDistributedGrants", + "access_level": "Read", + "description": "Grants permission to get statistics info for a given WirelessGateway", + "privilege": "GetWirelessGatewayStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the license configuration operations that failed", - "privilege": "ListFailuresForLicenseConfigurationOperations", + "access_level": "Read", + "description": "Grants permission to get the task for a given WirelessGateway", + "privilege": "GetWirelessGatewayTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "WirelessGateway*" } ] }, { - "access_level": "List", - "description": "Grants permission to list license configurations", - "privilege": "ListLicenseConfigurations", + "access_level": "Read", + "description": "Grants permission to get the given WirelessGateway task definition", + "privilege": "GetWirelessGatewayTaskDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGatewayTaskDefinition*" } ] }, { - "access_level": "List", - "description": "Grants 
permission to list license specifications associated with a selected resource", - "privilege": "ListLicenseSpecificationsForResource", + "access_level": "Read", + "description": "List information of available Destinations based on the AWS account.", + "privilege": "ListDestinations", "resource_types": [ { "condition_keys": [], @@ -90770,21 +100612,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list license versions", - "privilege": "ListLicenseVersions", + "access_level": "Read", + "description": "Grants permission to list information of available DeviceProfiles based on the AWS account", + "privilege": "ListDeviceProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list licenses", - "privilege": "ListLicenses", + "access_level": "Read", + "description": "Grants permission to list the available partner accounts", + "privilege": "ListPartnerAccounts", "resource_types": [ { "condition_keys": [], @@ -90794,9 +100636,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list received grants", - "privilege": "ListReceivedGrants", + "access_level": "Read", + "description": "Grants permission to list information of available ServiceProfiles based on the AWS account", + "privilege": "ListServiceProfiles", "resource_types": [ { "condition_keys": [], 
@@ -90806,45 +100648,51 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list received licenses", - "privilege": "ListReceivedLicenses", + "access_level": "Read", + "description": "Grants permission to list all tags for a given resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list resource inventory", - "privilege": "ListResourceInventory", - "resource_types": [ + "resource_type": "Destination" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list tags for a selected resource", - "privilege": "ListTagsForResource", - "resource_types": [ + "resource_type": "DeviceProfile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "ServiceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "SidewalkAccount" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGatewayTaskDefinition" } ] }, { - "access_level": "List", - "description": "Grants permission to list tokens", - "privilege": "ListTokens", + "access_level": "Read", + "description": "Grants permission to list information of available WirelessDevices based on the AWS account", + "privilege": "ListWirelessDevices", "resource_types": [ { "condition_keys": [], 
@@ -90854,283 +100702,191 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list usage records for selected license configuration", - "privilege": "ListUsageForLicenseConfiguration", + "access_level": "Read", + "description": "Grants permission to list information of available WirelessGateway task definitions based on the AWS account", + "privilege": "ListWirelessGatewayTaskDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to reject a grant", - "privilege": "RejectGrant", + "access_level": "Read", + "description": "Grants permission to list information of available WirelessGateways based on the AWS account", + "privilege": "ListWirelessGateways", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "grant*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a selected resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to put resource log level", + "privilege": "PutResourceLogLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "WirelessDevice" }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to untag a selected resource", - "privilege": "UntagResource", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "WirelessGateway" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing license configuration", - "privilege": "UpdateLicenseConfiguration", + "description": "Grants 
permission to reset all resource log levels", + "privilege": "ResetAllResourceLogLevels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to updates license specifications for a selected resource", - "privilege": "UpdateLicenseSpecificationsForResource", + "description": "Grants permission to reset resource log level", + "privilege": "ResetResourceLogLevel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "license-configuration*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to updates service settings", - "privilege": "UpdateServiceSettings", - "resource_types": [ + "resource_type": "WirelessDevice" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:license-manager:${Region}:${Account}:license-configuration/${LicenseConfigurationId}", - "condition_keys": [ - "license-manager:ResourceTag/${TagKey}" - ], - "resource": "license-configuration" - }, - { - "arn": "arn:${Partition}:license-manager::${Account}:license:${LicenseId}", - "condition_keys": [], - "resource": "license" - }, - { - "arn": "arn:${Partition}:license-manager::${Account}:grant:${GrantId}", - "condition_keys": [], - "resource": "grant" - } - ], - "service_name": "AWS License Manager" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the 
request", - "type": "String" - } - ], - "prefix": "lightsail", - "privileges": [ { "access_level": "Write", - "description": "Creates a static IP address that can be attached to an instance.", - "privilege": "AllocateStaticIp", + "description": "Grants permission to send the decrypted application data frame to the target device", + "privilege": "SendDataToWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "WirelessDevice*" } ] }, { - "access_level": "Write", - "description": "Attaches a disk to an instance.", - "privilege": "AttachDisk", + "access_level": "Tagging", + "description": "Grants permission to tag a given resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "Destination" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - } - ] - }, - { - "access_level": "Write", - "description": "Attaches one or more instances to a load balancer.", - "privilege": "AttachInstancesToLoadBalancer", - "resource_types": [ + "resource_type": "DeviceProfile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "ServiceProfile" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" - } - ] - }, - { - "access_level": "Write", - "description": "Attaches a TLS certificate to a load balancer.", - "privilege": "AttachLoadBalancerTlsCertificate", - "resource_types": [ + "resource_type": "SidewalkAccount" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" - } - ] - }, - { - "access_level": "Write", - "description": "Attaches a static IP address to an instance.", - "privilege": "AttachStaticIp", - "resource_types": [ + "resource_type": "WirelessDevice" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + 
"resource_type": "WirelessGateway" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "WirelessGatewayTaskDefinition" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Closes a public port of an instance.", - "privilege": "CloseInstancePublicPorts", + "description": "Grants permission to simulate a provisioned device to send an uplink data with payload of 'Hello'", + "privilege": "TestWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "WirelessDevice*" } ] }, { - "access_level": "Write", - "description": "Copies a snapshot from one AWS Region to another in Amazon Lightsail.", - "privilege": "CopySnapshot", + "access_level": "Tagging", + "description": "Grants permission to remove the given tags from the resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a new Amazon EC2 instance from an exported Amazon Lightsail snapshot.", - "privilege": "CreateCloudFormationStack", - "resource_types": [ + "resource_type": "Destination" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "ExportSnapshotRecord*" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a disk.", - "privilege": "CreateDisk", - "resource_types": [ + "resource_type": "DeviceProfile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "ServiceProfile" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a disk from snapshot.", - "privilege": 
"CreateDiskFromSnapshot", - "resource_types": [ + "resource_type": "SidewalkAccount" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "WirelessDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGatewayTaskDefinition" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -91140,192 +100896,231 @@ }, { "access_level": "Write", - "description": "Creates a disk snapshot.", - "privilege": "CreateDiskSnapshot", + "description": "Grants permission to update a Destination resource", + "privilege": "UpdateDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Destination*" } ] }, { "access_level": "Write", - "description": "Creates a domain resource for the specified domain name.", - "privilege": "CreateDomain", + "description": "Grants permission to update log levels by resource types", + "privilege": "UpdateLogLevelsByResourceTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT).", - "privilege": "CreateDomainEntry", + "description": "Grants permission to update a partner account", + "privilege": "UpdatePartnerAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "SidewalkAccount*" } ] }, { "access_level": "Write", - "description": "Creates an instance snapshot.", - "privilege": "CreateInstanceSnapshot", + "description": "Grants permission to update a WirelessDevice resource", + "privilege": "UpdateWirelessDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot*" - }, - { - 
"condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessDevice*" } ] }, { "access_level": "Write", - "description": "Creates one or more instances.", - "privilege": "CreateInstances", + "description": "Grants permission to update a WirelessGateway resource", + "privilege": "UpdateWirelessGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "WirelessGateway*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "WirelessDevice" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "WirelessGateway" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "DeviceProfile" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ServiceProfile" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Destination" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:SidewalkAccount/${SidewalkAccountId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "SidewalkAccount" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGatewayTaskDefinition/${WirelessGatewayTaskDefinitionId}", + "condition_keys": 
[ + "aws:ResourceTag/${TagKey}" + ], + "resource": "WirelessGatewayTaskDefinition" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", + "condition_keys": [], + "resource": "thing" }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}", + "condition_keys": [], + "resource": "cert" + } + ], + "service_name": "AWS IoT Core for LoRaWAN" + }, + { + "conditions": [], + "prefix": "iq", + "privileges": [ { "access_level": "Write", - "description": "Creates one or more instances based on an instance snapshot.", - "privilege": "CreateInstancesFromSnapshot", + "description": "Grants permission to submit new project requests", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "AWS IQ" + }, + { + "conditions": [], + "prefix": "iq-permission", + "privileges": [ { "access_level": "Write", - "description": "Creates a key pair used to authenticate and connect to an instance.", - "privilege": "CreateKeyPair", + "description": "Grants permission to approve an access grant", + "privilege": "ApproveAccessGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [], + "service_name": "AWS IQ Permissions" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags associated with the request", + "type": "String" }, { - "access_level": "Write", - "description": "Creates a load balancer.", - "privilege": 
"CreateLoadBalancer", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "ivs", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to get multiple channels simultaneously by channel ARN", + "privilege": "BatchGetChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Creates a load balancer TLS certificate.", - "privilege": "CreateLoadBalancerTlsCertificate", + "access_level": "Read", + "description": "Grants permission to get multiple stream keys simultaneously by stream key ARN", + "privilege": "BatchGetStreamKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "Stream-Key*" } ] }, { "access_level": "Write", - "description": "Creates a new relational database.", - "privilege": "CreateRelationalDatabase", + "description": "Grants permission to create a new channel and an associated stream key", + "privilege": "CreateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "Channel*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Stream-Key*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -91334,18 +101129,18 @@ }, { "access_level": "Write", - "description": "Creates a new relational database from a snapshot.", - "privilege": "CreateRelationalDatabaseFromSnapshot", + "description": "Grants permission to create a a new recording configuration", + "privilege": "CreateRecordingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "Recording-Configuration*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -91354,18 +101149,18 @@ }, { "access_level": "Write", - "description": "Creates a relational database snapshot.", - "privilege": "CreateRelationalDatabaseSnapshot", + "description": "Grants permission to create a stream key", + "privilege": "CreateStreamKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot*" + "resource_type": "Stream-Key*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -91374,522 +101169,536 @@ }, { "access_level": "Write", - "description": "Deletes a disk.", - "privilege": "DeleteDisk", + "description": "Grants permission to delete a channel and channel's stream keys", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes a disk snapshot.", - "privilege": "DeleteDiskSnapshot", - "resource_types": [ + "resource_type": "Channel*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "Stream-Key*" } ] }, { "access_level": "Write", - "description": "Deletes a domain resource and all of its DNS records.", - "privilege": "DeleteDomain", + "description": "Grants permission to delete the playback key pair for a specified ARN", + "privilege": "DeletePlaybackKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "Playback-Key-Pair*" } ] }, { "access_level": "Write", - "description": "Deletes a DNS record entry for a domain resource.", - "privilege": "DeleteDomainEntry", + "description": "Grants permission to delete a recording configuration for the specified ARN", + "privilege": "DeleteRecordingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "Recording-Configuration*" } ] }, { "access_level": "Write", - "description": "Deletes an instance.", - "privilege": "DeleteInstance", + "description": "Grants permission to delete the stream key for a specified ARN", + "privilege": "DeleteStreamKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "Stream-Key*" } ] }, { - "access_level": "Write", - "description": "Deletes an instance snapshot.", - "privilege": "DeleteInstanceSnapshot", + "access_level": "Read", + "description": "Grants 
permission to get the channel configuration for a specified channel ARN", + "privilege": "GetChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "InstanceSnapshot*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Deletes a key pair used to authenticate and connect to an instance.", - "privilege": "DeleteKeyPair", + "access_level": "Read", + "description": "Grants permission to get the playback keypair information for a specified ARN", + "privilege": "GetPlaybackKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "Playback-Key-Pair*" } ] }, { - "access_level": "Write", - "description": "Deletes the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance.", - "privilege": "DeleteKnownHostKeys", + "access_level": "Read", + "description": "Grants permission to get the recording configuration for the specified ARN", + "privilege": "GetRecordingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "Recording-Configuration*" } ] }, { - "access_level": "Write", - "description": "Deletes a load balancer.", - "privilege": "DeleteLoadBalancer", + "access_level": "Read", + "description": "Grants permission to get information about the active (live) stream on a specified channel", + "privilege": "GetStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Deletes a load balancer TLS certificate.", - "privilege": "DeleteLoadBalancerTlsCertificate", + "access_level": "Read", + "description": "Grants permission to get stream-key information for a specified ARN", + "privilege": "GetStreamKey", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "Stream-Key*" } ] }, { "access_level": "Write", - "description": "Deletes a relational database.", - "privilege": "DeleteRelationalDatabase", + "description": "Grants permission to import the public key", + "privilege": "ImportPlaybackKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "Playback-Key-Pair*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes relational database snapshot.", - "privilege": "DeleteRelationalDatabaseSnapshot", + "access_level": "List", + "description": "Grants permission to get summary information about channels", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Detaches a disk from an instance.", - "privilege": "DetachDisk", + "access_level": "List", + "description": "Grants permission to get summary information about playback key pairs", + "privilege": "ListPlaybackKeyPairs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "Playback-Key-Pair*" } ] }, { - "access_level": "Write", - "description": "Detaches one or more instances from a load balancer.", - "privilege": "DetachInstancesFromLoadBalancer", + "access_level": "List", + "description": "Grants permission to get summary information about recording configurations", + "privilege": "ListRecordingConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": 
"Recording-Configuration*" } ] }, { - "access_level": "Write", - "description": "Detaches a static IP from an instance to which it is attached.", - "privilege": "DetachStaticIp", + "access_level": "List", + "description": "Grants permission to get summary information about stream keys", + "privilege": "ListStreamKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "Channel*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "Stream-Key*" } ] }, { - "access_level": "Write", - "description": "Downloads the default key pair used to authenticate and connect to instances in a specific AWS Region.", - "privilege": "DownloadDefaultKeyPair", + "access_level": "List", + "description": "Grants permission to get summary information about live streams", + "privilege": "ListStreams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "Channel*" } ] }, { - "access_level": "Write", - "description": "Exports an Amazon Lightsail snapshot to Amazon EC2.", - "privilege": "ExportSnapshot", + "access_level": "Read", + "description": "Grants permission to get information about the tags for a specified ARN", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Returns the names of all active (not deleted) resources.", - "privilege": "GetActiveNames", - "resource_types": [ + "resource_type": "Channel" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Returns a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. 
The software that runs on your instance depends on the blueprint you define when creating the instance.", - "privilege": "GetBlueprints", - "resource_types": [ + "resource_type": "Playback-Key-Pair" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Returns a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance.", - "privilege": "GetBundles", - "resource_types": [ + "resource_type": "Recording-Configuration" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "Stream-Key" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots.", - "privilege": "GetCloudFormationStackRecords", + "access_level": "Write", + "description": "Grants permission to insert metadata into an RTMP stream for a specified channel", + "privilege": "PutMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CloudFormationStackRecord*" + "resource_type": "Channel*" } ] }, { - "access_level": "Read", - "description": "Returns information about a disk.", - "privilege": "GetDisk", + "access_level": "Write", + "description": "Grants permission to disconnect a streamer on a specified channel", + "privilege": "StopStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" + "resource_type": "Channel*" } ] }, { - "access_level": "Read", - "description": "Returns information about a disk snapshot.", - "privilege": "GetDiskSnapshot", + 
"access_level": "Tagging", + "description": "Grants permission to add or update tags for a resource with a specified ARN", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" - } - ] - }, - { - "access_level": "List", - "description": "Returns information about all disk snapshots.", - "privilege": "GetDiskSnapshots", - "resource_types": [ + "resource_type": "Channel" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Disk*" - } - ] - }, - { - "access_level": "List", - "description": "Returns information about all disks.", - "privilege": "GetDisks", - "resource_types": [ + "resource_type": "Playback-Key-Pair" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Recording-Configuration" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "Stream-Key" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns DNS records for a domain resource.", - "privilege": "GetDomain", + "access_level": "Tagging", + "description": "Grants permission to remove tags for a resource with a specified ARN", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" - } - ] - }, - { - "access_level": "Read", - "description": "Returns DNS records for all domain resources.", - "privilege": "GetDomains", - "resource_types": [ + "resource_type": "Channel" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" - } - ] - }, - { - "access_level": "List", - "description": "Returns information about all records to export Amazon Lightsail snapshots to Amazon EC2.", - "privilege": "GetExportSnapshotRecords", - "resource_types": [ + "resource_type": "Playback-Key-Pair" + }, { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "ExportSnapshotRecord*" - } - ] - }, - { - "access_level": "Read", - "description": "Returns information about an instance.", - "privilege": "GetInstance", - "resource_types": [ + "resource_type": "Recording-Configuration" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "Stream-Key" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Returns temporary keys you can use to authenticate and connect to an instance.", - "privilege": "GetInstanceAccessDetails", + "description": "Grants permission to update a channel's configuration", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "Channel*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ivs:${Region}:${Account}:channel/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Channel" }, { - "access_level": "Read", - "description": "Returns the data points for the specified metric of an instance.", - "privilege": "GetInstanceMetricData", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" - } - ] + "arn": "arn:${Partition}:ivs:${Region}:${Account}:stream-key/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Stream-Key" }, { - "access_level": "Read", - "description": "Returns the port states of an instance.", - "privilege": "GetInstancePortStates", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" - } - ] + "arn": "arn:${Partition}:ivs:${Region}:${Account}:playback-key/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Playback-Key-Pair" }, { - "access_level": "Read", - "description": "Returns information about an 
instance snapshot.", - "privilege": "GetInstanceSnapshot", + "arn": "arn:${Partition}:ivs:${Region}:${Account}:recording-configuration/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Recording-Configuration" + } + ], + "service_name": "Amazon Interactive Video Service" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "kafka", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate one or more Scram Secrets with an Amazon MSK cluster", + "privilege": "BatchAssociateScramSecret", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot*" + "dependent_actions": [ + "kms:CreateGrant", + "kms:RetireGrant" + ], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns information about all instance snapshots.", - "privilege": "GetInstanceSnapshots", + "access_level": "Write", + "description": "Grants permission to disassociate one or more Scram Secrets from an Amazon MSK cluster", + "privilege": "BatchDisassociateScramSecret", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot*" + "dependent_actions": [ + "kms:RetireGrant" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns the state of an instance.", - "privilege": "GetInstanceState", + "access_level": "Write", + "description": "Grants permission to create an MSK cluster", + "privilege": "CreateCluster", 
"resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PutRolePolicy", + "kms:CreateGrant", + "kms:DescribeKey" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about all instances.", - "privilege": "GetInstances", + "access_level": "Write", + "description": "Grants permission to create an MSK configuration", + "privilege": "CreateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Instance*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns information about a key pair.", - "privilege": "GetKeyPair", + "access_level": "Write", + "description": "Grants permission to delete an MSK cluster", + "privilege": "DeleteCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about all key pairs.", - "privilege": "GetKeyPairs", + "access_level": "Write", + "description": "Grants permission to delete the specified MSK configuration", + "privilege": "DeleteConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns information about a load balancer.", - "privilege": "GetLoadBalancer", + "description": "Grants permission to describe an MSK cluster", + "privilege": "DescribeCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns the data 
points for the specified metric of a load balancer.", - "privilege": "GetLoadBalancerMetricData", + "description": "Grants permission to describe the cluster operation that is specified by the given ARN", + "privilege": "DescribeClusterOperation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns information about a load balancer TLS certificate.", - "privilege": "GetLoadBalancerTlsCertificates", + "description": "Grants permission to describe an MSK configuration", + "privilege": "DescribeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns information about load balancers.", - "privilege": "GetLoadBalancers", + "description": "Grants permission to describe an MSK configuration revision", + "privilege": "DescribeConfigurationRevision", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on.", - "privilege": "GetOperation", + "description": "Grants permission to get connection details for the brokers in an MSK cluster", + "privilege": "GetBootstrapBrokers", "resource_types": [ { "condition_keys": [], 
@@ -91899,9 +101708,9 @@ ] }, { - "access_level": "Read", - "description": "Returns information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on.", - "privilege": "GetOperations", + "access_level": "List", + "description": "Grants permission to get a list of the Apache Kafka versions to which you can update an MSK cluster", + "privilege": "GetCompatibleKafkaVersions", "resource_types": [ { "condition_keys": [], @@ -91911,41 +101720,21 @@ ] }, { - "access_level": "Read", - "description": "Returns operations for a resource.", - "privilege": "GetOperationsForResource", + "access_level": "List", + "description": "Grants permission to return a list of all the operations that have been performed on the specified MSK cluster", + "privilege": "ListClusterOperations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "KeyPair" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StaticIp" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Returns a list of all valid AWS Regions for Amazon Lightsail.", - "privilege": "GetRegions", + "description": "Grants permission to list all MSK clusters in this account", + "privilege": "ListClusters", "resource_types": [ { "condition_keys": [], 
@@ -91956,20 +101745,20 @@ }, { "access_level": "List", - "description": "Returns information about a relational database.", - "privilege": "GetRelationalDatabase", + "description": "Grants permission to list all revisions for an MSK configuration in this account", + "privilege": "ListConfigurationRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Returns a list of relational database images, or blueprints. You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database.", - "privilege": "GetRelationalDatabaseBlueprints", + "description": "Grants permission to list all MSK configurations in this account", + "privilege": "ListConfigurations", "resource_types": [ { "condition_keys": [], @@ -91980,8 +101769,8 @@ }, { "access_level": "List", - "description": "Returns a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database.", - "privilege": "GetRelationalDatabaseBundles", + "description": "Grants permission to list all Apache Kafka versions supported by Amazon MSK", + "privilege": "ListKafkaVersions", "resource_types": [ { "condition_keys": [], @@ -91991,9 +101780,9 @@ ] }, { - "access_level": "Read", - "description": "Returns events for a relational database.", - "privilege": "GetRelationalDatabaseEvents", + "access_level": "List", + "description": "Grants permission to list brokers in an MSK cluster", + "privilege": "ListNodes", "resource_types": [ { "condition_keys": [], 
@@ -92003,9 +101792,9 @@ ] }, { - "access_level": "Read", - "description": "Returns events for the specified log stream of a relational database.", - "privilege": "GetRelationalDatabaseLogEvents", + "access_level": "List", + "description": "Grants permission to list the Scram Secrets associated with an Amazon MSK cluster", + "privilege": "ListScramSecrets", "resource_types": [ { "condition_keys": [], @@ -92015,21 +101804,21 @@ ] }, { - "access_level": "Read", - "description": "Returns the log streams available for a relational database.", - "privilege": "GetRelationalDatabaseLogStreams", + "access_level": "List", + "description": "Grants permission to list tags of an MSK resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster" } ] }, { "access_level": "Write", - "description": "Returns the master user password of a relational database.", - "privilege": "GetRelationalDatabaseMasterUserPassword", + "description": "Grants permission to reboot broker", + "privilege": "RebootBroker", "resource_types": [ { "condition_keys": [], 
@@ -92039,105 +101828,120 @@ ] }, { - "access_level": "Read", - "description": "Returns the data points for the specified metric of a relational database.", - "privilege": "GetRelationalDatabaseMetricData", + "access_level": "Tagging", + "description": "Grants permission to tag an MSK resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns the parameters of a relational database.", - "privilege": "GetRelationalDatabaseParameters", + "access_level": "Tagging", + "description": "Grants permission to remove tags from an MSK resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns information about a relational database snapshot.", - "privilege": "GetRelationalDatabaseSnapshot", + "access_level": "Write", + "description": "Grants permission to update the number of brokers of the MSK cluster", + "privilege": "UpdateBrokerCount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Returns information about all relational database snapshots.", - "privilege": "GetRelationalDatabaseSnapshots", + "access_level": "Write", + "description": "Grants permission to update the storage size of the brokers of the MSK cluster", + "privilege": "UpdateBrokerStorage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": 
"Return information about all relational databases.", - "privilege": "GetRelationalDatabases", + "access_level": "Write", + "description": "Grants permission to update the broker type of an Amazon MSK cluster", + "privilege": "UpdateBrokerType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about a static IP.", - "privilege": "GetStaticIp", + "access_level": "Write", + "description": "Grants permission to update the configuration of the MSK cluster", + "privilege": "UpdateClusterConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about all static IPs.", - "privilege": "GetStaticIps", + "access_level": "Write", + "description": "Grants permission to update the MSK cluster to the specified Apache Kafka version", + "privilege": "UpdateClusterKafkaVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Imports a public key from a key pair.", - "privilege": "ImportKeyPair", + "description": "Grants permission to create a new revision of the MSK configuration", + "privilege": "UpdateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered.", - "privilege": "IsVpcPeered", + "access_level": "Write", + "description": "Grants permission to update the monitoring settings for the MSK cluster", + "privilege": "UpdateMonitoring", "resource_types": [ { "condition_keys": [], 
@@ -92148,306 +101952,495 @@ }, { "access_level": "Write", - "description": "Adds, or opens a public port of an instance.", - "privilege": "OpenInstancePublicPorts", + "description": "Grants permission to update the security settings for the MSK cluster", + "privilege": "UpdateSecurity", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" + "dependent_actions": [ + "kms:RetireGrant" + ], + "resource_type": "" } ] - }, + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${UUID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + } + ], + "service_name": "Amazon Managed Streaming for Apache Kafka" + }, + { + "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource. The resource tag context key will only apply to the cluster resource, not topics, groups and transactional IDs", + "type": "String" + } + ], + "prefix": "kafka-cluster", + "privileges": [ { "access_level": "Write", - "description": "Tries to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC.", - "privilege": "PeerVpc", + "description": "Grants permission to alter various aspects of the cluster, equivalent to Apache Kafka's ALTER CLUSTER ACL", + "privilege": "AlterCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeCluster" + ], + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Sets the specified open ports for an instance, and closes all ports for every protocol not included in the request.", - "privilege": "PutInstancePublicPorts", + "description": "Grants permission to alter the dynamic configuration of a cluster, equivalent to Apache Kafka's ALTER_CONFIGS CLUSTER ACL", + "privilege": 
"AlterClusterDynamicConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeClusterDynamicConfiguration" + ], + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Reboots an instance that is in a running state.", - "privilege": "RebootInstance", + "description": "Grants permission to join groups on a cluster, equivalent to Apache Kafka's READ GROUP ACL", + "privilege": "AlterGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeGroup" + ], + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Reboots a relational database that is in a running state.", - "privilege": "RebootRelationalDatabase", + "description": "Grants permission to alter topics on a cluster, equivalent to Apache Kafka's ALTER TOPIC ACL", + "privilege": "AlterTopic", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" + ], + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Deletes a static IP.", - "privilege": "ReleaseStaticIp", + "description": "Grants permission to alter the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's ALTER_CONFIGS TOPIC ACL", + "privilege": "AlterTopicDynamicConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "StaticIp*" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopicDynamicConfiguration" + ], + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Starts an instance that is in a stopped state.", - "privilege": "StartInstance", + "description": 
"Grants permission to alter transactional IDs on a cluster, equivalent to Apache Kafka's WRITE TRANSACTIONAL_ID ACL", + "privilege": "AlterTransactionalId", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTransactionalId", + "kafka-cluster:WriteData" + ], + "resource_type": "transactional-id*" } ] }, { "access_level": "Write", - "description": "Starts a relational database that is in a stopped state.", - "privilege": "StartRelationalDatabase", + "description": "Grants permission to connect and authenticate to the cluster", + "privilege": "Connect", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "cluster*" } ] }, { "access_level": "Write", - "description": "Stops an instance that is in a running state.", - "privilege": "StopInstance", + "description": "Grants permission to create topics on a cluster, equivalent to Apache Kafka's CREATE CLUSTER/TOPIC ACL", + "privilege": "CreateTopic", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance*" + "dependent_actions": [ + "kafka-cluster:Connect" + ], + "resource_type": "topic*" } ] }, { "access_level": "Write", - "description": "Stops a relational database that is in a running state.", - "privilege": "StopRelationalDatabase", + "description": "Grants permission to delete groups on a cluster, equivalent to Apache Kafka's DELETE GROUP ACL", + "privilege": "DeleteGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeGroup" + ], + "resource_type": "group*" } ] }, { "access_level": "Write", - "description": "Tags a resource.", - "privilege": "TagResource", + "description": "Grants permission to delete topics on a cluster, equivalent 
to Apache Kafka's DELETE TOPIC ACL", + "privilege": "DeleteTopic", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Disk" - }, + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" + ], + "resource_type": "topic*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe various aspects of the cluster, equivalent to Apache Kafka's DESCRIBE CLUSTER ACL", + "privilege": "DescribeCluster", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "DiskSnapshot" - }, + "dependent_actions": [ + "kafka-cluster:Connect" + ], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe the dynamic configuration of a cluster, equivalent to Apache Kafka's DESCRIBE_CONFIGS CLUSTER ACL", + "privilege": "DescribeClusterDynamicConfiguration", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Domain" - }, + "dependent_actions": [ + "kafka-cluster:Connect" + ], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe groups on a cluster, equivalent to Apache Kafka's DESCRIBE GROUP ACL", + "privilege": "DescribeGroup", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance" - }, + "dependent_actions": [ + "kafka-cluster:Connect" + ], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe topics on a cluster, equivalent to Apache Kafka's DESCRIBE TOPIC ACL", + "privilege": "DescribeTopic", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot" - }, + "dependent_actions": [ + "kafka-cluster:Connect" + ], + "resource_type": "topic*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to 
describe the dynamic configuration of topics on a cluster, equivalent to Apache Kafka's DESCRIBE_CONFIGS TOPIC ACL", + "privilege": "DescribeTopicDynamicConfiguration", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "KeyPair" - }, + "dependent_actions": [ + "kafka-cluster:Connect" + ], + "resource_type": "topic*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe transactional IDs on a cluster, equivalent to Apache Kafka's DESCRIBE TRANSACTIONAL_ID ACL", + "privilege": "DescribeTransactionalId", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "LoadBalancer" - }, + "dependent_actions": [ + "kafka-cluster:Connect" + ], + "resource_type": "transactional-id*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to read data from topics on a cluster, equivalent to Apache Kafka's READ TOPIC ACL", + "privilege": "ReadData", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabase" - }, + "dependent_actions": [ + "kafka-cluster:AlterGroup", + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" + ], + "resource_type": "topic*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to write data to topics on a cluster, equivalent to Apache Kafka's WRITE TOPIC ACL", + "privilege": "WriteData", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot" - }, + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:DescribeTopic" + ], + "resource_type": "topic*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to write data idempotently on a cluster, equivalent to Apache Kafka's IDEMPOTENT_WRITE CLUSTER ACL", + "privilege": "WriteDataIdempotently", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": 
"StaticIp" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "kafka-cluster:Connect", + "kafka-cluster:WriteData" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "cluster*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:cluster/${ClusterName}/${ClusterUuid}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + }, + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:topic/${ClusterName}/${ClusterUuid}/${TopicName}", + "condition_keys": [], + "resource": "topic" + }, + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:group/${ClusterName}/${ClusterUuid}/${GroupName}", + "condition_keys": [], + "resource": "group" }, + { + "arn": "arn:${Partition}:kafka:${Region}:${Account}:transactional-id/${ClusterName}/${ClusterUuid}/${TransactionalId}", + "condition_keys": [], + "resource": "transactional-id" + } + ], + "service_name": "Apache Kafka APIs for Amazon MSK clusters" + }, + { + "conditions": [], + "prefix": "kafkaconnect", + "privileges": [ { "access_level": "Write", - "description": "Attempts to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC.", - "privilege": "UnpeerVpc", + "description": "Grants permission to create an MSK Connect connector", + "privilege": "CreateConnector", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "firehose:TagDeliveryStream", + "iam:AttachRolePolicy", + "iam:CreateServiceLinkedRole", + "iam:PassRole", + "iam:PutRolePolicy", + "logs:CreateLogDelivery", + "logs:DescribeLogGroups", + "logs:DescribeResourcePolicies", + "logs:GetLogDelivery", + "logs:ListLogDeliveries", + "logs:PutResourcePolicy", + "s3:GetBucketPolicy", + "s3:PutBucketPolicy" + ], "resource_type": "" } ] }, { "access_level": "Write", 
- "description": "Untags a resource.", - "privilege": "UntagResource", + "description": "Grants permission to create an MSK Connect custom plugin", + "privilege": "CreateCustomPlugin", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "Disk" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "DiskSnapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Domain" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Instance" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "InstanceSnapshot" - }, + "dependent_actions": [ + "s3:GetObject" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an MSK Connect worker configuration", + "privilege": "CreateWorkerConfiguration", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "KeyPair" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an MSK Connect connector", + "privilege": "DeleteConnector", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "LoadBalancer" - }, + "dependent_actions": [ + "logs:DeleteLogDelivery", + "logs:ListLogDeliveries" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an MSK Connect connector", + "privilege": "DescribeConnector", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an MSK Connect custom plugin", + "privilege": "DescribeCustomPlugin", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabaseSnapshot" - }, + "resource_type": "" + } + 
] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an MSK Connect worker configuration", + "privilege": "DescribeWorkerConfiguration", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StaticIp" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates a domain recordset after it is created.", - "privilege": "UpdateDomainEntry", + "access_level": "Read", + "description": "Grants permission to list all MSK Connect connectors in this account", + "privilege": "ListConnectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Domain*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates a load balancer attribute, such as the health check path and session stickiness.", - "privilege": "UpdateLoadBalancerAttribute", + "access_level": "Read", + "description": "Grants permission to list all MSK Connect custom plugins in this account", + "privilege": "ListCustomPlugins", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "LoadBalancer*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates a relational database.", - "privilege": "UpdateRelationalDatabase", + "access_level": "Read", + "description": "Grants permission to list all MSK Connect worker configurations in this account", + "privilege": "ListWorkerConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "RelationalDatabase*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the parameters of a relational database.", - "privilege": "UpdateRelationalDatabaseParameters", + "description": "Grants permission to update an MSK Connect connector", + "privilege": "UpdateConnector", "resource_types": [ { 
"condition_keys": [], 
@@ -92459,181 +102452,141 @@ ], "resources": [ { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Domain" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Instance" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "InstanceSnapshot" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "KeyPair" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "StaticIp" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Disk" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "DiskSnapshot" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "LoadBalancer" - }, - { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:PeeredVpc/${Id}", + "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:connector/${ConnectorName}/${UUID}", "condition_keys": [], - "resource": "PeeredVpc" + "resource": "connector" }, { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}", + "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:custom-plugin/${CustomPluginName}/${UUID}", "condition_keys": [], - "resource": "LoadBalancerTlsCertificate" + "resource": "custom plugin" }, { - "arn": 
"arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}", + "arn": "arn:${Partition}:kafkaconnect:${Region}:${Account}:worker-configuration/${WorkerConfigurationName}/${UUID}", "condition_keys": [], - "resource": "ExportSnapshotRecord" - }, + "resource": "worker configuration" + } + ], + "service_name": "Amazon Managed Streaming for Kafka Connect" + }, + { + "conditions": [ { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}", - "condition_keys": [], - "resource": "CloudFormationStackRecord" + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" }, { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "RelationalDatabase" + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" }, { - "arn": "arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "RelationalDatabaseSnapshot" + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" } ], - "service_name": "Amazon Lightsail" - }, - { - "conditions": [], - "prefix": "logs", + "prefix": "kendra", "privileges": [ { "access_level": "Write", - "description": "Associates the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group.", - "privilege": "AssociateKmsKey", + "description": "Grants permission to batch delete document", + "privilege": "BatchDeleteDocument", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Cancels an export task 
if it is in PENDING or RUNNING state", - "privilege": "CancelExportTask", + "access_level": "Read", + "description": "Grants permission to do batch get document status", + "privilege": "BatchGetDocumentStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Creates an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket", - "privilege": "CreateExportTask", + "description": "Grants permission to batch put document", + "privilege": "BatchPutDocument", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Creates the log delivery", - "privilege": "CreateLogDelivery", + "description": "Grants permission to clear out the suggestions for a given index, generated so far", + "privilege": "ClearQuerySuggestions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Creates a new log group with the specified name", - "privilege": "CreateLogGroup", + "description": "Grants permission to create a data source", + "privilege": "CreateDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a new log stream with the specified name", - "privilege": "CreateLogStream", + "description": "Grants permission to create an Faq", + "privilege": "CreateFaq", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" + }, + { + "condition_keys": [ 
+ "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the destination with the specified name and eventually disables all the subscription filters that publish to it", - "privilege": "DeleteDestination", + "description": "Grants permission to create an Index", + "privilege": "CreateIndex", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } 
@@ -92641,260 +102594,324 @@ }, { "access_level": "Write", - "description": "Deletes the log delivery information for specified log delivery", - "privilege": "DeleteLogDelivery", + "description": "Grants permission to create a QuerySuggestions BlockList", + "privilege": "CreateQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes the log group with the specified name and permanently deletes all the archived log events associated with it", - "privilege": "DeleteLogGroup", + "description": "Grants permission to create a Thesaurus", + "privilege": "CreateThesaurus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a log stream and permanently deletes all the archived log events associated with it", - "privilege": "DeleteLogStream", + "description": "Grants permission to delete a data source", + "privilege": "DeleteDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-stream*" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Deletes a metric filter associated with the specified log group", - "privilege": "DeleteMetricFilter", + "description": "Grants permission to delete an Faq", + "privilege": "DeleteFaq", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "faq*" + }, + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Deletes a resource policy from this account", - "privilege": "DeleteResourcePolicy", + "description": "Grants permission to delete an Index", + "privilege": "DeleteIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Deletes the retention policy of the specified log group", - "privilege": "DeleteRetentionPolicy", + "description": "Grants permission to delete principal mapping from index", + "privilege": "DeletePrincipalMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-source" } ] }, { "access_level": "Write", - "description": "Deletes a subscription filter associated with the specified log group", - "privilege": "DeleteSubscriptionFilter", + "description": "Grants permission to delete a QuerySuggestions BlockList", + "privilege": "DeleteQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" - } - ] - }, - { - "access_level": "List", - "description": "Returns all the destinations that are associated with the AWS account making the request", - "privilege": "DescribeDestinations", - "resource_types": [ + "resource_type": "index*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "query-suggestions-block-list*" } ] }, { - "access_level": "List", - "description": "Returns all the export tasks that are associated with the AWS account making the request", - "privilege": "DescribeExportTasks", + "access_level": "Write", + "description": "Grants permission to delete a Thesaurus", + "privilege": "DeleteThesaurus", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus*" } ] }, { - "access_level": "List", - "description": "Returns all the log groups that are associated with the AWS account making the request", - "privilege": "DescribeLogGroups", + "access_level": "Read", + "description": "Grants permission to describe a data source", + "privilege": "DescribeDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "List", - "description": "Returns all the log streams that are associated with the specified log group", - "privilege": "DescribeLogStreams", + "access_level": "Read", + "description": "Grants permission to describe an Faq", + "privilege": "DescribeFaq", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "faq*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "List", - "description": "Returns all the metrics filters associated with the specified log group", - "privilege": "DescribeMetricFilters", + "access_level": "Read", + "description": "Grants permission to describe an Index", + "privilege": "DescribeIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { - "access_level": "List", - "description": "Returns a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account. 
You can request all queries, or limit it to queries of a specific log group or queries with a certain status.", - "privilege": "DescribeQueries", + "access_level": "Read", + "description": "Grants permission to describe principal mapping from index", + "privilege": "DescribePrincipalMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-source" } ] }, { - "access_level": "List", - "description": "Return all the resource policies in this account.", - "privilege": "DescribeResourcePolicies", + "access_level": "Read", + "description": "Grants permission to describe a QuerySuggestions BlockList", + "privilege": "DescribeQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query-suggestions-block-list*" } ] }, { - "access_level": "List", - "description": "Returns all the subscription filters associated with the specified log group", - "privilege": "DescribeSubscriptionFilters", + "access_level": "Read", + "description": "Grants permission to describe the query suggestions configuration for an index", + "privilege": "DescribeQuerySuggestionsConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Disassociates the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group", - "privilege": "DisassociateKmsKey", + "access_level": "Read", + "description": "Grants permission to describe a Thesaurus", + "privilege": "DescribeThesaurus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus*" } ] }, { "access_level": "Read", - "description": "Retrieves log events, optionally filtered by a filter pattern from the specified log group", - "privilege": "FilterLogEvents", + "description": "Grants permission to get suggestions for a query prefix", + "privilege": "GetQuerySuggestions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Gets the log delivery information for specified log delivery", - "privilege": "GetLogDelivery", + "access_level": "List", + "description": "Grants permission to get Data Source sync job history", + "privilege": "ListDataSourceSyncJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Retrieves log events from the specified log stream", - "privilege": "GetLogEvents", + "access_level": "List", + "description": "Grants permission to list the data sources", + "privilege": "ListDataSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-stream*" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Returns a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field. 
The search is limited to a time period that you specify.", - "privilege": "GetLogGroupFields", + "access_level": "List", + "description": "Grants permission to list the Faqs", + "privilege": "ListFaqs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Retrieves all the fields and values of a single log event. All fields are retrieved, even if the original query that produced the logRecordPointer retrieved only a subset of fields. Fields are returned as field name/field value pairs.", - "privilege": "GetLogRecord", + "access_level": "List", + "description": "Grants permission to list groups that are older than an ordering id", + "privilege": "ListGroupsOlderThanOrderingId", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-source" } ] }, { - "access_level": "Read", - "description": "Returns the results from the specified query. If the query is in progress, partial results of that current execution are returned. Only the fields requested in the query are returned.", - "privilege": "GetQueryResults", + "access_level": "List", + "description": "Grants permission to list the indexes", + "privilege": "ListIndices", "resource_types": [ { "condition_keys": [], 
@@ -92905,319 +102922,467 @@ }, { "access_level": "List", - "description": "Lists all the log deliveries for specified account and/or log source", - "privilege": "ListLogDeliveries", + "description": "Grants permission to list the QuerySuggestions BlockLists", + "privilege": "ListQuerySuggestionsBlockLists", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" } ] }, { - "access_level": "List", - "description": "Lists the tags for the specified log group", - "privilege": "ListTagsLogGroup", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "data-source" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "faq" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query-suggestions-block-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" } ] }, { - "access_level": "Write", - "description": "Creates or updates a Destination", - "privilege": "PutDestination", + "access_level": "List", + "description": "Grants permission to list the Thesauri", + "privilege": "ListThesauri", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Creates or updates an access policy associated with an existing Destination", - "privilege": "PutDestinationPolicy", + "description": "Grants permission to put principal mapping in index", + "privilege": "PutPrincipalMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": 
"index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-source" } ] }, { - "access_level": "Write", - "description": "Uploads a batch of log events to the specified log stream", - "privilege": "PutLogEvents", + "access_level": "Read", + "description": "Grants permission to query documents and faqs", + "privilege": "Query", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-stream*" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Creates or updates a metric filter and associates it with the specified log group", - "privilege": "PutMetricFilter", + "description": "Grants permission to start Data Source sync job", + "privilege": "StartDataSourceSyncJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Creates or updates a resource policy allowing other AWS services to put log events to this account", - "privilege": "PutResourcePolicy", + "description": "Grants permission to stop Data Source sync job", + "privilege": "StopDataSourceSyncJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Sets the retention of the specified log group", - "privilege": "PutRetentionPolicy", + "description": "Grants permission to send feedback about a query results", + "privilege": "SubmitFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { - "access_level": "Write", - "description": "Creates or updates a subscription filter and associates it with 
the specified log group", - "privilege": "PutSubscriptionFilter", + "access_level": "Tagging", + "description": "Grants permission to tag a resource with given key value pairs", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" + "dependent_actions": [], + "resource_type": "data-source" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "faq" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query-suggestions-block-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "log-group*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Schedules a query of a log group using CloudWatch Logs Insights. You specify the log group and time range to query, and the query string to use.", - "privilege": "StartQuery", + "access_level": "Tagging", + "description": "Grants permission to remove the tag with the given key from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "data-source" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "faq" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query-suggestions-block-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Stops a CloudWatch Logs Insights query that is in progress. 
If the query has already ended, the operation returns an error indicating that the specified query is not running.", - "privilege": "StopQuery", + "access_level": "Write", + "description": "Grants permission to update a data source", + "privilege": "UpdateDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "data-source*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Adds or updates the specified tags for the specified log group", - "privilege": "TagLogGroup", + "description": "Grants permission to update an Index", + "privilege": "UpdateIndex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { - "access_level": "Read", - "description": "Tests the filter pattern of a metric filter against a sample of log event messages", - "privilege": "TestMetricFilter", + "access_level": "Write", + "description": "Grants permission to update a QuerySuggestions BlockList", + "privilege": "UpdateQuerySuggestionsBlockList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query-suggestions-block-list*" } ] }, { "access_level": "Write", - "description": "Removes the specified tags from the specified log group", - "privilege": "UntagLogGroup", + "description": "Grants permission to update the query suggestions configuration for an index", + "privilege": "UpdateQuerySuggestionsConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "log-group*" + "resource_type": "index*" } ] }, { "access_level": "Write", - "description": "Updates the log delivery information for specified log delivery", - "privilege": "UpdateLogDelivery", + "description": "Grants 
permission to update a thesaurus", + "privilege": "UpdateThesaurus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}", - "condition_keys": [], - "resource": "log-group" + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "index" }, { - "arn": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}", - "condition_keys": [], - "resource": "log-stream" + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/data-source/${DataSourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "data-source" + }, + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/faq/${FaqId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "faq" + }, + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/thesaurus/${ThesaurusId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "thesaurus" + }, + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/query-suggestions-block-list/${QuerySuggestionsBlockListId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "query-suggestions-block-list" } ], - "service_name": "Amazon CloudWatch Logs" + "service_name": "Amazon Kendra" }, { "conditions": [], - "prefix": "lookoutvision", + "prefix": "kinesis", "privileges": [ { - "access_level": "Write", - "description": "Grants permission to create a dataset manifest", - "privilege": "CreateDataset", + "access_level": "Tagging", + "description": "Adds or updates tags for the specified Amazon Kinesis stream. 
Each stream can have up to 10 tags.", + "privilege": "AddTagsToStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new anomaly detection model", - "privilege": "CreateModel", + "description": "Creates a Amazon Kinesis stream.", + "privilege": "CreateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new project", - "privilege": "CreateProject", + "description": "Decreases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.", + "privilege": "DecreaseStreamRetentionPeriod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataset", + "description": "Deletes a stream and all its shards and data.", + "privilege": "DeleteStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a model and all associated assets", - "privilege": "DeleteModel", + "description": "Deregisters a stream consumer with a Kinesis data stream.", + "privilege": "DeregisterStreamConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "consumer*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" } ] }, { - "access_level": "Write", - "description": "Grants permission to permanently remove a project", - "privilege": "DeleteProject", + "access_level": "Read", + 
"description": "Describes the shard limits and usage for the account.", + "privilege": "DescribeLimits", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to show detailed information about dataset manifest", - "privilege": "DescribeDataset", + "description": "Describes the specified stream.", + "privilege": "DescribeStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Grants permission to show detailed information about a model", - "privilege": "DescribeModel", + "description": "Gets the description of a registered stream consumer.", + "privilege": "DescribeStreamConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "consumer*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Grants permission to show detailed information about a project", - "privilege": "DescribeProject", + "description": "Provides a summarized description of the specified Kinesis data stream without the shard list.", + "privilege": "DescribeStreamSummary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "stream*" } ] }, { - "access_level": "Read", - "description": "Grants permission to provides state information about a running anomaly detection job", - "privilege": "DescribeTrialDetection", + "access_level": "Write", + "description": "Disables enhanced monitoring.", + "privilege": "DisableEnhancedMonitoring", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "API_EnableEnhancedMonitoring.html", 
+ "privilege": "EnableEnhancedMonitoring", "resource_types": [ { "condition_keys": [], @@ -93228,32 +103393,44 @@ }, { "access_level": "Read", - "description": "Grants permission to invoke detection of anomalies", - "privilege": "DetectAnomalies", + "description": "Gets data records from a shard.", + "privilege": "GetRecords", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the contents of dataset manifest", - "privilege": "ListDatasetEntries", + "access_level": "Read", + "description": "Gets a shard iterator. A shard iterator expires five minutes after it is returned to the requester.", + "privilege": "GetShardIterator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Increases the stream's retention period, which is the length of time data records are accessible after they are added to the stream.", + "privilege": "IncreaseStreamRetentionPeriod", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" } ] }, { "access_level": "List", - "description": "Grants permission to list all models associated with a project", - "privilege": "ListModels", + "description": "Lists the shards in a stream and provides information about each shard.", + "privilege": "ListShards", "resource_types": [ { "condition_keys": [], @@ -93264,8 +103441,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all projects", - "privilege": "ListProjects", + "description": "Lists the stream consumers registered to receive data from a Kinesis stream using enhanced fan-out, and provides information about each consumer.", + "privilege": "ListStreamConsumers", "resource_types": [ { "condition_keys": [], 
@@ -93276,8 +103453,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all anomaly detection jobs", - "privilege": "ListTrialDetections", + "description": "Lists your streams.", + "privilege": "ListStreams", "resource_types": [ { "condition_keys": [], 
@@ -93287,323 +103464,300 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to start anomaly detection model", - "privilege": "StartModel", + "access_level": "Read", + "description": "Lists the tags for the specified Amazon Kinesis stream.", + "privilege": "ListTagsForStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to start bulk detection of anomalies for a set of images stored in an S3 bucket", - "privilege": "StartTrialDetection", + "description": "Merges two adjacent shards in a stream and combines them into a single shard to reduce the stream's capacity to ingest and transport data.", + "privilege": "MergeShards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop anomaly detection model", - "privilege": "StopModel", + "description": "Writes a single data record from a producer into an Amazon Kinesis stream.", + "privilege": "PutRecord", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a training or test dataset manifest", - "privilege": "UpdateDatasetEntries", + "description": "Writes multiple data records from a producer into an Amazon Kinesis stream in a single call (also referred to as a PutRecords request).", + "privilege": "PutRecords", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:lookoutvision:${Region}:${Account}:model/${ProjectName}/${ModelVersion}", - "condition_keys": [], - "resource": "model" }, { - "arn": 
"arn:${Partition}:lookoutvision:${Region}:${Account}:project/${ProjectName}", - "condition_keys": [], - "resource": "project" - } - ], - "service_name": "Amazon Lookout for Vision" - }, - { - "conditions": [], - "prefix": "machinelearning", - "privileges": [ - { - "access_level": "Tagging", - "description": "Adds one or more tags to an object, up to a limit of 10. Each tag consists of a key and an optional value", - "privilege": "AddTags", + "access_level": "Write", + "description": "Registers a stream consumer with a Kinesis data stream.", + "privilege": "RegisterStreamConsumer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "evaluation" + "resource_type": "consumer*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel" + "resource_type": "stream*" } ] }, { - "access_level": "Write", - "description": "Generates predictions for a group of observations", - "privilege": "CreateBatchPrediction", + "access_level": "Tagging", + "description": "Description for SplitShard", + "privilege": "RemoveTagsFromStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Creates a DataSource object from an Amazon RDS", - "privilege": "CreateDataSourceFromRDS", + "description": "Description for SplitShard", + "privilege": "SplitShard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": 
"Creates a DataSource from a database hosted on an Amazon Redshift cluster", - "privilege": "CreateDataSourceFromRedshift", + "description": "Grants permission to enable or update server-side encryption using an AWS KMS key for a specified stream.", + "privilege": "StartStreamEncryption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a DataSource object from S3", - "privilege": "CreateDataSourceFromS3", - "resource_types": [ + "resource_type": "kmsKey*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Creates a new Evaluation of an MLModel", - "privilege": "CreateEvaluation", + "description": "Grants permission to disable server-side encryption for a specified stream.", + "privilege": "StopStreamEncryption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "evaluation*" + "resource_type": "kmsKey*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "stream*" } ] }, { - "access_level": "Write", - "description": "Creates a new MLModel", - "privilege": "CreateMLModel", + "access_level": "Read", + "description": "Listening to a specific shard with enhanced fan-out.", + "privilege": "SubscribeToShard", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "consumer*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Creates a real-time endpoint for the MLModel", - "privilege": "CreateRealtimeEndpoint", + "description": "Updates the shard count of the specified stream to the 
specified number of shards.", + "privilege": "UpdateShardCount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:kinesis:${Region}:${Account}:stream/${StreamName}", + "condition_keys": [], + "resource": "stream" + }, + { + "arn": "arn:${Partition}:kinesis:${Region}:${Account}:${StreamType}/${StreamName}/consumer/${ConsumerName}:${ConsumerCreationTimpstamp}", + "condition_keys": [], + "resource": "consumer" + }, + { + "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", + "condition_keys": [], + "resource": "kmsKey" + } + ], + "service_name": "Amazon Kinesis" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value assoicated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tag keys in the request", + "type": "String" + } + ], + "prefix": "kinesisanalytics", + "privileges": [ { "access_level": "Write", - "description": "Assigns the DELETED status to a BatchPrediction, rendering it unusable", - "privilege": "DeleteBatchPrediction", + "description": "Adds input to the application.", + "privilege": "AddApplicationInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Assigns the DELETED status to a DataSource, rendering it unusable", - "privilege": "DeleteDataSource", + "description": "Adds output to the application.", + "privilege": "AddApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + 
"resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Assigns the DELETED status to an Evaluation, rendering it unusable", - "privilege": "DeleteEvaluation", + "description": "Adds reference data source to the application.", + "privilege": "AddApplicationReferenceDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "evaluation*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Assigns the DELETED status to an MLModel, rendering it unusable", - "privilege": "DeleteMLModel", + "description": "Creates an application.", + "privilege": "CreateApplication", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a real time endpoint of an MLModel", - "privilege": "DeleteRealtimeEndpoint", + "description": "Deletes the application.", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "application*" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified tags associated with an ML object. 
After this operation is complete, you can't recover deleted tags", - "privilege": "DeleteTags", + "access_level": "Write", + "description": "Deletes the specified output of the application.", + "privilege": "DeleteApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "evaluation" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mlmodel" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns a list of BatchPrediction operations that match the search criteria in the request", - "privilege": "DescribeBatchPredictions", + "access_level": "Write", + "description": "Deletes the specified reference data source of the application.", + "privilege": "DeleteApplicationReferenceDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns a list of DataSource that match the search criteria in the request", - "privilege": "DescribeDataSources", + "access_level": "Read", + "description": "Describes the specified application.", + "privilege": "DescribeApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Returns a list of DescribeEvaluations that match the search criteria in the request", - "privilege": "DescribeEvaluations", + "access_level": "Read", + "description": "Discovers the input schema for the application.", + "privilege": "DiscoverInputSchema", "resource_types": [ { "condition_keys": [], 
@@ -93613,233 +103767,229 @@ ] }, { - "access_level": "List", - "description": "Returns a list of MLModel that match the search criteria in the request", - "privilege": "DescribeMLModels", + "access_level": "Read", + "description": "Grant permission to Kinesis Data Analytics console to display stream results for Kinesis Data Analytics SQL runtime applications.", + "privilege": "GetApplicationState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "List", - "description": "Describes one or more of the tags for your Amazon ML object", - "privilege": "DescribeTags", + "description": "List applications for the account", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "evaluation" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "mlmodel" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns a BatchPrediction that includes detailed metadata, status, and data file information", - "privilege": "GetBatchPrediction", + "description": "Fetch the tags associated with the application.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns a DataSource that includes metadata and data file information, as well as the current status of the DataSource", - "privilege": "GetDataSource", + "access_level": "Write", + "description": "Starts the application.", + "privilege": "StartApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"datasource*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns an Evaluation that includes metadata as well as the current status of the Evaluation", - "privilege": "GetEvaluation", + "access_level": "Write", + "description": "Stops the application.", + "privilege": "StopApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Returns an MLModel that includes detailed metadata, and data source information as well as the current status of the MLModel", - "privilege": "GetMLModel", + "access_level": "Tagging", + "description": "Add tags to the application.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Generates a prediction for the observation using the specified ML Model", - "privilege": "Predict", + "access_level": "Tagging", + "description": "Remove the specified tags from the application.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates the BatchPredictionName of a BatchPrediction", - "privilege": "UpdateBatchPrediction", + "description": "Updates the application.", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchprediction*" + "resource_type": "application*" } ] + } + ], + "resources": [ + { + "arn": 
"arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + } + ], + "service_name": "Amazon Kinesis Analytics" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value assoicated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tag keys in the request", + "type": "String" + } + ], + "prefix": "kinesisanalytics", + "privileges": [ { "access_level": "Write", - "description": "Updates the DataSourceName of a DataSource", - "privilege": "UpdateDataSource", + "description": "Grants permission to add cloudwatch logging option to the application", + "privilege": "AddApplicationCloudWatchLoggingOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Updates the EvaluationName of an Evaluation", - "privilege": "UpdateEvaluation", + "description": "Grants permission to add input to the application", + "privilege": "AddApplicationInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "evaluation*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Updates the MLModelName and the ScoreThreshold of an MLModel", - "privilege": "UpdateMLModel", + "description": "Grants permission to add input processing configuration to the application", + "privilege": "AddApplicationInputProcessingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "mlmodel*" + "resource_type": "application*" 
} ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:batchprediction/${BatchPredictionId}", - "condition_keys": [], - "resource": "batchprediction" - }, - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:datasource/${DatasourceId}", - "condition_keys": [], - "resource": "datasource" - }, - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:evaluation/${EvaluationId}", - "condition_keys": [], - "resource": "evaluation" }, - { - "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:mlmodel/${MlModelId}", - "condition_keys": [], - "resource": "mlmodel" - } - ], - "service_name": "Amazon Machine Learning" - }, - { - "conditions": [ - { - "condition": "aws:SourceArn", - "description": "Allow access to the specified actions only when the request operates on the specified aws resource", - "type": "Arn" - } - ], - "prefix": "macie", - "privileges": [ { "access_level": "Write", - "description": "Enables the user to associate a specified AWS account with Amazon Macie as a member account.", - "privilege": "AssociateMemberAccount", + "description": "Grants permission to add output to the application", + "privilege": "AddApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Enables the user to associate specified S3 resources with Amazon Macie for monitoring and data classification.", - "privilege": "AssociateS3Resources", + "description": "Grants permission to add reference data source to the application", + "privilege": "AddApplicationReferenceDataSource", "resource_types": [ { - "condition_keys": [ - "aws:SourceArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Enables the user to remove the specified member account from Amazon Macie.", 
- "privilege": "DisassociateMemberAccount", + "description": "Grants permission to add VPC configuration to the application", + "privilege": "AddApplicationVpcConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Enables the user to remove specified S3 resources from being monitored by Amazon Macie.", - "privilege": "DisassociateS3Resources", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", "resource_types": [ { "condition_keys": [ - "aws:SourceArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -93847,199 +103997,153 @@ ] }, { - "access_level": "List", - "description": "Enables the user to list all Amazon Macie member accounts for the current Macie master account.", - "privilege": "ListMemberAccounts", + "access_level": "Read", + "description": "Grants permission to create and return a URL that you can use to connect to an application's extension", + "privilege": "CreateApplicationPresignedUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "List", - "description": "Enables the user to list all the S3 resources associated with Amazon Macie.", - "privilege": "ListS3Resources", + "access_level": "Write", + "description": "Grants permission to create a snapshot for an application", + "privilege": "CreateApplicationSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Enables the user to update the classification types for the specified S3 resources.", - "privilege": "UpdateS3Resources", + "description": "Grants permission to delete the application", + "privilege": "DeleteApplication", "resource_types": [ { - "condition_keys": [ - "aws:SourceArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] - } - ], - "resources": [], - "service_name": "Amazon Macie Classic" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs that are associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" - 
} - ], - "prefix": "macie2", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to accept an Amazon Macie membership invitation", - "privilege": "AcceptInvitation", + "description": "Grants permission to delete the specified cloudwatch logging option of the application", + "privilege": "DeleteApplicationCloudWatchLoggingOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about one or more custom data identifiers", - "privilege": "BatchGetCustomDataIdentifiers", + "access_level": "Write", + "description": "Grants permission to delete the specified input processing configuration of the application", + "privilege": "DeleteApplicationInputProcessingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CustomDataIdentifier*" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to create and define the settings for a classification job", - "privilege": "CreateClassificationJob", + "description": "Grants permission to delete the specified output of the application", + "privilege": "DeleteApplicationOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ClassificationJob*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to create and define the settings for a custom data identifier", - "privilege": "CreateCustomDataIdentifier", + "description": "Grants permission to delete the specified reference data source of the application", + "privilege": "DeleteApplicationReferenceDataSource", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "CustomDataIdentifier*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to create and define the settings for a findings filter", - "privilege": "CreateFindingsFilter", + "description": "Grants permission to delete a snapshot for an application", + "privilege": "DeleteApplicationSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants permission to send an Amazon Macie membership invitation", - "privilege": "CreateInvitations", + "description": "Grants permission to delete the specified VPC configuration of the application", + "privilege": "DeleteApplicationVpcConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to associate an account with an Amazon Macie master account", - "privilege": "CreateMember", + "access_level": "Read", + "description": "Grants permission to describe the specified application", + "privilege": "DescribeApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" - }, + "resource_type": "application*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an application snapshot", + "privilege": "DescribeApplicationSnapshot", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + 
"resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create sample findings", - "privilege": "CreateSampleFindings", + "access_level": "Read", + "description": "Grants permission to describe the application version of an application", + "privilege": "DescribeApplicationVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to decline Amazon Macie membership invitations", - "privilege": "DeclineInvitations", + "access_level": "Read", + "description": "Grants permission to discover the input schema for the application", + "privilege": "DiscoverInputSchema", "resource_types": [ { "condition_keys": [], 
@@ -94049,33 +104153,33 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete a custom data identifier", - "privilege": "DeleteCustomDataIdentifier", + "access_level": "Read", + "description": "Grants permission to list the snapshots for an application", + "privilege": "ListApplicationSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CustomDataIdentifier*" + "resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a findings filter", - "privilege": "DeleteFindingsFilter", + "access_level": "Read", + "description": "Grants permission to list application versions of an application", + "privilege": "ListApplicationVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" + "resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete Amazon Macie membership invitations", - "privilege": "DeleteInvitations", + "access_level": "List", + "description": "Grants permission to list applications for the account", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], 
@@ -94085,309 +104189,372 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete the association between an Amazon Macie master account and an account", - "privilege": "DeleteMember", + "access_level": "Read", + "description": "Grants permission to fetch the tags associated with the application", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve statistical and other data about S3 buckets that Amazon Macie monitors and analyzes", - "privilege": "DescribeBuckets", + "access_level": "Write", + "description": "Grants permission to perform rollback operation on an application", + "privilege": "RollbackApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the status and settings for a classification job", - "privilege": "DescribeClassificationJob", + "access_level": "Write", + "description": "Grants permission to start the application", + "privilege": "StartApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ClassificationJob*" + "resource_type": "application*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the Amazon Macie configuration settings for an AWS organization", - "privilege": "DescribeOrganizationConfiguration", + "access_level": "Write", + "description": "Grants permission to stop the application", + "privilege": "StopApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable an Amazon 
Macie account, which also deletes Macie resources for the account", - "privilege": "DisableMacie", + "access_level": "Tagging", + "description": "Grants permission to add tags to the application", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable an account as a delegated administrator of Amazon Macie for an AWS organization", - "privilege": "DisableOrganizationAdminAccount", + "access_level": "Tagging", + "description": "Grants permission to remove the specified tags from the application", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "application*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants an Amazon Macie member account with permission to disassociate from its master account", - "privilege": "DisassociateFromMasterAccount", + "description": "Grants permission to update the application", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "application*" } ] }, { "access_level": "Write", - "description": "Grants an Amazon Macie master account with permission to disassociate from a member account", - "privilege": "DisassociateMember", + "description": "Grants permission to update the maintenance configuration of an application", + "privilege": "UpdateApplicationMaintenanceConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" + "resource_type": "application*" } ] + } + ], + "resources": [ + { + "arn": 
"arn:${Partition}:kinesisanalytics:${Region}:${Account}:application/${ApplicationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + } + ], + "service_name": "Amazon Kinesis Analytics V2" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters requests based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value assoicated with the stream.", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters requests based on the presence of mandatory tag keys in the request", + "type": "String" + } + ], + "prefix": "kinesisvideo", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to enable and specify the configuration settings for a new Amazon Macie account", - "privilege": "EnableMacie", + "description": "Grants permission to connect as a master to the signaling channel specified by the endpoint", + "privilege": "ConnectAsMaster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable an account as a delegated administrator of Amazon Macie for an AWS organization", - "privilege": "EnableOrganizationAdminAccount", + "description": "Grants permission to connect as a viewer to the signaling channel specified by the endpoint", + "privilege": "ConnectAsViewer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes", - "privilege": "GetBucketStatistics", + "access_level": "Write", + "description": "Grants permission to create a signaling 
channel", + "privilege": "CreateSignalingChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "channel*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the settings for exporting data classification results", - "privilege": "GetClassificationExportConfiguration", + "access_level": "Write", + "description": "Grants permission to create a Kinesis video stream", + "privilege": "CreateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "stream*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the settings for a custom data identifier", - "privilege": "GetCustomDataIdentifier", + "access_level": "Write", + "description": "Grants permission to delete an existing signaling channel", + "privilege": "DeleteSignalingChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "CustomDataIdentifier*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve aggregated statistical data about findings", - "privilege": "GetFindingStatistics", + "access_level": "Write", + "description": "Grants permission to delete an existing Kinesis video stream", + "privilege": "DeleteStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about one or more findings", - "privilege": "GetFindings", + "access_level": "List", + "description": "Grants permission to describe the specified signaling channel", + 
"privilege": "DescribeSignalingChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve information about the settings for a findings filter", - "privilege": "GetFindingsFilter", + "access_level": "List", + "description": "Grants permission to describe the specified Kinesis video stream", + "privilege": "DescribeStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the count of Amazon Macie membership invitations that were received by an account", - "privilege": "GetInvitationsCount", + "description": "Grants permission to get a media clip from a video stream", + "privilege": "GetClip", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the status and configuration settings for an Amazon Macie account", - "privilege": "GetMacieSession", + "description": "Grants permission to create a URL for MPEG-DASH video streaming", + "privilege": "GetDASHStreamingSessionURL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the Amazon Macie master account for an account", - "privilege": "GetMasterAccount", + "description": "Grants permission to get an endpoint for a specified stream for either reading or writing media data to Kinesis Video Streams", + "privilege": "GetDataEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": 
"Read", - "description": "Grants permission to retrieve information about an account that's associated with an Amazon Macie master account", - "privilege": "GetMember", + "description": "Grants permission to create a URL for HLS video streaming", + "privilege": "GetHLSStreamingSessionURL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Member*" + "resource_type": "stream*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve quotas and aggregated usage data for one or more accounts", - "privilege": "GetUsageStatistics", + "description": "Grants permission to get the ICE server configuration", + "privilege": "GetIceServerConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve aggregated usage data for an account", - "privilege": "GetUsageTotals", + "description": "Grants permission to return media content of a Kinesis video stream", + "privilege": "GetMedia", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about the status and settings for one or more classification jobs", - "privilege": "ListClassificationJobs", + "access_level": "Read", + "description": "Grants permission to read and return media data only from persisted storage", + "privilege": "GetMediaForFragmentList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about all custom data identifiers", - "privilege": "ListCustomDataIdentifiers", + "access_level": "Read", + "description": "Grants permission to get endpoints for a specified combination of protocol 
and role for a signaling channel", + "privilege": "GetSignalingChannelEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a subset of information about one or more findings", - "privilege": "ListFindings", + "description": "Grants permission to list the fragments from archival storage based on the pagination token or selector type with range specified", + "privilege": "ListFragments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve information about all findings filters", - "privilege": "ListFindingsFilters", + "description": "Grants permission to list your signaling channels", + "privilege": "ListSignalingChannels", "resource_types": [ { "condition_keys": [], @@ -94398,8 +104565,8 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve information about all the Amazon Macie membership invitations that were received by an account", - "privilege": "ListInvitations", + "description": "Grants permission to list your Kinesis video streams", + "privilege": "ListStreams", "resource_types": [ { "condition_keys": [], 
@@ -94409,58 +104576,73 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about all the accounts that are associated with an Amazon Macie master account", - "privilege": "ListMembers", + "access_level": "Read", + "description": "Grants permission to fetch the tags associated with your resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about the delegated, Amazon Macie administrator account for an AWS organization", - "privilege": "ListOrganizationAdminAccounts", + "access_level": "Read", + "description": "Grants permission to fetch the tags associated with Kinesis video stream", + "privilege": "ListTagsForStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the tags for an Amazon Macie resource or member account", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to send media data to a Kinesis video stream", + "privilege": "PutMedia", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants permission to create or update the settings for exporting data classification results", - "privilege": "PutClassificationExportConfiguration", + "description": "Grants permission to send the Alexa SDP offer to the master", + "privilege": "SendAlexaOfferToMaster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": 
"Tagging", - "description": "Grants permission to add or update the tags for an Amazon Macie resource or member account", + "description": "Grants permission to attach set of tags to your resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -94472,24 +104654,18 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to test a custom data identifier", - "privilege": "TestCustomDataIdentifier", + "access_level": "Tagging", + "description": "Grants permission to attach set of tags to your Kinesis video streams", + "privilege": "TagStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to remove tags from an Amazon Macie resource or member account", - "privilege": "UntagResource", - "resource_types": [ + "resource_type": "stream*" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -94498,18 +104674,22 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a classification job", - "privilege": "UpdateClassificationJob", + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from your resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ClassificationJob*" + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -94518,18 +104698,17 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update the settings for a findings filter", - "privilege": "UpdateFindingsFilter", + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from your Kinesis video streams", + "privilege": "UntagStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FindingsFilter*" + "resource_type": "stream*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -94539,440 +104718,498 @@ }, { "access_level": "Write", - "description": "Grants permission to suspend or re-enable an Amazon Macie account, or update the configuration settings for a Macie account", - "privilege": "UpdateMacieSession", + "description": "Grants permission to update the data retention period of your Kinesis video stream", + "privilege": "UpdateDataRetention", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] }, { "access_level": "Write", - "description": "Grants an Amazon Macie master account with permission to suspend or re-enable a member account", - "privilege": "UpdateMemberSession", + "description": "Grants permission to update an existing signaling channel", + "privilege": "UpdateSignalingChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to update Amazon Macie configuration settings for an AWS organization", - "privilege": "UpdateOrganizationConfiguration", + "description": "Grants permission to update an existing Kinesis video stream", + "privilege": "UpdateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stream*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:classification-job/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ClassificationJob" - }, - { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:custom-data-identifier/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "CustomDataIdentifier" - }, - { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:findings-filter/${ResourceId}", + "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:stream/${StreamName}/${CreationTime}", "condition_keys": [ "aws:ResourceTag/${TagKey}" 
], - "resource": "FindingsFilter" + "resource": "stream" }, { - "arn": "arn:${Partition}:macie2:${Region}:${Account}:member/${ResourceId}", + "arn": "arn:${Partition}:kinesisvideo:${Region}:${Account}:channel/${ChannelName}/${CreationTime}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Member" + "resource": "channel" } ], - "service_name": "Amazon Macie" + "service_name": "Amazon Kinesis Video Streams" }, { - "conditions": [], - "prefix": "managedblockchain", - "privileges": [ + "conditions": [ { - "access_level": "Write", - "description": "Grants permission to create a member of an Amazon Managed Blockchain network.", - "privilege": "CreateMember", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network*" - } - ] + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to create an Amazon Managed Blockchain network.", - "privilege": "CreateNetwork", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "kms:BypassPolicyLockoutSafetyCheck", + "description": "Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request", + "type": "Bool" }, { - "access_level": "Write", - "description": "Grants permission to create a node within a member of an Amazon Managed Blockchain network.", - "privilege": "CreateNode", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "member" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network" - } - ] + "condition": "kms:CallerAccount", + "description": "Filters access to specified AWS KMS operations based on the AWS account ID of the caller. 
You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to create a proposal that other blockchain network members can vote on to add or remove a member in an Amazon Managed Blockchain network.", - "privilege": "CreateProposal", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network*" - } - ] + "condition": "kms:CustomerMasterKeySpec", + "description": "The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key.", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to delete a member and all associated resources from an Amazon Managed Blockchain network.", - "privilege": "DeleteMember", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "member*" - } - ] + "condition": "kms:CustomerMasterKeyUsage", + "description": "The kms:CustomerMasterKeyUsage condition key is deprecated. 
Instead, use the kms:KeyUsage condition key.", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to delete a node from a member of an Amazon Managed Blockchain network.", - "privilege": "DeleteNode", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "node*" - } - ] + "condition": "kms:DataKeyPairSpec", + "description": "Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request", + "type": "String" }, { - "access_level": "Read", - "description": "Grants permission to return detailed information about a member of an Amazon Managed Blockchain network.", - "privilege": "GetMember", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "member*" - } - ] + "condition": "kms:EncryptionAlgorithm", + "description": "Filters access to encryption operations based on the value of the encryption algorithm in the request", + "type": "String" }, { - "access_level": "Read", - "description": "Grants permission to return detailed information about an Amazon Managed Blockchain network.", - "privilege": "GetNetwork", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "network*" - } - ] + "condition": "kms:EncryptionContextKeys", + "description": "Filters access based on the presence of specified keys in the encryption context. 
The encryption context is an optional element in a cryptographic operation", + "type": "ArrayOfString" }, { - "access_level": "Read", - "description": "Grants permission to return detailed information about a node within a member of an Amazon Managed Blockchain network.", - "privilege": "GetNode", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "node*" - } - ] + "condition": "kms:ExpirationModel", + "description": "Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request", + "type": "String" }, { - "access_level": "Read", - "description": "Grants permission to return detailed information about a proposal of an Amazon Managed Blockchain network.", - "privilege": "GetProposal", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proposal*" - } - ] + "condition": "kms:GrantConstraintType", + "description": "Filters access to the CreateGrant operation based on the grant constraint in the request", + "type": "String" }, { - "access_level": "List", - "description": "Grants permission to list the invitations extended to the active AWS account from any Managed Blockchain network.", - "privilege": "ListInvitations", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "kms:GrantIsForAWSResource", + "description": "Filters access to the CreateGrant operation when the request comes from a specified AWS service", + "type": "Bool" }, { - "access_level": "List", - "description": "Grants permission to list the members of an Amazon Managed Blockchain network and the properties of their memberships.", - "privilege": "ListMembers", + "condition": "kms:GrantOperations", + "description": "Filters access to the CreateGrant operation based on the operations in the grant", + "type": "ArrayOfString" + }, + { + "condition": "kms:GranteePrincipal", + "description": 
"Filters access to the CreateGrant operation based on the grantee principal in the grant", + "type": "String" + }, + { + "condition": "kms:KeyOrigin", + "description": "Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key", + "type": "String" + }, + { + "condition": "kms:KeySpec", + "description": "Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "String" + }, + { + "condition": "kms:KeyUsage", + "description": "Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "String" + }, + { + "condition": "kms:MessageType", + "description": "Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request", + "type": "String" + }, + { + "condition": "kms:MultiRegion", + "description": "Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "Bool" + }, + { + "condition": "kms:MultiRegionKeyType", + "description": "Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. 
Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource", + "type": "String" + }, + { + "condition": "kms:PrimaryRegion", + "description": "Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request", + "type": "String" + }, + { + "condition": "kms:ReEncryptOnSameKey", + "description": "Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation", + "type": "Bool" + }, + { + "condition": "kms:ReplicaRegion", + "description": "Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request", + "type": "String" + }, + { + "condition": "kms:RequestAlias", + "description": "Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request", + "type": "String" + }, + { + "condition": "kms:ResourceAliases", + "description": "Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key", + "type": "ArrayOfString" + }, + { + "condition": "kms:RetiringPrincipal", + "description": "Filters access to the CreateGrant operation based on the retiring principal in the grant", + "type": "String" + }, + { + "condition": "kms:SigningAlgorithm", + "description": "Filters access to the Sign and Verify operations based on the signing algorithm in the request", + "type": "String" + }, + { + "condition": "kms:ValidTo", + "description": "Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. 
You can use this condition key to allow users to import key material only when it expires by the specified date", + "type": "Date" + }, + { + "condition": "kms:ViaService", + "description": "Filters access when a request made on the principal's behalf comes from a specified AWS service", + "type": "String" + }, + { + "condition": "kms:WrappingAlgorithm", + "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request", + "type": "String" + }, + { + "condition": "kms:WrappingKeySpec", + "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request", + "type": "String" + } + ], + "prefix": "kms", + "privileges": [ + { + "access_level": "Write", + "description": "Controls permission to cancel the scheduled deletion of an AWS KMS key", + "privilege": "CancelKeyDeletion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "network*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about the Amazon Managed Blockchain networks in which the current AWS account has members.", - "privilege": "ListNetworks", + "access_level": "Write", + "description": "Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster", + "privilege": "ConnectCustomKeyStore", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the nodes within a member of an Amazon Managed Blockchain network.", - "privilege": "ListNodes", + "access_level": "Write", + "description": "Controls permission to create an alias for an 
AWS KMS key. Aliases are optional friendly names that you can associate with KMS keys", + "privilege": "CreateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "member" + "resource_type": "alias*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "network" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all votes for a proposal, including the value of the vote and the unique identifier of the member that cast the vote for the given Amazon Managed Blockchain network.", - "privilege": "ListProposalVotes", + "access_level": "Write", + "description": "Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage", + "privilege": "CreateCustomKeyStore", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proposal*" + "condition_keys": [ + "kms:CallerAccount" + ], + "dependent_actions": [ + "cloudhsm:DescribeClusters", + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list proposals for the given Amazon Managed Blockchain network.", - "privilege": "ListProposals", + "access_level": "Permissions management", + "description": "Controls permission to add a grant to an AWS KMS key. 
You can use grants to add permissions without changing the key policy or IAM policy", + "privilege": "CreateGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "network*" + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:GrantConstraintType", + "kms:GrantIsForAWSResource", + "kms:ViaService" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to reject the invitation to join the blockchain network.", - "privilege": "RejectInvitation", + "description": "Controls permission to create an AWS KMS key that can be used to protect data keys and other sensitive information", + "privilege": "CreateKey", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "invitation*" + "condition_keys": [ + "kms:BypassPolicyLockoutSafetyCheck", + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "kms:PutKeyPolicy", + "kms:TagResource" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a member of an Amazon Managed Blockchain network.", - "privilege": "UpdateMember", + "description": "Controls permission to decrypt ciphertext that was encrypted under an AWS KMS key", + "privilege": "Decrypt", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" + "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" ], - "resource_type": "member*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a node from a member of an Amazon Managed Blockchain network.", - "privilege": "UpdateNode", + "description": "Controls permission to delete 
an alias. Aliases are optional friendly names that you can associate with AWS KMS keys", + "privilege": "DeleteAlias", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" + "dependent_actions": [], + "resource_type": "alias*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" ], - "resource_type": "node*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to cast a vote for a proposal on behalf of the blockchain network member specified.", - "privilege": "VoteOnProposal", + "description": "Controls permission to delete a custom key store", + "privilege": "DeleteCustomKeyStore", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], - "resource_type": "proposal*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:managedblockchain:${Region}::networks/${NetworkId}", - "condition_keys": [], - "resource": "network" - }, - { - "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:members/${MemberId}", - "condition_keys": [], - "resource": "member" - }, - { - "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:nodes/${NodeId}", - "condition_keys": [], - "resource": "node" }, - { - "arn": "arn:${Partition}:managedblockchain:${Region}::proposals/${ProposalId}", - "condition_keys": [], - "resource": "proposal" - }, - { - "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:invitations/${InvitationId}", - "condition_keys": [], - "resource": "invitation" - } - ], - "service_name": "Amazon Managed Blockchain" - }, - { - "conditions": [], - "prefix": "marketplacecommerceanalytics", - "privileges": [ { "access_level": "Write", - "description": "Request a data set to be published to your Amazon S3 bucket.", - "privilege": 
"GenerateDataSet", + "description": "Controls permission to delete cryptographic material that you imported into an AWS KMS key. This action makes the key unusable", + "privilege": "DeleteImportedKeyMaterial", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Request a support data set to be published to your Amazon S3 bucket.", - "privilege": "StartSupportDataExport", + "access_level": "Read", + "description": "Controls permission to view detailed information about custom key stores in the account and region", + "privilege": "DescribeCustomKeyStores", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS Marketplace Commerce Analytics Service" - }, - { - "conditions": [], - "prefix": "mechanicalturk", - "privileges": [ + }, { - "access_level": "Write", - "description": "The AcceptQualificationRequest operation grants a Worker's request for a Qualification", - "privilege": "AcceptQualificationRequest", + "access_level": "Read", + "description": "Controls permission to view detailed information about an AWS KMS key", + "privilege": "DescribeKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The ApproveAssignment operation approves the results of a completed assignment", - "privilege": "ApproveAssignment", + "description": "Controls permission to disable an AWS KMS key, which prevents it from being used in cryptographic operations", + "privilege": "DisableKey", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The AssociateQualificationWithWorker operation gives a Worker a Qualification", - "privilege": "AssociateQualificationWithWorker", + "description": "Controls permission to disable automatic rotation of a customer managed AWS KMS key", + "privilege": "DisableKeyRotation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateAdditionalAssignmentsForHIT operation increases the maximum number of assignments of an existing HIT", - "privilege": "CreateAdditionalAssignmentsForHIT", + "description": "Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster", + "privilege": "DisconnectCustomKeyStore", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], "resource_type": "" } 
@@ -94980,92 +105217,165 @@ }, { "access_level": "Write", - "description": "The CreateHIT operation creates a new HIT (Human Intelligence Task)", - "privilege": "CreateHIT", + "description": "Controls permission to change the state of an AWS KMS key to enabled. This allows the KMS key to be used in cryptographic operations", + "privilege": "EnableKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateHITType operation creates a new HIT type", - "privilege": "CreateHITType", + "description": "Controls permission to enable automatic rotation of the cryptographic material in an AWS KMS key", + "privilege": "EnableKeyRotation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateHITWithHITType operation creates a new Human Intelligence Task (HIT) using an existing HITTypeID generated by the CreateHITType operation", - "privilege": "CreateHITWithHITType", + "description": "Controls permission to use the specified AWS KMS key to encrypt data and data keys", + "privilege": "Encrypt", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateQualificationType operation creates a new Qualification type, which is represented by a QualificationType data structure", - "privilege": "CreateQualificationType", + 
"description": "Controls permission to use the AWS KMS key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS", + "privilege": "GenerateDataKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateWorkerBlock operation allows you to prevent a Worker from working on your HITs", - "privilege": "CreateWorkerBlock", + "description": "Controls permission to use the AWS KMS key to generate data key pairs", + "privilege": "GenerateDataKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:DataKeyPairSpec", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteHIT operation disposes of a HIT that is no longer needed", - "privilege": "DeleteHIT", + "description": "Controls permission to use the AWS KMS key to generate data key pairs. 
Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy", + "privilege": "GenerateDataKeyPairWithoutPlaintext", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:DataKeyPairSpec", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteQualificationType disposes a Qualification type and disposes any HIT types that are associated with the Qualification type", - "privilege": "DeleteQualificationType", + "description": "Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key", + "privilege": "GenerateDataKeyWithoutPlaintext", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The DeleteWorkerBlock operation allows you to reinstate a blocked Worker to work on your HITs", - "privilege": "DeleteWorkerBlock", + "description": "Controls permission to get a cryptographically secure random byte string from AWS KMS", + "privilege": "GenerateRandom", "resource_types": [ { "condition_keys": [], 
@@ -95075,69 +105385,114 @@ ] }, { - "access_level": "Write", - "description": "The DisassociateQualificationFromWorker revokes a previously granted Qualification from a user", - "privilege": "DisassociateQualificationFromWorker", + "access_level": "Read", + "description": "Controls permission to view the key policy for the specified AWS KMS key", + "privilege": "GetKeyPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "The GetAccountBalance operation retrieves the amount of money in your Amazon Mechanical Turk account", - "privilege": "GetAccountBalance", + "description": "Controls permission to determine whether automatic key rotation is enabled on the AWS KMS key", + "privilege": "GetKeyRotationStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "The GetAssignment retrieves an assignment with an AssignmentStatus value of Submitted, Approved, or Rejected, using the assignment's ID", - "privilege": "GetAssignment", + "description": "Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token", + "privilege": "GetParametersForImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService", + "kms:WrappingAlgorithm", + "kms:WrappingKeySpec" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "The GetFileUploadURL operation generates and returns a temporary URL", - 
"privilege": "GetFileUploadURL", + "description": "Controls permission to download the public key of an asymmetric AWS KMS key", + "privilege": "GetPublicKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "The GetHIT operation retrieves the details of the specified HIT", - "privilege": "GetHIT", + "access_level": "Write", + "description": "Controls permission to import cryptographic material into an AWS KMS key", + "privilege": "ImportKeyMaterial", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ExpirationModel", + "kms:ValidTo", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "The GetQualificationScore operation returns the value of a Worker's Qualification for a given Qualification type", - "privilege": "GetQualificationScore", + "access_level": "List", + "description": "Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with AWS KMS keys", + "privilege": "ListAliases", "resource_types": [ { "condition_keys": [], 
@@ -95147,33 +105502,50 @@ ] }, { - "access_level": "Read", - "description": "The GetQualificationType operation retrieves information about a Qualification type using its ID", - "privilege": "GetQualificationType", + "access_level": "List", + "description": "Controls permission to view all grants for an AWS KMS key", + "privilege": "ListGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:GrantIsForAWSResource", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "The ListAssignmentsForHIT operation retrieves completed assignments for a HIT", - "privilege": "ListAssignmentsForHIT", + "description": "Controls permission to view the names of key policies for an AWS KMS key", + "privilege": "ListKeyPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "The ListBonusPayments operation retrieves the amounts of bonuses you have paid to Workers for a given HIT or assignment", - "privilege": "ListBonusPayments", + "description": "Controls permission to view the key ID and Amazon Resource Name (ARN) of all AWS KMS keys in the account", + "privilege": "ListKeys", "resource_types": [ { "condition_keys": [], 
@@ -95184,179 +105556,293 @@ }, { "access_level": "List", - "description": "The ListHITs operation returns all of a Requester's HITs", - "privilege": "ListHITs", + "description": "Controls permission to view all tags that are attached to an AWS KMS key", + "privilege": "ListResourceTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "The ListHITsForQualificationType operation returns the HITs that use the given QualififcationType for a QualificationRequirement", - "privilege": "ListHITsForQualificationType", + "description": "Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants", + "privilege": "ListRetirableGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "key*" } ] }, { - "access_level": "List", - "description": "The ListQualificationRequests operation retrieves requests for Qualifications of a particular Qualification type", - "privilege": "ListQualificationRequests", + "access_level": "Permissions management", + "description": "Controls permission to replace the key policy for the specified AWS KMS key", + "privilege": "PutKeyPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:BypassPolicyLockoutSafetyCheck", + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "The ListQualificationTypes operation searches for Qualification types using the specified search query, and returns a list of Qualification types", - "privilege": 
"ListQualificationTypes", + "access_level": "Write", + "description": "Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", + "privilege": "ReEncryptFrom", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:ReEncryptOnSameKey", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "The ListReviewPolicyResultsForHIT operation retrieves the computed results and the actions taken in the course of executing your Review Policies during a CreateHIT operation", - "privilege": "ListReviewPolicyResultsForHIT", + "access_level": "Write", + "description": "Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", + "privilege": "ReEncryptTo", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:EncryptionAlgorithm", + "kms:EncryptionContextKeys", + "kms:ReEncryptOnSameKey", + "kms:RequestAlias", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "The ListReviewableHITs operation returns all of a Requester's HITs that have not been approved or rejected", - "privilege": "ListReviewableHITs", + "access_level": "Write", + "description": "Controls permission to replicate a multi-Region primary key", + "privilege": "ReplicateKey", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole", + "kms:CreateKey", + "kms:PutKeyPolicy", + "kms:TagResource" + ], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ReplicaRegion", + "kms:ViaService" + ], "dependent_actions": [], 
"resource_type": "" } ] }, { - "access_level": "List", - "description": "The ListWorkersBlocks operation retrieves a list of Workers who are blocked from working on your HITs", - "privilege": "ListWorkerBlocks", + "access_level": "Permissions management", + "description": "Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform", + "privilege": "RetireGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "key*" } ] }, { - "access_level": "List", - "description": "The ListWorkersWithQualificationType operation returns all of the Workers with a given Qualification type", - "privilege": "ListWorkersWithQualificationType", + "access_level": "Permissions management", + "description": "Controls permission to revoke a grant, which denies permission for all operations that depend on the grant", + "privilege": "RevokeGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:GrantIsForAWSResource", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The NotifyWorkers operation sends an email to one or more Workers that you specify with the Worker ID", - "privilege": "NotifyWorkers", + "description": "Controls permission to schedule deletion of an AWS KMS key", + "privilege": "ScheduleKeyDeletion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The RejectAssignment operation rejects the results of a completed assignment", - "privilege": "RejectAssignment", + "description": "Controls permission to produce 
a digital signature for a message", + "privilege": "Sign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:MessageType", + "kms:RequestAlias", + "kms:SigningAlgorithm", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The RejectQualificationRequest operation rejects a user's request for a Qualification", - "privilege": "RejectQualificationRequest", + "description": "Controls access to internal APIs that synchronize multi-Region keys", + "privilege": "SynchronizeMultiRegionKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "key*" } ] }, { - "access_level": "Write", - "description": "The SendBonus operation issues a payment of money from your account to a Worker", - "privilege": "SendBonus", + "access_level": "Tagging", + "description": "Controls permission to create or update tags that are attached to an AWS KMS key", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "The SendTestEventNotification operation causes Amazon Mechanical Turk to send a notification message as if a HIT event occurred, according to the provided notification specification", - "privilege": "SendTestEventNotification", + "access_level": "Tagging", + "description": "Controls permission to delete tags that are attached to an AWS KMS key", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { 
"access_level": "Write", - "description": "The UpdateExpirationForHIT operation allows you extend the expiration time of a HIT beyond is current expiration or expire a HIT immediately", - "privilege": "UpdateExpirationForHIT", + "description": "Controls permission to associate an alias with a different AWS KMS key. An alias is an optional friendly name that you can associate with a KMS key", + "privilege": "UpdateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "alias*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The UpdateHITReviewStatus operation toggles the status of a HIT", - "privilege": "UpdateHITReviewStatus", + "description": "Controls permission to change the properties of a custom key store", + "privilege": "UpdateCustomKeyStore", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "kms:CallerAccount" + ], "dependent_actions": [], "resource_type": "" } 
@@ -95364,52 +105850,91 @@ }, { "access_level": "Write", - "description": "The UpdateHITTypeOfHIT operation allows you to change the HITType properties of a HIT", - "privilege": "UpdateHITTypeOfHIT", + "description": "Controls permission to delete or change the description of an AWS KMS key", + "privilege": "UpdateKeyDescription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The UpdateNotificationSettings operation creates, updates, disables or re-enables notifications for a HIT type", - "privilege": "UpdateNotificationSettings", + "description": "Controls permission to update the primary Region of a multi-Region primary key", + "privilege": "UpdatePrimaryRegion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:PrimaryRegion", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "The UpdateQualificationType operation modifies the attributes of an existing Qualification type, which is represented by a QualificationType data structure", - "privilege": "UpdateQualificationType", + "description": "Controls permission to use the specified AWS KMS key to verify digital signatures", + "privilege": "Verify", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "key*" + }, + { + "condition_keys": [ + "kms:CallerAccount", + "kms:MessageType", + "kms:RequestAlias", + "kms:SigningAlgorithm", + "kms:ViaService" + ], + "dependent_actions": [], "resource_type": "" } ] } ], - "resources": [], - "service_name": "Amazon Mechanical Turk" + "resources": [ + { + "arn": "arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}", + "condition_keys": [], + 
"resource": "alias" + }, + { + "arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}", + "condition_keys": [], + "resource": "key" + } + ], + "service_name": "AWS Key Management Service" }, { "conditions": [], - "prefix": "mediaconnect", + "prefix": "lakeformation", "privileges": [ { - "access_level": "Write", - "description": "Grants permission to add outputs to any flow.", - "privilege": "AddFlowOutputs", + "access_level": "Permissions management", + "description": "Grants data lake permissions to one or more principals in a batch.", + "privilege": "BatchGrantPermissions", "resource_types": [ { "condition_keys": [], @@ -95419,9 +105944,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create flows.", - "privilege": "CreateFlow", + "access_level": "Permissions management", + "description": "Revokes data lake permissions from one or more principals in a batch.", + "privilege": "BatchRevokePermissions", "resource_types": [ { "condition_keys": [], @@ -95432,8 +105957,8 @@ }, { "access_level": "Write", - "description": "Grants permission to delete flows.", - "privilege": "DeleteFlow", + "description": "Deregisters a registered location.", + "privilege": "DeregisterResource", "resource_types": [ { "condition_keys": [], @@ -95444,8 +105969,8 @@ }, { "access_level": "Read", - "description": "Grants permission to display the details of a flow including the flow ARN, name, and Availability Zone, as well as details about the source, outputs, and entitlements.", - "privilege": "DescribeFlow", + "description": "Describes a registered location.", + "privilege": "DescribeResource", "resource_types": [ { "condition_keys": [], @@ -95456,8 +105981,8 @@ }, { "access_level": "Write", - "description": "Grants permission to grant entitlements on any flow.", - "privilege": "GrantFlowEntitlements", + "description": "Grants virtual data lake access permissions.", + "privilege": "GetDataAccess", "resource_types": [ { "condition_keys": [], 
@@ -95467,9 +105992,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to display a list of all entitlements that have been granted to the account.", - "privilege": "ListEntitlements", + "access_level": "Read", + "description": "Retrieves data lake settings such as the list of data lake administrators and database and table default permissions.", + "privilege": "GetDataLakeSettings", "resource_types": [ { "condition_keys": [], @@ -95479,9 +106004,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to display a list of flows that are associated with this account.", - "privilege": "ListFlows", + "access_level": "Read", + "description": "Retrieves permissions attached to resources in the given path.", + "privilege": "GetEffectivePermissionsForPath", "resource_types": [ { "condition_keys": [], @@ -95491,9 +106016,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove outputs from any flow.", - "privilege": "RemoveFlowOutput", + "access_level": "Permissions management", + "description": "Grants data lake permissions to a principal.", + "privilege": "GrantPermissions", "resource_types": [ { "condition_keys": [], @@ -95503,9 +106028,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to revoke entitlements on any flow.", - "privilege": "RevokeFlowEntitlement", + "access_level": "List", + "description": "Lists permissions filtered by principal or resource.", + "privilege": "ListPermissions", "resource_types": [ { "condition_keys": [], @@ -95515,9 +106040,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to start flows.", - "privilege": "StartFlow", + "access_level": "List", + "description": "Lists registered locations.", + "privilege": "ListResources", "resource_types": [ { "condition_keys": [], 
@@ -95527,9 +106052,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to stop flows.", - "privilege": "StopFlow", + "access_level": "Permissions management", + "description": "Overwrites data lake settings such as the list of data lake administrators and database and table default permissions.", + "privilege": "PutDataLakeSettings", "resource_types": [ { "condition_keys": [], @@ -95540,8 +106065,8 @@ }, { "access_level": "Write", - "description": "Grants permission to update entitlements on any flow.", - "privilege": "UpdateFlowEntitlement", + "description": "Registers a new location to be managed by Lake Formation.", + "privilege": "RegisterResource", "resource_types": [ { "condition_keys": [], @@ -95551,9 +106076,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update outputs on any flow.", - "privilege": "UpdateFlowOutput", + "access_level": "Permissions management", + "description": "Revokes data lake permissions from a principal.", + "privilege": "RevokePermissions", "resource_types": [ { "condition_keys": [], @@ -95564,8 +106089,8 @@ }, { "access_level": "Write", - "description": "Grants permission to update the source of any flow.", - "privilege": "UpdateFlowSource", + "description": "Updates a registered location.", + "privilege": "UpdateResource", "resource_types": [ { "condition_keys": [], 
@@ -95575,130 +106100,112 @@ ] } ], - "resources": [ + "resources": [], + "service_name": "AWS Lake Formation" + }, + { + "conditions": [ { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:entitlement:${FlowId}:${EntitlementName}", - "condition_keys": [], - "resource": "Entitlement" + "condition": "lambda:CodeSigningConfigArn", + "description": "Filters access by the ARN of an AWS Lambda code signing config", + "type": "String" }, { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:flow:${FlowId}:${FlowName}", - "condition_keys": [], - "resource": "Flow" + "condition": "lambda:FunctionArn", + "description": "Filters access by the ARN of an AWS Lambda function", + "type": "ARN" }, { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:output:${OutputId}:${OutputName}", - "condition_keys": [], - "resource": "Output" + "condition": "lambda:Layer", + "description": "Filters access by the ARN of a version of an AWS Lambda layer", + "type": "String" }, { - "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:source:${SourceId}:${SourceName}", - "condition_keys": [], - "resource": "Source" - } - ], - "service_name": "AWS Elemental MediaConnect" - }, - { - "conditions": [ + "condition": "lambda:Principal", + "description": "Filters access by restricting the AWS service or account that can invoke a function", + "type": "String" + }, { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "condition": "lambda:SecurityGroupIds", + "description": "Filters access by the ID of security groups configured for the AWS Lambda function", "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "condition": "lambda:SubnetIds", + "description": "Filters access by the ID of subnets configured for the AWS Lambda function", "type": "String" }, { - "condition": 
"aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "condition": "lambda:VpcIds", + "description": "Filters access by the ID of the VPC configured for the AWS Lambda function", "type": "String" } ], - "prefix": "mediaconvert", + "prefix": "lambda", "privileges": [ { - "access_level": "Write", - "description": "Grants permission to associate an AWS Certificate Manager (ACM) Amazon Resource Name (ARN) with AWS Elemental MediaConvert.", - "privilege": "AssociateCertificate", + "access_level": "Permissions management", + "description": "Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer", + "privilege": "AddLayerVersionPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "layerVersion*" } ] }, { - "access_level": "Write", - "description": "Grants permission to cancel an AWS Elemental MediaConvert job that is waiting in queue", - "privilege": "CancelJob", + "access_level": "Permissions management", + "description": "Grants permission to give an AWS service or another account permission to use an AWS Lambda function", + "privilege": "AddPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:Principal" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create and submit an AWS Elemental MediaConvert job", - "privilege": "CreateJob", + "description": "Grants permission to create an alias for a Lambda function version", + "privilege": "CreateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Preset" - }, - { - "condition_keys": [], - "dependent_actions": [], - 
"resource_type": "Queue" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Elemental MediaConvert custom job template", - "privilege": "CreateJobTemplate", + "description": "Grants permission to create an AWS Lambda code signing config", + "privilege": "CreateCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Queue" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "code signing config*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Elemental MediaConvert custom output preset", - "privilege": "CreatePreset", + "description": "Grants permission to create a mapping between an event source and an AWS Lambda function", + "privilege": "CreateEventSourceMapping", "resource_types": [ { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "lambda:FunctionArn" ], "dependent_actions": [], "resource_type": "" @@ -95707,13 +106214,21 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS Elemental MediaConvert job queue", - "privilege": "CreateQueue", + "description": "Grants permission to create an AWS Lambda function", + "privilege": "CreateFunction", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "function*" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "lambda:Layer", + "lambda:VpcIds", + "lambda:SubnetIds", + "lambda:SecurityGroupIds", + "lambda:CodeSigningConfigArn" ], "dependent_actions": [], "resource_type": "" 
@@ -95722,140 +106237,152 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Elemental MediaConvert custom job template", - "privilege": "DeleteJobTemplate", + "description": "Grants permission to delete an AWS Lambda function alias", + "privilege": "DeleteAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Elemental MediaConvert custom output preset", - "privilege": "DeletePreset", + "description": "Grants permission to delete an AWS Lambda code signing config", + "privilege": "DeleteCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset*" + "resource_type": "code signing config*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an AWS Elemental MediaConvert job queue", - "privilege": "DeleteQueue", + "description": "Grants permission to delete an AWS Lambda event source mapping", + "privilege": "DeleteEventSourceMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue*" + "resource_type": "eventSourceMapping*" + }, + { + "condition_keys": [ + "lambda:FunctionArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to subscribe to the AWS Elemental MediaConvert service, by sending a request for an account-specific endpoint. 
All transcoding requests must be sent to the endpoint that the service returns.", - "privilege": "DescribeEndpoints", + "access_level": "Write", + "description": "Grants permission to delete an AWS Lambda function", + "privilege": "DeleteFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove an association between the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate and an AWS Elemental MediaConvert resource.", - "privilege": "DisassociateCertificate", + "description": "Grants permission to detach a code signing config from an AWS Lambda function", + "privilege": "DeleteFunctionCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert job", - "privilege": "GetJob", + "access_level": "Write", + "description": "Grants permission to remove a concurrent execution limit from an AWS Lambda function", + "privilege": "DeleteFunctionConcurrency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Job*" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert job template", - "privilege": "GetJobTemplate", + "access_level": "Write", + "description": "Grants permission to delete the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", + "privilege": "DeleteFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate*" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert output preset", - "privilege": 
"GetPreset", + "access_level": "Write", + "description": "Grants permission to delete a version of an AWS Lambda layer", + "privilege": "DeleteLayerVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset*" + "resource_type": "layerVersion*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an AWS Elemental MediaConvert job queue", - "privilege": "GetQueue", + "access_level": "Write", + "description": "Grants permission to delete the provisioned concurrency configuration for an AWS Lambda function", + "privilege": "DeleteProvisionedConcurrencyConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue*" + "resource_type": "function alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "function version" } ] }, { - "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert job templates", - "privilege": "ListJobTemplates", + "access_level": "Permissions management", + "description": "Grants permission to disable replication for a Lambda@Edge function", + "privilege": "DisableReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert jobs", - "privilege": "ListJobs", + "access_level": "Permissions management", + "description": "Grants permission to enable replication for a Lambda@Edge function", + "privilege": "EnableReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue" + "resource_type": "function*" } ] }, { - "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert output presets", - "privilege": "ListPresets", + "access_level": "Read", + "description": "Grants permission to view details about an account's 
limits and usage in an AWS Region", + "privilege": "GetAccountSettings", "resource_types": [ { "condition_keys": [], @@ -95865,63 +106392,42 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list AWS Elemental MediaConvert job queues", - "privilege": "ListQueues", + "access_level": "Read", + "description": "Grants permission to view details about an AWS Lambda function alias", + "privilege": "GetAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the tags for a MediaConvert queue, preset, or job template", - "privilege": "ListTagsForResource", + "description": "Grants permission to view details about an AWS Lambda code signing config", + "privilege": "GetCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Preset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Queue" + "resource_type": "code signing config*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a MediaConvert queue, preset, or job template", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to view details about an AWS Lambda event source mapping", + "privilege": "GetEventSourceMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Preset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Queue" + "resource_type": "eventSourceMapping*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "lambda:FunctionArn" ], "dependent_actions": [], "resource_type": "" 
@@ -95929,492 +106435,316 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a MediaConvert queue, preset, or job template", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to view details about an AWS Lambda function", + "privilege": "GetFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Preset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Queue" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an AWS Elemental MediaConvert custom job template", - "privilege": "UpdateJobTemplate", + "access_level": "Read", + "description": "Grants permission to view the code signing config arn attached to an AWS Lambda function", + "privilege": "GetFunctionCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "JobTemplate*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Preset" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Queue" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an AWS Elemental MediaConvert custom output preset", - "privilege": "UpdatePreset", + "access_level": "Read", + "description": "Grants permission to view details about the reserved concurrency configuration for a function", + "privilege": "GetFunctionConcurrency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Preset*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an AWS Elemental MediaConvert 
job queue", - "privilege": "UpdateQueue", + "access_level": "Read", + "description": "Grants permission to view details about the version-specific settings of an AWS Lambda function or version", + "privilege": "GetFunctionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Queue*" + "resource_type": "function*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobs/${JobId}", - "condition_keys": [], - "resource": "Job" - }, - { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:queues/${QueueName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Queue" - }, - { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:presets/${PresetName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Preset" - }, - { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobTemplates/${JobTemplateName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "JobTemplate" - }, - { - "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:certificates/${CertificateArn}", - "condition_keys": [], - "resource": "CertificateAssociation" - } - ], - "service_name": "AWS Elemental MediaConvert" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "The tag for a MediaLive request", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag for a MediaLive resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "The tag keys for a MediaLive resource or request", - "type": "String" - } - ], - "prefix": "medialive", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to accept an input device transfer", - "privilege": "AcceptInputDeviceTransfer", + "access_level": "Read", + "description": "Grants permission to view the configuration for asynchronous invocation for a 
function, version, or alias", + "privilege": "GetFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete channels, inputs, input security groups, and multiplexes", - "privilege": "BatchDelete", + "access_level": "Read", + "description": "Grants permission to view details about a version of an AWS Lambda layer. Note this action also supports GetLayerVersionByArn API", + "privilege": "GetLayerVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" + "resource_type": "layerVersion*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start channels and multiplexes", - "privilege": "BatchStart", + "access_level": "Read", + "description": "Grants permission to view the resource-based policy for a version of an AWS Lambda layer", + "privilege": "GetLayerVersionPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, + "resource_type": "layerVersion*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias", + "privilege": "GetPolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop channels and multiplexes", - "privilege": "BatchStop", + "access_level": "Read", + "description": "Grants permission to view the provisioned 
concurrency configuration for an AWS Lambda function's alias or version", + "privilege": "GetProvisionedConcurrencyConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" + "resource_type": "function alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex" + "resource_type": "function version" } ] }, { "access_level": "Write", - "description": "Grants permission to add and remove actions from a channel's schedule", - "privilege": "BatchUpdateSchedule", + "description": "(Deprecated) Grants permission to invoke a function asynchronously", + "privilege": "InvokeAsync", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to cancel an input device transfer", - "privilege": "CancelInputDeviceTransfer", + "description": "Grants permission to invoke an AWS Lambda function", + "privilege": "InvokeFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a channel", - "privilege": "CreateChannel", + "access_level": "List", + "description": "Grants permission to retrieve a list of aliases for an AWS Lambda function", + "privilege": "ListAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an input", - "privilege": "CreateInput", + "access_level": "List", + "description": "Grants permission to 
retrieve a list of AWS Lambda code signing configs", + "privilege": "ListCodeSigningConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an input security group", - "privilege": "CreateInputSecurityGroup", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda event source mappings", + "privilege": "ListEventSourceMappings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a multiplex", - "privilege": "CreateMultiplex", + "access_level": "List", + "description": "Grants permission to retrieve a list of configurations for asynchronous invocation for a function", + "privilege": "ListFunctionEventInvokeConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a multiplex program", - "privilege": "CreateMultiplexProgram", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function", + "privilege": "ListFunctions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"multiplex*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to create tags for channels, inputs, input security groups, multiplexes, and reservations", - "privilege": "CreateTags", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda functions by the code signing config assigned", + "privilege": "ListFunctionsByCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "reservation" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "code signing config*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a channel", - "privilege": "DeleteChannel", + "access_level": "List", + "description": "Grants permission to retrieve a list of versions of an AWS Lambda layer", + "privilege": "ListLayerVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an input", - "privilege": "DeleteInput", + "access_level": "List", + "description": "Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer", + "privilege": "ListLayers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an input security 
group", - "privilege": "DeleteInputSecurityGroup", + "access_level": "List", + "description": "Grants permission to retrieve a list of provisioned concurrency configurations for an AWS Lambda function", + "privilege": "ListProvisionedConcurrencyConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a multiplex", - "privilege": "DeleteMultiplex", + "access_level": "Read", + "description": "Grants permission to retrieve a list of tags for an AWS Lambda function", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "function*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a multiplex program", - "privilege": "DeleteMultiplexProgram", + "access_level": "List", + "description": "Grants permission to retrieve a list of versions for an AWS Lambda function", + "privilege": "ListVersionsByFunction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "function*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an expired reservation", - "privilege": "DeleteReservation", + "description": "Grants permission to create an AWS Lambda layer", + "privilege": "PublishLayerVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation*" + "resource_type": "layer*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete all schedule actions for a channel", - "privilege": "DeleteSchedule", + "description": "Grants permission to create an AWS Lambda function version", + "privilege": "PublishVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + 
"resource_type": "function*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to delete tags from channels, inputs, input security groups, multiplexes, and reservations", - "privilege": "DeleteTags", + "access_level": "Write", + "description": "Grants permission to attach a code signing config to an AWS Lambda function", + "privilege": "PutFunctionCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" + "resource_type": "code signing config*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation" + "resource_type": "function*" }, { "condition_keys": [ - "aws:TagKeys" + "lambda:CodeSigningConfigArn" ], "dependent_actions": [], "resource_type": "" 
@@ -96422,177 +106752,255 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get details about a channel", - "privilege": "DescribeChannel", + "access_level": "Write", + "description": "Grants permission to configure reserved concurrency for an AWS Lambda function", + "privilege": "PutFunctionConcurrency", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an input", - "privilege": "DescribeInput", + "access_level": "Write", + "description": "Grants permission to configures options for asynchronous invocation on an AWS Lambda function, version, or alias", + "privilege": "PutFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an input device", - "privilege": "DescribeInputDevice", + "access_level": "Write", + "description": "Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version", + "privilege": "PutProvisionedConcurrencyConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "function alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "function version" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an input device thumbnail", - "privilege": "DescribeInputDeviceThumbnail", + "access_level": "Permissions management", + "description": "Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer", + "privilege": "RemoveLayerVersionPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": 
"layerVersion*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an input security group", - "privilege": "DescribeInputSecurityGroup", + "access_level": "Permissions management", + "description": "Grants permission to revoke function-use permission from an AWS service or another account", + "privilege": "RemovePermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:Principal" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a multiplex", - "privilege": "DescribeMultiplex", + "access_level": "Tagging", + "description": "Grants permission to add tags to an AWS Lambda function", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a multiplex program", - "privilege": "DescribeMultiplexProgram", + "access_level": "Tagging", + "description": "Grants permission to remove tags from an AWS Lambda function", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get details about a reservation offering", - "privilege": "DescribeOffering", + "access_level": "Write", + "description": "Grants permission to update the configuration of an AWS Lambda function's alias", + "privilege": "UpdateAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "offering*" + "resource_type": "function*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get details about a reservation", - "privilege": 
"DescribeReservation", + "access_level": "Write", + "description": "Grants permission to update an AWS Lambda code signing config", + "privilege": "UpdateCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation*" + "resource_type": "code signing config*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view a list of actions scheduled on a channel", - "privilege": "DescribeSchedule", + "access_level": "Write", + "description": "Grants permission to update the configuration of an AWS Lambda event source mapping", + "privilege": "UpdateEventSourceMapping", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "eventSourceMapping*" + }, + { + "condition_keys": [ + "lambda:FunctionArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list channels", - "privilege": "ListChannels", + "access_level": "Write", + "description": "Grants permission to update the code of an AWS Lambda function", + "privilege": "UpdateFunctionCode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] }, { - "access_level": "List", - "description": "Grants permission to list input device transfers", - "privilege": "ListInputDeviceTransfers", + "access_level": "Write", + "description": "Grants permission to update the code signing config of an AWS Lambda function", + "privilege": "UpdateFunctionCodeSigningConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "code signing config*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "function*" } ] }, { - "access_level": "List", - "description": "Grants permission to list input devices", - "privilege": "ListInputDevices", + "access_level": "Write", + 
"description": "Grants permission to modify the version-specific settings of an AWS Lambda function", + "privilege": "UpdateFunctionConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "function*" + }, + { + "condition_keys": [ + "lambda:Layer", + "lambda:VpcIds", + "lambda:SubnetIds", + "lambda:SecurityGroupIds" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list input security groups", - "privilege": "ListInputSecurityGroups", + "access_level": "Write", + "description": "Grants permission to modify the configuration for asynchronous invocation for an AWS Lambda function, version, or alias", + "privilege": "UpdateFunctionEventInvokeConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "function*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:code-signing-config:${CodeSigningConfigId}", + "condition_keys": [], + "resource": "code signing config" }, { - "access_level": "List", - "description": "Grants permission to list inputs", - "privilege": "ListInputs", + "arn": "arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}", + "condition_keys": [], + "resource": "eventSourceMapping" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}", + "condition_keys": [], + "resource": "function" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}", + "condition_keys": [], + "resource": "function alias" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}", + "condition_keys": [], + "resource": "function version" + }, + { + "arn": "arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}", + "condition_keys": [], + "resource": "layer" + }, + { + "arn": 
"arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion}", + "condition_keys": [], + "resource": "layerVersion" + } + ], + "service_name": "AWS Lambda" + }, + { + "conditions": [], + "prefix": "launchwizard", + "privileges": [ + { + "access_level": "Write", + "description": "Delete an application", + "privilege": "DeleteApp", "resource_types": [ { "condition_keys": [], @@ -96602,9 +107010,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list multiplex programs", - "privilege": "ListMultiplexPrograms", + "access_level": "Read", + "description": "Describe provisioning applications", + "privilege": "DescribeProvisionedApp", "resource_types": [ { "condition_keys": [], @@ -96614,9 +107022,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list multiplexes", - "privilege": "ListMultiplexes", + "access_level": "Read", + "description": "Describe provisioning events", + "privilege": "DescribeProvisioningEvents", "resource_types": [ { "condition_keys": [], @@ -96626,9 +107034,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list reservation offerings", - "privilege": "ListOfferings", + "access_level": "Read", + "description": "Get infrastructure suggestion", + "privilege": "GetInfrastructureSuggestion", "resource_types": [ { "condition_keys": [], @@ -96638,9 +107046,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list reservations", - "privilege": "ListReservations", + "access_level": "Read", + "description": "Get customer's ip address", + "privilege": "GetIpAddress", "resource_types": [ { "condition_keys": [], 
@@ -96650,138 +107058,144 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list tags for channels, inputs, input security groups, multiplexes, and reservations", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Get resource cost estimate", + "privilege": "GetResourceCostEstimate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "input-security-group" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "multiplex" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "reservation" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to purchase a reservation offering", - "privilege": "PurchaseOffering", + "access_level": "List", + "description": "List provisioning applications", + "privilege": "ListProvisionedApps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "offering*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "reservation*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to reject an input device transfer", - "privilege": "RejectInputDeviceTransfer", + "description": "Start a provisioning", + "privilege": "StartProvisioning", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "" } ] + } + ], + "resources": [], + "service_name": "Launch Wizard" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags in the request.", + "type": "String" + 
}, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to a Lex resource.", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the set of tag keys in the request.", + "type": "String" + }, + { + "condition": "lex:associatedIntents", + "description": "Enables you to control access based on the intents included in the request.", + "type": "String" + }, + { + "condition": "lex:associatedSlotTypes", + "description": "Enables you to control access based on the slot types included in the request.", + "type": "String" }, + { + "condition": "lex:channelType", + "description": "Enables you to control access based on the channel type included in the request.", + "type": "String" + } + ], + "prefix": "lex", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to start a channel", - "privilege": "StartChannel", + "description": "Creates a new version based on the $LATEST version of the specified bot.", + "privilege": "CreateBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "bot version*" } ] }, { "access_level": "Write", - "description": "Grants permission to start a multiplex", - "privilege": "StartMultiplex", + "description": "Creates a new version based on the $LATEST version of the specified intent.", + "privilege": "CreateIntentVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "intent version*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a channel", - "privilege": "StopChannel", + "description": "Creates a new version based on the $LATEST version of the specified slot type.", + "privilege": "CreateSlotTypeVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "slottype version*" } ] 
}, { "access_level": "Write", - "description": "Grants permission to stop a multiplex", - "privilege": "StopMultiplex", + "description": "Deletes all versions of a bot.", + "privilege": "DeleteBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "bot version*" } ] }, { "access_level": "Write", - "description": "Grants permission to transfer an input device", - "privilege": "TransferInputDevice", + "description": "Deletes an alias for a specific bot.", + "privilege": "DeleteBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a channel", - "privilege": "UpdateChannel", + "description": "Deletes the association between a Amazon Lex bot alias and a messaging platform.", + "privilege": "DeleteBotChannelAssociation", "resource_types": [ { "condition_keys": [], 
@@ -96792,267 +107206,198 @@ }, { "access_level": "Write", - "description": "Grants permission to update the class of a channel", - "privilege": "UpdateChannelClass", + "description": "Deletes a specific version of a bot.", + "privilege": "DeleteBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channel*" + "resource_type": "bot version*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an input", - "privilege": "UpdateInput", + "description": "Deletes all versions of an intent.", + "privilege": "DeleteIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input*" + "resource_type": "intent version*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an input device", - "privilege": "UpdateInputDevice", + "description": "Deletes a specific version of an intent.", + "privilege": "DeleteIntentVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-device*" + "resource_type": "intent version*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an input security group", - "privilege": "UpdateInputSecurityGroup", + "description": "Removes session information for a specified bot, alias, and user ID.", + "privilege": "DeleteSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "input-security-group*" + "resource_type": "bot alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot version" } ] }, { "access_level": "Write", - "description": "Grants permission to update a multiplex", - "privilege": "UpdateMultiplex", + "description": "Deletes all versions of a slot type.", + "privilege": "DeleteSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "slottype version*" } ] }, { "access_level": 
"Write", - "description": "Grants permission to update a multiplex program", - "privilege": "UpdateMultiplexProgram", + "description": "Deletes a specific version of a slot type.", + "privilege": "DeleteSlotTypeVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "multiplex*" + "resource_type": "slottype version*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a reservation", - "privilege": "UpdateReservation", + "description": "Deletes the information Amazon Lex maintains for utterances on a specific bot and userId.", + "privilege": "DeleteUtterances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "reservation*" + "resource_type": "bot version*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:channel:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "channel" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:input:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "input" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputDevice:*", - "condition_keys": [], - "resource": "input-device" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputSecurityGroup:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "input-security-group" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:multiplex:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "multiplex" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:reservation:*", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "reservation" - }, - { - "arn": "arn:${Partition}:medialive:${Region}:${Account}:offering:*", - "condition_keys": [], - "resource": "offering" - } - ], - "service_name": "AWS Elemental MediaLive" - }, - { - "conditions": [ - { - "condition": 
"aws:RequestTag/${TagKey}", - "description": "", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "", - "type": "String" - } - ], - "prefix": "mediapackage", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a channel in AWS Elemental MediaPackage.", - "privilege": "CreateChannel", + "access_level": "Read", + "description": "Returns information for a specific bot. In addition to the bot name, the bot version or alias is required.", + "privilege": "GetBot", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot version" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a harvest job in AWS Elemental MediaPackage.", - "privilege": "CreateHarvestJob", + "access_level": "Read", + "description": "Returns information about a Amazon Lex bot alias.", + "privilege": "GetBotAlias", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an endpoint in AWS Elemental MediaPackage.", - "privilege": "CreateOriginEndpoint", + "access_level": "List", + "description": "Returns a list of aliases for a given Amazon Lex bot.", + "privilege": "GetBotAliases", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a channel in AWS Elemental MediaPackage.", - 
"privilege": "DeleteChannel", + "access_level": "Read", + "description": "Returns information about the association between a Amazon Lex bot and a messaging platform.", + "privilege": "GetBotChannelAssociation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an endpoint in AWS Elemental MediaPackage.", - "privilege": "DeleteOriginEndpoint", + "access_level": "List", + "description": "Returns a list of all of the channels associated with a single bot.", + "privilege": "GetBotChannelAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the details of a channel in AWS Elemental MediaPackage.", - "privilege": "DescribeChannel", + "access_level": "List", + "description": "Returns information for all versions of a specific bot.", + "privilege": "GetBotVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels*" + "resource_type": "bot version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the details of a harvest job in AWS Elemental MediaPackage.", - "privilege": "DescribeHarvestJob", + "access_level": "List", + "description": "Returns information for the $LATEST version of all bots, subject to filters provided by the client.", + "privilege": "GetBots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "harvest_jobs*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view the details of an endpoint in AWS Elemental MediaPackage.", - "privilege": "DescribeOriginEndpoint", + "description": "Returns information about a built-in intent.", + "privilege": "GetBuiltinIntent", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to view a list of channels in AWS Elemental MediaPackage.", - "privilege": "ListChannels", + "description": "Gets a list of built-in intents that meet the specified criteria.", + "privilege": "GetBuiltinIntents", "resource_types": [ { "condition_keys": [], @@ -97063,8 +107408,8 @@ }, { "access_level": "Read", - "description": "Grants permission to view a list of harvest jobs in AWS Elemental MediaPackage.", - "privilege": "ListHarvestJobs", + "description": "Gets a list of built-in slot types that meet the specified criteria.", + "privilege": "GetBuiltinSlotTypes", "resource_types": [ { "condition_keys": [], 
@@ -97075,324 +107420,294 @@ }, { "access_level": "Read", - "description": "Grants permission to view a list of endpoints in AWS Elemental MediaPackage.", - "privilege": "ListOriginEndpoints", + "description": "Exports Amazon Lex Resource in a requested format.", + "privilege": "GetExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version*" } ] }, { "access_level": "Read", - "description": "Grants permission to list the tags assigned to a Channel or OriginEndpoint.", - "privilege": "ListTagsForResource", + "description": "Gets information about an import job started with StartImport.", + "privilege": "GetImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "harvest_jobs" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "origin_endpoints" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage.", - "privilege": "RotateIngestEndpointCredentials", + "access_level": "Read", + "description": "Returns information for a specific intent. 
In addition to the intent name, you must also specify the intent version.", + "privilege": "GetIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels*" + "resource_type": "intent version*" } ] }, { - "access_level": "Write", - "description": "", - "privilege": "TagResource", + "access_level": "List", + "description": "Returns information for all versions of a specific intent.", + "privilege": "GetIntentVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels" - }, + "resource_type": "intent version*" + } + ] + }, + { + "access_level": "List", + "description": "Returns information for the $LATEST version of all intents, subject to filters provided by the client.", + "privilege": "GetIntents", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "harvest_jobs" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view an ongoing or completed migration", + "privilege": "GetMigration", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete tags to a Channel or OriginEndpoint.", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to view list of migrations from Amazon Lex v1 to Amazon Lex v2", + "privilege": "GetMigrations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Returns session information for a specified bot, alias, and user ID.", + "privilege": "GetSession", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], 
- "resource_type": "harvest_jobs" + "resource_type": "bot alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version" } ] }, { - "access_level": "Write", - "description": "Grants permission to make changes to a channel in AWS Elemental MediaPackage.", - "privilege": "UpdateChannel", + "access_level": "Read", + "description": "Returns information about a specific version of a slot type. In addition to specifying the slot type name, you must also specify the slot type version.", + "privilege": "GetSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "channels*" + "resource_type": "slottype version*" } ] }, { - "access_level": "Write", - "description": "Grants permission to make changes to an endpoint in AWS Elemental MediaPackage.", - "privilege": "UpdateOriginEndpoint", + "access_level": "List", + "description": "Returns information for all versions of a specific slot type.", + "privilege": "GetSlotTypeVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "origin_endpoints*" + "resource_type": "slottype version*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:channels/${ChannelIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "channels" - }, - { - "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:origin_endpoints/${OriginEndpointIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "origin_endpoints" - }, - { - "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:harvest_jobs/${HarvestJobIdentifier}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "harvest_jobs" - } - ], - "service_name": "AWS Elemental MediaPackage" - }, - { - "conditions": [ - { - 
"condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "mediapackage-vod", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create an asset in AWS Elemental MediaPackage", - "privilege": "CreateAsset", + "access_level": "List", + "description": "Returns information for the $LATEST version of all slot types, subject to filters provided by the client.", + "privilege": "GetSlotTypes", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a packaging configuration in AWS Elemental MediaPackage", - "privilege": "CreatePackagingConfiguration", + "access_level": "List", + "description": "Returns a view of aggregate utterance data for versions of a bot for a recent time period.", + "privilege": "GetUtterancesView", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a packaging group in AWS Elemental MediaPackage", - "privilege": "CreatePackagingGroup", + "access_level": "Read", + "description": "Lists tags for a Lex resource", + "privilege": "ListTagsForResource", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], 
- "resource_type": "" + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an asset in AWS Elemental MediaPackage", - "privilege": "DeleteAsset", + "description": "Sends user input (text or speech) to Amazon Lex.", + "privilege": "PostContent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets*" + "resource_type": "bot alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot version" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a packaging configuration in AWS Elemental MediaPackage", - "privilege": "DeletePackagingConfiguration", + "description": "Sends user input (text-only) to Amazon Lex.", + "privilege": "PostText", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations*" + "resource_type": "bot alias" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot version" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a packaging group in AWS Elemental MediaPackage", - "privilege": "DeletePackagingGroup", + "description": "Creates or updates the $LATEST version of a Amazon Lex conversational bot.", + "privilege": "PutBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups*" + "resource_type": "bot version*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the details of an asset in AWS Elemental MediaPackage", - "privilege": "DescribeAsset", + "access_level": "Write", + "description": "Creates or 
updates an alias for the specific bot.", + "privilege": "PutBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets*" + "resource_type": "bot alias*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the details of a packaging configuration in AWS Elemental MediaPackage", - "privilege": "DescribePackagingConfiguration", + "access_level": "Write", + "description": "Creates or updates the $LATEST version of an intent.", + "privilege": "PutIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations*" + "resource_type": "intent version*" } ] }, { - "access_level": "Read", - "description": "Grants permission to view the details of a packaging group in AWS Elemental MediaPackage", - "privilege": "DescribePackagingGroup", + "access_level": "Write", + "description": "Creates a new session or modifies an existing session with an Amazon Lex bot.", + "privilege": "PutSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to view a list of assets in AWS Elemental MediaPackage", - "privilege": "ListAssets", - "resource_types": [ + "resource_type": "bot alias" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot version" } ] }, { - "access_level": "List", - "description": "Grants permission to view a list of packaging configurations in AWS Elemental MediaPackage", - "privilege": "ListPackagingConfigurations", + "access_level": "Write", + "description": "Creates or updates the $LATEST version of a slot type.", + "privilege": "PutSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"" + "resource_type": "slottype version*" } ] }, { - "access_level": "List", - "description": "Grants permission to view a list of packaging groups in AWS Elemental MediaPackage", - "privilege": "ListPackagingGroups", + "access_level": "Write", + "description": "Starts a job to import a resource to Amazon Lex.", + "privilege": "StartImport", "resource_types": [ { "condition_keys": [], @@ -97402,51 +107717,41 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list the tags assigned to a PackagingGroup, PackagingConfiguration, or Asset.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to migrate a bot from Amazon Lex v1 to Amazon Lex v2", + "privilege": "StartMigration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "packaging-configurations" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "packaging-groups" + "resource_type": "bot version*" } ] }, { - "access_level": "Write", - "description": "Grants permission to assign tags to a PackagingGroup, PackagingConfiguration, or Asset.", + "access_level": "Tagging", + "description": "Adds or overwrites tags to a Lex resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets" + "resource_type": "bot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations" + "resource_type": "bot alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups" + "resource_type": "channel" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -97454,28 +107759,29 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete tags from a PackagingGroup, PackagingConfiguration, or Asset.", + "access_level": "Tagging", + "description": "Removes tags from a Lex resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assets" + "resource_type": "bot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-configurations" + "resource_type": "bot alias" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "packaging-groups" + "resource_type": "channel" }, { "condition_keys": [ - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -97485,169 +107791,228 @@ ], "resources": [ { - "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:assets/${AssetIdentifier}", + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "assets" + "resource": "bot" }, { - "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-configurations/${PackagingConfigurationIdentifier}", + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotVersion}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "packaging-configurations" + "resource": "bot version" }, { - "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-groups/${PackagingGroupIdentifier}", + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot:${BotName}:${BotAlias}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "packaging-groups" + "resource": "bot alias" + }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot-channel:${BotName}:${BotAlias}:${ChannelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channel" + }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:intent:${IntentName}:${IntentVersion}", + "condition_keys": [], + "resource": "intent version" + }, + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:slottype:${SlotName}:${SlotVersion}", + "condition_keys": [], + "resource": "slottype version" } ], - "service_name": "AWS Elemental MediaPackage VOD" + "service_name": "Amazon Lex" }, { - "conditions": [], - "prefix": "mediastore", + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to a Lex resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the set of tag keys in the request.", + 
"type": "String" + } + ], + "prefix": "lex", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create containers.", - "privilege": "CreateContainer", + "description": "Grants permission to build an existing bot locale in a bot", + "privilege": "BuildBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete any container in the current account.", - "privilege": "DeleteContainer", + "description": "Grants permission to create a new bot and a test bot alias pointing to the DRAFT bot version", + "privilege": "CreateBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "bot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the access policy of any container in the current account.", - "privilege": "DeleteContainerPolicy", + "access_level": "Write", + "description": "Grants permission to create a new bot alias in a bot", + "privilege": "CreateBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "bot alias*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the CORS policy from any container in the current account.", - "privilege": "DeleteCorsPolicy", + "description": "Grants permission to create a bot channel in an existing bot", + "privilege": "CreateBotChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] 
}, { "access_level": "Write", - "description": "Grants permission to delete the lifecycle policy from any container in the current account.", - "privilege": "DeleteLifecyclePolicy", + "description": "Grants permission to create a new bot locale in an existing bot", + "privilege": "CreateBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the metric policy from any container in the current account.", - "privilege": "DeleteMetricPolicy", + "description": "Grants permission to create a new version of an existing bot", + "privilege": "CreateBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete objects.", - "privilege": "DeleteObject", + "description": "Grants permission to create an export for an existing resource", + "privilege": "CreateExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve details on any container in the current account.", - "privilege": "DescribeContainer", + "access_level": "Write", + "description": "Grants permission to create a new intent in an existing bot locale", + "privilege": "CreateIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve object metadata.", - "privilege": "DescribeObject", + "access_level": "Write", + "description": "Grants permission to create a new resource policy for a Lex resource", + "privilege": "CreateResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + 
"resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the access policy of any container in the current account.", - "privilege": "GetContainerPolicy", + "access_level": "Write", + "description": "Grants permission to create a new slot in an intent", + "privilege": "CreateSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the CORS policy of any container in the current account.", - "privilege": "GetCorsPolicy", + "access_level": "Write", + "description": "Grants permission to create a new slot type in an existing bot locale", + "privilege": "CreateSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the lifecycle policy that is assigned to any container in the current account.", - "privilege": "GetLifecyclePolicy", + "access_level": "Write", + "description": "Grants permission to create an upload url for import file", + "privilege": "CreateUploadUrl", "resource_types": [ { "condition_keys": [], 
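Review bot: Two service entries now share `"prefix": "lex"`: the one this hunk closes with `"service_name": "Amazon Lex"` and the one it opens immediately afterwards, starting at `BuildBotLocale`. Both define `CreateBotVersion` and `DeleteBot`, but with different resource types (`bot version*` in the first entry, `bot*` in the second). The code that resolves an action against this file is not part of the diff; if it selects a service by prefix and stops at the first match, actions that exist only in the second entry would be reported as unknown and the shared names would be checked against the wrong resource types, so the linter could raise false findings or miss real ones. It is worth confirming that the lookup handles a repeated prefix (merging the privilege lists, or matching on prefix and privilege together) and adding a test for an action that appears only in the second entry, such as `lex:BuildBotLocale`. The second entry continues past the end of this hunk.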
@@ -97657,441 +108022,418 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the metric policy that is assigned to any container in the current account.", - "privilege": "GetMetricPolicy", + "access_level": "Write", + "description": "Grants permission to delete an existing bot", + "privilege": "DeleteBot", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "lex:DeleteBotAlias", + "lex:DeleteBotChannel", + "lex:DeleteBotLocale", + "lex:DeleteBotVersion", + "lex:DeleteIntent", + "lex:DeleteSlot", + "lex:DeleteSlotType" + ], + "resource_type": "bot*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve objects.", - "privilege": "GetObject", + "access_level": "Write", + "description": "Grants permission to delete an existing bot alias in a bot", + "privilege": "DeleteBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of containers in the current account.", - "privilege": "ListContainers", + "access_level": "Write", + "description": "Grants permission to delete an existing bot channel", + "privilege": "DeleteBotChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of objects and folders in the current account.", - "privilege": "ListItems", + "access_level": "Write", + "description": "Grants permission to delete an existing bot locale in a bot", + "privilege": "DeleteBotLocale", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "lex:DeleteIntent", + "lex:DeleteSlot", + 
"lex:DeleteSlotType" + ], + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Grants permission to list tags on any container in the current account.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to delete an existing bot version", + "privilege": "DeleteBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to create or replace the access policy of any container in the current account.", - "privilege": "PutContainerPolicy", + "access_level": "Write", + "description": "Grants permission to delete an existing export", + "privilege": "DeleteExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to add or modify the CORS policy of any container in the current account.", - "privilege": "PutCorsPolicy", + "description": "Grants permission to delete an existing import", + "privilege": "DeleteImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to add or modify the lifecycle policy that is assigned to any container in the current account.", - "privilege": "PutLifecyclePolicy", + "description": "Grants permission to delete an existing intent in a bot locale", + "privilege": "DeleteIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to add or modify the metric policy that is assigned to any container in the current account.", - "privilege": "PutMetricPolicy", + "description": "Grants permission to delete an 
existing resource policy for a Lex resource", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" } ] }, { "access_level": "Write", - "description": "Grants permission to upload objects.", - "privilege": "PutObject", + "description": "Grants permission to delete session information for a bot alias and user ID", + "privilege": "DeleteSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable access logging on any container in the current account.", - "privilege": "StartAccessLogging", + "description": "Grants permission to delete an existing slot in an intent", + "privilege": "DeleteSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable access logging on any container in the current account.", - "privilege": "StopAccessLogging", + "description": "Grants permission to delete an existing slot type in a bot locale", + "privilege": "DeleteSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to any container in the current account.", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot", + "privilege": "DescribeBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from any container in the current 
account.", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot alias", + "privilege": "DescribeBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediastore:${Region}:${Account}:container/${ContainerName}", - "condition_keys": [], - "resource": "container" - } - ], - "service_name": "AWS Elemental MediaStore" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "mediatailor", - "privileges": [ - { - "access_level": "Write", - "description": "Deletes the playback configuration for the specified name", - "privilege": "DeletePlaybackConfiguration", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot channel", + "privilege": "DescribeBotChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "playbackConfiguration*" + "resource_type": "bot*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the configuration for the specified name", - "privilege": "GetPlaybackConfiguration", + "description": "Grants permission to retrieve an existing bot locale", + "privilege": "DescribeBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "playbackConfiguration*" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve 
the list of available configurations", - "privilege": "ListPlaybackConfigurations", + "access_level": "Read", + "description": "Grants permission to retrieve an existing bot version.", + "privilege": "DescribeBotVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Read", - "description": "Returns a list of the tags assigned to the specified playback configuration resource.", - "privilege": "ListTagsForResource", + "description": "Grants permission to retrieve an existing export", + "privilege": "DescribeExport", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "lex:DescribeBot", + "lex:DescribeBotLocale", + "lex:DescribeIntent", + "lex:DescribeSlot", + "lex:DescribeSlotType", + "lex:ListBotLocales", + "lex:ListIntents", + "lex:ListSlotTypes", + "lex:ListSlots" + ], + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add a new configuration", - "privilege": "PutPlaybackConfiguration", + "access_level": "Read", + "description": "Grants permission to retrieve an existing import", + "privilege": "DescribeImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "playbackConfiguration*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Tagging", - "description": "Adds tags to the specified playback configuration resource.", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to retrieve an existing intent", + "privilege": "DescribeIntent", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - 
"access_level": "Tagging", - "description": "Removes tags from the specified playback configuration resource.", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to retrieve an existing resource policy for a Lex resource", + "privilege": "DescribeResourcePolicy", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:playbackConfiguration/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "playbackConfiguration" - } - ], - "service_name": "AWS Elemental MediaTailor" - }, - { - "conditions": [], - "prefix": "mgh", - "privileges": [ + }, { - "access_level": "Write", - "description": "Associate a given AWS artifact to a MigrationTask", - "privilege": "AssociateCreatedArtifact", + "access_level": "Read", + "description": "Grants permission to retrieve an existing slot", + "privilege": "DescribeSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Associate a given ADS resource to a MigrationTask", - "privilege": "AssociateDiscoveredResource", + "access_level": "Read", + "description": "Grants permission to retrieve an existing slot type", + "privilege": "DescribeSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Create a Migration Hub Home Region Control", - "privilege": "CreateHomeRegionControl", + "access_level": "Read", + "description": "Grants permission to retrieve session information for a 
bot alias and user ID", + "privilege": "GetSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] }, { - "access_level": "Write", - "description": "Create a ProgressUpdateStream", - "privilege": "CreateProgressUpdateStream", + "access_level": "List", + "description": "Grants permission to list bot aliases in an bot", + "privilege": "ListBotAliases", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "progressUpdateStream*" + "resource_type": "bot*" } ] }, { - "access_level": "Write", - "description": "Delete a ProgressUpdateStream", - "privilege": "DeleteProgressUpdateStream", + "access_level": "List", + "description": "Grants permission to list bot channels", + "privilege": "ListBotChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "progressUpdateStream*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Get an Application Discovery Service Application's state", - "privilege": "DescribeApplicationState", + "access_level": "List", + "description": "Grants permission to list bot locales in a bot", + "privilege": "ListBotLocales", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "List", - "description": "List Home Region Controls", - "privilege": "DescribeHomeRegionControls", + "description": "Grants permission to list existing bot versions", + "privilege": "ListBotVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Describe a MigrationTask", - "privilege": "DescribeMigrationTask", + "access_level": "List", + "description": "Grants permission to list existing bots", + "privilege": "ListBots", "resource_types": [ { "condition_keys": [], "dependent_actions": 
[], - "resource_type": "migrationTask*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Disassociate a given AWS artifact from a MigrationTask", - "privilege": "DisassociateCreatedArtifact", + "access_level": "List", + "description": "Grants permission to list built-in intents", + "privilege": "ListBuiltInIntents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Disassociate a given ADS resource from a MigrationTask", - "privilege": "DisassociateDiscoveredResource", + "access_level": "List", + "description": "Grants permission to list built-in slot types", + "privilege": "ListBuiltInSlotTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Get the Migration Hub Home Region", - "privilege": "GetHomeRegion", + "access_level": "List", + "description": "Grants permission to list existing exports", + "privilege": "ListExports", "resource_types": [ { "condition_keys": [], 
@@ -98101,288 +108443,364 @@ ] }, { - "access_level": "Write", - "description": "Import a MigrationTask", - "privilege": "ImportMigrationTask", + "access_level": "List", + "description": "Grants permission to list existing imports", + "privilege": "ListImports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "List associated created artifacts for a MigrationTask", - "privilege": "ListCreatedArtifacts", + "description": "Grants permission to list intents in a bot", + "privilege": "ListIntents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "bot*" } ] }, { "access_level": "List", - "description": "List associated ADS resources from MigrationTask", - "privilege": "ListDiscoveredResources", + "description": "Grants permission to list slot types in a bot", + "privilege": "ListSlotTypes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "bot*" } ] }, { "access_level": "List", - "description": "List MigrationTasks", - "privilege": "ListMigrationTasks", + "description": "Grants permission to list slots in an intent", + "privilege": "ListSlots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "List", - "description": "List ProgressUpdateStreams", - "privilege": "ListProgressUpdateStreams", + "access_level": "Read", + "description": "Grants permission to lists tags for a Lex resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" } ] }, { "access_level": "Write", - "description": "Update an Application 
Discovery Service Application's state", - "privilege": "NotifyApplicationState", + "description": "Grants permission to create a new session or modify an existing session for a bot alias and user ID", + "privilege": "PutSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Notify latest MigrationTask state", - "privilege": "NotifyMigrationTaskState", + "description": "Grants permission to send user input (text-only) to an bot alias", + "privilege": "RecognizeText", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Put ResourceAttributes", - "privilege": "PutResourceAttributes", + "description": "Grants permission to send user input (text or speech) to an bot alias", + "privilege": "RecognizeUtterance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "migrationTask*" + "resource_type": "bot alias*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}", - "condition_keys": [], - "resource": "progressUpdateStream" }, { - "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}/migrationTask/${Task}", - "condition_keys": [], - "resource": "migrationTask" - } - ], - "service_name": "AWS Migration Hub" - }, - { - "conditions": [], - "prefix": "mobileanalytics", - "privileges": [ - { - "access_level": "Read", - "description": "Grant access to financial metrics for an app", - "privilege": "GetFinancialReports", + "access_level": "Write", + "description": "Grants permission to stream user input (speech/text/DTMF) to a bot alias", + "privilege": "StartConversation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot 
alias*" } ] }, { - "access_level": "Read", - "description": "Grant access to standard metrics for an app", - "privilege": "GetReports", + "access_level": "Write", + "description": "Grants permission to start a new import with the uploaded import file", + "privilege": "StartImport", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "lex:CreateBot", + "lex:CreateBotLocale", + "lex:CreateIntent", + "lex:CreateSlot", + "lex:CreateSlotType", + "lex:DeleteBotLocale", + "lex:DeleteIntent", + "lex:DeleteSlot", + "lex:DeleteSlotType", + "lex:UpdateBot", + "lex:UpdateBotLocale", + "lex:UpdateIntent", + "lex:UpdateSlot", + "lex:UpdateSlotType" + ], + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "The PutEvents operation records one or more events", - "privilege": "PutEvents", + "access_level": "Tagging", + "description": "Grants permission to add or overwrite tags of a Lex resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "Amazon Mobile Analytics" - }, - { - "conditions": [], - "prefix": "mobilehub", - "privileges": [ + }, { - "access_level": "Write", - "description": "Create a project", - "privilege": "CreateProject", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a Lex resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "bot" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Enable AWS Mobile Hub in the account by creating the required service role", - "privilege": "CreateServiceRole", + "description": "Grants permission to update an existing bot", + "privilege": "UpdateBot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Delete the specified project", - "privilege": "DeleteProject", + "description": "Grants permission to update an existing bot alias", + "privilege": "UpdateBotAlias", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "bot alias*" } ] }, { "access_level": "Write", - "description": "Delete a saved snapshot of project configuration", - "privilege": "DeleteProjectSnapshot", + "description": "Grants permission to update an existing bot locale", + "privilege": "UpdateBotLocale", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { "access_level": "Write", - "description": "Deploy changes to the specified stage", - "privilege": "DeployToStage", + "description": "Grants permission to update an existing export", + "privilege": "UpdateExport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Describe the download bundle", - "privilege": "DescribeBundle", + "access_level": "Write", + "description": "Grants permission to update an existing intent", + "privilege": "UpdateIntent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot*" } ] 
}, { - "access_level": "Read", - "description": "Export the download bundle", - "privilege": "ExportBundle", + "access_level": "Write", + "description": "Grants permission to update an existing resource policy for a Lex resource", + "privilege": "UpdateResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "bot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bot alias" } ] }, { - "access_level": "Read", - "description": "Export the project configuration", - "privilege": "ExportProject", + "access_level": "Write", + "description": "Grants permission to update an existing slot", + "privilege": "UpdateSlot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "bot*" } ] }, { - "access_level": "Read", - "description": "Generate project parameters required for code generation", - "privilege": "GenerateProjectParameters", + "access_level": "Write", + "description": "Grants permission to update an existing slot type", + "privilege": "UpdateSlotType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "bot*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot/${BotId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bot" }, { - "access_level": "Read", - "description": "Get project configuration and resources", - "privilege": "GetProject", + "arn": "arn:${Partition}:lex:${Region}:${Account}:bot-alias/${BotId}/${BotAliasId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "bot alias" + } + ], + "service_name": "Amazon Lex V2" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": 
"Filters access based on the tag keys that are passed in the request", + "type": "String" + }, + { + "condition": "license-manager:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs attached to the resource", + "type": "String" + } + ], + "prefix": "license-manager", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept a grant", + "privilege": "AcceptGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "grant*" } ] }, { - "access_level": "Read", - "description": "Fetch the previously exported project configuration snapshot", - "privilege": "GetProjectSnapshot", + "access_level": "Write", + "description": "Grants permission to check in license entitlements back to pool", + "privilege": "CheckInLicense", "resource_types": [ { "condition_keys": [], @@ -98393,20 +108811,20 @@ }, { "access_level": "Write", - "description": "Create a new project from the previously exported project configuration", - "privilege": "ImportProject", + "description": "Grants permission to check out license entitlements for borrow use case", + "privilege": "CheckoutBorrowLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Install a bundle in the project deployments S3 bucket", - "privilege": "InstallBundle", + "description": "Grants permission to check out license entitlements", + "privilege": "CheckoutLicense", "resource_types": [ { "condition_keys": [], 
@@ -98416,33 +108834,33 @@ ] }, { - "access_level": "List", - "description": "List the available SaaS (Software as a Service) connectors", - "privilege": "ListAvailableConnectors", + "access_level": "Write", + "description": "Grants permission to create a new grant for license", + "privilege": "CreateGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { - "access_level": "List", - "description": "List available features", - "privilege": "ListAvailableFeatures", + "access_level": "Write", + "description": "Grants permission to create new version of grant", + "privilege": "CreateGrantVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "grant*" } ] }, { - "access_level": "List", - "description": "List available regions for projects", - "privilege": "ListAvailableRegions", + "access_level": "Write", + "description": "Grants permission to create a new license", + "privilege": "CreateLicense", "resource_types": [ { "condition_keys": [], @@ -98452,21 +108870,24 @@ ] }, { - "access_level": "List", - "description": "List the available download bundles", - "privilege": "ListBundles", + "access_level": "Tagging", + "description": "Grants permission to create a new license configuration", + "privilege": "CreateLicenseConfiguration", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "List saved snapshots of project configuration", - "privilege": "ListProjectSnapshots", + "access_level": "Write", + "description": "Grants permission to create a report generator for a license configuration", + "privilege": "CreateLicenseManagerReportGenerator", "resource_types": [ { "condition_keys": [], 
@@ -98476,1804 +108897,1586 @@ ] }, { - "access_level": "List", - "description": "List projects", - "privilege": "ListProjects", + "access_level": "Write", + "description": "Grants permission to create new version of license.", + "privilege": "CreateLicenseVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Synchronize state of resources into project", - "privilege": "SynchronizeProject", + "description": "Grants permission to create a new token for license", + "privilege": "CreateToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "license*" } ] }, { "access_level": "Write", - "description": "Update project", - "privilege": "UpdateProject", + "description": "Deletes a grant", + "privilege": "DeleteGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "grant*" } ] }, { - "access_level": "Read", - "description": "Validate a mobile hub project.", - "privilege": "ValidateProject", + "access_level": "Write", + "description": "Grants permission to delete a license", + "privilege": "DeleteLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { - "access_level": "Read", - "description": "Verify AWS Mobile Hub is enabled in the account", - "privilege": "VerifyServiceRole", + "access_level": "Write", + "description": "Grants permission to permanently delete a license configuration", + "privilege": "DeleteLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "license-configuration*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mobilehub:${Region}:${Account}:project/${ProjectId}", - "condition_keys": [], - "resource": "project" 
- } - ], - "service_name": "AWS Mobile Hub" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the pinpoint service.", - "type": "String" }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the pinpoint service.", - "type": "String" - } - ], - "prefix": "mobiletargeting", - "privileges": [ { "access_level": "Write", - "description": "Create an app.", - "privilege": "CreateApp", + "description": "Grants permission to delete a report generator", + "privilege": "DeleteLicenseManagerReportGenerator", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "report-generator*" } ] }, { "access_level": "Write", - "description": "Create a campaign for an app.", - "privilege": "CreateCampaign", + "description": "Grants permission to delete token", + "privilege": "DeleteToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create an email template.", - "privilege": "CreateEmailTemplate", + "description": "Grants permission to extend consumption period of already checkout license entitlements", + "privilege": "ExtendLicenseConsumption", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], 
"resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create an export job that exports endpoint definitions to Amazon S3.", - "privilege": "CreateExportJob", + "access_level": "Read", + "description": "Grants permission to get access token", + "privilege": "GetAccessToken", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Import endpoint definitions from to create a segment.", - "privilege": "CreateImportJob", + "access_level": "Read", + "description": "Grants permission to get a grant", + "privilege": "GetGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "grant*" } ] }, { - "access_level": "Write", - "description": "Create a Journey for an app.", - "privilege": "CreateJourney", + "access_level": "Read", + "description": "Grants permission to get a license", + "privilege": "GetLicense", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { - "access_level": "Write", - "description": "Create a push notification template.", - "privilege": "CreatePushTemplate", + "access_level": "Read", + "description": "Grants permission to get a license configuration", + "privilege": "GetLicenseConfiguration", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Write", - "description": "Create an Amazon Pinpoint configuration for a recommender model.", - "privilege": "CreateRecommenderConfiguration", + "access_level": 
"Read", + "description": "Grants permission to get a report generator", + "privilege": "GetLicenseManagerReportGenerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "report-generator*" } ] }, { - "access_level": "Write", - "description": "Create a segment that is based on endpoint data reported to Pinpoint by your app. To allow a user to create a segment by importing endpoint data from outside of Pinpoint, allow the mobiletargeting:CreateImportJob action.", - "privilege": "CreateSegment", + "access_level": "Read", + "description": "Grants permission to get a license usage", + "privilege": "GetLicenseUsage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "license*" } ] }, { - "access_level": "Write", - "description": "Create an sms message template.", - "privilege": "CreateSmsTemplate", + "access_level": "List", + "description": "Grants permission to get service settings", + "privilege": "GetServiceSettings", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create a voice message template.", - "privilege": "CreateVoiceTemplate", + "access_level": "List", + "description": "Grants permission to list associations for a selected license configuration", + "privilege": "ListAssociationsForLicenseConfiguration", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Write", 
- "description": "Delete the ADM channel for an app.", - "privilege": "DeleteAdmChannel", + "access_level": "List", + "description": "Grants permission to list distributed grants", + "privilege": "ListDistributedGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete the APNs channel for an app.", - "privilege": "DeleteApnsChannel", + "access_level": "List", + "description": "Grants permission to list the license configuration operations that failed", + "privilege": "ListFailuresForLicenseConfigurationOperations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Write", - "description": "Delete the APNs sandbox channel for an app.", - "privilege": "DeleteApnsSandboxChannel", + "access_level": "List", + "description": "Grants permission to list license configurations", + "privilege": "ListLicenseConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete the APNs VoIP channel for an app.", - "privilege": "DeleteApnsVoipChannel", + "access_level": "List", + "description": "Grants permission to list report generators", + "privilege": "ListLicenseManagerReportGenerators", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "license-configuration" } ] }, { - "access_level": "Write", - "description": "Delete the APNs VoIP sandbox channel for an app.", - "privilege": "DeleteApnsVoipSandboxChannel", + "access_level": "List", + "description": "Grants permission to list license specifications associated with a selected resource", + "privilege": "ListLicenseSpecificationsForResource", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete a specific campaign.", - "privilege": "DeleteApp", + "access_level": "List", + "description": "Grants permission to list license versions", + "privilege": "ListLicenseVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "license*" } ] }, { - "access_level": "Write", - "description": "Delete the Baidu channel for an app.", - "privilege": "DeleteBaiduChannel", + "access_level": "List", + "description": "Grants permission to list licenses", + "privilege": "ListLicenses", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete a specific campaign.", - "privilege": "DeleteCampaign", + "access_level": "List", + "description": "Grants permission to list received grants", + "privilege": "ListReceivedGrants", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete the email channel for an app.", - "privilege": "DeleteEmailChannel", + "access_level": "List", + "description": "Grants permission to list received licenses", + "privilege": "ListReceivedLicenses", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete an email template or an email template version.", - "privilege": "DeleteEmailTemplate", + "access_level": "List", + "description": "Grants permission to list resource inventory", + "privilege": "ListResourceInventory", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"templates*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete an endpoint.", - "privilege": "DeleteEndpoint", + "access_level": "List", + "description": "Grants permission to list tags for a selected resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "license-configuration*" } ] }, { - "access_level": "Write", - "description": "Delete the event stream for an app.", - "privilege": "DeleteEventStream", + "access_level": "List", + "description": "Grants permission to list tokens", + "privilege": "ListTokens", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete the GCM channel for an app.", - "privilege": "DeleteGcmChannel", + "access_level": "List", + "description": "Grants permission to list usage records for selected license configuration", + "privilege": "ListUsageForLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "license-configuration*" } ] }, { "access_level": "Write", - "description": "Delete a specific journey.", - "privilege": "DeleteJourney", + "description": "Grants permission to reject a grant", + "privilege": "RejectGrant", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "journeys*" + "resource_type": "grant*" } ] }, { - "access_level": "Write", - "description": "Delete a push notification template or a push notification template version.", - "privilege": "DeletePushTemplate", + "access_level": "Tagging", + "description": "Grants permission to tag a selected resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "templates*" + "resource_type": "license-configuration*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete an Amazon Pinpoint configuration for a recommender model.", - "privilege": "DeleteRecommenderConfiguration", + "access_level": "Tagging", + "description": "Grants permission to untag a selected resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recommenders*" + "resource_type": "license-configuration*" } ] }, { "access_level": "Write", - "description": "Delete a specific segment.", - "privilege": "DeleteSegment", + "description": "Grants permission to update an existing license configuration", + "privilege": "UpdateLicenseConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "license-configuration*" } ] }, { "access_level": "Write", - "description": "Delete the SMS channel for an app.", - "privilege": "DeleteSmsChannel", + "description": "Grants permission to update a report generator for a license configuration", + "privilege": "UpdateLicenseManagerReportGenerator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "report-generator*" } ] }, { "access_level": "Write", - "description": "Delete an sms message template or an sms message template version.", - "privilege": "DeleteSmsTemplate", + "description": "Grants permission to updates license specifications for a selected resource", + "privilege": "UpdateLicenseSpecificationsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "license-configuration*" } ] }, { - 
"access_level": "Write", - "description": "Delete all of the endpoints that are associated with a user ID.", - "privilege": "DeleteUserEndpoints", + "access_level": "Permissions management", + "description": "Grants permission to updates service settings", + "privilege": "UpdateServiceSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:license-manager:${Region}:${Account}:license-configuration:${LicenseConfigurationId}", + "condition_keys": [ + "license-manager:ResourceTag/${TagKey}" + ], + "resource": "license-configuration" + }, + { + "arn": "arn:${Partition}:license-manager::${Account}:license:${LicenseId}", + "condition_keys": [], + "resource": "license" + }, + { + "arn": "arn:${Partition}:license-manager::${Account}:grant:${GrantId}", + "condition_keys": [], + "resource": "grant" + }, + { + "arn": "arn:${Partition}:license-manager:${Region}:${Account}:report-generator:${ReportGeneratorId}", + "condition_keys": [ + "license-manager:ResourceTag/${TagKey}" + ], + "resource": "report-generator" + } + ], + "service_name": "AWS License Manager" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "lightsail", + "privileges": [ { "access_level": "Write", - "description": "Delete the Voice channel for an app.", - "privilege": "DeleteVoiceChannel", + "description": "Grants permission to create a static IP address that can be attached to an instance", + "privilege": 
"AllocateStaticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "StaticIp*" } ] }, { "access_level": "Write", - "description": "Delete a voice message template or a voice message template version.", - "privilege": "DeleteVoiceTemplate", + "description": "Grants permission to attach an SSL/TLS certificate to your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "AttachCertificateToDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" - } - ] - }, - { - "access_level": "Read", - "description": "Retrieve information about the Amazon Device Messaging (ADM) channel for an app.", - "privilege": "GetAdmChannel", - "resource_types": [ + "resource_type": "Certificate*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Distribution*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the APNs channel for an app.", - "privilege": "GetApnsChannel", + "access_level": "Write", + "description": "Grants permission to attach a disk to an instance", + "privilege": "AttachDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - } - ] - }, - { - "access_level": "Read", - "description": "Retrieve information about the APNs sandbox channel for an app.", - "privilege": "GetApnsSandboxChannel", - "resource_types": [ + "resource_type": "Disk*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Instance*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the APNs VoIP channel for an app.", - "privilege": "GetApnsVoipChannel", + "access_level": "Write", + "description": "Grants permission to attach one or more instances to a load balancer", + "privilege": "AttachInstancesToLoadBalancer", "resource_types": [ { "condition_keys": 
[], "dependent_actions": [], - "resource_type": "apps*" - } - ] - }, - { - "access_level": "Read", - "description": "Retrieve information about the APNs VoIP sandbox channel for an app.", - "privilege": "GetApnsVoipSandboxChannel", - "resource_types": [ + "resource_type": "Instance*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "LoadBalancer*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific app in your Amazon Pinpoint account.", - "privilege": "GetApp", + "access_level": "Write", + "description": "Grants permission to attach a TLS certificate to a load balancer", + "privilege": "AttachLoadBalancerTlsCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "LoadBalancer*" } ] }, { - "access_level": "List", - "description": "Retrieve the default settings for an app.", - "privilege": "GetApplicationSettings", + "access_level": "Write", + "description": "Grants permission to attach a static IP address to an instance", + "privilege": "AttachStaticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - } - ] - }, - { - "access_level": "List", - "description": "Retrieve a list of apps in your Amazon Pinpoint account.", - "privilege": "GetApps", - "resource_types": [ + "resource_type": "Instance*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "StaticIp*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the Baidu channel for an app.", - "privilege": "GetBaiduChannel", + "access_level": "Write", + "description": "Grants permission to close a public port of an instance", + "privilege": "CloseInstancePublicPorts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Instance*" } ] }, { - "access_level": "Read", - 
"description": "Retrieve information about a specific campaign.", - "privilege": "GetCampaign", + "access_level": "Write", + "description": "Grants permission to copy a snapshot from one AWS Region to another in Amazon Lightsail", + "privilege": "CopySnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "DiskSnapshot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "InstanceSnapshot" } ] }, { - "access_level": "List", - "description": "Retrieve information about the activities performed by a campaign.", - "privilege": "GetCampaignActivities", + "access_level": "Write", + "description": "Grants permission to create an Amazon Lightsail bucket", + "privilege": "CreateBucket", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Bucket*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific campaign version.", - "privilege": "GetCampaignVersion", + "access_level": "Write", + "description": "Grants permission to create a new access key for the specified bucket", + "privilege": "CreateBucketAccessKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "Bucket*" } ] }, { - "access_level": "List", - "description": "Retrieve information about the current and prior versions of a campaign.", - "privilege": "GetCampaignVersions", + "access_level": "Write", + "description": "Grants permission to create an SSL/TLS certificate", + "privilege": "CreateCertificate", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns*" + "resource_type": "Certificate*" } ] }, { - "access_level": "List", - "description": "Retrieve information about all campaigns for an app.", - "privilege": "GetCampaigns", + "access_level": "Write", + "description": "Grants permission to create a new Amazon EC2 instance from an exported Amazon Lightsail snapshot", + "privilege": "CreateCloudFormationStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "ExportSnapshotRecord*" } ] }, { - "access_level": "List", - "description": "Get all channels information for your app.", - "privilege": "GetChannels", + "access_level": "Write", + "description": "Grants permission to create an email or SMS text message contact method", + "privilege": "CreateContactMethod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Obtain information about the email channel in an app.", - "privilege": "GetEmailChannel", + "access_level": "Write", + "description": "Grants permission to create an Amazon Lightsail container service", + "privilege": "CreateContainerService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "ContainerService*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific or the active version of an email template.", - "privilege": "GetEmailTemplate", + "access_level": "Write", + "description": "Grants permission to create a deployment for your Amazon Lightsail container service", + "privilege": "CreateContainerServiceDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "ContainerService*" } ] }, { - 
"access_level": "Read", - "description": "Retrieve information about a specific endpoint.", - "privilege": "GetEndpoint", + "access_level": "Write", + "description": "Grants permission to create a temporary set of log in credentials that you can use to log in to the Docker process on your local machine", + "privilege": "CreateContainerServiceRegistryLogin", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the event stream for an app.", - "privilege": "GetEventStream", + "access_level": "Write", + "description": "Grants permission to create a disk", + "privilege": "CreateDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Disk*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Obtain information about a specific export job.", - "privilege": "GetExportJob", + "access_level": "Write", + "description": "Grants permission to create a disk from snapshot", + "privilege": "CreateDiskFromSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Disk*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve a list of all of the export jobs for an app.", - "privilege": "GetExportJobs", + "access_level": "Write", + "description": "Grants permission to create a disk snapshot", + "privilege": "CreateDiskSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Disk*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + 
"dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about the GCM channel for an app.", - "privilege": "GetGcmChannel", + "access_level": "Write", + "description": "Grants permission to create an Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "CreateDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Distribution*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific import job.", - "privilege": "GetImportJob", + "access_level": "Write", + "description": "Grants permission to create a domain resource for the specified domain name", + "privilege": "CreateDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Domain*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about all import jobs for an app.", - "privilege": "GetImportJobs", + "access_level": "Write", + "description": "Grants permission to create one or more DNS record entries for a domain resource: Address (A), canonical name (CNAME), mail exchanger (MX), name server (NS), start of authority (SOA), service locator (SRV), or text (TXT)", + "privilege": "CreateDomainEntry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Domain*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific journey.", - "privilege": "GetJourney", + "access_level": "Write", + "description": "Grants permission to create an instance snapshot", + "privilege": "CreateInstanceSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": 
"Instance*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "journeys*" + "resource_type": "InstanceSnapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific or the active version of an push notification template.", - "privilege": "GetPushTemplate", + "access_level": "Write", + "description": "Grants permission to create one or more instances", + "privilege": "CreateInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "KeyPair*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about an Amazon Pinpoint configuration for a recommender model.", - "privilege": "GetRecommenderConfiguration", + "access_level": "Write", + "description": "Grants permission to create one or more instances based on an instance snapshot", + "privilege": "CreateInstancesFromSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recommenders*" - } - ] - }, - { - "access_level": "List", - "description": "Retrieve information about all the recommender model configurations that are associated with an Amazon Pinpoint account.", - "privilege": "GetRecommenderConfigurations", - "resource_types": [ + "resource_type": "Instance*" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "InstanceSnapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific segment.", - "privilege": "GetSegment", + "access_level": "Write", + "description": "Grants 
permission to create a key pair used to authenticate and connect to an instance", + "privilege": "CreateKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "KeyPair*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about jobs that export endpoint definitions from segments to Amazon S3.", - "privilege": "GetSegmentExportJobs", + "access_level": "Write", + "description": "Grants permission to create a load balancer", + "privilege": "CreateLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "LoadBalancer*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about jobs that create segments by importing endpoint definitions from .", - "privilege": "GetSegmentImportJobs", + "access_level": "Write", + "description": "Grants permission to create a load balancer TLS certificate", + "privilege": "CreateLoadBalancerTlsCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "LoadBalancer*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific segment version.", - "privilege": "GetSegmentVersion", + "access_level": "Write", + "description": "Grants permission to create a new relational database", + "privilege": "CreateRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" 
+ "resource_type": "RelationalDatabase*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about the current and prior versions of a segment.", - "privilege": "GetSegmentVersions", + "access_level": "Write", + "description": "Grants permission to create a new relational database from a snapshot", + "privilege": "CreateRelationalDatabaseFromSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "RelationalDatabase*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "segments*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieve information about the segments for an app.", - "privilege": "GetSegments", + "access_level": "Write", + "description": "Grants permission to create a relational database snapshot", + "privilege": "CreateRelationalDatabaseSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "RelationalDatabaseSnapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Obtain information about the SMS channel in an app.", - "privilege": "GetSmsChannel", + "access_level": "Write", + "description": "Grants permission to delete an alarm", + "privilege": "DeleteAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Alarm*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific or the active version of an sms message template.", - "privilege": "GetSmsTemplate", + 
"access_level": "Write", + "description": "Grants permission to delete an automatic snapshot of an instance or disk", + "privilege": "DeleteAutoSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" - } - ] - }, - { - "access_level": "Read", - "description": "Retrieve information about the endpoints that are associated with a user ID.", - "privilege": "GetUserEndpoints", - "resource_types": [ + "resource_type": "Disk" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Instance" } ] }, { - "access_level": "Read", - "description": "Obtain information about the Voice channel in an app.", - "privilege": "GetVoiceChannel", + "access_level": "Write", + "description": "Grants permission to delete an Amazon Lightsail bucket", + "privilege": "DeleteBucket", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Bucket*" } ] }, { - "access_level": "Read", - "description": "Retrieve information about a specific or the active version of a voice message template.", - "privilege": "GetVoiceTemplate", + "access_level": "Write", + "description": "Grants permission to delete an access key for the specified Amazon Lightsail bucket", + "privilege": "DeleteBucketAccessKey", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "Bucket*" } ] }, { - "access_level": "List", - "description": "Retrieve information about all journeys for an app.", - "privilege": "ListJourneys", + "access_level": "Write", + "description": "Grants permission to delete an SSL/TLS certificate", + "privilege": "DeleteCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Certificate*" } ] }, { - "access_level": "List", - "description": "List tags for a resource.", - "privilege": "ListTagsForResource", + 
"access_level": "Write", + "description": "Grants permission to delete a contact method", + "privilege": "DeleteContactMethod", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments" + "resource_type": "ContactMethod*" } ] }, { - "access_level": "List", - "description": "Retrieve all versions about a specific template.", - "privilege": "ListTemplateVersions", + "access_level": "Write", + "description": "Grants permission to delete a container image that is registered to your Amazon Lightsail container service", + "privilege": "DeleteContainerImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "ContainerService*" } ] }, { - "access_level": "List", - "description": "Retrieve metadata about the queried templates.", - "privilege": "ListTemplates", + "access_level": "Write", + "description": "Grants permission to delete your Amazon Lightsail container service", + "privilege": "DeleteContainerService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "ContainerService*" } ] }, { - "access_level": "Read", - "description": "Obtain metadata for a phone number, such as the number type (mobile, landline, or VoIP), location, and provider.", - "privilege": "PhoneNumberValidate", + "access_level": "Write", + "description": "Grants permission to delete a disk", + "privilege": "DeleteDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Disk*" } ] }, { "access_level": "Write", - "description": "Create or update an event stream for an app.", - "privilege": "PutEventStream", + "description": "Grants permission to delete a disk snapshot", + "privilege": 
"DeleteDiskSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Disk*" } ] }, { "access_level": "Write", - "description": "Create or update events for an app.", - "privilege": "PutEvents", + "description": "Grants permission to delete your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "DeleteDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "Used to remove the attributes for an app.", - "privilege": "RemoveAttributes", + "description": "Grants permission to delete a domain resource and all of its DNS records", + "privilege": "DeleteDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Domain*" } ] }, { "access_level": "Write", - "description": "Send an SMS message or push notification to specific endpoints.", - "privilege": "SendMessages", + "description": "Grants permission to delete a DNS record entry for a domain resource", + "privilege": "DeleteDomainEntry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Domain*" } ] }, { "access_level": "Write", - "description": "Send an SMS message or push notification to all endpoints that are associated with a specific user ID.", - "privilege": "SendUsersMessages", + "description": "Grants permission to delete an instance", + "privilege": "DeleteInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Instance*" } ] }, { - "access_level": "Tagging", - "description": "Adds tags to a resource.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to delete an instance snapshot", + "privilege": "DeleteInstanceSnapshot", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "InstanceSnapshot*" } ] }, { - "access_level": "Tagging", - "description": "Removes tags from a resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to delete a key pair used to authenticate and connect to an instance", + "privilege": "DeleteKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "campaigns" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "KeyPair*" } ] }, { "access_level": "Write", - "description": "Update the Amazon Device Messaging (ADM) channel for an app.", - "privilege": "UpdateAdmChannel", + "description": "Grants permission to delete the known host key or certificate used by the Amazon Lightsail browser-based SSH or RDP clients to authenticate an instance", + "privilege": "DeleteKnownHostKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) channel for an app.", - "privilege": "UpdateApnsChannel", + "description": "Grants permission to delete a load balancer", + "privilege": "DeleteLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "apps*" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) sandbox channel for an app.", - "privilege": "UpdateApnsSandboxChannel", + "description": "Grants permission to delete a load balancer TLS certificate", + "privilege": "DeleteLoadBalancerTlsCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) VoIP channel for an app.", - "privilege": "UpdateApnsVoipChannel", + "description": "Grants permission to delete a relational database", + "privilege": "DeleteRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "RelationalDatabase*" } ] }, { "access_level": "Write", - "description": "Update the Apple Push Notification service (APNs) VoIP sandbox channel for an app.", - "privilege": "UpdateApnsVoipSandboxChannel", + "description": "Grants permission to delete a relational database snapshot", + "privilege": "DeleteRelationalDatabaseSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "RelationalDatabaseSnapshot*" } ] }, { "access_level": "Write", - "description": "Update the default settings for an app.", - "privilege": "UpdateApplicationSettings", + "description": "Grants permission to detach an SSL/TLS certificate from your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "DetachCertificateFromDistribution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "Update the Baidu channel for an app.", - "privilege": "UpdateBaiduChannel", + "description": "Grants 
permission to detach a disk from an instance", + "privilege": "DetachDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Disk*" } ] }, { "access_level": "Write", - "description": "Update a specific campaign.", - "privilege": "UpdateCampaign", + "description": "Grants permission to detach one or more instances from a load balancer", + "privilege": "DetachInstancesFromLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Instance*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaigns*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Write", - "description": "Update the email channel for an app.", - "privilege": "UpdateEmailChannel", + "description": "Grants permission to detach a static IP from an instance to which it is attached", + "privilege": "DetachStaticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StaticIp*" } ] }, { "access_level": "Write", - "description": "Update a specific email template under the same version or generate a new version.", - "privilege": "UpdateEmailTemplate", + "description": "Grants permission to disable an add-on for an Amazon Lightsail resource", + "privilege": "DisableAddOn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "Disk" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance" } ] }, { "access_level": "Write", - "description": "Create an endpoint or update 
the information for an endpoint.", - "privilege": "UpdateEndpoint", + "description": "Grants permission to download the default key pair used to authenticate and connect to instances in a specific AWS Region", + "privilege": "DownloadDefaultKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "KeyPair*" } ] }, { "access_level": "Write", - "description": "Create or update endpoints as a batch operation.", - "privilege": "UpdateEndpointsBatch", + "description": "Grants permission to enable or modify an add-on for an Amazon Lightsail resource", + "privilege": "EnableAddOn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "Disk" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Instance" } ] }, { "access_level": "Write", - "description": "Update the Firebase Cloud Messaging (FCM) or Google Cloud Messaging (GCM) API key that allows to send push notifications to your Android app.", - "privilege": "UpdateGcmChannel", + "description": "Grants permission to export an Amazon Lightsail snapshot to Amazon EC2", + "privilege": "ExportSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific journey.", - "privilege": "UpdateJourney", + "access_level": "Read", + "description": "Grants permission to get the names of all active (not deleted) resources", + "privilege": "GetActiveNames", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "journeys*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific journey 
state.", - "privilege": "UpdateJourneyState", + "access_level": "Read", + "description": "Grants permission to view information about the configured alarms", + "privilege": "GetAlarms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "journeys*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific push notification template under the same version or generate a new version.", - "privilege": "UpdatePushTemplate", + "access_level": "Read", + "description": "Grants permission to view the available automatic snapshots for an instance or disk", + "privilege": "GetAutoSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update an Amazon Pinpoint configuration for a recommender model.", - "privilege": "UpdateRecommenderConfiguration", + "access_level": "Read", + "description": "Grants permission to get a list of instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a pre-installed application or development stack. 
The software that runs on your instance depends on the blueprint you define when creating the instance", + "privilege": "GetBlueprints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recommenders*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific segment.", - "privilege": "UpdateSegment", + "access_level": "Read", + "description": "Grants permission to get the existing access key IDs for the specified Amazon Lightsail bucket", + "privilege": "GetBucketAccessKeys", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "segments*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update the SMS channel for an app.", - "privilege": "UpdateSmsChannel", + "access_level": "Read", + "description": "Grants permission to get the bundles that can be applied to an Amazon Lightsail bucket", + "privilege": "GetBucketBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific sms message template under the same version or generate a new version.", - "privilege": "UpdateSmsTemplate", + "access_level": "Read", + "description": "Grants permission to get the data points of a specific metric for an Amazon Lightsail bucket", + "privilege": "GetBucketMetricData", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Upate the active version parameter of a specific template.", - 
"privilege": "UpdateTemplateActiveVersion", + "access_level": "Read", + "description": "Grants permission to get information about one or more Amazon Lightsail buckets", + "privilege": "GetBuckets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update the Voice channel for an app.", - "privilege": "UpdateVoiceChannel", + "access_level": "Read", + "description": "Grants permission to get a list of instance bundles. You can use a bundle to create a new instance with a set of performance specifications, such as CPU count, disk size, RAM size, and network transfer allowance. The cost of your instance depends on the bundle you define when creating the instance", + "privilege": "GetBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "apps*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Update a specific voice message template under the same version or generate a new version.", - "privilege": "UpdateVoiceTemplate", + "access_level": "Read", + "description": "Grants permission to view information about one or more Amazon Lightsail SSL/TLS certificates", + "privilege": "GetCertificates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "templates*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "apps" - }, - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/campaigns/${CampaignId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "campaigns" - }, - { - "arn": 
"arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/journeys/${JourneyId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "journeys" - }, - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/segments/${SegmentId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "segments" - }, - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/${ChannelType}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "templates" - }, - { - "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:recommenders/${RecommenderId}", - "condition_keys": [], - "resource": "recommenders" - } - ], - "service_name": "Amazon Pinpoint" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by the tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by the tags attached to the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions by the tag keys in the request", - "type": "String" - } - ], - "prefix": "monitron", - "privileges": [ - { - "access_level": "Permissions management", - "description": "Grants permission to associate a user with the project as an administrator", - "privilege": "AssociateProjectAdminUser", + "access_level": "Read", + "description": "Grants permission to get information about all CloudFormation stacks used to create Amazon EC2 resources from exported Amazon Lightsail snapshots", + "privilege": "GetCloudFormationStackRecords", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:AssociateProfile", - "sso:GetManagedApplicationInstance", - "sso:GetProfile", - "sso:ListDirectoryAssociations", - "sso:ListProfiles" - ], - "resource_type": "project*" + "dependent_actions": [], + 
"resource_type": "CloudFormationStackRecord*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a project", - "privilege": "CreateProject", + "access_level": "Read", + "description": "Grants permission to view information about the configured contact methods", + "privilege": "GetContactMethods", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole", - "kms:CreateGrant", - "sso:CreateManagedApplicationInstance", - "sso:DeleteManagedApplicationInstance" - ], + "condition_keys": [], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a project", - "privilege": "DeleteProject", + "access_level": "Read", + "description": "Grants permission to view information about Amazon Lightsail containers, such as the current version of the Lightsail Control (lightsailctl) plugin", + "privilege": "GetContainerAPIMetadata", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso:DeleteManagedApplicationInstance" - ], - "resource_type": "project*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to disassociate an administrator from the project", - "privilege": "DisassociateProjectAdminUser", + "access_level": "Read", + "description": "Grants permission to view the container images that are registered to your Amazon Lightsail container service", + "privilege": "GetContainerImages", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:DisassociateProfile", - "sso:GetManagedApplicationInstance", - "sso:GetProfile", - "sso:ListDirectoryAssociations", - "sso:ListProfiles" - ], - "resource_type": "project*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission 
to get information about a project", - "privilege": "GetProject", + "description": "Grants permission to view the log events of a container of your Amazon Lightsail container service", + "privilege": "GetContainerLog", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an administrator who is associated with the project", - "privilege": "GetProjectAdminUser", + "description": "Grants permission to view the deployments for your Amazon Lightsail container service", + "privilege": "GetContainerServiceDeployments", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:GetManagedApplicationInstance" - ], - "resource_type": "project*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to list all administrators associated with the project", - "privilege": "ListProjectAdminUsers", + "access_level": "Read", + "description": "Grants permission to view the data points of a specific metric of your Amazon Lightsail container service", + "privilege": "GetContainerServiceMetricData", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "sso-directory:DescribeUsers", - "sso:GetManagedApplicationInstance" - ], - "resource_type": "project*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all projects", - "privilege": "ListProjects", + "access_level": "Read", + "description": "Grants permission to view the list of powers that can be specified for your Amazon Lightsail container services", + "privilege": "GetContainerServicePowers", "resource_types": [ { "condition_keys": [], 
@@ -100284,350 +110487,332 @@ }, { "access_level": "Read", - "description": "Grants permission to list all tags for a resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to view information about one or more of your Amazon Lightsail container services", + "privilege": "GetContainerServices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to get information about a disk", + "privilege": "GetDisk", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" - }, + "resource_type": "Disk*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a disk snapshot", + "privilege": "GetDiskSnapshot", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Disk*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a resource", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to get information about all disk snapshots", + "privilege": "GetDiskSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project" - }, + "resource_type": "Disk*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about all disks", + "privilege": "GetDisks", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - 
"description": "Grants permission to update a project", - "privilege": "UpdateProject", + "access_level": "Read", + "description": "Grants permission to view the list of bundles that can be applied to you Amazon Lightsail content delivery network (CDN) distributions", + "privilege": "GetDistributionBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the timestamp and status of the last cache reset of a specific Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "GetDistributionLatestCacheReset", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:monitron:${Region}:${Account}:project/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "project" - } - ], - "service_name": "Amazon Monitron" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view the data points of a specific metric for an Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "GetDistributionMetricData", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "aws:TagKeys", - "description": "", - "type": "String" - } - ], - "prefix": "mq", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a broker.", - "privilege": "CreateBroker", + "access_level": "Read", + "description": "Grants permission to view information about one or more of your Amazon 
Lightsail content delivery network (CDN) distributions", + "privilege": "GetDistributions", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:CreateSecurityGroup", - "ec2:CreateVpcEndpoint", - "ec2:DescribeInternetGateways", - "ec2:DescribeNetworkInterfacePermissions", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:ModifyNetworkInterfaceAttribute", - "iam:CreateServiceLinkedRole", - "route53:AssociateVPCWithHostedZone" - ], + "condition_keys": [], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and engine version).", - "privilege": "CreateConfiguration", + "access_level": "Read", + "description": "Grants permission to get DNS records for a domain resource", + "privilege": "GetDomain", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Domain*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create tags.", - "privilege": "CreateTags", + "access_level": "Read", + "description": "Grants permission to get DNS records for all domain resources", + "privilege": "GetDomains", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers" - }, + "resource_type": "Domain*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about all records of exported Amazon Lightsail snapshots to Amazon EC2", + "privilege": "GetExportSnapshotRecords", + "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "configurations" - }, + "resource_type": "ExportSnapshotRecord*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about an instance", + "privilege": "GetInstance", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an ActiveMQ user.", - "privilege": "CreateUser", + "description": "Grants permission to get temporary keys you can use to authenticate and connect to an instance", + "privilege": "GetInstanceAccessDetails", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "Instance*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a broker.", - "privilege": "DeleteBroker", + "access_level": "Read", + "description": "Grants permission to get the data points for the specified metric of an instance", + "privilege": "GetInstanceMetricData", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DeleteNetworkInterface", - "ec2:DeleteNetworkInterfacePermission", - "ec2:DeleteVpcEndpoints", - "ec2:DetachNetworkInterface" - ], - "resource_type": "brokers*" + "dependent_actions": [], + "resource_type": "Instance*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete tags.", - "privilege": "DeleteTags", + "access_level": "Read", + "description": "Grants permission to get the port states of an instance", + "privilege": "GetInstancePortStates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers" - }, + "resource_type": "Instance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about an instance snapshot", + "privilege": 
"GetInstanceSnapshot", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations" - }, + "resource_type": "InstanceSnapshot*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about all instance snapshots", + "privilege": "GetInstanceSnapshots", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "InstanceSnapshot*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an ActiveMQ user.", - "privilege": "DeleteUser", + "access_level": "Read", + "description": "Grants permission to get the state of an instance", + "privilege": "GetInstanceState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "Instance*" } ] }, { "access_level": "Read", - "description": "Grants permission to return information about the specified broker.", - "privilege": "DescribeBroker", + "description": "Grants permission to get information about all instances", + "privilege": "GetInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "Instance*" } ] }, { "access_level": "Read", - "description": "Grants permission to return information about broker engines.", - "privilege": "DescribeBrokerEngineTypes", + "description": "Grants permission to get information about a key pair", + "privilege": "GetKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "KeyPair*" } ] }, { "access_level": "Read", - "description": "Grants permission to return information about the broker instance options", - "privilege": "DescribeBrokerInstanceOptions", + "description": "Grants permission to get information about all key pairs", + "privilege": "GetKeyPairs", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "KeyPair*" } ] }, { "access_level": "Read", - "description": "Grants permission to return information about the specified configuration.", - "privilege": "DescribeConfiguration", + "description": "Grants permision to get information about a load balancer", + "privilege": "GetLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Read", - "description": "Grants permission to return the specified configuration revision for the specified configuration.", - "privilege": "DescribeConfigurationRevision", + "description": "Grants permission to get the data points for the specified metric of a load balancer", + "privilege": "GetLoadBalancerMetricData", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" + "resource_type": "LoadBalancer*" } ] }, { "access_level": "Read", - "description": "Grants permission to return information about an ActiveMQ user.", - "privilege": "DescribeUser", + "description": "Grants permission to get information about a load balancer's TLS certificates", + "privilege": "GetLoadBalancerTlsCertificates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "LoadBalancer*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of all brokers.", - "privilege": "ListBrokers", + "access_level": "Read", + "description": "Grants permission to get information about load balancers", + "privilege": "GetLoadBalancers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "LoadBalancer*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of all existing revisions for the specified configuration.", - 
"privilege": "ListConfigurationRevisions", + "access_level": "Read", + "description": "Grants permission to get information about an operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on", + "privilege": "GetOperation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of all configurations.", - "privilege": "ListConfigurations", + "access_level": "Read", + "description": "Grants permission to get information about all operations. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on", + "privilege": "GetOperations", "resource_types": [ { "condition_keys": [], 
@@ -100637,527 +110822,502 @@ ] }, { - "access_level": "List", - "description": "Grants permission to return a list of tags.", - "privilege": "ListTags", + "access_level": "Read", + "description": "Grants permission to get operations for a resource", + "privilege": "GetOperationsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers" + "resource_type": "Domain" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations" + "resource_type": "Instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "InstanceSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "KeyPair" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StaticIp" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of all ActiveMQ users.", - "privilege": "ListUsers", + "access_level": "Read", + "description": "Grants permission to get a list of all valid AWS Regions for Amazon Lightsail", + "privilege": "GetRegions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to reboot a broker.", - "privilege": "RebootBroker", + "access_level": "Read", + "description": "Grants permission to get information about a relational database", + "privilege": "GetRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add a pending configuration change to a broker.", - "privilege": "UpdateBroker", + "access_level": "Read", + "description": "Grants permission to get a list of relational database images, or blueprints. 
You can use a blueprint to create a new database running a specific database engine. The database engine that runs on your database depends on the blueprint you define when creating the relational database", + "privilege": "GetRelationalDatabaseBlueprints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the specified configuration.", - "privilege": "UpdateConfiguration", + "access_level": "Read", + "description": "Grants permission to get a list of relational database bundles. You can use a bundle to create a new database with a set of performance specifications, such as CPU count, disk size, RAM size, network transfer allowance, and standard of high availability. The cost of your database depends on the bundle you define when creating the relational database", + "privilege": "GetRelationalDatabaseBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configurations*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the information for an ActiveMQ user.", - "privilege": "UpdateUser", + "access_level": "Read", + "description": "Grants permission to get events for a relational database", + "privilege": "GetRelationalDatabaseEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "brokers*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:mq:${Region}:${Account}:broker:${broker-id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "brokers" }, { - "arn": "arn:${Partition}:mq:${Region}:${Account}:configuration:${configuration-id}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "configurations" - } - ], - "service_name": "Amazon MQ" - }, - { - "conditions": [], - "prefix": "neptune-db", - 
"privileges": [ - { - "access_level": "Write", - "description": "Connect to database", - "privilege": "connect", + "access_level": "Read", + "description": "Grants permission to get events for the specified log stream of a relational database", + "privilege": "GetRelationalDatabaseLogEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "database*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database", - "condition_keys": [], - "resource": "database" - } - ], - "service_name": "Amazon Neptune" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource", - "type": "String" + "access_level": "Read", + "description": "Grants permission to get the log streams available for a relational database", + "privilege": "GetRelationalDatabaseLogStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - } - ], - "prefix": "network-firewall", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an association between a firewall policy and a firewall", - "privilege": "AssociateFirewallPolicy", + "description": "Grants permission to get the master user password of a relational database", + "privilege": "GetRelationalDatabaseMasterUserPassword", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the 
data points for the specified metric of a relational database", + "privilege": "GetRelationalDatabaseMetricData", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to associate VPC subnets to a firewall", - "privilege": "AssociateSubnets", + "access_level": "Read", + "description": "Grants permission to get the parameters of a relational database", + "privilege": "GetRelationalDatabaseParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall", - "privilege": "CreateFirewall", + "access_level": "Read", + "description": "Grants permission to get information about a relational database snapshot", + "privilege": "GetRelationalDatabaseSnapshot", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "Firewall*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall policy", - "privilege": "CreateFirewallPolicy", + "access_level": "Read", + "description": "Grants permission to get information about all relational database snapshots", + "privilege": "GetRelationalDatabaseSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, + "resource_type": "RelationalDatabase*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about all 
relational databases", + "privilege": "GetRelationalDatabases", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "RelationalDatabase*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a static IP", + "privilege": "GetStaticIp", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, + "resource_type": "StaticIp*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about all static IPs", + "privilege": "GetStaticIps", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StaticIp*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall rule group", - "privilege": "CreateRuleGroup", + "description": "Grants permission to import a public key from a key pair", + "privilege": "ImportKeyPair", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "KeyPair*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a boolean value indicating whether the Amazon Lightsail virtual private cloud (VPC) is peered", + "privilege": "IsVpcPeered", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a firewall", - "privilege": "DeleteFirewall", + "description": "Grants permission to add, or open a public port of an instance", + "privilege": "OpenInstancePublicPorts", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a firewall policy", - "privilege": "DeleteFirewallPolicy", + "description": "Grants permission to try to peer the Amazon Lightsail virtual private cloud (VPC) with the default VPC", + "privilege": "PeerVpc", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a resource policy for a firewall policy or rule group", - "privilege": "DeleteResourcePolicy", + "description": "Grants permission to creates or update an alarm, and associate it with the specified metric", + "privilege": "PutAlarm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "Alarm*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a rule group", - "privilege": "DeleteRuleGroup", + "description": "Grants permission to set the specified open ports for an instance, and closes all ports for every protocol not included in the request", + "privilege": "PutInstancePublicPorts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "Instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reboot an instance that is in a running state", + "privilege": "RebootInstance", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "Instance*" } ] }, { - "access_level": "Read", - "description": 
"Grants permission to retrieve the data objects that define a firewall", - "privilege": "DescribeFirewall", + "access_level": "Write", + "description": "Grants permission to reboot a relational database that is in a running state", + "privilege": "RebootRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a firewall policy", - "privilege": "DescribeFirewallPolicy", + "access_level": "Write", + "description": "Grants permission to register a container image to your Amazon Lightsail container service", + "privilege": "RegisterContainerImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, + "resource_type": "ContainerService*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a static IP", + "privilege": "ReleaseStaticIp", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "StaticIp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete currently cached content from your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "ResetDistributionCache", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "Distribution*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the logging configuration of a firewall", - "privilege": "DescribeLoggingConfiguration", + "access_level": "Write", + "description": "Grants permission to send a verification request to an email contact method to ensure it's owned by the requester", + "privilege": "SendContactMethodVerification", "resource_types": [ { "condition_keys": 
[], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "ContactMethod*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a resource policy for a firewall policy or rule group", - "privilege": "DescribeResourcePolicy", + "access_level": "Write", + "description": "Grants permission to set the IP address type for a Amazon Lightsail resource", + "privilege": "SetIpAddressType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" + "resource_type": "Distribution" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "Instance" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "LoadBalancer" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a rule group", - "privilege": "DescribeRuleGroup", + "access_level": "Write", + "description": "Grants permission to set the Amazon Lightsail resources that can access the specified Amazon Lightsail bucket", + "privilege": "SetResourceAccessForBucket", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "Bucket*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "Instance*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate VPC subnets from a firewall", - "privilege": "DisassociateSubnets", + "description": "Grants permission to start an instance that is in a stopped state", + "privilege": "StartInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Instance*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewall policies", - "privilege": 
"ListFirewallPolicies", + "access_level": "Write", + "description": "Grants permission to start a relational database that is in a stopped state", + "privilege": "StartRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewalls", - "privilege": "ListFirewalls", + "access_level": "Write", + "description": "Grants permission to stop an instance that is in a running state", + "privilege": "StopInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Instance*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the metadata for rule groups", - "privilege": "ListRuleGroups", + "access_level": "Write", + "description": "Grants permission to stop a relational database that is in a running state", + "privilege": "StopRelationalDatabase", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "RelationalDatabase*" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Disk" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "DiskSnapshot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "Domain" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission 
to put a resource policy for a firewall policy or rule group", - "privilege": "PutResourcePolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy" + "resource_type": "Instance" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "InstanceSnapshot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to attach tags to a resource", - "privilege": "TagResource", - "resource_types": [ + "resource_type": "KeyPair" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "LoadBalancer" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "RelationalDatabase" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "RelationalDatabaseSnapshot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "StaticIp" }, { "condition_keys": [ 
@@ -101169,33 +111329,88 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to test an alarm by displaying a banner on the Amazon Lightsail console or if a notification trigger is configured for the specified alarm, by sending a notification to the notification protocol", + "privilege": "TestAlarm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Alarm*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to try to unpeer the Amazon Lightsail virtual private cloud (VPC) from the default VPC", + "privilege": "UnpeerVpc", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", + "description": "Grants permission to untag a resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Disk" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "DiskSnapshot" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" + "resource_type": "Domain" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "Instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "InstanceSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "KeyPair" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "LoadBalancer" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RelationalDatabase" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RelationalDatabaseSnapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StaticIp" }, 
{ "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -101205,455 +111420,512 @@ }, { "access_level": "Write", - "description": "Grants permission to add or remove delete protection for a firewall", - "privilege": "UpdateFirewallDeleteProtection", + "description": "Grants permission to update an existing Amazon Lightsail bucket", + "privilege": "UpdateBucket", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Bucket*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the description for a firewall", - "privilege": "UpdateFirewallDescription", + "description": "Grants permission to update the bundle, or storage plan, of an existing Amazon Lightsail bucket", + "privilege": "UpdateBucketBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Bucket*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a firewall policy", - "privilege": "UpdateFirewallPolicy", + "description": "Grants permission to update the configuration of your Amazon Lightsail container service, such as its power, scale, and public domain names", + "privilege": "UpdateContainerService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "ContainerService*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing Amazon Lightsail content delivery network (CDN) distribution or its configuration", + "privilege": "UpdateDistribution", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "Grants permission to add or remove firewall policy change protection for a firewall", - "privilege": 
"UpdateFirewallPolicyChangeProtection", + "description": "Grants permission to update the bundle of your Amazon Lightsail content delivery network (CDN) distribution", + "privilege": "UpdateDistributionBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Distribution*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the logging configuration of a firewall", - "privilege": "UpdateLoggingConfiguration", + "description": "Grants permission to update a domain recordset after it is created", + "privilege": "UpdateDomainEntry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "Domain*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a rule group", - "privilege": "UpdateRuleGroup", + "description": "Grants permission to update a load balancer attribute, such as the health check path and session stickiness", + "privilege": "UpdateLoadBalancerAttribute", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "LoadBalancer*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a relational database", + "privilege": "UpdateRelationalDatabase", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "RelationalDatabase*" } ] }, { "access_level": "Write", - "description": "Grants permission to add or remove subnet change protection for a firewall", - "privilege": "UpdateSubnetChangeProtection", + "description": "Grants permission to update the parameters of a relational database", + "privilege": "UpdateRelationalDatabaseParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] } ], "resources": [ { - "arn": 
"arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}", + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Domain/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Firewall" + "resource": "Domain" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}", + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Instance/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "FirewallPolicy" + "resource": "Instance" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}", + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:InstanceSnapshot/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "StatefulRuleGroup" + "resource": "InstanceSnapshot" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}", + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:KeyPair/${Id}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "StatelessRuleGroup" - } - ], - "service_name": "AWS Network Firewall" - }, - { - "conditions": [ + "resource": "KeyPair" + }, { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:StaticIp/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "StaticIp" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource", - "type": "String" + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Disk/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Disk" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - } - ], - "prefix": "network-firewall", - 
"privileges": [ + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "DiskSnapshot" + }, { - "access_level": "Write", - "description": "Grants permission to create an association between a firewall policy and a firewall", - "privilege": "AssociateFirewallPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" - } - ] + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancer/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "LoadBalancer" }, { - "access_level": "Write", - "description": "Grants permission to associate VPC subnets to a firewall", - "privilege": "AssociateSubnets", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Firewall*" - } - ] + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:LoadBalancerTlsCertificate/${Id}", + "condition_keys": [], + "resource": "LoadBalancerTlsCertificate" }, { - "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall", - "privilege": "CreateFirewall", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "Firewall*" - }, + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ExportSnapshotRecord/${Id}", + "condition_keys": [], + "resource": "ExportSnapshotRecord" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:CloudFormationStackRecord/${Id}", + "condition_keys": [], + "resource": "CloudFormationStackRecord" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabase/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "RelationalDatabase" + }, + { + "arn": 
"arn:${Partition}:lightsail:${Region}:${Account}:RelationalDatabaseSnapshot/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "RelationalDatabaseSnapshot" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Alarm/${Id}", + "condition_keys": [], + "resource": "Alarm" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Certificate/${Id}", + "condition_keys": [], + "resource": "Certificate" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ContactMethod/${Id}", + "condition_keys": [], + "resource": "ContactMethod" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:ContainerService/${Id}", + "condition_keys": [], + "resource": "ContainerService" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Distribution/${Id}", + "condition_keys": [], + "resource": "Distribution" + }, + { + "arn": "arn:${Partition}:lightsail:${Region}:${Account}:Bucket/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Bucket" + } + ], + "service_name": "Amazon Lightsail" + }, + { + "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + } + ], + "prefix": "logs", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permissions to associate the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group", + "privilege": "AssociateKmsKey", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall firewall policy", - "privilege": "CreateFirewallPolicy", + "description": "Grants 
permissions to cancel an export task if it is in PENDING or RUNNING state", + "privilege": "CancelExportTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Network Firewall rule group", - "privilege": "CreateRuleGroup", + "description": "Grants permissions to create an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket", + "privilege": "CreateExportTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create the log delivery", + "privilege": "CreateLogDelivery", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a firewall", - "privilege": "DeleteFirewall", + "description": "Grants permissions to create a new log group with the specified name", + "privilege": "CreateLogGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a firewall policy", - "privilege": "DeleteFirewallPolicy", + "description": "Grants permissions to create a new log stream with 
the specified name", + "privilege": "CreateLogStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a resource policy for a firewall policy or rule group", - "privilege": "DeleteResourcePolicy", + "description": "Grants permissions to delete the destination with the specified name", + "privilege": "DeleteDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a rule group", - "privilege": "DeleteRuleGroup", + "description": "Grants permissions to delete the log delivery information for specified log delivery", + "privilege": "DeleteLogDelivery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete the log group with the specified name", + "privilege": "DeleteLogGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "log-group*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a firewall", - "privilege": "DescribeFirewall", + "access_level": "Write", + "description": "Grants permissions to delete a log stream", + "privilege": "DeleteLogStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "log-stream*" } ] }, { - "access_level": "Read", - "description": 
"Grants permission to retrieve the data objects that define a firewall policy", - "privilege": "DescribeFirewallPolicy", + "access_level": "Write", + "description": "Grants permissions to delete a metric filter associated with the specified log group", + "privilege": "DeleteMetricFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a saved CloudWatch Logs Insights query definition", + "privilege": "DeleteQueryDefinition", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permissions to delete a resource policy from this account", + "privilege": "DeleteResourcePolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the logging configuration of a firewall", - "privilege": "DescribeLoggingConfiguration", + "access_level": "Write", + "description": "Grants permissions to delete the retention policy of the specified log group", + "privilege": "DeleteRetentionPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "log-group*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a resource policy for a firewall policy or rule group", - "privilege": "DescribeResourcePolicy", + "access_level": "Write", + "description": "Grants permissions to delete a subscription filter associated with the specified log group", + "privilege": "DeleteSubscriptionFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"FirewallPolicy" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to return all the destinations that are associated with the AWS account making the request", + "privilege": "DescribeDestinations", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to return all the export tasks that are associated with the AWS account making the request", + "privilege": "DescribeExportTasks", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the data objects that define a rule group", - "privilege": "DescribeRuleGroup", + "access_level": "List", + "description": "Grants permissions to return all the log groups that are associated with the AWS account making the request", + "privilege": "DescribeLogGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to return all the log streams that are associated with the specified log group", + "privilege": "DescribeLogStreams", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "log-group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate VPC subnets from a firewall", - "privilege": "DisassociateSubnets", + "access_level": "List", + "description": "Grants permissions to return all the metrics filters associated with the specified log group", + "privilege": "DescribeMetricFilters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "Firewall*" + "resource_type": "log-group*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewall policies", - "privilege": "ListFirewallPolicies", + "description": "Grants permissions to return a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account", + "privilege": "DescribeQueries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve the metadata for firewalls", - "privilege": "ListFirewalls", + "description": "Grants permissions to return a paginated list of your saved CloudWatch Logs Insights query definitions", + "privilege": "DescribeQueryDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve the metadata for rule groups", - "privilege": "ListRuleGroups", + "description": "Grants permissions to return all the resource policies in this account", + "privilege": "DescribeResourcePolicies", "resource_types": [ { "condition_keys": [], 
@@ -101664,312 +111936,352 @@ }, { "access_level": "List", - "description": "Grants permission to retrieve the tags for a resource", - "privilege": "ListTagsForResource", + "description": "Grants permissions to return all the subscription filters associated with the specified log group", + "privilege": "DescribeSubscriptionFilters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to disassociate the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group", + "privilege": "DisassociateKmsKey", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to retrieve log events, optionally filtered by a filter pattern from the specified log group", + "privilege": "FilterLogEvents", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to get the log delivery information for specified log delivery", + "privilege": "GetLogDelivery", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to put a resource policy for a firewall policy or rule group", - "privilege": "PutResourcePolicy", + "access_level": "Read", + "description": "Grants permissions to retrieve log events from the specified log stream", + "privilege": "GetLogEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy" - }, + "resource_type": "log-stream*" + } + ] + 
}, + { + "access_level": "Read", + "description": "Grants permissions to return a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field", + "privilege": "GetLogGroupFields", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to retrieve all the fields and values of a single log event", + "privilege": "GetLogRecord", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to attach tags to a resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permissions to return the results from the specified query", + "privilege": "GetQueryResults", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list all the log deliveries for specified account and/or log source", + "privilege": "ListLogDeliveries", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list the tags for the specified log group", + "privilege": "ListTagsLogGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create or update a Destination", + "privilege": "PutDestination", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": 
"StatelessRuleGroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "iam:PassRole" ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permissions to create or update an access policy associated with an existing Destination", + "privilege": "PutDestinationPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to upload a batch of log events to the specified log stream", + "privilege": "PutLogEvents", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, + "resource_type": "log-stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create or update a metric filter and associates it with the specified log group", + "privilege": "PutMetricFilter", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create or update a query definition", + "privilege": "PutQueryDefinition", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to add or remove delete protection for a firewall", - "privilege": "UpdateFirewallDeleteProtection", + "access_level": "Permissions management", + "description": "Grants permissions to create or update a resource policy allowing other AWS services to 
put log events to this account", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the description for a firewall", - "privilege": "UpdateFirewallDescription", + "description": "Grants permissions to set the retention of the specified log group", + "privilege": "PutRetentionPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a firewall policy", - "privilege": "UpdateFirewallPolicy", + "description": "Grants permissions to create or update a subscription filter and associates it with the specified log group", + "privilege": "PutSubscriptionFilter", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "FirewallPolicy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "log-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to schedules a query of a log group using CloudWatch Logs Insights", + "privilege": "StartQuery", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "log-group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add or remove firewall policy change protection for a firewall", - "privilege": "UpdateFirewallPolicyChangeProtection", + "access_level": "Read", + "description": "Grants permissions to stop a CloudWatch Logs Insights query that is in progress", + "privilege": "StopQuery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] 
}, { - "access_level": "Write", - "description": "Grants permission to modify the logging configuration of a firewall", - "privilege": "UpdateLoggingConfiguration", + "access_level": "Tagging", + "description": "Grants permissions to add or update the specified tags for the specified log group", + "privilege": "TagLogGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "log-group*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a rule group", - "privilege": "UpdateRuleGroup", + "access_level": "Read", + "description": "Grants permissions to test the filter pattern of a metric filter against a sample of log event messages", + "privilege": "TestMetricFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatefulRuleGroup" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permissions to remove the specified tags from the specified log group", + "privilege": "UntagLogGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "StatelessRuleGroup" + "resource_type": "log-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to add or remove subnet change protection for a firewall", - "privilege": "UpdateSubnetChangeProtection", + "description": "Grants permissions to update the log delivery information for specified log delivery", + "privilege": "UpdateLogDelivery", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Firewall*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "Firewall" - }, - { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}", + "arn": 
"arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "FirewallPolicy" + "resource": "log-group" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "StatefulRuleGroup" + "arn": "arn:${Partition}:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}", + "condition_keys": [], + "resource": "log-stream" }, { - "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "StatelessRuleGroup" + "arn": "arn:${Partition}:logs:${Region}:${Account}:destination:${DestinationName}", + "condition_keys": [], + "resource": "destination" } ], - "service_name": "Network Firewall" + "service_name": "Amazon CloudWatch Logs" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - }, - { - "condition": "networkmanager:cgwArn", - "description": "Controls which customer gateways can be associated or disassociated", - "type": "String" - }, - { - "condition": "networkmanager:tgwArn", - "description": "Controls which transit gateways can be registered or deregistered", - "type": "String" - }, - { - "condition": "networkmanager:tgwConnectPeerArn", - "description": "Controls which connect 
peers can be associated or disassociated", + "description": "Filters actions based on the presence of tag keys in the request", "type": "String" } ], - "prefix": "networkmanager", + "prefix": "lookoutequipment", "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a customer gateway to a device", - "privilege": "AssociateCustomerGateway", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "link" + "resource_type": "dataset*" }, { "condition_keys": [ - "networkmanager:cgwArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -101978,49 +112290,48 @@ }, { "access_level": "Write", - "description": "Grants permission to associate a link to a device", - "privilege": "AssociateLink", + "description": "Grants permission to create an inference scheduler for a trained model", + "privilege": "CreateInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "inference-scheduler*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "model*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate a transit gateway connect peer to a device", - "privilege": "AssociateTransitGatewayConnectPeer", + "description": "Grants permission to create a model that is trained on a dataset", + "privilege": "CreateModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "dataset*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "model*" }, { "condition_keys": [ - "networkmanager:tgwConnectPeerArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -102029,199 +112340,259 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new connection", - "privilege": "CreateConnection", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an inference scheduler", + "privilege": "DeleteInferenceScheduler", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "inference-scheduler*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new device", - "privilege": "CreateDevice", + "description": "Grants permission to delete a model", + "privilege": "DeleteModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "model*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a data ingestion job", + "privilege": "DescribeDataIngestionJob", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new global network", - "privilege": "CreateGlobalNetwork", + "access_level": "Read", + "description": "Grants permission to describe a dataset", + "privilege": "DescribeDataset", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" } ] }, { - "access_level": "Write", - 
"description": "Grants permission to create a new link", - "privilege": "CreateLink", + "access_level": "Read", + "description": "Grants permission to describe an inference scheduler", + "privilege": "DescribeInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "inference-scheduler*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a model", + "privilege": "DescribeModel", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" - }, + "resource_type": "model*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the data ingestion jobs in your account or for a particular dataset", + "privilege": "ListDataIngestionJobs", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "dataset*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new site", - "privilege": "CreateSite", + "access_level": "List", + "description": "Grants permission to list the datasets in your account", + "privilege": "ListDatasets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the inference executions for an inference scheduler", + "privilege": "ListInferenceExecutions", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "inference-scheduler*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a connection", - "privilege": "DeleteConnection", + "access_level": "List", + "description": 
"Grants permission to list the inference schedulers in your account", + "privilege": "ListInferenceSchedulers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the models in your account", + "privilege": "ListModels", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a device", - "privilege": "DeleteDevice", + "access_level": "Read", + "description": "Grants permission to list the tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "dataset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "inference-scheduler" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a global network", - "privilege": "DeleteGlobalNetwork", + "description": "Grants permission to start a data ingestion job for a dataset", + "privilege": "StartDataIngestionJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "dataset*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a link", - "privilege": "DeleteLink", + "description": "Grants permission to start an inference scheduler", + "privilege": "StartInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "inference-scheduler*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop an inference 
scheduler", + "privilege": "StopInferenceScheduler", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "inference-scheduler*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a site", - "privilege": "DeleteSite", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "dataset" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "site*" + "resource_type": "inference-scheduler" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to deregister a transit gateway from a global network", - "privilege": "DeregisterTransitGateway", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "dataset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "inference-scheduler" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" }, { "condition_keys": [ - "networkmanager:tgwArn" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -102229,71 +112600,126 @@ ] }, { - "access_level": "List", - "description": "Grants permission to describe global networks", - "privilege": "DescribeGlobalNetworks", + "access_level": "Write", + "description": "Grants permission to update an inference scheduler", + "privilege": "UpdateInferenceScheduler", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network" + "resource_type": "inference-scheduler*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lookoutequipment:${Region}:${AccountId}:dataset/${DatasetName}/${DatasetId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dataset" + }, + { + "arn": "arn:${Partition}:lookoutequipment:${Region}:${Account}:model/${ModelName}/${ModelId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "model" + }, + { + "arn": "arn:${Partition}:lookoutequipment:${Region}:${Account}:inference-scheduler/${InferenceSchedulerName}/${InferenceSchedulerId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "inference-scheduler" + } + ], + "service_name": "Amazon Lookout for Equipment" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "lookoutmetrics", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to disassociate a customer gateway from a device", - "privilege": "DisassociateCustomerGateway", + "description": "Grants permission to activate an anomaly detector", + "privilege": "ActivateAnomalyDetector", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to run a backtest with an anomaly detector", + "privilege": "BackTestAnomalyDetector", + "resource_types": [ { - "condition_keys": [ - "networkmanager:cgwArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "AnomalyDetector*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a link from a device", - "privilege": "DisassociateLink", + "description": "Grants permission to create an alert for an anomaly detector", + "privilege": "CreateAlert", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "Alert*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "AnomalyDetector*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "link*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate a transit gateway connect peer from a device", - "privilege": "DisassociateTransitGatewayConnectPeer", + "description": "Grants permission to create an anomaly detector", + "privilege": "CreateAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "AnomalyDetector*" }, { "condition_keys": [ - "networkmanager:tgwConnectPeerArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -102301,218 +112727,263 @@ ] }, { - "access_level": "List", - "description": "Grants permission to describe connections", - "privilege": "GetConnections", + "access_level": "Write", + "description": "Grants permission to create a dataset", + "privilege": "CreateMetricSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "AnomalyDetector*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" + "resource_type": "MetricSet*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to describe customer gateway associations", - "privilege": "GetCustomerGatewayAssociations", + "access_level": "Write", + "description": "Grants permission to delete an alert", + "privilege": "DeleteAlert", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "Alert*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe devices", - "privilege": "GetDevices", + "access_level": "Write", + "description": "Grants permission to delete an anomaly detector", + "privilege": "DeleteAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about an alert", + "privilege": "DescribeAlert", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" + "resource_type": "Alert*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe link associations", - "privilege": "GetLinkAssociations", + "access_level": "Read", + "description": "Grants permission to get information about an anomaly 
detection job", + "privilege": "DescribeAnomalyDetectionExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about an anomaly detector", + "privilege": "DescribeAnomalyDetector", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about a dataset", + "privilege": "DescribeMetricSet", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "MetricSet*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe links", - "privilege": "GetLinks", + "access_level": "Read", + "description": "Grants permission to get details about a group of affected metrics", + "privilege": "GetAnomalyGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get data quality metrics for an anomaly detector", + "privilege": "GetDataQualityMetrics", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "AnomalyDetector*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe global networks", - "privilege": "GetSites", + "access_level": "Read", + "description": "Grants permission to get feedback on affected metrics for an anomaly group", + "privilege": "GetFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "Read", + 
"description": "Grants permission to get a selection of sample records from an Amazon S3 datasource", + "privilege": "GetSampleData", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to describe transit gateway connect peer associations", - "privilege": "GetTransitGatewayConnectPeerAssociations", + "description": "Grants permission to get a list of alerts for a detector", + "privilege": "ListAlerts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "AnomalyDetector" } ] }, { "access_level": "List", - "description": "Grants permission to describe transit gateway registrations", - "privilege": "GetTransitGatewayRegistrations", + "description": "Grants permission to get a list of anomaly detectors", + "privilege": "ListAnomalyDetectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to lists tag for a Network Manager resource", - "privilege": "ListTagsForResource", + "access_level": "List", + "description": "Grants permission to get a list of anomaly groups", + "privilege": "ListAnomalyGroupSummaries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of affected metrics for a measure in an anomaly group", + "privilege": "ListAnomalyGroupTimeSeries", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "AnomalyDetector*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of datasets", + "privilege": 
"ListMetricSets", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network" - }, + "resource_type": "AnomalyDetector" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a list of tags for a detector, dataset, or alert", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "Alert" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" + "resource_type": "AnomalyDetector" }, { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "MetricSet" } ] }, { "access_level": "Write", - "description": "Grants permission to register a transit gateway to a global network", - "privilege": "RegisterTransitGateway", + "description": "Grants permission to add feedback for an affected metric in an anomaly group", + "privilege": "PutFeedback", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [ - "networkmanager:tgwArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "AnomalyDetector*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to tag a Network Manager resource", + "description": "Grants permission to add tags to a detector, dataset, or alert", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network" + "resource_type": "Alert" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "AnomalyDetector" }, { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "site" + "resource_type": "MetricSet" }, { "condition_keys": [ @@ -102527,33 +112998,23 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag a Network Manager resource", + "description": "Grants permission to remove tags from a detector, dataset, or alert", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network" + "resource_type": "Alert" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "link" + "resource_type": "AnomalyDetector" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "site" + "resource_type": "MetricSet" }, { "condition_keys": [ 
@@ -102566,240 +113027,194 @@ }, { "access_level": "Write", - "description": "Grants permission to update a connection", - "privilege": "UpdateConnection", + "description": "Grants permission to update an anomaly detector", + "privilege": "UpdateAnomalyDetector", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "connection*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "AnomalyDetector*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a device", - "privilege": "UpdateDevice", + "description": "Grants permission to update a dataset", + "privilege": "UpdateMetricSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" + "resource_type": "MetricSet*" } ] - }, + } + ], + "resources": [ { - "access_level": "Write", - "description": "Grants permission to update a global network", - "privilege": "UpdateGlobalNetwork", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a link", - "privilege": "UpdateLink", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "link*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a site", - "privilege": "UpdateSite", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-network*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "site*" - } - ] - } - ], - "resources": [ - { - "arn": 
"arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId}", + "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:AnomalyDetector:${AnomalyDetectorName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "global-network" + "resource": "AnomalyDetector" }, { - "arn": "arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId}", + "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:MetricSet/${AnomalyDetectorName}/${MetricSetName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "site" + "resource": "MetricSet" }, { - "arn": "arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId}", + "arn": "arn:${Partition}:lookoutmetrics:${Region}:${Account}:Alert:${AlertName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "link" + "resource": "Alert" + } + ], + "service_name": "Amazon Lookout for Metrics" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" }, { - "arn": "arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "device" + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" }, { - "arn": "arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "connection" + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" } ], - "service_name": "Network Manager" - }, - { - "conditions": [], - "prefix": "opsworks", + "prefix": "lookoutvision", "privileges": [ { "access_level": "Write", - "description": "Assign a registered instance to a layer", - 
"privilege": "AssignInstance", + "description": "Grants permission to create a dataset manifest", + "privilege": "CreateDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Assigns one of the stack's registered Amazon EBS volumes to a specified instance", - "privilege": "AssignVolume", + "description": "Grants permission to create a new anomaly detection model", + "privilege": "CreateModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "model*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Associates one of the stack's registered Elastic IP addresses with a specified instance", - "privilege": "AssociateElasticIp", + "description": "Grants permission to create a new project", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Attaches an Elastic Load Balancing load balancer to a specified layer", - "privilege": "AttachElasticLoadBalancer", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a clone of a specified stack", - "privilege": "CloneStack", + "description": "Grants permission to delete a model and all associated assets", + "privilege": "DeleteModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "model*" } ] }, { "access_level": "Write", - "description": "Creates an app for a specified stack", 
- "privilege": "CreateApp", + "description": "Grants permission to permanently remove a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Runs deployment or stack commands", - "privilege": "CreateDeployment", + "access_level": "Read", + "description": "Grants permission to show detailed information about dataset manifest", + "privilege": "DescribeDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates an instance in a specified stack", - "privilege": "CreateInstance", + "access_level": "Read", + "description": "Grants permission to show detailed information about a model", + "privilege": "DescribeModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "model*" } ] }, { - "access_level": "Write", - "description": "Creates a layer", - "privilege": "CreateLayer", + "access_level": "Read", + "description": "Grants permission to show detailed information about a project", + "privilege": "DescribeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Creates a new stack", - "privilege": "CreateStack", + "access_level": "Read", + "description": "Grants permission to provides state information about a running anomaly detection job", + "privilege": "DescribeTrialDetection", "resource_types": [ { "condition_keys": [], 
@@ -102810,68 +113225,68 @@ }, { "access_level": "Write", - "description": "Creates a new user profile", - "privilege": "CreateUserProfile", + "description": "Grants permission to invoke detection of anomalies", + "privilege": "DetectAnomalies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { - "access_level": "Write", - "description": "Deletes a specified app", - "privilege": "DeleteApp", + "access_level": "Read", + "description": "Grants permission to list the contents of dataset manifest", + "privilege": "ListDatasetEntries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a specified instance, which terminates the associated Amazon EC2 instance", - "privilege": "DeleteInstance", + "access_level": "List", + "description": "Grants permission to list all models associated with a project", + "privilege": "ListModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a specified layer", - "privilege": "DeleteLayer", + "access_level": "List", + "description": "Grants permission to list all projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a specified stack", - "privilege": "DeleteStack", + "access_level": "Read", + "description": "Grant permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "model" } ] }, { - "access_level": "Write", - "description": "Deletes a user profile", - "privilege": "DeleteUserProfile", + 
"access_level": "List", + "description": "Grants permission to list all anomaly detection jobs", + "privilege": "ListTrialDetections", "resource_types": [ { "condition_keys": [], 
@@ -102882,632 +113297,835 @@ }, { "access_level": "Write", - "description": "Deletes a user profile", - "privilege": "DeregisterEcsCluster", + "description": "Grants permission to start anomaly detection model", + "privilege": "StartModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "model*" } ] }, { "access_level": "Write", - "description": "Deregisters a specified Elastic IP address", - "privilege": "DeregisterElasticIp", + "description": "Grants permission to start bulk detection of anomalies for a set of images stored in an S3 bucket", + "privilege": "StartTrialDetection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deregister a registered Amazon EC2 or on-premises instance", - "privilege": "DeregisterInstance", + "description": "Grants permission to stop anomaly detection model", + "privilege": "StopModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "model*" } ] }, { - "access_level": "Write", - "description": "Deregisters an Amazon RDS instance", - "privilege": "DeregisterRdsDbInstance", + "access_level": "Tagging", + "description": "Grant permission to tag a resource with given key value pairs", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "model" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deregisters an Amazon EBS volume", - "privilege": "DeregisterVolume", + "access_level": "Tagging", + "description": "Grant permission to remove the tag with the given key from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "stack" + "resource_type": "model" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Describes the available AWS OpsWorks agent versions", - "privilege": "DescribeAgentVersions", + "access_level": "Write", + "description": "Grants permission to update a training or test dataset manifest", + "privilege": "UpdateDatasetEntries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:lookoutvision:${Region}:${Account}:model/${ProjectName}/${ModelVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "model" }, { - "access_level": "List", - "description": "Requests a description of a specified set of apps", - "privilege": "DescribeApps", + "arn": "arn:${Partition}:lookoutvision:${Region}:${Account}:project/${ProjectName}", + "condition_keys": [], + "resource": "project" + } + ], + "service_name": "Amazon Lookout for Vision" + }, + { + "conditions": [], + "prefix": "machinelearning", + "privileges": [ + { + "access_level": "Tagging", + "description": "Adds one or more tags to an object, up to a limit of 10. 
Each tag consists of a key and an optional value", + "privilege": "AddTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "batchprediction" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel" } ] }, { - "access_level": "List", - "description": "Describes the results of specified commands", - "privilege": "DescribeCommands", + "access_level": "Write", + "description": "Generates predictions for a group of observations", + "privilege": "CreateBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "batchprediction*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel*" } ] }, { - "access_level": "List", - "description": "Requests a description of a specified set of deployments", - "privilege": "DescribeDeployments", + "access_level": "Write", + "description": "Creates a DataSource object from an Amazon RDS", + "privilege": "CreateDataSourceFromRDS", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" } ] }, { - "access_level": "List", - "description": "Describes Amazon ECS clusters that are registered with a stack", - "privilege": "DescribeEcsClusters", + "access_level": "Write", + "description": "Creates a DataSource from a database hosted on an Amazon Redshift cluster", + "privilege": "CreateDataSourceFromRedshift", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" } ] }, { - "access_level": "List", - "description": 
"Describes Elastic IP addresses", - "privilege": "DescribeElasticIps", + "access_level": "Write", + "description": "Creates a DataSource object from S3", + "privilege": "CreateDataSourceFromS3", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" } ] }, { - "access_level": "List", - "description": "Describes a stack's Elastic Load Balancing instances", - "privilege": "DescribeElasticLoadBalancers", + "access_level": "Write", + "description": "Creates a new Evaluation of an MLModel", + "privilege": "CreateEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel*" } ] }, { - "access_level": "List", - "description": "Requests a description of a set of instances", - "privilege": "DescribeInstances", + "access_level": "Write", + "description": "Creates a new MLModel", + "privilege": "CreateMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel*" } ] }, { - "access_level": "List", - "description": "Requests a description of one or more layers in a specified stack", - "privilege": "DescribeLayers", + "access_level": "Write", + "description": "Creates a real-time endpoint for the MLModel", + "privilege": "CreateRealtimeEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mlmodel*" } ] }, { - "access_level": "List", - "description": "Describes load-based auto scaling configurations for specified layers", - "privilege": "DescribeLoadBasedAutoScaling", + "access_level": "Write", + "description": 
"Assigns the DELETED status to a BatchPrediction, rendering it unusable", + "privilege": "DeleteBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "batchprediction*" } ] }, { - "access_level": "List", - "description": "Describes a user's SSH information", - "privilege": "DescribeMyUserProfile", + "access_level": "Write", + "description": "Assigns the DELETED status to a DataSource, rendering it unusable", + "privilege": "DeleteDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "datasource*" } ] }, { - "access_level": "List", - "description": "Describes the permissions for a specified stack", - "privilege": "DescribePermissions", + "access_level": "Write", + "description": "Assigns the DELETED status to an Evaluation, rendering it unusable", + "privilege": "DeleteEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "evaluation*" } ] }, { - "access_level": "List", - "description": "Describe an instance's RAID arrays", - "privilege": "DescribeRaidArrays", + "access_level": "Write", + "description": "Assigns the DELETED status to an MLModel, rendering it unusable", + "privilege": "DeleteMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mlmodel*" } ] }, { - "access_level": "List", - "description": "Describes Amazon RDS instances", - "privilege": "DescribeRdsDbInstances", + "access_level": "Write", + "description": "Deletes a real time endpoint of an MLModel", + "privilege": "DeleteRealtimeEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mlmodel*" } ] }, { - "access_level": "List", - "description": "Describes AWS OpsWorks service errors", - "privilege": "DescribeServiceErrors", + "access_level": 
"Tagging", + "description": "Deletes the specified tags associated with an ML object. After this operation is complete, you can't recover deleted tags", + "privilege": "DeleteTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "batchprediction" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel" } ] }, { "access_level": "List", - "description": "Requests a description of a stack's provisioning parameters", - "privilege": "DescribeStackProvisioningParameters", + "description": "Returns a list of BatchPrediction operations that match the search criteria in the request", + "privilege": "DescribeBatchPredictions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Describes the number of layers and apps in a specified stack, and the number of instances in each state, such as running_setup or online", - "privilege": "DescribeStackSummary", + "description": "Returns a list of DataSource that match the search criteria in the request", + "privilege": "DescribeDataSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Requests a description of one or more stacks", - "privilege": "DescribeStacks", + "description": "Returns a list of DescribeEvaluations that match the search criteria in the request", + "privilege": "DescribeEvaluations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Describes time-based auto scaling configurations 
for specified instances", - "privilege": "DescribeTimeBasedAutoScaling", + "description": "Returns a list of MLModel that match the search criteria in the request", + "privilege": "DescribeMLModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Describe specified users", - "privilege": "DescribeUserProfiles", + "description": "Describes one or more of the tags for your Amazon ML object", + "privilege": "DescribeTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "batchprediction" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "evaluation" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "mlmodel" } ] }, { - "access_level": "List", - "description": "Describes an instance's Amazon EBS volumes", - "privilege": "DescribeVolumes", + "access_level": "Read", + "description": "Returns a BatchPrediction that includes detailed metadata, status, and data file information", + "privilege": "GetBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "batchprediction*" } ] }, { - "access_level": "Write", - "description": "Detaches a specified Elastic Load Balancing instance from its layer", - "privilege": "DetachElasticLoadBalancer", + "access_level": "Read", + "description": "Returns a DataSource that includes metadata and data file information, as well as the current status of the DataSource", + "privilege": "GetDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" } ] }, { - "access_level": "Write", - "description": "Disassociates an Elastic IP address from its instance", - 
"privilege": "DisassociateElasticIp", + "access_level": "Read", + "description": "Returns an Evaluation that includes metadata as well as the current status of the Evaluation", + "privilege": "GetEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" } ] }, { "access_level": "Read", - "description": "Gets a generated host name for the specified layer, based on the current host name theme", - "privilege": "GetHostnameSuggestion", + "description": "Returns an MLModel that includes detailed metadata, and data source information as well as the current status of the MLModel", + "privilege": "GetMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mlmodel*" } ] }, { "access_level": "Write", - "description": "Grants RDP access to a Windows instance for a specified time period", - "privilege": "GrantAccess", + "description": "Generates a prediction for the observation using the specified ML Model", + "privilege": "Predict", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mlmodel*" } ] }, { - "access_level": "List", - "description": "Returns a list of tags that are applied to the specified stack or layer", - "privilege": "ListTags", + "access_level": "Write", + "description": "Updates the BatchPredictionName of a BatchPrediction", + "privilege": "UpdateBatchPrediction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "batchprediction*" } ] }, { "access_level": "Write", - "description": "Reboots a specified instance", - "privilege": "RebootInstance", + "description": "Updates the DataSourceName of a DataSource", + "privilege": "UpdateDataSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "datasource*" } ] }, { 
"access_level": "Write", - "description": "Registers a specified Amazon ECS cluster with a stack", - "privilege": "RegisterEcsCluster", + "description": "Updates the EvaluationName of an Evaluation", + "privilege": "UpdateEvaluation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "evaluation*" } ] }, { "access_level": "Write", - "description": "Registers an Elastic IP address with a specified stack", - "privilege": "RegisterElasticIp", + "description": "Updates the MLModelName and the ScoreThreshold of an MLModel", + "privilege": "UpdateMLModel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "mlmodel*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:batchprediction/${BatchPredictionId}", + "condition_keys": [], + "resource": "batchprediction" + }, + { + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:datasource/${DatasourceId}", + "condition_keys": [], + "resource": "datasource" + }, + { + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:evaluation/${EvaluationId}", + "condition_keys": [], + "resource": "evaluation" }, + { + "arn": "arn:${Partition}:machinelearning:${Region}:${Account}:mlmodel/${MlModelId}", + "condition_keys": [], + "resource": "mlmodel" + } + ], + "service_name": "Amazon Machine Learning" + }, + { + "conditions": [ + { + "condition": "aws:SourceArn", + "description": "Allow access to the specified actions only when the request operates on the specified aws resource", + "type": "Arn" + } + ], + "prefix": "macie", + "privileges": [ { "access_level": "Write", - "description": "Registers instances with a specified stack that were created outside of AWS OpsWorks", - "privilege": "RegisterInstance", + "description": "Enables the user to associate a specified AWS account with Amazon Macie as a member account.", + "privilege": 
"AssociateMemberAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Registers an Amazon RDS instance with a stack", - "privilege": "RegisterRdsDbInstance", + "description": "Enables the user to associate specified S3 resources with Amazon Macie for monitoring and data classification.", + "privilege": "AssociateS3Resources", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:SourceArn" + ], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Registers an Amazon EBS volume with a specified stack", - "privilege": "RegisterVolume", + "description": "Enables the user to remove the specified member account from Amazon Macie.", + "privilege": "DisassociateMemberAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Specify the load-based auto scaling configuration for a specified layer", - "privilege": "SetLoadBasedAutoScaling", + "description": "Enables the user to remove specified S3 resources from being monitored by Amazon Macie.", + "privilege": "DisassociateS3Resources", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:SourceArn" + ], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Specifies a user's permissions", - "privilege": "SetPermission", + "access_level": "List", + "description": "Enables the user to list all Amazon Macie member accounts for the current Macie master account.", + "privilege": "ListMemberAccounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Specify the 
time-based auto scaling configuration for a specified instance", - "privilege": "SetTimeBasedAutoScaling", + "access_level": "List", + "description": "Enables the user to list all the S3 resources associated with Amazon Macie.", + "privilege": "ListS3Resources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Starts a specified instance", - "privilege": "StartInstance", + "description": "Enables the user to update the classification types for the specified S3 resources.", + "privilege": "UpdateS3Resources", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:SourceArn" + ], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] + } + ], + "resources": [], + "service_name": "Amazon Macie Classic" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs that are associated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "macie2", + "privileges": [ { "access_level": "Write", - "description": "Starts a stack's instances", - "privilege": "StartStack", + "description": "Grants permission to accept an Amazon Macie membership invitation", + "privilege": "AcceptInvitation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Stops a specified instance", - "privilege": "StopInstance", + "access_level": "Read", + "description": "Grants permission to retrieve information about one or more custom data 
identifiers", + "privilege": "BatchGetCustomDataIdentifiers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "CustomDataIdentifier*" } ] }, { "access_level": "Write", - "description": "Stops a specified stack", - "privilege": "StopStack", + "description": "Grants permission to create and define the settings for a sensitive data discovery job", + "privilege": "CreateClassificationJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "ClassificationJob*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Apply tags to a specified stack or layer", - "privilege": "TagResource", + "description": "Grants permission to create and define the settings for a custom data identifier", + "privilege": "CreateCustomDataIdentifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "CustomDataIdentifier*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Unassigns a registered instance from all of it's layers", - "privilege": "UnassignInstance", + "description": "Grants permission to create and define the settings for a findings filter", + "privilege": "CreateFindingsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "FindingsFilter*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Unassigns an assigned Amazon EBS volume", - "privilege": "UnassignVolume", + "description": "Grants permission to send an Amazon Macie 
membership invitation", + "privilege": "CreateInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Removes tags from a specified stack or layer", - "privilege": "UntagResource", + "description": "Grants permission to associate an account with an Amazon Macie administrator account", + "privilege": "CreateMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "Member*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates a specified app", - "privilege": "UpdateApp", + "description": "Grants permission to create sample findings", + "privilege": "CreateSampleFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates a registered Elastic IP address's name", - "privilege": "UpdateElasticIp", + "description": "Grants permission to decline Amazon Macie membership invitations", + "privilege": "DeclineInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates a specified instance", - "privilege": "UpdateInstance", + "description": "Grants permission to delete a custom data identifier", + "privilege": "DeleteCustomDataIdentifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "CustomDataIdentifier*" } ] }, { "access_level": "Write", - "description": "Updates a specified layer", - "privilege": "UpdateLayer", + "description": "Grants permission to delete a findings filter", + "privilege": "DeleteFindingsFilter", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "FindingsFilter*" } ] }, { "access_level": "Write", - "description": "Updates a user's SSH public key", - "privilege": "UpdateMyUserProfile", + "description": "Grants permission to delete Amazon Macie membership invitations", + "privilege": "DeleteInvitations", "resource_types": [ { "condition_keys": [], 
@@ -103518,70 +114136,56 @@ }, { "access_level": "Write", - "description": "Updates an Amazon RDS instance", - "privilege": "UpdateRdsDbInstance", + "description": "Grants permission to delete the association between an Amazon Macie administrator account and an account", + "privilege": "DeleteMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "Member*" } ] }, { - "access_level": "Write", - "description": "Updates a specified stack", - "privilege": "UpdateStack", + "access_level": "Read", + "description": "Grants permission to retrieve statistical data and other information about S3 buckets that Amazon Macie monitors and analyzes", + "privilege": "DescribeBuckets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Updates a specified user profile", - "privilege": "UpdateUserProfile", + "access_level": "Read", + "description": "Grants permission to retrieve information about the status and settings for a sensitive data discovery job", + "privilege": "DescribeClassificationJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ClassificationJob*" } ] }, { - "access_level": "Write", - "description": "Updates an Amazon EBS volume's name or mount point", - "privilege": "UpdateVolume", + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Macie configuration settings for an AWS organization", + "privilege": "DescribeOrganizationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stack" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:opsworks:${Region}:${Account}:stack/${StackId}/", - "condition_keys": [], - "resource": "stack" - } - ], - "service_name": "AWS OpsWorks" 
- }, - { - "conditions": [], - "prefix": "opsworks-cm", - "privileges": [ + }, { "access_level": "Write", - "description": "Associate a node to a configuration management server.", - "privilege": "AssociateNode", + "description": "Grants permission to disable an Amazon Macie account, which also deletes Macie resources for the account", + "privilege": "DisableMacie", "resource_types": [ { "condition_keys": [], @@ -103592,8 +114196,8 @@ }, { "access_level": "Write", - "description": "Create a backup for the specified server.", - "privilege": "CreateBackup", + "description": "Grants permission to disable an account as the delegated Amazon Macie administrator account for an AWS organization", + "privilege": "DisableOrganizationAdminAccount", "resource_types": [ { "condition_keys": [], @@ -103604,8 +114208,8 @@ }, { "access_level": "Write", - "description": "Create a new server.", - "privilege": "CreateServer", + "description": "Grants an Amazon Macie member account with permission to disassociate from its Macie administrator account", + "privilege": "DisassociateFromAdministratorAccount", "resource_types": [ { "condition_keys": [], @@ -103616,8 +114220,8 @@ }, { "access_level": "Write", - "description": "Delete the specified backup and possibly its S3 bucket.", - "privilege": "DeleteBackup", + "description": "(Deprecated) Grants an Amazon Macie member account with permission to disassociate from its Macie administrator account", + "privilege": "DisassociateFromMasterAccount", "resource_types": [ { "condition_keys": [], 
@@ -103628,20 +114232,20 @@ }, { "access_level": "Write", - "description": "Deletes the specified server with his corresponding CF stack and possibly the S3 bucket.", - "privilege": "DeleteServer", + "description": "Grants an Amazon Macie administrator account with permission to disassociate from a Macie member account", + "privilege": "DisassociateMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Member*" } ] }, { - "access_level": "List", - "description": "Describe the service limits for the user's account.", - "privilege": "DescribeAccountAttributes", + "access_level": "Write", + "description": "Grants permission to enable and specify the configuration settings for a new Amazon Macie account", + "privilege": "EnableMacie", "resource_types": [ { "condition_keys": [], @@ -103651,9 +114255,9 @@ ] }, { - "access_level": "List", - "description": "Describe a single backup, all backups of a specified server or all backups of the user's account.", - "privilege": "DescribeBackups", + "access_level": "Write", + "description": "Grants permission to enable an account as the delegated Amazon Macie administrator account for an AWS organization", + "privilege": "EnableOrganizationAdminAccount", "resource_types": [ { "condition_keys": [], @@ -103663,9 +114267,9 @@ ] }, { - "access_level": "List", - "description": "Describe all events of the specified server.", - "privilege": "DescribeEvents", + "access_level": "Read", + "description": "Grants permission to retrieve information about the Amazon Macie administrator account for an account", + "privilege": "GetAdministratorAccount", "resource_types": [ { "condition_keys": [], 
@@ -103675,9 +114279,9 @@ ] }, { - "access_level": "List", - "description": "Describe the association status for the specified node token and the specified server.", - "privilege": "DescribeNodeAssociationStatus", + "access_level": "Read", + "description": "Grants permission to retrieve aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes", + "privilege": "GetBucketStatistics", "resource_types": [ { "condition_keys": [], @@ -103687,9 +114291,9 @@ ] }, { - "access_level": "List", - "description": "Describes the specified server or all servers of the user's account.", - "privilege": "DescribeServers", + "access_level": "Read", + "description": "Grants permission to retrieve the settings for exporting sensitive data discovery results", + "privilege": "GetClassificationExportConfiguration", "resource_types": [ { "condition_keys": [], @@ -103699,21 +114303,21 @@ ] }, { - "access_level": "Write", - "description": "Disassociates a specified node from a server.", - "privilege": "DisassociateNode", + "access_level": "Read", + "description": "Grants permission to retrieve information about the settings for a custom data identifier", + "privilege": "GetCustomDataIdentifier", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "CustomDataIdentifier*" } ] }, { - "access_level": "List", - "description": "List the tags that are applied to the specified server or backup.", - "privilege": "ListTagsForResource", + "access_level": "Read", + "description": "Grants permission to retrieve aggregated statistical data about findings", + "privilege": "GetFindingStatistics", "resource_types": [ { "condition_keys": [], 
@@ -103723,9 +114327,9 @@ ] }, { - "access_level": "Write", - "description": "Applies a backup to specified server. Possibly swaps out the ec2-instance if specified.", - "privilege": "RestoreServer", + "access_level": "Read", + "description": "Grants permission to retrieve the details of one or more findings", + "privilege": "GetFindings", "resource_types": [ { "condition_keys": [], @@ -103735,21 +114339,21 @@ ] }, { - "access_level": "Write", - "description": "Start the server maintenance immediately.", - "privilege": "StartMaintenance", + "access_level": "Read", + "description": "Grants permission to retrieve information about the settings for a findings filter", + "privilege": "GetFindingsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "FindingsFilter*" } ] }, { - "access_level": "Tagging", - "description": "Applies tags to the specified server or backup.", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to retrieve the configuration settings for publishing findings to AWS Security Hub", + "privilege": "GetFindingsPublicationConfiguration", "resource_types": [ { "condition_keys": [], @@ -103759,9 +114363,9 @@ ] }, { - "access_level": "Tagging", - "description": "Removes tags from the specified server or backup.", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to retrieve the count of Amazon Macie membership invitations that were received by an account", + "privilege": "GetInvitationsCount", "resource_types": [ { "condition_keys": [], 
@@ -103771,9 +114375,9 @@ ] }, { - "access_level": "Write", - "description": "Update general server settings.", - "privilege": "UpdateServer", + "access_level": "Read", + "description": "Grants permission to retrieve information about the status and configuration settings for an Amazon Macie account", + "privilege": "GetMacieSession", "resource_types": [ { "condition_keys": [], @@ -103783,9 +114387,9 @@ ] }, { - "access_level": "Write", - "description": "Update server settings specific to the configuration management type.", - "privilege": "UpdateServerEngineAttributes", + "access_level": "Read", + "description": "(Deprecated) Grants permission to retrieve information about the Amazon Macie administrator account for an account", + "privilege": "GetMasterAccount", "resource_types": [ { "condition_keys": [], 
@@ -103793,133 +114397,71 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS OpsWorks Configuration Management" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - }, - { - "condition": "organizations:PolicyType", - "description": "Enables you to filter the request to only the specified policy type names.", - "type": "String" - }, - { - "condition": "organizations:ServicePrincipal", - "description": "Enables you to filter the request to only the specified service principal names.", - "type": "String" - } - ], - "prefix": "organizations", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request.", - "privilege": "AcceptHandshake", + "access_level": "Read", + "description": "Grants permission to retrieve information about an account that's associated with an Amazon Macie administrator account", + "privilege": "GetMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "handshake*" + "resource_type": "Member*" } ] }, { - "access_level": "Write", - "description": "Grants permission to attach a policy to a root, an organizational unit, or an individual account.", - "privilege": "AttachPolicy", + "access_level": "Read", + "description": "Grants permission to retrieve quotas and aggregated usage data for one or more accounts", + "privilege": "GetUsageStatistics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "policy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" - }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a handshake.", - "privilege": "CancelHandshake", + "access_level": "Read", + "description": "Grants permission to retrieve aggregated usage data for an account", + "privilege": "GetUsageTotals", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "handshake*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request.", - "privilege": "CreateAccount", + "access_level": "List", + "description": "Grants permission to retrieve a subset of information about the status and settings for one or more sensitive data discovery jobs", + "privilege": "ListClassificationJobs", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AWS GovCloud (US) account.", - "privilege": "CreateGovCloudAccount", + "access_level": "List", + "description": "Grants permission to retrieve information about all custom data identifiers", + "privilege": "ListCustomDataIdentifiers", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an 
organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the master account of the new organization.", - "privilege": "CreateOrganization", + "access_level": "List", + "description": "Grants permission to retrieve a subset of information about one or more findings", + "privilege": "ListFindings", "resource_types": [ { "condition_keys": [], 
@@ -103929,62 +114471,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create an organizational unit (OU) within a root or parent OU.", - "privilege": "CreateOrganizationalUnit", + "access_level": "List", + "description": "Grants permission to retrieve information about all findings filters", + "privilege": "ListFindingsFilters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account.", - "privilege": "CreatePolicy", + "access_level": "List", + "description": "Grants permission to retrieve information about all the Amazon Macie membership invitations that were received by an account", + "privilege": "ListInvitations", "resource_types": [ { - "condition_keys": [ - "organizations:PolicyType", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to decline a handshake request. 
This sets the handshake state to DECLINED and effectively deactivates the request.", - "privilege": "DeclineHandshake", + "access_level": "List", + "description": "Grants permission to retrieve information about managed data identifiers", + "privilege": "ListManagedDataIdentifiers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "handshake*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the organization.", - "privilege": "DeleteOrganization", + "access_level": "List", + "description": "Grants permission to retrieve information about the Amazon Macie member accounts that are associated with a Macie administrator account", + "privilege": "ListMembers", "resource_types": [ { "condition_keys": [], 
@@ -103994,71 +114519,57 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete an organizational unit from a root or another OU.", - "privilege": "DeleteOrganizationalUnit", + "access_level": "List", + "description": "Grants permission to retrieve information about the delegated, Amazon Macie administrator account for an AWS organization", + "privilege": "ListOrganizationAdminAccounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a policy from your organization.", - "privilege": "DeletePolicy", + "access_level": "Read", + "description": "Grants permission to retrieve the tags for an Amazon Macie resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal.", - "privilege": "DeregisterDelegatedAdministrator", + "description": "Grants permission to create or update the settings for storing sensitive data discovery results", + "privilege": "PutClassificationExportConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" - }, - { - "condition_keys": [ - "organizations:ServicePrincipal" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve Organizations-related details about the specified account.", - "privilege": "DescribeAccount", + "access_level": "Write", + "description": "Grants permission to update the configuration settings for publishing 
findings to AWS Security Hub", + "privilege": "PutFindingsPublicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the current status of an asynchronous request to create an account.", - "privilege": "DescribeCreateAccountStatus", + "description": "Grants permission to retrieve statistical data and other information about AWS resources that Amazon Macie monitors and analyzes", + "privilege": "SearchResources", "resource_types": [ { "condition_keys": [], @@ -104068,18 +114579,14 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the effective policy for an account.", - "privilege": "DescribeEffectivePolicy", + "access_level": "Tagging", + "description": "Grants permission to add or update the tags for an Amazon Macie resource", + "privilege": "TagResource", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account*" - }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -104087,21 +114594,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about a previously requested handshake.", - "privilege": "DescribeHandshake", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "handshake*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieves details about the organization that the calling credentials belong to.", - "privilege": "DescribeOrganization", + "access_level": "Write", + "description": "Grants permission to test a custom data identifier", + "privilege": "TestCustomDataIdentifier", "resource_types": [ { "condition_keys": [], 
@@ -104111,30 +114606,33 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about an organizational unit (OU).", - "privilege": "DescribeOrganizationalUnit", + "access_level": "Tagging", + "description": "Grants permission to remove tags from an Amazon Macie resource", + "privilege": "UntagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "organizationalunit*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieves details about a policy.", - "privilege": "DescribePolicy", + "access_level": "Write", + "description": "Grants permission to change the status of a sensitive data discovery job", + "privilege": "UpdateClassificationJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "ClassificationJob*" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -104143,32 +114641,18 @@ }, { "access_level": "Write", - "description": "Grants permission to detach a policy from a target root, organizational unit, or account.", - "privilege": "DetachPolicy", + "description": "Grants permission to update the settings for a findings filter", + "privilege": "UpdateFindingsFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" + "resource_type": "FindingsFilter*" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -104177,13 +114661,11 @@ }, { "access_level": "Write", - "description": "Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.", - "privilege": "DisableAWSServiceAccess", + "description": "Grants permission to suspend or re-enable an Amazon Macie account, or update the configuration settings for a Macie account", + "privilege": "UpdateMacieSession", "resource_types": [ { - "condition_keys": [ - "organizations:ServicePrincipal" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -104191,62 +114673,97 @@ }, { "access_level": "Write", - "description": "Grants permission to disable an organization policy type in a root.", - "privilege": "DisablePolicyType", + "description": "Grants an Amazon Macie administrator account with permission to suspend or re-enable a Macie member account", + "privilege": "UpdateMemberSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "root*" - }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.", - "privilege": "EnableAWSServiceAccess", + "description": "Grants permission to update Amazon Macie configuration settings for an AWS organization", + "privilege": "UpdateOrganizationConfiguration", "resource_types": [ { - "condition_keys": [ - "organizations:ServicePrincipal" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:macie2:${Region}:${Account}:classification-job/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ClassificationJob" }, { - "access_level": "Write", - "description": "Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features.", - "privilege": "EnableAllFeatures", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "arn": "arn:${Partition}:macie2:${Region}:${Account}:custom-data-identifier/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "CustomDataIdentifier" + }, + { + "arn": "arn:${Partition}:macie2:${Region}:${Account}:findings-filter/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + 
"resource": "FindingsFilter" + }, + { + "arn": "arn:${Partition}:macie2:${Region}:${Account}:member/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Member" + } + ], + "service_name": "Amazon Macie" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with an Amazon Managed Blockchain resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "managedblockchain", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to enable a policy type in a root.", - "privilege": "EnablePolicyType", + "description": "Grants permission to create a member of an Amazon Managed Blockchain network", + "privilege": "CreateMember", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "root*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "network*" }, { "condition_keys": [ - "organizations:PolicyType" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -104255,199 +114772,171 @@ }, { "access_level": "Write", - "description": "Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account.", - "privilege": "InviteAccountToOrganization", + "description": "Grants permission to create an Amazon Managed Blockchain network", + "privilege": "CreateNetwork", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account" - }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to remove a member account from its parent organization.", - "privilege": "LeaveOrganization", + "description": "Grants permission to create a node within a member of an Amazon Managed Blockchain network", + "privilege": "CreateNode", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization.", - "privilege": "ListAWSServiceAccessForOrganization", - "resource_types": [ + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "member" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all of the the accounts in the organization.", - "privilege": "ListAccounts", - "resource_types": [ + "resource_type": "network" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the accounts in an organization that 
are contained by a root or organizational unit (OU).", - "privilege": "ListAccountsForParent", + "access_level": "Write", + "description": "Grants permission to create a proposal that other blockchain network members can vote on to add or remove a member in an Amazon Managed Blockchain network", + "privilege": "CreateProposal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "network*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "root" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the OUs or accounts that are contained in a parent OU or root.", - "privilege": "ListChildren", + "access_level": "Write", + "description": "Grants permission to delete a member and all associated resources from an Amazon Managed Blockchain network", + "privilege": "DeleteMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" + "resource_type": "member*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization.", - "privilege": "ListCreateAccountStatus", + "access_level": "Write", + "description": "Grants permission to delete a node from a member of an Amazon Managed Blockchain network", + "privilege": "DeleteNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "node*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the AWS accounts that are designated as delegated administrators in this organization.", - "privilege": "ListDelegatedAdministrators", + "access_level": "Read", + "description": 
"Grants permission to return detailed information about a member of an Amazon Managed Blockchain network", + "privilege": "GetMember", "resource_types": [ { - "condition_keys": [ - "organizations:ServicePrincipal" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "member*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization.", - "privilege": "ListDelegatedServicesForAccount", + "access_level": "Read", + "description": "Grants permission to return detailed information about an Amazon Managed Blockchain network", + "privilege": "GetNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" + "resource_type": "network*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the handshakes that are associated with an account.", - "privilege": "ListHandshakesForAccount", + "access_level": "Read", + "description": "Grants permission to return detailed information about a node within a member of an Amazon Managed Blockchain network", + "privilege": "GetNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "node*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the handshakes that are associated with the organization.", - "privilege": "ListHandshakesForOrganization", + "access_level": "Read", + "description": "Grants permission to return detailed information about a proposal of an Amazon Managed Blockchain network", + "privilege": "GetProposal", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "proposal*" } ] }, { "access_level": "List", - "description": "Grants permission to lists all of the organizational units (OUs) in a parent organizational unit or root.", - 
"privilege": "ListOrganizationalUnitsForParent", + "description": "Grants permission to list the invitations extended to the active AWS account from any Managed Blockchain network", + "privilege": "ListInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "root" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account.", - "privilege": "ListParents", + "description": "Grants permission to list the members of an Amazon Managed Blockchain network and the properties of their memberships", + "privilege": "ListMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "network*" } ] }, { "access_level": "List", - "description": "Grants permission to list all of the policies in an organization.", - "privilege": "ListPolicies", + "description": "Grants permission to list the Amazon Managed Blockchain networks in which the current AWS account participates", + "privilege": "ListNetworks", "resource_types": [ { - "condition_keys": [ - "organizations:PolicyType" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -104455,168 +114944,118 @@ }, { "access_level": "List", - "description": "Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account.", - "privilege": "ListPoliciesForTarget", + "description": "Grants permission to list the nodes within a member of an Amazon Managed Blockchain network", + "privilege": "ListNodes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "member" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" - }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "network" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the roots that are defined in the organization.", - "privilege": "ListRoots", + "access_level": "Read", + "description": "Grants permission to list all votes for a proposal, including the value of the vote and the unique identifier of the member that cast the vote for the given Amazon Managed Blockchain network", + "privilege": "ListProposalVotes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "proposal*" } ] }, { "access_level": "List", - "description": "Grants permission to list all tags for the specified resource.", - "privilege": "ListTagsForResource", + "description": "Grants permission to list proposals for the given Amazon Managed Blockchain network", + "privilege": "ListProposals", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy" - }, - { - "condition_keys": [], - 
"dependent_actions": [], - "resource_type": "root" + "resource_type": "network*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the roots, OUs, and accounts to which a policy is attached.", - "privilege": "ListTargetsForPolicy", + "access_level": "Read", + "description": "Grants permission to view tags associated with an Amazon Managed Blockchain resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy*" + "resource_type": "invitation" }, - { - "condition_keys": [ - "organizations:PolicyType" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to move an account from its current root or OU to another parent root or OU.", - "privilege": "MoveAccount", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" + "resource_type": "member" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "network" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to register the specified member account to administer the Organizations features of the AWS service that is specified by ServicePrincipal.", - "privilege": "RegisterDelegatedAdministrator", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "account*" + "resource_type": "node" }, { - "condition_keys": [ - "organizations:ServicePrincipal" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "proposal" } ] }, { "access_level": "Write", - "description": "Grants permission to removes the specified account from the organization.", - "privilege": "RemoveAccountFromOrganization", + "description": "Grants permission to reject the 
invitation to join the blockchain network", + "privilege": "RejectInvitation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account*" + "resource_type": "invitation*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add one or more tags to the specified resource.", + "description": "Grants permission to add tags to an Amazon Managed Blockchain resource", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" + "resource_type": "invitation" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "member" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy" + "resource_type": "network" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" + "resource_type": "node" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proposal" }, { "condition_keys": [ @@ -104630,28 +115069,33 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from the specified resource.", + "description": "Grants permission to remove tags from an Amazon Managed Blockchain resource", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "account" + "resource_type": "invitation" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "organizationalunit" + "resource_type": "member" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "policy" + "resource_type": "network" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "root" + "resource_type": "node" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proposal" }, { "condition_keys": [ 
@@ -104664,91 +115108,92 @@ }, { "access_level": "Write", - "description": "Grants permission to rename an organizational unit (OU).", - "privilege": "UpdateOrganizationalUnit", + "description": "Grants permission to update a member of an Amazon Managed Blockchain network", + "privilege": "UpdateMember", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "organizationalunit*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "member*" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing policy with a new name, description, or content.", - "privilege": "UpdatePolicy", + "description": "Grants permission to update a node from a member of an Amazon Managed Blockchain network", + "privilege": "UpdateNode", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "policy*" - }, - { - "condition_keys": [ - "organizations:PolicyType" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" ], + "resource_type": "node*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cast a vote for a proposal on behalf of the blockchain network member specified", + "privilege": "VoteOnProposal", + "resource_types": [ + { + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "proposal*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:account/o-${OrganizationId}/${AccountId}", + "arn": "arn:${Partition}:managedblockchain:${Region}::networks/${NetworkId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "account" - }, - { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId}", - "condition_keys": [], - "resource": "handshake" - }, - { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:organization/o-${OrganizationId}", - "condition_keys": [], - 
"resource": "organization" + "resource": "network" }, { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}", + "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:members/${MemberId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "organizationalunit" + "resource": "member" }, { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId}", + "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:nodes/${NodeId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "policy" + "resource": "node" }, { - "arn": "arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId}", - "condition_keys": [], - "resource": "awspolicy" + "arn": "arn:${Partition}:managedblockchain:${Region}::proposals/${ProposalId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "proposal" }, { - "arn": "arn:${Partition}:organizations::${MasterAccountId}:root/o-${OrganizationId}/r-${RootId}", + "arn": "arn:${Partition}:managedblockchain:${Region}:${Account}:invitations/${InvitationId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "root" + "resource": "invitation" } ], - "service_name": "AWS Organizations" + "service_name": "Amazon Managed Blockchain" }, { "conditions": [], - "prefix": "outposts", + "prefix": "marketplacecommerceanalytics", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an Outpost", - "privilege": "CreateOutpost", + "description": "Request a data set to be published to your Amazon S3 bucket.", + "privilege": "GenerateDataSet", "resource_types": [ { "condition_keys": [], 
@@ -104759,8 +115204,8 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an Outpost", - "privilege": "DeleteOutpost", + "description": "Request a support data set to be published to your Amazon S3 bucket.", + "privilege": "StartSupportDataExport", "resource_types": [ { "condition_keys": [], @@ -104768,11 +115213,19 @@ "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "AWS Marketplace Commerce Analytics Service" + }, + { + "conditions": [], + "prefix": "mechanicalturk", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete an site", - "privilege": "DeleteSite", + "description": "The AcceptQualificationRequest operation grants a Worker's request for a Qualification", + "privilege": "AcceptQualificationRequest", "resource_types": [ { "condition_keys": [], @@ -104782,9 +115235,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get information about the specified Outpost", - "privilege": "GetOutpost", + "access_level": "Write", + "description": "The ApproveAssignment operation approves the results of a completed assignment", + "privilege": "ApproveAssignment", "resource_types": [ { "condition_keys": [], @@ -104794,9 +115247,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list the instance types for the specified Outpost", - "privilege": "GetOutpostInstanceTypes", + "access_level": "Write", + "description": "The AssociateQualificationWithWorker operation gives a Worker a Qualification", + "privilege": "AssociateQualificationWithWorker", "resource_types": [ { "condition_keys": [], 
@@ -104806,9 +115259,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the Outposts for your AWS account", - "privilege": "ListOutposts", + "access_level": "Write", + "description": "The CreateAdditionalAssignmentsForHIT operation increases the maximum number of assignments of an existing HIT", + "privilege": "CreateAdditionalAssignmentsForHIT", "resource_types": [ { "condition_keys": [], @@ -104818,9 +115271,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the sites for your AWS account", - "privilege": "ListSites", + "access_level": "Write", + "description": "The CreateHIT operation creates a new HIT (Human Intelligence Task)", + "privilege": "CreateHIT", "resource_types": [ { "condition_keys": [], @@ -104830,9 +115283,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "The CreateHITType operation creates a new HIT type", + "privilege": "CreateHITType", "resource_types": [ { "condition_keys": [], @@ -104843,8 +115296,8 @@ }, { "access_level": "Write", - "description": "Grants permission to add tags to a resource", - "privilege": "TagResource", + "description": "The CreateHITWithHITType operation creates a new Human Intelligence Task (HIT) using an existing HITTypeID generated by the CreateHITType operation", + "privilege": "CreateHITWithHITType", "resource_types": [ { "condition_keys": [], @@ -104855,8 +115308,8 @@ }, { "access_level": "Write", - "description": "Grants permission to remove tags from a resource", - "privilege": "UntagResource", + "description": "The CreateQualificationType operation creates a new Qualification type, which is represented by a QualificationType data structure", + "privilege": "CreateQualificationType", "resource_types": [ { "condition_keys": [], 
@@ -104864,41 +115317,14 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS Outposts" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - } - ], - "prefix": "panorama", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama application", - "privilege": "CreateApp", + "description": "The CreateWorkerBlock operation allows you to prevent a Worker from working on your HITs", + "privilege": "CreateWorkerBlock", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -104906,8 +115332,8 @@ }, { "access_level": "Write", - "description": "Grants permission to deploy an AWS Panorama application", - "privilege": "CreateAppDeployment", + "description": "The DeleteHIT operation disposes of a HIT that is no longer needed", + "privilege": "DeleteHIT", "resource_types": [ { "condition_keys": [], 
@@ -104918,40 +115344,32 @@ }, { "access_level": "Write", - "description": "Grants permission to create a version of an AWS Panorama application", - "privilege": "CreateAppVersion", + "description": "The DeleteQualificationType disposes a Qualification type and disposes any HIT types that are associated with the Qualification type", + "privilege": "DeleteQualificationType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "appVersion*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an AWS Panorama datasource", - "privilege": "CreateDataSource", + "description": "The DeleteWorkerBlock operation allows you to reinstate a blocked Worker to work on your HITs", + "privilege": "DeleteWorkerBlock", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to configure a deployment for an AWS Panorama application", - "privilege": "CreateDeploymentConfiguration", + "description": "The DisassociateQualificationFromWorker revokes a previously granted Qualification from a user", + "privilege": "DisassociateQualificationFromWorker", "resource_types": [ { "condition_keys": [], 
@@ -104961,24 +115379,21 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to register an AWS Panorama Appliance", - "privilege": "CreateDevice", + "access_level": "Read", + "description": "The GetAccountBalance operation retrieves the amount of money in your Amazon Mechanical Turk account", + "privilege": "GetAccountBalance", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to apply a software update to an AWS Panorama Appliance", - "privilege": "CreateDeviceUpdate", + "access_level": "Read", + "description": "The GetAssignment retrieves an assignment with an AssignmentStatus value of Submitted, Approved, or Rejected, using the assignment's ID", + "privilege": "GetAssignment", "resource_types": [ { "condition_keys": [], 
@@ -104988,120 +115403,117 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to generate a list of cameras on the same network as an AWS Panorama Appliance", - "privilege": "CreateInputs", + "access_level": "Read", + "description": "The GetFileUploadURL operation generates and returns a temporary URL", + "privilege": "GetFileUploadURL", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to import a machine learning model into AWS Panorama", - "privilege": "CreateModel", + "access_level": "Read", + "description": "The GetHIT operation retrieves the details of the specified HIT", + "privilege": "GetHIT", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to generate a list of streams available to an AWS Panorama Appliance", - "privilege": "CreateStreams", + "access_level": "Read", + "description": "The GetQualificationScore operation returns the value of a Worker's Qualification for a given Qualification type", + "privilege": "GetQualificationScore", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Panorama application", - "privilege": "DeleteApp", + "access_level": "Read", + "description": "The GetQualificationType operation retrieves information about a Qualification type using its ID", + "privilege": "GetQualificationType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a version of an AWS Panorama application", - 
"privilege": "DeleteAppVersion", + "access_level": "List", + "description": "The ListAssignmentsForHIT operation retrieves completed assignments for a HIT", + "privilege": "ListAssignmentsForHIT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AWS Panorama datasource", - "privilege": "DeleteDataSource", + "access_level": "List", + "description": "The ListBonusPayments operation retrieves the amounts of bonuses you have paid to Workers for a given HIT or assignment", + "privilege": "ListBonusPayments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to deregister an AWS Panorama Appliance", - "privilege": "DeleteDevice", + "access_level": "List", + "description": "The ListHITs operation returns all of a Requester's HITs", + "privilege": "ListHITs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a machine learning model from AWS Panorama", - "privilege": "DeleteModel", + "access_level": "List", + "description": "The ListHITsForQualificationType operation returns the HITs that use the given QualififcationType for a QualificationRequirement", + "privilege": "ListHITsForQualificationType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama application", - "privilege": "DescribeApp", + "access_level": "List", + "description": "The ListQualificationRequests operation retrieves requests for Qualifications of a particular Qualification type", + 
"privilege": "ListQualificationRequests", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a deployment for an AWS Panorama application", - "privilege": "DescribeAppDeployment", + "access_level": "List", + "description": "The ListQualificationTypes operation searches for Qualification types using the specified search query, and returns a list of Qualification types", + "privilege": "ListQualificationTypes", "resource_types": [ { "condition_keys": [], 
@@ -105111,45 +115523,45 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a version of an AWS Panorama application", - "privilege": "DescribeAppVersion", + "access_level": "List", + "description": "The ListReviewPolicyResultsForHIT operation retrieves the computed results and the actions taken in the course of executing your Review Policies during a CreateHIT operation", + "privilege": "ListReviewPolicyResultsForHIT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a datasource in AWS Panorama", - "privilege": "DescribeDataSource", + "access_level": "List", + "description": "The ListReviewableHITs operation returns all of a Requester's HITs that have not been approved or rejected", + "privilege": "ListReviewableHITs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about an AWS Panorama Appliance", - "privilege": "DescribeDevice", + "access_level": "List", + "description": "The ListWorkersBlocks operation retrieves a list of Workers who are blocked from working on your HITs", + "privilege": "ListWorkerBlocks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a software update for an AWS Panorama Appliance", - "privilege": "DescribeDeviceUpdate", + "access_level": "List", + "description": "The ListWorkersWithQualificationType operation returns all of the Workers with a given Qualification type", + "privilege": "ListWorkersWithQualificationType", "resource_types": [ { "condition_keys": [], 
@@ -105159,21 +115571,21 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a machine learning model in AWS Panorama", - "privilege": "DescribeModel", + "access_level": "Write", + "description": "The NotifyWorkers operation sends an email to one or more Workers that you specify with the Worker ID", + "privilege": "NotifyWorkers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a software version for the AWS Panorama Appliance", - "privilege": "DescribeSoftware", + "access_level": "Write", + "description": "The RejectAssignment operation rejects the results of a completed assignment", + "privilege": "RejectAssignment", "resource_types": [ { "condition_keys": [], @@ -105183,9 +115595,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to view details about a deployment configuration for an AWS Panorama application", - "privilege": "GetDeploymentConfiguration", + "access_level": "Write", + "description": "The RejectQualificationRequest operation rejects a user's request for a Qualification", + "privilege": "RejectQualificationRequest", "resource_types": [ { "condition_keys": [], 
@@ -105195,33 +115607,33 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of cameras generated with CreateInputs", - "privilege": "GetInputs", + "access_level": "Write", + "description": "The SendBonus operation issues a payment of money from your account to a Worker", + "privilege": "SendBonus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of streams generated with CreateStreams", - "privilege": "GetStreams", + "access_level": "Write", + "description": "The SendTestEventNotification operation causes Amazon Mechanical Turk to send a notification message as if a HIT event occurred, according to the provided notification specification", + "privilege": "SendTestEventNotification", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to generate a WebSocket endpoint for communication with AWS Panorama", - "privilege": "GetWebSocketURL", + "access_level": "Write", + "description": "The UpdateExpirationForHIT operation allows you extend the expiration time of a HIT beyond is current expiration or expire a HIT immediately", + "privilege": "UpdateExpirationForHIT", "resource_types": [ { "condition_keys": [], @@ -105231,9 +115643,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of deployments for an AWS Panorama application", - "privilege": "ListAppDeploymentOperations", + "access_level": "Write", + "description": "The UpdateHITReviewStatus operation toggles the status of a HIT", + "privilege": "UpdateHITReviewStatus", "resource_types": [ { "condition_keys": [], 
@@ -105243,21 +115655,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of application versions in AWS Panorama", - "privilege": "ListAppVersions", + "access_level": "Write", + "description": "The UpdateHITTypeOfHIT operation allows you to change the HITType properties of a HIT", + "privilege": "UpdateHITTypeOfHIT", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of applications in AWS Panorama", - "privilege": "ListApps", + "access_level": "Write", + "description": "The UpdateNotificationSettings operation creates, updates, disables or re-enables notifications for a HIT type", + "privilege": "UpdateNotificationSettings", "resource_types": [ { "condition_keys": [], @@ -105267,21 +115679,29 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of datasources in AWS Panorama", - "privilege": "ListDataSources", + "access_level": "Write", + "description": "The UpdateQualificationType operation modifies the attributes of an existing Qualification type, which is represented by a QualificationType data structure", + "privilege": "UpdateQualificationType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] - }, + } + ], + "resources": [], + "service_name": "Amazon Mechanical Turk" + }, + { + "conditions": [], + "prefix": "mediaconnect", + "privileges": [ { - "access_level": "List", - "description": "Grants permission to retrieve a list of deployment configurations in AWS Panorama", - "privilege": "ListDeploymentConfigurations", + "access_level": "Write", + "description": "Grants permission to add media streams to any flow", + "privilege": "AddFlowMediaStreams", "resource_types": [ { "condition_keys": [], 
@@ -105291,9 +115711,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of software updates for an AWS Panorama Appliance", - "privilege": "ListDeviceUpdates", + "access_level": "Write", + "description": "Grants permission to add outputs to any flow", + "privilege": "AddFlowOutputs", "resource_types": [ { "condition_keys": [], @@ -105303,9 +115723,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of appliances in AWS Panorama", - "privilege": "ListDevices", + "access_level": "Write", + "description": "Grants permission to add sources to any flow", + "privilege": "AddFlowSources", "resource_types": [ { "condition_keys": [], @@ -105315,9 +115735,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of models in AWS Panorama", - "privilege": "ListModels", + "access_level": "Write", + "description": "Grants permission to add VPC interfaces to any flow", + "privilege": "AddFlowVpcInterfaces", "resource_types": [ { "condition_keys": [], 
@@ -105327,141 +115747,177 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve a list of tags for a resource in AWS Panorama", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to create flows", + "privilege": "CreateFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataSource" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete flows", + "privilege": "DeleteFlow", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to display the details of a flow including the flow ARN, name, and Availability Zone, as well as details about the source, outputs, and entitlements", + "privilege": "DescribeFlow", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a resource in AWS Panorama", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to display the details of an offering", + "privilege": "DescribeOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to display the details of a reservation", + "privilege": "DescribeReservation", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to grant entitlements on any flow", + "privilege": 
"GrantFlowEntitlements", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to display a list of all entitlements that have been granted to the account", + "privilege": "ListEntitlements", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource in AWS Panorama", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to display a list of flows that are associated with this account", + "privilege": "ListFlows", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to display a list of all offerings that are available to the account in the current AWS Region", + "privilege": "ListOfferings", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to display a list of all reservations that have been purchased by the account in the current AWS Region", + "privilege": "ListReservations", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to display a list of all tags associated with a resource", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model" - }, - { - "condition_keys": [ - 
"aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an AWS Panorama application", - "privilege": "UpdateApp", + "description": "Grants permission to purchase an offering", + "privilege": "PurchaseOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the version-specific configuration of an AWS Panorama application", - "privilege": "UpdateAppConfiguration", + "description": "Grants permission to remove media streams from any flow", + "privilege": "RemoveFlowMediaStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an AWS Panorama datasource", - "privilege": "UpdateDataSource", + "description": "Grants permission to remove outputs from any flow", + "privilege": "RemoveFlowOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataSource*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to modify basic settings for an AWS Panorama Appliance", - "privilege": "UpdateDevice", + "description": "Grants permission to remove sources from any flow", + "privilege": "RemoveFlowSource", "resource_types": [ { "condition_keys": [], 
@@ -105469,449 +115925,397 @@ "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:panorama:${Region}:${AccountId}:device/${DeviceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "device" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${AccountId}:dataSource/${DeviceName}/${DataSourceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dataSource" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${AccountId}:model/${ModelName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "model" - }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "app" }, - { - "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}:{AppVersion}", - "condition_keys": [], - "resource": "appVersion" - } - ], - "service_name": "AWS Panorama" - }, - { - "conditions": [], - "prefix": "personalize", - "privileges": [ { "access_level": "Write", - "description": "Creates a batch inference job", - "privilege": "CreateBatchInferenceJob", + "description": "Grants permission to remove VPC interfaces from any flow", + "privilege": "RemoveFlowVpcInterface", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchInferenceJob*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a campaign", - "privilege": "CreateCampaign", + "description": "Grants permission to revoke entitlements on any flow", + "privilege": "RevokeFlowEntitlement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a dataset", - "privilege": "CreateDataset", + "description": "Grants permission to start flows", + "privilege": "StartFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "dataset*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a dataset group", - "privilege": "CreateDatasetGroup", + "description": "Grants permission to stop flows", + "privilege": "StopFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a dataset import job", - "privilege": "CreateDatasetImportJob", + "access_level": "Tagging", + "description": "Grants permission to associate tags with resources", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasetImportJob*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates an event tracker", - "privilege": "CreateEventTracker", + "access_level": "Tagging", + "description": "Grants permission to remove tags from resources", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventTracker*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a filter", - "privilege": "CreateFilter", + "description": "Grants permission to update flows", + "privilege": "UpdateFlow", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "filter*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a schema", - "privilege": "CreateSchema", + "description": "Grants permission to update entitlements on any flow", + "privilege": "UpdateFlowEntitlement", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a solution", - "privilege": "CreateSolution", + "description": "Grants permission to update media streams on any flow", + "privilege": "UpdateFlowMediaStream", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a solution version", - "privilege": "CreateSolutionVersion", + "description": "Grants permission to update outputs on any flow", + "privilege": "UpdateFlowOutput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a campaign", - "privilege": "DeleteCampaign", + "description": "Grants permission to update the source of any flow", + "privilege": "UpdateFlowSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:entitlement:${FlowId}:${EntitlementName}", + "condition_keys": [], + "resource": "Entitlement" }, { - "access_level": "Write", - "description": "Deletes a dataset", - "privilege": "DeleteDataset", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataset*" - } - ] + "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:flow:${FlowId}:${FlowName}", + "condition_keys": [], + "resource": "Flow" }, { - "access_level": "Write", - "description": "Deletes a dataset group", - "privilege": "DeleteDatasetGroup", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasetGroup*" - } - ] + "arn": "arn:${Partition}:mediaconnect:${Region}:${Account}:output:${OutputId}:${OutputName}", + "condition_keys": [], + "resource": "Output" }, { - "access_level": "Write", - "description": "Deletes an event tracker", - "privilege": "DeleteEventTracker", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "eventTracker*" - } - ] + "arn": 
"arn:${Partition}:mediaconnect:${Region}:${Account}:source:${SourceId}:${SourceName}", + "condition_keys": [], + "resource": "Source" + } + ], + "service_name": "AWS Elemental MediaConnect" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "mediaconvert", + "privileges": [ { "access_level": "Write", - "description": "Deletes a filter", - "privilege": "DeleteFilter", + "description": "Grants permission to associate an AWS Certificate Manager (ACM) Amazon Resource Name (ARN) with AWS Elemental MediaConvert.", + "privilege": "AssociateCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "filter*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a schema", - "privilege": "DeleteSchema", + "description": "Grants permission to cancel an AWS Elemental MediaConvert job that is waiting in queue", + "privilege": "CancelJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "Job*" } ] }, { "access_level": "Write", - "description": "Deletes a solution including all versions of the solution", - "privilege": "DeleteSolution", + "description": "Grants permission to create and submit an AWS Elemental MediaConvert job", + "privilege": "CreateJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" - } - ] - }, - { - "access_level": "Read", - "description": "Describes an algorithm", - "privilege": "DescribeAlgorithm", - 
"resource_types": [ + "resource_type": "JobTemplate" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "algorithm*" - } - ] - }, - { - "access_level": "Read", - "description": "Describes a batch inference job", - "privilege": "DescribeBatchInferenceJob", - "resource_types": [ + "resource_type": "Preset" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "batchInferenceJob*" + "resource_type": "Queue" } ] }, { - "access_level": "Read", - "description": "Describes a campaign", - "privilege": "DescribeCampaign", + "access_level": "Write", + "description": "Grants permission to create an AWS Elemental MediaConvert custom job template", + "privilege": "CreateJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" - } - ] - }, - { - "access_level": "Read", - "description": "Describes a dataset", - "privilege": "DescribeDataset", - "resource_types": [ + "resource_type": "Preset" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - } - ] - }, - { - "access_level": "Read", - "description": "Describes a dataset group", - "privilege": "DescribeDatasetGroup", - "resource_types": [ + "resource_type": "Queue" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "datasetGroup*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes a dataset import job", - "privilege": "DescribeDatasetImportJob", + "access_level": "Write", + "description": "Grants permission to create an AWS Elemental MediaConvert custom output preset", + "privilege": "CreatePreset", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "datasetImportJob*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes an event 
tracker", - "privilege": "DescribeEventTracker", + "access_level": "Write", + "description": "Grants permission to create an AWS Elemental MediaConvert job queue", + "privilege": "CreateQueue", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "eventTracker*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes a feature transformation", - "privilege": "DescribeFeatureTransformation", + "access_level": "Write", + "description": "Grants permission to delete an AWS Elemental MediaConvert custom job template", + "privilege": "DeleteJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "featureTransformation*" + "resource_type": "JobTemplate*" } ] }, { - "access_level": "Read", - "description": "Describes a filter", - "privilege": "DescribeFilter", + "access_level": "Write", + "description": "Grants permission to delete an AWS Elemental MediaConvert custom output preset", + "privilege": "DeletePreset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "filter*" + "resource_type": "Preset*" } ] }, { - "access_level": "Read", - "description": "Describes a recipe", - "privilege": "DescribeRecipe", + "access_level": "Write", + "description": "Grants permission to delete an AWS Elemental MediaConvert job queue", + "privilege": "DeleteQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "recipe*" + "resource_type": "Queue*" } ] }, { - "access_level": "Read", - "description": "Describes a schema", - "privilege": "DescribeSchema", + "access_level": "List", + "description": "Grants permission to subscribe to the AWS Elemental MediaConvert service, by sending a request for an account-specific endpoint. 
All transcoding requests must be sent to the endpoint that the service returns.", + "privilege": "DescribeEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes a solution", - "privilege": "DescribeSolution", + "access_level": "Write", + "description": "Grants permission to remove an association between the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate and an AWS Elemental MediaConvert resource.", + "privilege": "DisassociateCertificate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Describes a version of a solution", - "privilege": "DescribeSolutionVersion", + "description": "Grants permission to get an AWS Elemental MediaConvert job", + "privilege": "GetJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "Job*" } ] }, { "access_level": "Read", - "description": "Gets a re-ranked list of recommendations", - "privilege": "GetPersonalizedRanking", + "description": "Grants permission to get an AWS Elemental MediaConvert job template", + "privilege": "GetJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "JobTemplate*" } ] }, { "access_level": "Read", - "description": "Gets a list of recommendations from a campaign", - "privilege": "GetRecommendations", + "description": "Grants permission to get an AWS Elemental MediaConvert output preset", + "privilege": "GetPreset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "Preset*" } ] }, { "access_level": "Read", - "description": "Gets metrics for a solution version", - "privilege": "GetSolutionMetrics", + 
"description": "Grants permission to get an AWS Elemental MediaConvert job queue", + "privilege": "GetQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "solution*" + "resource_type": "Queue*" } ] }, { "access_level": "List", - "description": "Lists batch inference jobs", - "privilege": "ListBatchInferenceJobs", + "description": "Grants permission to list AWS Elemental MediaConvert job templates", + "privilege": "ListJobTemplates", "resource_types": [ { "condition_keys": [], @@ -105922,20 +116326,20 @@ }, { "access_level": "List", - "description": "Lists campaigns", - "privilege": "ListCampaigns", + "description": "Grants permission to list AWS Elemental MediaConvert jobs", + "privilege": "ListJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Queue" } ] }, { "access_level": "List", - "description": "Lists dataset groups", - "privilege": "ListDatasetGroups", + "description": "Grants permission to list AWS Elemental MediaConvert output presets", + "privilege": "ListPresets", "resource_types": [ { "condition_keys": [], @@ -105946,8 +116350,8 @@ }, { "access_level": "List", - "description": "Lists dataset import jobs", - "privilege": "ListDatasetImportJobs", + "description": "Grants permission to list AWS Elemental MediaConvert job queues", + "privilege": "ListQueues", "resource_types": [ { "condition_keys": [], 
@@ -105957,604 +116361,694 @@ ] }, { - "access_level": "List", - "description": "Lists datasets", - "privilege": "ListDatasets", + "access_level": "Read", + "description": "Grants permission to retrieve the tags for a MediaConvert queue, preset, or job template", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists event trackers", - "privilege": "ListEventTrackers", - "resource_types": [ + "resource_type": "JobTemplate" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists filters", - "privilege": "ListFilters", - "resource_types": [ + "resource_type": "Preset" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Queue" } ] }, { - "access_level": "List", - "description": "Lists recipes", - "privilege": "ListRecipes", + "access_level": "Tagging", + "description": "Grants permission to add tags to a MediaConvert queue, preset, or job template", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists schemas", - "privilege": "ListSchemas", - "resource_types": [ + "resource_type": "JobTemplate" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists versions of a solution", - "privilege": "ListSolutionVersions", - "resource_types": [ + "resource_type": "Preset" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "Queue" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists solutions", - "privilege": "ListSolutions", + 
"access_level": "Tagging", + "description": "Grants permission to remove tags from a MediaConvert queue, preset, or job template", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "JobTemplate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Preset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Queue" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Records real time event data", - "privilege": "PutEvents", + "description": "Grants permission to update an AWS Elemental MediaConvert custom job template", + "privilege": "UpdateJobTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventTracker*" - } - ] - }, - { - "access_level": "Write", - "description": "Ingest Items data", - "privilege": "PutItems", - "resource_types": [ + "resource_type": "JobTemplate*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "Preset" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Queue" } ] }, { "access_level": "Write", - "description": "Ingest Users data", - "privilege": "PutUsers", + "description": "Grants permission to update an AWS Elemental MediaConvert custom output preset", + "privilege": "UpdatePreset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "Preset*" } ] }, { "access_level": "Write", - "description": "Updates a campaign", - "privilege": "UpdateCampaign", + "description": "Grants permission to update an AWS Elemental MediaConvert job queue", + "privilege": "UpdateQueue", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "campaign*" + "resource_type": "Queue*" } ] } ], "resources": [ { - "arn": 
"arn:${Partition}:personalize:${Region}:${Account}:schema/${ResourceId}", - "condition_keys": [], - "resource": "schema" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:feature-transformation/${ResourceId}", - "condition_keys": [], - "resource": "featureTransformation" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset/${ResourceId}", - "condition_keys": [], - "resource": "dataset" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-group/${ResourceId}", - "condition_keys": [], - "resource": "datasetGroup" - }, - { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-import-job/${ResourceId}", + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobs/${JobId}", "condition_keys": [], - "resource": "datasetImportJob" + "resource": "Job" }, { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:solution/${ResourceId}", - "condition_keys": [], - "resource": "solution" + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:queues/${QueueName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Queue" }, { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:campaign/${ResourceId}", - "condition_keys": [], - "resource": "campaign" + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:presets/${PresetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Preset" }, { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:event-tracker/${ResourceId}", - "condition_keys": [], - "resource": "eventTracker" + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:jobTemplates/${JobTemplateName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "JobTemplate" }, { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:recipe/${ResourceId}", + "arn": "arn:${Partition}:mediaconvert:${Region}:${Account}:certificates/${CertificateArn}", "condition_keys": [], - "resource": "recipe" 
- }, + "resource": "CertificateAssociation" + } + ], + "service_name": "AWS Elemental MediaConvert" + }, + { + "conditions": [ { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:algorithm/${ResourceId}", - "condition_keys": [], - "resource": "algorithm" + "condition": "aws:RequestTag/${TagKey}", + "description": "The tag for a MediaLive request", + "type": "String" }, { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:batch-inference-job/${ResourceId}", - "condition_keys": [], - "resource": "batchInferenceJob" + "condition": "aws:ResourceTag/${TagKey}", + "description": "The tag for a MediaLive resource", + "type": "String" }, { - "arn": "arn:${Partition}:personalize:${Region}:${Account}:filter/${ResourceId}", - "condition_keys": [], - "resource": "filter" + "condition": "aws:TagKeys", + "description": "The tag keys for a MediaLive resource or request", + "type": "String" } ], - "service_name": "Amazon Personalize" - }, - { - "conditions": [], - "prefix": "pi", + "prefix": "medialive", "privileges": [ { - "access_level": "Read", - "description": "For a specific time period, retrieve the top N dimension keys for a metric.", - "privilege": "DescribeDimensionKeys", + "access_level": "Write", + "description": "Grants permission to accept an input device transfer", + "privilege": "AcceptInputDeviceTransfer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "metric-resource*" + "resource_type": "input-device*" } ] }, { - "access_level": "Read", - "description": "Retrieve PI metrics for a set of data sources, over a time period.", - "privilege": "GetResourceMetrics", + "access_level": "Write", + "description": "Grants permission to delete channels, inputs, input security groups, and multiplexes", + "privilege": "BatchDelete", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "metric-resource*" + "resource_type": "channel" + }, + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "input" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:pi:${Region}:${Account}:metrics/${ServiceType}/${Identifier}", - "condition_keys": [], - "resource": "metric-resource" - } - ], - "service_name": "AWS Performance Insights" - }, - { - "conditions": [], - "prefix": "polly", - "privileges": [ + }, { "access_level": "Write", - "description": "Grants permissions to delete the specified pronunciation lexicon stored in an AWS Region", - "privilege": "DeleteLexicon", + "description": "Grants permission to start channels and multiplexes", + "privilege": "BatchStart", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "lexicon*" + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" } ] }, { - "access_level": "List", - "description": "Grants permissions to describe the list of voices that are available for use when requesting speech synthesis", - "privilege": "DescribeVoices", + "access_level": "Write", + "description": "Grants permission to stop channels and multiplexes", + "privilege": "BatchStop", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" } ] }, { - "access_level": "Read", - "description": "Grants permissions to retrieve the content of the specified pronunciation lexicon stored in an AWS Region", - "privilege": "GetLexicon", + "access_level": "Write", + "description": "Grants permission to add and remove actions from a channel's schedule", + "privilege": "BatchUpdateSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "lexicon*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to get information about specific speech synthesis task", - "privilege": "GetSpeechSynthesisTask", + "access_level": "Write", + "description": "Grants permission to cancel an input device transfer", + "privilege": "CancelInputDeviceTransfer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "input-device*" } ] }, { - "access_level": "List", - "description": "Grants permisions to list the pronunciation lexicons stored in an AWS Region", - "privilege": "ListLexicons", + "access_level": "Write", + "description": "Grants permission to create a channel", + "privilege": "CreateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "channel*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permissions to list requested speech synthesis tasks", - "privilege": "ListSpeechSynthesisTasks", + "access_level": "Write", + "description": "Grants permission to create an input", + "privilege": "CreateInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "input*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to store a pronunciation lexicon in an AWS Region", - "privilege": "PutLexicon", + "description": "Grants permission to create an input security group", + "privilege": "CreateInputSecurityGroup", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "lexicon*" + "resource_type": "input-security-group*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permissions to synthesize long inputs to the provided S3 location", - "privilege": "StartSpeechSynthesisTask", + "description": "Grants permission to create a multiplex", + "privilege": "CreateMultiplex", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "s3:PutObject" + "dependent_actions": [], + "resource_type": "multiplex*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "lexicon" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permissions to synthesize speech", - "privilege": "SynthesizeSpeech", + "access_level": "Write", + "description": "Grants permission to create a multiplex program", + "privilege": "CreateMultiplexProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "lexicon" + "resource_type": "multiplex*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:polly:${Region}:${Account}:lexicon/${LexiconName}", - "condition_keys": [], - "resource": "lexicon" - } - ], - "service_name": "Amazon Polly" - }, - { - "conditions": [], - "prefix": "pricing", - "privileges": [ + }, { - "access_level": "Read", - "description": "Returns the service details for all (paginated) services (if serviceCode is not set) or service detail for a particular service (if given serviceCode).", - "privilege": "DescribeServices", + "access_level": "Write", + "description": "Grants permission to create a partner input", + "privilege": "CreatePartnerInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "input*" + }, + { + "condition_keys": [ + 
"aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns all (paginated) possible values for a given attribute.", - "privilege": "GetAttributeValues", + "access_level": "Tagging", + "description": "Grants permission to create tags for channels, inputs, input security groups, multiplexes, and reservations", + "privilege": "CreateTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reservation" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns all matching products with given search criteria.", - "privilege": "GetProducts", + "access_level": "Write", + "description": "Grants permission to delete a channel", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] - } - ], - "resources": [], - "service_name": "AWS Price List" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by a key that is present in the request the user makes to the pinpoint service.", - "type": "String" }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by a tag key and value pair.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key names present in the request the user makes to the pinpoint 
service.", - "type": "String" - } - ], - "prefix": "profile", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to add a profile key", - "privilege": "AddProfileKey", + "description": "Grants permission to delete an input", + "privilege": "DeleteInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a Domain", - "privilege": "CreateDomain", + "description": "Grants permission to delete an input security group", + "privilege": "DeleteInputSecurityGroup", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "input-security-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a profile in the domain", - "privilege": "CreateProfile", + "description": "Grants permission to delete a multiplex", + "privilege": "DeleteMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "multiplex*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a Domain", - "privilege": "DeleteDomain", + "description": "Grants permission to delete a multiplex program", + "privilege": "DeleteMultiplexProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "multiplex*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a integration in a domain", - "privilege": "DeleteIntegration", + "description": "Grants permission to delete an expired reservation", + "privilege": "DeleteReservation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, + "resource_type": "reservation*" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permission to delete all schedule actions for a channel", + "privilege": "DeleteSchedule", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "integrations*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a profile", - "privilege": "DeleteProfile", + "access_level": "Tagging", + "description": "Grants permission to delete tags from channels, inputs, input security groups, multiplexes, and reservations", + "privilege": "DeleteTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "channel" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input-security-group" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiplex" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "reservation" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a profile key", - "privilege": "DeleteProfileKey", + "access_level": "Read", + "description": "Grants permission to get details about a channel", + "privilege": "DescribeChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a profile object", - "privilege": "DeleteProfileObject", + "access_level": "Read", + "description": "Grants permission to describe an input", + "privilege": "DescribeInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, + "resource_type": "input*" + } + ] + }, + { + 
"access_level": "Read", + "description": "Grants permission to describe an input device", + "privilege": "DescribeInputDevice", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "input-device*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a specific profile object type in the domain", - "privilege": "DeleteProfileObjectType", + "access_level": "Read", + "description": "Grants permission to describe an input device thumbnail", + "privilege": "DescribeInputDeviceThumbnail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, + "resource_type": "input-device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an input security group", + "privilege": "DescribeInputSecurityGroup", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "input-security-group*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a specific domain in an account", - "privilege": "GetDomain", + "description": "Grants permission to describe a multiplex", + "privilege": "DescribeMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "multiplex*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a specific integrations in a domain", - "privilege": "GetIntegration", + "description": "Grants permission to describe a multiplex program", + "privilege": "DescribeMultiplexProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, + "resource_type": "multiplex*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get details about a reservation offering", + "privilege": "DescribeOffering", + "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "integrations*" + "resource_type": "offering*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a specific profile object type in the domain", - "privilege": "GetProfileObjectType", + "description": "Grants permission to get details about a reservation", + "privilege": "DescribeReservation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, + "resource_type": "reservation*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view a list of actions scheduled on a channel", + "privilege": "DescribeSchedule", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "channel*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a specific object type template", - "privilege": "GetProfileObjectTypeTemplate", + "access_level": "List", + "description": "Grants permission to list channels", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], @@ -106565,8 +117059,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all the integrations in the account", - "privilege": "ListAccountIntegrations", + "description": "Grants permission to list input device transfers", + "privilege": "ListInputDeviceTransfers", "resource_types": [ { "condition_keys": [], @@ -106577,8 +117071,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all the domains in an account", - "privilege": "ListDomains", + "description": "Grants permission to list input devices", + "privilege": "ListInputDevices", "resource_types": [ { "condition_keys": [], 
@@ -106589,20 +117083,20 @@ }, { "access_level": "List", - "description": "Grants permission to list all the integrations in a specific domain", - "privilege": "ListIntegrations", + "description": "Grants permission to list input security groups", + "privilege": "ListInputSecurityGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all the profile object type templates in the account", - "privilege": "ListProfileObjectTypeTemplates", + "description": "Grants permission to list inputs", + "privilege": "ListInputs", "resource_types": [ { "condition_keys": [], 
@@ -106613,37 +117107,44 @@ }, { "access_level": "List", - "description": "Grants permission to list all the profile object types in the domain", - "privilege": "ListProfileObjectTypes", + "description": "Grants permission to list multiplex programs", + "privilege": "ListMultiplexPrograms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all the profile objects for a profile", - "privilege": "ListProfileObjects", + "description": "Grants permission to list multiplexes", + "privilege": "ListMultiplexes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list reservation offerings", + "privilege": "ListOfferings", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to list reservations", + "privilege": "ListReservations", "resource_types": [ { "condition_keys": [], 
@@ -106653,61 +117154,51 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to put a integration in a domain", - "privilege": "PutIntegration", + "access_level": "List", + "description": "Grants permission to list tags for channels, inputs, input security groups, multiplexes, and reservations", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "channel" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "integrations*" + "resource_type": "input" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to put an object for a profile", - "privilege": "PutProfileObject", - "resource_types": [ + "resource_type": "input-security-group" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "multiplex" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "reservation" } ] }, { "access_level": "Write", - "description": "Grants permission to put a specific profile object type in the domain", - "privilege": "PutProfileObjectType", + "description": "Grants permission to purchase a reservation offering", + "privilege": "PurchaseOffering", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "offering*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "object-types*" + "resource_type": "reservation*" }, { "condition_keys": [ 
@@ -106720,731 +117211,867 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to search for profiles in a domain", - "privilege": "SearchProfiles", + "access_level": "Write", + "description": "Grants permission to reject an input device transfer", + "privilege": "RejectInputDeviceTransfer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "input-device*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to adds tags to a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to start a channel", + "privilege": "StartChannel", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to start a multiplex", + "privilege": "StartMultiplex", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "multiplex*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a Domain", - "privilege": "UpdateDomain", + "description": "Grants permission to stop a channel", + "privilege": "StopChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domains*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a profile in the domain", - "privilege": "UpdateProfile", + "description": "Grants permission to stop a multiplex", + "privilege": "StopMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"domains*" + "resource_type": "multiplex*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "domains" - }, - { - "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/object-types/${ObjectTypeName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "object-types" }, - { - "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/integrations/${Uri}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "integrations" - } - ], - "service_name": "Amazon Connect Customer Profiles" - }, - { - "conditions": [], - "prefix": "proton", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an environment", - "privilege": "CreateEnvironment", + "description": "Grants permission to transfer an input device", + "privilege": "TransferInputDevice", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "environment*" + "dependent_actions": [], + "resource_type": "input-device*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an environment template", - "privilege": "CreateEnvironmentTemplate", + "description": "Grants permission to update a channel", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an environment template major version", - "privilege": "CreateEnvironmentTemplateMajorVersion", + "description": "Grants permission to update the class of a channel", + "privilege": "UpdateChannelClass", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "channel*" } ] }, 
{ "access_level": "Write", - "description": "Grants permission to create an environment template minor version", - "privilege": "CreateEnvironmentTemplateMinorVersion", + "description": "Grants permission to update an input", + "privilege": "UpdateInput", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "input*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a service", - "privilege": "CreateService", + "description": "Grants permission to update an input device", + "privilege": "UpdateInputDevice", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "codestar-connections:PassConnection" - ], - "resource_type": "service*" + "dependent_actions": [], + "resource_type": "input-device*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a service template", - "privilege": "CreateServiceTemplate", + "description": "Grants permission to update an input security group", + "privilege": "UpdateInputSecurityGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "input-security-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a service template major version", - "privilege": "CreateServiceTemplateMajorVersion", + "description": "Grants permission to update a multiplex", + "privilege": "UpdateMultiplex", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "multiplex*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a service template minor version", - "privilege": "CreateServiceTemplateMinorVersion", + "description": "Grants permission to update a multiplex program", + "privilege": "UpdateMultiplexProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"service-template*" + "resource_type": "multiplex*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the account role settings", - "privilege": "DeleteAccountRoles", + "description": "Grants permission to update a reservation", + "privilege": "UpdateReservation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "reservation*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:channel:*", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channel" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:input:*", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "input" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputDevice:*", + "condition_keys": [], + "resource": "input-device" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:inputSecurityGroup:*", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "input-security-group" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:multiplex:*", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "multiplex" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:reservation:*", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "reservation" + }, + { + "arn": "arn:${Partition}:medialive:${Region}:${Account}:offering:*", + "condition_keys": [], + "resource": "offering" + } + ], + "service_name": "AWS Elemental MediaLive" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag for a MediaPackage request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tag for a MediaPackage resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys for a 
MediaPackage resource or request", + "type": "String" + } + ], + "prefix": "mediapackage", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete an environment", - "privilege": "DeleteEnvironment", + "description": "Grants permission to configure access logs for a Channel", + "privilege": "ConfigureLogs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "channels*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an environment template", - "privilege": "DeleteEnvironmentTemplate", + "description": "Grants permission to create a channel in AWS Elemental MediaPackage", + "privilege": "CreateChannel", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an environment template major version", - "privilege": "DeleteEnvironmentTemplateMajorVersion", + "description": "Grants permission to create a harvest job in AWS Elemental MediaPackage", + "privilege": "CreateHarvestJob", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an environment template minor version", - "privilege": "DeleteEnvironmentTemplateMinorVersion", + "description": "Grants permission to create an endpoint in AWS Elemental MediaPackage", + "privilege": "CreateOriginEndpoint", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - 
"resource_type": "environment-template*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a service", - "privilege": "DeleteService", + "description": "Grants permission to delete a channel in AWS Elemental MediaPackage", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "channels*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a service template", - "privilege": "DeleteServiceTemplate", + "description": "Grants permission to delete an endpoint in AWS Elemental MediaPackage", + "privilege": "DeleteOriginEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "origin_endpoints*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a service template major version", - "privilege": "DeleteServiceTemplateMajorVersion", + "access_level": "Read", + "description": "Grants permission to view the details of a channel in AWS Elemental MediaPackage", + "privilege": "DescribeChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "channels*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a service template minor version", - "privilege": "DeleteServiceTemplateMinorVersion", + "access_level": "Read", + "description": "Grants permission to view the details of a harvest job in AWS Elemental MediaPackage", + "privilege": "DescribeHarvestJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "harvest_jobs*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the account role settings", - "privilege": "GetAccountRoles", + "description": "Grants permission to view the 
details of an endpoint in AWS Elemental MediaPackage", + "privilege": "DescribeOriginEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "origin_endpoints*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment", - "privilege": "GetEnvironment", + "description": "Grants permission to view a list of channels in AWS Elemental MediaPackage", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment template", - "privilege": "GetEnvironmentTemplate", + "description": "Grants permission to view a list of harvest jobs in AWS Elemental MediaPackage", + "privilege": "ListHarvestJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment template major version", - "privilege": "GetEnvironmentTemplateMajorVersion", + "description": "Grants permission to view a list of endpoints in AWS Elemental MediaPackage", + "privilege": "ListOriginEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe an environment template minor version", - "privilege": "GetEnvironmentTemplateMinorVersion", + "description": "Grants permission to list the tags assigned to a Channel or OriginEndpoint", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "channels" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"harvest_jobs" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "origin_endpoints" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a service", - "privilege": "GetService", + "access_level": "Write", + "description": "Grants permission to rotate credentials for the first IngestEndpoint of a Channel in AWS Elemental MediaPackage", + "privilege": "RotateChannelCredentials", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "channels*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a service instance", - "privilege": "GetServiceInstance", + "access_level": "Write", + "description": "Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage", + "privilege": "RotateIngestEndpointCredentials", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-instance*" + "resource_type": "channels*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a service template", - "privilege": "GetServiceTemplate", + "access_level": "Tagging", + "description": "Grants permission to tag a MediaPackage resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "channels" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "harvest_jobs" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "origin_endpoints" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a service template major version", - "privilege": "GetServiceTemplateMajorVersion", + "access_level": "Tagging", + "description": "Grants 
permission to delete tags to a Channel or OriginEndpoint", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "channels" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "harvest_jobs" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "origin_endpoints" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a service template minor version", - "privilege": "GetServiceTemplateMinorVersion", + "access_level": "Write", + "description": "Grants permission to make changes to a channel in AWS Elemental MediaPackage", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "channels*" } ] }, { - "access_level": "List", - "description": "Grants permission to list environment template major versions", - "privilege": "ListEnvironmentTemplateMajorVersions", + "access_level": "Write", + "description": "Grants permission to make changes to an endpoint in AWS Elemental MediaPackage", + "privilege": "UpdateOriginEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "origin_endpoints*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:channels/${ChannelIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channels" }, { - "access_level": "List", - "description": "Grants permission to list environment template minor versions", - "privilege": "ListEnvironmentTemplateMinorVersions", + "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:origin_endpoints/${OriginEndpointIdentifier}", + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "resource": "origin_endpoints" + }, + { + "arn": "arn:${Partition}:mediapackage:${Region}:${Account}:harvest_jobs/${HarvestJobIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "harvest_jobs" + } + ], + "service_name": "AWS Elemental MediaPackage" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "mediapackage-vod", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to configure egress access logs for a PackagingGroup", + "privilege": "ConfigureLogs", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "environment-template*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "packaging-groups*" } ] }, { - "access_level": "List", - "description": "Grants permission to list environment templates", - "privilege": "ListEnvironmentTemplates", + "access_level": "Write", + "description": "Grants permission to create an asset in AWS Elemental MediaPackage", + "privilege": "CreateAsset", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list environments", - "privilege": "ListEnvironments", + "access_level": "Write", + "description": "Grants permission to create a packaging configuration in AWS Elemental MediaPackage", + "privilege": "CreatePackagingConfiguration", 
"resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list service instances", - "privilege": "ListServiceInstances", + "access_level": "Write", + "description": "Grants permission to create a packaging group in AWS Elemental MediaPackage", + "privilege": "CreatePackagingGroup", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list service template major versions", - "privilege": "ListServiceTemplateMajorVersions", + "access_level": "Write", + "description": "Grants permission to delete an asset in AWS Elemental MediaPackage", + "privilege": "DeleteAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "assets*" } ] }, { - "access_level": "List", - "description": "Grants permission to list service template minor versions", - "privilege": "ListServiceTemplateMinorVersions", + "access_level": "Write", + "description": "Grants permission to delete a packaging configuration in AWS Elemental MediaPackage", + "privilege": "DeletePackagingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "packaging-configurations*" } ] }, { - "access_level": "List", - "description": "Grants permission to list service templates", - "privilege": "ListServiceTemplates", + "access_level": "Write", + "description": "Grants permission to delete a packaging group in AWS Elemental MediaPackage", + "privilege": "DeletePackagingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "packaging-groups*" 
} ] }, { - "access_level": "List", - "description": "Grants permission to list services", - "privilege": "ListServices", + "access_level": "Read", + "description": "Grants permission to view the details of an asset in AWS Elemental MediaPackage", + "privilege": "DescribeAsset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "assets*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the account role settings", - "privilege": "UpdateAccountRoles", + "access_level": "Read", + "description": "Grants permission to view the details of a packaging configuration in AWS Elemental MediaPackage", + "privilege": "DescribePackagingConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "packaging-configurations*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an environment", - "privilege": "UpdateEnvironment", + "access_level": "Read", + "description": "Grants permission to view the details of a packaging group in AWS Elemental MediaPackage", + "privilege": "DescribePackagingGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "environment*" + "dependent_actions": [], + "resource_type": "packaging-groups*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an environment template", - "privilege": "UpdateEnvironmentTemplate", + "access_level": "List", + "description": "Grants permission to view a list of assets in AWS Elemental MediaPackage", + "privilege": "ListAssets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an environment template major version", - "privilege": 
"UpdateEnvironmentTemplateMajorVersion", + "access_level": "List", + "description": "Grants permission to view a list of packaging configurations in AWS Elemental MediaPackage", + "privilege": "ListPackagingConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an environment template minor version", - "privilege": "UpdateEnvironmentTemplateMinorVersion", + "access_level": "List", + "description": "Grants permission to view a list of packaging groups in AWS Elemental MediaPackage", + "privilege": "ListPackagingGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "environment-template*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a service", - "privilege": "UpdateService", + "access_level": "Read", + "description": "Grants permission to list the tags assigned to a PackagingGroup, PackagingConfiguration, or Asset.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a service instance", - "privilege": "UpdateServiceInstance", - "resource_types": [ + "resource_type": "assets" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-instance*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a service pipeline", - "privilege": "UpdateServicePipeline", - "resource_types": [ + "resource_type": "packaging-configurations" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "packaging-groups" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a service template", - "privilege": 
"UpdateServiceTemplate", + "access_level": "Tagging", + "description": "Grants permission to assign tags to a PackagingGroup, PackagingConfiguration, or Asset.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "assets" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "packaging-configurations" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "packaging-groups" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a service template major version", - "privilege": "UpdateServiceTemplateMajorVersion", + "access_level": "Tagging", + "description": "Grants permission to delete tags from a PackagingGroup, PackagingConfiguration, or Asset.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "assets" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "packaging-configurations" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "packaging-groups" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update a service template minor version", - "privilege": "UpdateServiceTemplateMinorVersion", + "description": "Grants permission to update a packaging group in AWS Elemental MediaPackage", + "privilege": "UpdatePackagingGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service-template*" + "resource_type": "packaging-groups*" } ] } ], "resources": [ { - "arn": 
"arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}", - "condition_keys": [], - "resource": "environment-template" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}", - "condition_keys": [], - "resource": "environment-template-major-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", - "condition_keys": [], - "resource": "environment-template-minor-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}", - "condition_keys": [], - "resource": "service-template" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}", - "condition_keys": [], - "resource": "service-template-major-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", - "condition_keys": [], - "resource": "service-template-minor-version" - }, - { - "arn": "arn:${Partition}:proton:${Region}:${Account}:environment/${EnvironmentName}", - "condition_keys": [], - "resource": "environment" + "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:assets/${AssetIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "assets" }, { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${ServiceName}", - "condition_keys": [], - "resource": "service" + "arn": "arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-configurations/${PackagingConfigurationIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "packaging-configurations" }, { - "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${ServiceName}/service-instance/${ServiceInstanceName}", - "condition_keys": [], - "resource": "service-instance" + "arn": 
"arn:${Partition}:mediapackage-vod:${Region}:${Account}:packaging-groups/${PackagingGroupIdentifier}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "packaging-groups" } ], - "service_name": "AWS Proton" + "service_name": "AWS Elemental MediaPackage VOD" }, { "conditions": [], - "prefix": "purchase-orders", + "prefix": "mediastore", "privileges": [ { "access_level": "Write", - "description": "Modify purchase orders and details", - "privilege": "ModifyPurchaseOrders", + "description": "Grants permission to create containers.", + "privilege": "CreateContainer", "resource_types": [ { "condition_keys": [], @@ -107454,9 +118081,9 @@ ] }, { - "access_level": "Read", - "description": "View purchase orders and details", - "privilege": "ViewPurchaseOrders", + "access_level": "Write", + "description": "Grants permission to delete any container in the current account.", + "privilege": "DeleteContainer", "resource_types": [ { "condition_keys": [], 
@@ -107464,199 +118091,167 @@ "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "AWS Purchase Orders Console" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "qldb", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to cancel a journal kinesis stream", - "privilege": "CancelJournalKinesisStream", + "access_level": "Permissions management", + "description": "Grants permission to delete the access policy of any container in the current account.", + "privilege": "DeleteContainerPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a ledger", - "privilege": "CreateLedger", + "description": "Grants permission to delete the CORS policy from any container in the current account.", + "privilege": "DeleteCorsPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a ledger", - "privilege": "DeleteLedger", + "description": "Grants permission to delete the lifecycle policy from any container in the current account.", + "privilege": "DeleteLifecyclePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + 
"resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe information about a journal kinesis stream", - "privilege": "DescribeJournalKinesisStream", + "access_level": "Write", + "description": "Grants permission to delete the metric policy from any container in the current account.", + "privilege": "DeleteMetricPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe information about a journal export job", - "privilege": "DescribeJournalS3Export", + "access_level": "Write", + "description": "Grants permission to delete objects.", + "privilege": "DeleteObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a ledger", - "privilege": "DescribeLedger", + "access_level": "List", + "description": "Grants permission to retrieve details on any container in the current account.", + "privilege": "DescribeContainer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to send commands to a ledger via the console", - "privilege": "ExecuteStatement", + "access_level": "List", + "description": "Grants permission to retrieve object metadata.", + "privilege": "DescribeObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to export journal contents to an Amazon S3 bucket", - "privilege": "ExportJournalToS3", + "access_level": "Read", + "description": "Grants permission to retrieve the access policy of any container in the current account.", + 
"privilege": "GetContainerPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a block from a ledger for a given BlockAddress", - "privilege": "GetBlock", + "description": "Grants permission to retrieve the CORS policy of any container in the current account.", + "privilege": "GetCorsPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a digest from a ledger for a given BlockAddress", - "privilege": "GetDigest", + "description": "Grants permission to retrieve the lifecycle policy that is assigned to any container in the current account.", + "privilege": "GetLifecyclePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve a revision for a given document ID and a given BlockAddress", - "privilege": "GetRevision", + "description": "Grants permission to retrieve the metric policy that is assigned to any container in the current account.", + "privilege": "GetMetricPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to insert sample application data via the console", - "privilege": "InsertSampleData", + "access_level": "Read", + "description": "Grants permission to retrieve objects.", + "privilege": "GetObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list journal kinesis streams for a specified ledger", - 
"privilege": "ListJournalKinesisStreamsForLedger", + "description": "Grants permission to retrieve a list of containers in the current account.", + "privilege": "ListContainers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list journal export jobs for all ledgers", - "privilege": "ListJournalS3Exports", + "description": "Grants permission to retrieve a list of objects and folders in the current account.", + "privilege": "ListItems", "resource_types": [ { "condition_keys": [], @@ -107666,21 +118261,21 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list journal export jobs for a specified ledger", - "privilege": "ListJournalS3ExportsForLedger", + "access_level": "Read", + "description": "Grants permission to list tags on any container in the current account.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list existing ledgers", - "privilege": "ListLedgers", + "access_level": "Permissions management", + "description": "Grants permission to create or replace the access policy of any container in the current account.", + "privilege": "PutContainerPolicy", "resource_types": [ { "condition_keys": [], 
@@ -107690,68 +118285,72 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list tags for a resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to add or modify the CORS policy of any container in the current account.", + "privilege": "PutCorsPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to send commands to a ledger", - "privilege": "SendCommand", + "description": "Grants permission to add or modify the lifecycle policy that is assigned to any container in the current account.", + "privilege": "PutLifecyclePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to view a ledger's catalog via the console", - "privilege": "ShowCatalog", + "description": "Grants permission to add or modify the metric policy that is assigned to any container in the current account.", + "privilege": "PutMetricPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to stream journal contents to a Kinesis Data Stream", - "privilege": "StreamJournalToKinesis", + "description": "Grants permission to upload objects.", + "privilege": "PutObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "stream*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add one or more tags to a resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to enable access logging on any container in the current account.", + "privilege": "StartAccessLogging", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable access logging on any container in the current account.", + "privilege": "StopAccessLogging", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -107759,99 +118358,63 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove one or more tags to a resource", - "privilege": "UntagResource", + "description": "Grants permission to add tags to any container in the current account.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update properties on a ledger", - "privilege": "UpdateLedger", + "access_level": "Tagging", + "description": "Grants permission to remove tags from any container in the current account.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ledger*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ledger" - }, - { - "arn": "arn:${Partition}:qldb:${Region}:${Account}:stream/${LedgerName}/${StreamId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "stream" + "arn": "arn:${Partition}:mediastore:${Region}:${Account}:container/${ContainerName}", + "condition_keys": [], + "resource": "container" } ], - "service_name": "Amazon QLDB" + "service_name": "AWS Elemental MediaStore" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access by tag key-value pairs in the request", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access by tag key-value pairs attached to the resource", + "description": "Filters actions based on tag key-value pairs attached to the resource", "type": "String" }, { "condition": 
"aws:TagKeys", - "description": "Filters access by tag keys", - "type": "String" - }, - { - "condition": "quicksight:IamArn", - "description": "Filters access by IAM user or role ARN", - "type": "String" - }, - { - "condition": "quicksight:SessionName", - "description": "Filters access by session name", - "type": "String" - }, - { - "condition": "quicksight:UserName", - "description": "Filters access by user name", + "description": "Filters actions based on the presence of tag keys in the request", "type": "String" } ], - "prefix": "quicksight", + "prefix": "mediatailor", "privileges": [ { "access_level": "Write", - "description": "Grants permission to cancel a SPICE ingestions on a dataset", - "privilege": "CancelIngestion", + "description": "Grants permission to create a new channel", + "privilege": "CreateChannel", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "ingestion*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -107864,40 +118427,40 @@ }, { "access_level": "Write", - "description": "Grants permission to create an account customization for QuickSight account or namespace", - "privilege": "CreateAccountCustomization", + "description": "Grants permission to create a new program on the channel with the specified channel name", + "privilege": "CreateProgram", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to provision Amazon QuickSight administrators, authors, and readers", - "privilege": "CreateAdmin", + "description": "Grants permission to create a new source location", + "privilege": "CreateSourceLocation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create an analysis from a template", - "privilege": "CreateAnalysis", + "description": "Grants permission to create a new VOD source on the source location with the specified source location name", + "privilege": "CreateVodSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "sourceLocation*" }, { "condition_keys": [ 
@@ -107911,235 +118474,208 @@ }, { "access_level": "Write", - "description": "Grants permission to create a custom permissions resource for restricting user access", - "privilege": "CreateCustomPermissions", + "description": "Grants permission to delete the channel with the specified channel name", + "privilege": "DeleteChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a QuickSight Dashboard", - "privilege": "CreateDashboard", + "access_level": "Permissions management", + "description": "Grants permission to delete the IAM policy on the channel with the specified channel name", + "privilege": "DeleteChannelPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a dataset", - "privilege": "CreateDataSet", + "description": "Deletes the playback configuration for the specified name", + "privilege": "DeletePlaybackConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "quicksight:PassDataSource" - ], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "playbackConfiguration*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a data source", - "privilege": "CreateDataSource", + "description": "Grants permission to delete the program with the specified program name on the channel with the specified channel name", + "privilege": "DeleteProgram", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - 
], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "program*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a QuickSight group", - "privilege": "CreateGroup", + "description": "Grants permission to delete the source location with the specified source location name", + "privilege": "DeleteSourceLocation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "sourceLocation*" } ] }, { "access_level": "Write", - "description": "Grants permission to add a QuickSight user to a QuickSight group", - "privilege": "CreateGroupMembership", + "description": "Grants permission to delete the VOD source with the specified VOD source name on the source location with the specified source location name", + "privilege": "DeleteVodSource", "resource_types": [ { - "condition_keys": [ - "quicksight:UserName" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "sourceLocation*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vodSource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight", - "privilege": "CreateIAMPolicyAssignment", + "access_level": "Read", + "description": "Grants permission to retrieve the channel with the specified channel name", + "privilege": "DescribeChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to start a SPICE ingestion on a dataset", - "privilege": "CreateIngestion", + "access_level": "Read", + "description": "Grants permission to retrieve the program 
with the specified program name on the channel with the specified channel name", + "privilege": "DescribeProgram", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ingestion*" + "resource_type": "channel*" }, { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "program*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an QuickSight namespace", - "privilege": "CreateNamespace", + "access_level": "Read", + "description": "Grants permission to retrieve the source location with the specified source location name", + "privilege": "DescribeSourceLocation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "sourceLocation*" } ] }, { - "access_level": "Write", - "description": "Grants permission to provision Amazon QuickSight readers", - "privilege": "CreateReader", + "access_level": "Read", + "description": "Grants permission to retrieve the VOD source with the specified VOD source name on the source location with the specified source location name", + "privilege": "DescribeVodSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "sourceLocation*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vodSource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a template", - "privilege": "CreateTemplate", + "access_level": "Read", + "description": "Grants permission to read the IAM policy on the channel with the specified channel name", + "privilege": "GetChannelPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - 
"resource_type": "" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a template alias", - "privilege": "CreateTemplateAlias", + "access_level": "Read", + "description": "Grants permission to retrieve the schedule of programs on the channel with the specified channel name", + "privilege": "GetChannelSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grant permission to create a theme", - "privilege": "CreateTheme", + "access_level": "Read", + "description": "Grants permission to retrieve the configuration for the specified name", + "privilege": "GetPlaybackConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "playbackConfiguration*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an alias for a theme version", - "privilege": "CreateThemeAlias", + "access_level": "Read", + "description": "Grants permission to retrieve the list of alerts on a resource", + "privilege": "ListAlerts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to provision Amazon QuickSight authors and readers", - "privilege": "CreateUser", + "access_level": "Read", + "description": "Grants permission to retrieve the list of existing channels", + "privilege": "ListChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a VPC connection", - "privilege": 
"CreateVPCConnection", + "access_level": "List", + "description": "Grants permission to retrieve the list of available configurations", + "privilege": "ListPlaybackConfigurations", "resource_types": [ { "condition_keys": [], 
@@ -108149,63 +118685,58 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to delete an account customization for QuickSight account or namespace", - "privilege": "DeleteAccountCustomization", + "access_level": "Read", + "description": "Grants permission to retrieve the list of existing source locations", + "privilege": "ListSourceLocations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete an analysis", - "privilege": "DeleteAnalysis", + "access_level": "Read", + "description": "Returns a list of the tags assigned to the specified playback configuration resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a custom permissions resource", - "privilege": "DeleteCustomPermissions", + "access_level": "Read", + "description": "Grants permission to retrieve the list of existing VOD sources on the source location with the specified source location name", + "privilege": "ListVodSources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "sourceLocation*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a QuickSight Dashboard", - "privilege": "DeleteDashboard", + "access_level": "Permissions management", + "description": "Grants permission to set the IAM policy on the channel with the specified channel name", + "privilege": "PutChannelPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a dataset", - "privilege": "DeleteDataSet", + 
"description": "Grants permission to add a new configuration", + "privilege": "PutPlaybackConfiguration", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dataset*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -108218,256 +118749,368 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a data source", - "privilege": "DeleteDataSource", + "description": "Grants permission to start the channel with the specified channel name", + "privilege": "StartChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove a user group from QuickSight", - "privilege": "DeleteGroup", + "description": "Grants permission to stop the channel with the specified channel name", + "privilege": "StopChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "channel*" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove a user from a group so that he/she is no longer a member of the group", - "privilege": "DeleteGroupMembership", + "access_level": "Tagging", + "description": "Adds tags to the specified playback configuration resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [ - "quicksight:UserName" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an existing assignment", - "privilege": "DeleteIAMPolicyAssignment", + "access_level": "Tagging", + "description": "Removes tags from the specified playback configuration resource", + "privilege": "UntagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": 
"Grants permission to delete a QuickSight namespace", - "privilege": "DeleteNamespace", + "description": "Grants permission to update the channel with the specified channel name", + "privilege": "UpdateChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "channel*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a template", - "privilege": "DeleteTemplate", + "description": "Grants permission to update the source location with the specified source location name", + "privilege": "UpdateSourceLocation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "sourceLocation*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a template alias", - "privilege": "DeleteTemplateAlias", + "description": "Grants permission to update the VOD source with the specified VOD source name on the source location with the specified source location name", + "privilege": "UpdateVodSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a theme", - "privilege": "DeleteTheme", - "resource_types": [ + "resource_type": "sourceLocation*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "vodSource*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:playbackConfiguration/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "playbackConfiguration" }, { - "access_level": "Write", - "description": "Grants permission to delete the alias of a theme", - "privilege": "DeleteThemeAlias", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "theme*" - } - ] + "arn": 
"arn:${Partition}:mediatailor:${Region}:${Account}:channel/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channel" + }, + { + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:program/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "program" }, + { + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:sourceLocation/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "sourceLocation" + }, + { + "arn": "arn:${Partition}:mediatailor:${Region}:${Account}:vodSource/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "vodSource" + } + ], + "service_name": "AWS Elemental MediaTailor" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "memorydb", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete a QuickSight user, given the user name", - "privilege": "DeleteUser", + "description": "Grants permissions to apply service updates", + "privilege": "BatchUpdateClusters", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "s3:GetObject" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants 
permission to deletes a user identified by its principal ID", - "privilege": "DeleteUserByPrincipalId", + "description": "Grants permissions to make a copy of an existing snapshot", + "privilege": "CopySnapshot", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "memorydb:TagResource", + "s3:DeleteObject", + "s3:GetBucketAcl", + "s3:PutObject" + ], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a VPC connection", - "privilege": "DeleteVPCConnection", + "description": "Grants permissions to create a new access control list", + "privilege": "CreateAcl", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "memorydb:TagResource" + ], + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an account customization for QuickSight account or namespace", - "privilege": "DescribeAccountCustomization", + "access_level": "Write", + "description": "Grants permissions to create a cluster", + "privilege": "CreateCluster", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "memorydb:TagResource", + "s3:GetObject" + ], + "resource_type": "acl*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe the administrative account settings for QuickSight account", - "privilege": 
"DescribeAccountSettings", - "resource_types": [ + "resource_type": "parametergroup*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe an analysis", - "privilege": "DescribeAnalysis", - "resource_types": [ + "resource_type": "subnetgroup*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe permissions for an analysis", - "privilege": "DescribeAnalysisPermissions", + "access_level": "Write", + "description": "Grants permissions to create a new parameter group", + "privilege": "CreateParameterGroup", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "analysis*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "memorydb:TagResource" + ], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to describe a custom permissions resource in a QuickSight account", - "privilege": "DescribeCustomPermissions", + "description": "Grants permissions to create a backup of a cluster at the current point in time", + "privilege": "CreateSnapshot", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "memorydb:TagResource", + "s3:DeleteObject", + "s3:GetBucketAcl", + "s3:PutObject" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a QuickSight Dashboard", - "privilege": "DescribeDashboard", + 
"access_level": "Write", + "description": "Grants permissions to create a new subnet group", + "privilege": "CreateSubnetGroup", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "memorydb:TagResource" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe permissions for a QuickSight Dashboard", - "privilege": "DescribeDashboardPermissions", + "access_level": "Write", + "description": "Grants permissions to create a new user", + "privilege": "CreateUser", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard*" + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "memorydb:TagResource" + ], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a dataset", - "privilege": "DescribeDataSet", + "access_level": "Write", + "description": "Grants permissions to delete an access control list", + "privilege": "DeleteAcl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "acl*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -108475,19 +119118,29 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to describe the resource policy of a dataset", - "privilege": "DescribeDataSetPermissions", + "access_level": "Write", + "description": "Grants permissions to delete a previously provisioned cluster", + "privilege": "DeleteCluster", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "cluster*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" + "resource_type": "snapshot" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -108495,19 +119148,18 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe a data source", - "privilege": "DescribeDataSource", + "access_level": "Write", + "description": "Grants permissions to delete a parameter group", + "privilege": "DeleteParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "parametergroup*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -108515,19 +119167,18 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to describe the resource policy of a data source", - "privilege": "DescribeDataSourcePermissions", + "access_level": "Write", + "description": "Grants permissions to delete a snapshot", + "privilege": "DeleteSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" + "resource_type": "snapshot*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -108535,43 +119186,62 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe a QuickSight group", - "privilege": "DescribeGroup", + "access_level": "Write", + "description": "Grants permissions to delete a subnet group", + "privilege": "DeleteSubnetGroup", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an existing assignment", - "privilege": "DescribeIAMPolicyAssignment", + "access_level": "Write", + "description": "Grants permissions to delete a user", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a SPICE ingestion on a dataset", - "privilege": "DescribeIngestion", + "description": "Grants permissions to retrieve information about access control lists", + "privilege": "DescribeAcls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ingestion*" + "resource_type": "acl*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -108580,205 +119250,301 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a QuickSight namespace", - "privilege": "DescribeNamespace", + "description": "Grants permissions to retrieve information about all provisioned clusters if no cluster identifier is specified, or about a specific cluster if a cluster identifier is supplied", + "privilege": "DescribeClusters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a template", - "privilege": "DescribeTemplate", + "description": "Grants permissions to list of the available engines and their versions", + "privilege": "DescribeEngineVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a template alias", - "privilege": "DescribeTemplateAlias", + "description": "Grants permissions to retrieve events related to clusters, subnet groups, and parameter groups", + "privilege": "DescribeEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe permissions for a template", - "privilege": "DescribeTemplatePermissions", + "description": "Grants permissions to retrieve information about parameter groups", + "privilege": "DescribeParameterGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": 
"Read", - "description": "Grants permission to describe a theme", - "privilege": "DescribeTheme", + "description": "Grants permissions to retrieve a detailed parameter list for a particular parameter group", + "privilege": "DescribeParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a theme alias", - "privilege": "DescribeThemeAlias", + "description": "Grants permissions to retrieve details of the service updates", + "privilege": "DescribeServiceUpdates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe permissions for a theme", - "privilege": "DescribeThemePermissions", + "description": "Grants permissions to retrieve information about cluster snapshots", + "privilege": "DescribeSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a QuickSight user given the user name", - "privilege": "DescribeUser", + "description": "Grants permissions to retrieve a list of subnet group", + "privilege": "DescribeSubnetGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get an auth code representing a 
QuickSight user", - "privilege": "GetAuthCode", + "description": "Grants permissions to retrieve information about users", + "privilege": "DescribeUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a URL used to embed a QuickSight Dashboard", - "privilege": "GetDashboardEmbedUrl", + "access_level": "Write", + "description": "Grants permissions to test automatic failover on a specified shard in a cluster", + "privilege": "FailoverShard", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight", - "privilege": "GetGroupMapping", + "description": "Grants permissions to list available node type updates", + "privilege": "ListNodeTypeUpdates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get a URL to embed QuickSight console experience", - "privilege": "GetSessionEmbedUrl", + "description": "Grants permissions to list cost allocation tags", + "privilege": "ListTags", "resource_types": [ { "condition_keys": 
[], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all analyses in an account", - "privilege": "ListAnalyses", - "resource_types": [ + "resource_type": "acl" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to list custom permissions resources in QuickSight account", - "privilege": "ListCustomPermissions", + "description": "Grants permissions to modify the parameters of a parameter group to the engine or system default value", + "privilege": "ResetParameterGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all versions of a QuickSight Dashboard", - "privilege": "ListDashboardVersions", + "access_level": "Tagging", + "description": "Grants permissions to add up to 10 cost allocation tags to the named resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all Dashboards in a QuickSight Account", - "privilege": "ListDashboards", - "resource_types": [ + 
"resource_type": "acl" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all datasets", - "privilege": "ListDataSets", - "resource_types": [ + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, { "condition_keys": [ + "aws:TagKeys", "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -108786,14 +119552,44 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all data sources", - "privilege": "ListDataSources", + "access_level": "Tagging", + "description": "Grants permissions to remove the tags identified by the TagKeys list from a resource", + "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "acl" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -108801,62 +119597,77 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list member users in a group", - "privilege": "ListGroupMemberships", + "access_level": "Write", + "description": "Grants permissions to update an access control list", + "privilege": "UpdateAcl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all user groups in QuickSight", - "privilege": "ListGroups", - "resource_types": [ + "resource_type": "acl*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all assignments in the current Amazon QuickSight account", - "privilege": "ListIAMPolicyAssignments", + "access_level": "Write", + "description": "Grants permissions to update the settings for a cluster", + "privilege": "UpdateCluster", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs" + ], + "resource_type": "cluster*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all assignments assigned to a user and the groups it belongs", - "privilege": "ListIAMPolicyAssignmentsForUser", - "resource_types": [ + "resource_type": "acl" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "parametergroup" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - 
"description": "Grants permission to list all SPICE ingestions on a dataset", - "privilege": "ListIngestions", + "access_level": "Write", + "description": "Grants permissions to update parameters in a parameter group", + "privilege": "UpdateParameterGroup", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup*" + }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -108865,234 +119676,289 @@ }, { "access_level": "Write", - "description": "Grants permission to lists all namespaces in a QuickSight account", - "privilege": "ListNamespaces", + "description": "Grants permissions to update a subnet group", + "privilege": "UpdateSubnetGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list tags of a QuickSight resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permissions to update a user", + "privilege": "UpdateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization" + "resource_type": "user*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "dashboard" - }, + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:parametergroup/${ParameterGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "parametergroup" + }, + { + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:subnetgroup/${SubnetGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "subnetgroup" + }, + { + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:cluster/${ClusterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + }, + { + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:snapshot/${SnapshotName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "snapshot" + }, + { + "arn": "arn:${Partition}:memorydb:${Region}:${Account}:user/${UserName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "user" + }, + { + "arn": 
"arn:${Partition}:memorydb:${Region}:${Account}:acl/${AclName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "acl" + } + ], + "service_name": "Amazon MemoryDB" + }, + { + "conditions": [], + "prefix": "mgh", + "privileges": [ + { + "access_level": "Write", + "description": "Associate a given AWS artifact to a MigrationTask", + "privilege": "AssociateCreatedArtifact", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template" - }, + "resource_type": "migrationTask*" + } + ] + }, + { + "access_level": "Write", + "description": "Associate a given ADS resource to a MigrationTask", + "privilege": "AssociateDiscoveredResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme" + "resource_type": "migrationTask*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all aliases for a template", - "privilege": "ListTemplateAliases", + "access_level": "Write", + "description": "Create a Migration Hub Home Region Control", + "privilege": "CreateHomeRegionControl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all versions of a template", - "privilege": "ListTemplateVersions", + "access_level": "Write", + "description": "Create a ProgressUpdateStream", + "privilege": "CreateProgressUpdateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "progressUpdateStream*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all templates in a QuickSight account", - "privilege": "ListTemplates", + "access_level": "Write", + "description": "Delete a ProgressUpdateStream", + "privilege": "DeleteProgressUpdateStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "template*" + "resource_type": "progressUpdateStream*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all aliases of a theme", - "privilege": "ListThemeAliases", + "access_level": "Read", + "description": "Get an Application Discovery Service Application's state", + "privilege": "DescribeApplicationState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list all versions of a theme", - "privilege": "ListThemeVersions", + "description": "List Home Region Controls", + "privilege": "DescribeHomeRegionControls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all themes in an account", - "privilege": "ListThemes", + "access_level": "Read", + "description": "Describe a MigrationTask", + "privilege": "DescribeMigrationTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "migrationTask*" } ] }, { - "access_level": "List", - "description": "Grants permission to list groups that a given user is a member of", - "privilege": "ListUserGroups", + "access_level": "Write", + "description": "Disassociate a given AWS artifact from a MigrationTask", + "privilege": "DisassociateCreatedArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "migrationTask*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the QuickSight users belonging to this account", - "privilege": "ListUsers", + "access_level": "Write", + "description": "Disassociate a given ADS resource from a MigrationTask", + "privilege": "DisassociateDiscoveredResource", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "user*" + "resource_type": "migrationTask*" } ] }, { "access_level": "Read", - "description": "Grants permission to use a dataset for a template", - "privilege": "PassDataSet", + "description": "Get the Migration Hub Home Region", + "privilege": "GetHomeRegion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to use a data source for a data set", - "privilege": "PassDataSource", + "access_level": "Write", + "description": "Import a MigrationTask", + "privilege": "ImportMigrationTask", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "migrationTask*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request", - "privilege": "RegisterUser", + "access_level": "List", + "description": "List Application statuses", + "privilege": "ListApplicationStates", "resource_types": [ { - "condition_keys": [ - "quicksight:IamArn", - "quicksight:SessionName" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to restore a deleted analysis", - "privilege": "RestoreAnalysis", + "access_level": "List", + "description": "List associated created artifacts for a MigrationTask", + "privilege": "ListCreatedArtifacts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "migrationTask*" } ] }, { 
"access_level": "List", - "description": "Grants permission to search for a sub-set of analyses", - "privilege": "SearchAnalyses", + "description": "List associated ADS resources from MigrationTask", + "privilege": "ListDiscoveredResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "migrationTask*" } ] }, { "access_level": "List", - "description": "Grants permission to search for a sub-set of QuickSight Dashboards", - "privilege": "SearchDashboards", + "description": "List MigrationTasks", + "privilege": "ListMigrationTasks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", - "privilege": "SearchDirectoryGroups", + "access_level": "List", + "description": "List ProgressUpdateStreams", + "privilege": "ListProgressUpdateStreams", "resource_types": [ { "condition_keys": [], @@ -109103,8 +119969,8 @@ }, { "access_level": "Write", - "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", - "privilege": "SetGroupMapping", + "description": "Update an Application Discovery Service Application's state", + "privilege": "NotifyApplicationState", "resource_types": [ { "condition_keys": [], 
@@ -109115,116 +119981,109 @@ }, { "access_level": "Write", - "description": "Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition", - "privilege": "Subscribe", + "description": "Notify latest MigrationTask state", + "privilege": "NotifyMigrationTaskState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "migrationTask*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add tags to a QuickSight resource", - "privilege": "TagResource", + "access_level": "Write", + "description": "Put ResourceAttributes", + "privilege": "PutResourceAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "template" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "theme" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "migrationTask*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}", + "condition_keys": [], + "resource": "progressUpdateStream" + }, + { + "arn": "arn:${Partition}:mgh:${Region}:${Account}:progressUpdateStream/${Stream}/migrationTask/${Task}", + "condition_keys": [], + "resource": "migrationTask" + } + ], + "service_name": "AWS Migration Hub" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs attached to the resource", + "type": "String" 
}, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "mgn", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight", - "privilege": "Unsubscribe", + "description": "Grants permission to create volume snapshot group", + "privilege": "BatchCreateVolumeSnapshotGroupForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from a QuickSight resource", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to batch delete snapshot request", + "privilege": "BatchDeleteSnapshotRequestForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dashboard" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "template" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "theme" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an account customization for QuickSight account or namespace", - "privilege": "UpdateAccountCustomization", + "description": "Grants permission to change source server life cycle state", + "privilege": "ChangeServerLifeCycleState", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "customization*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update the administrative account 
settings for QuickSight account", - "privilege": "UpdateAccountSettings", + "description": "Grants permission to create replication configuration template", + "privilege": "CreateReplicationConfigurationTemplate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } 
@@ -109232,567 +120091,342 @@ }, { "access_level": "Write", - "description": "Grants permission to update an analysis", - "privilege": "UpdateAnalysis", + "description": "Grants permission to delete job", + "privilege": "DeleteJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "JobResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update permissions for an analysis", - "privilege": "UpdateAnalysisPermissions", + "description": "Grants permission to delete replication configuration template", + "privilege": "DeleteReplicationConfigurationTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "analysis*" + "resource_type": "ReplicationConfigurationTemplateResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a custom permissions resource", - "privilege": "UpdateCustomPermissions", + "description": "Grants permission to delete source server", + "privilege": "DeleteSourceServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a QuickSight Dashboard", - "privilege": "UpdateDashboard", + "access_level": "Read", + "description": "Grants permission to describe job log items", + "privilege": "DescribeJobLogItems", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "JobResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update permissions for a QuickSight Dashboard", - "privilege": "UpdateDashboardPermissions", + "access_level": "List", + "description": "Grants permission to describe jobs", + "privilege": "DescribeJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + 
"resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a QuickSight Dashboard\u2019s Published Version", - "privilege": "UpdateDashboardPublishedVersion", + "access_level": "List", + "description": "Grants permission to describe replication configuration template", + "privilege": "DescribeReplicationConfigurationTemplates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dashboard*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a dataset", - "privilege": "UpdateDataSet", + "access_level": "Read", + "description": "Grants permission to describe replication server associations", + "privilege": "DescribeReplicationServerAssociationsForMgn", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "quicksight:PassDataSource" - ], - "resource_type": "dataset*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "datasource" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update the resource policy of a dataset", - "privilege": "UpdateDataSetPermissions", + "access_level": "Read", + "description": "Grants permission to describe snapshots requests", + "privilege": "DescribeSnapshotRequestsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dataset*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a data source", - "privilege": "UpdateDataSource", + "access_level": "List", + "description": "Grants permission to describe source servers", + "privilege": "DescribeSourceServers", "resource_types": [ { "condition_keys": 
[], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to update the resource policy of a data source", - "privilege": "UpdateDataSourcePermissions", + "access_level": "Write", + "description": "Grants permission to disconnect source server from service", + "privilege": "DisconnectFromService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "datasource*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Grants permission to change group description", - "privilege": "UpdateGroup", + "description": "Grants permission to finalize cutover", + "privilege": "FinalizeCutover", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an existing assignment", - "privilege": "UpdateIAMPolicyAssignment", + "access_level": "Read", + "description": "Grants permission to get agent command", + "privilege": "GetAgentCommandForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "assignment*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a template", - "privilege": "UpdateTemplate", + "access_level": "Read", + "description": "Grants permission to get agent confirmed resume info", + "privilege": "GetAgentConfirmedResumeInfoForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": 
"SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a template alias", - "privilege": "UpdateTemplateAlias", + "access_level": "Read", + "description": "Grants permission to get agent installation assets", + "privilege": "GetAgentInstallationAssetsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update permissions for a template", - "privilege": "UpdateTemplatePermissions", + "access_level": "Read", + "description": "Grants permission to get agent replication info", + "privilege": "GetAgentReplicationInfoForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "template*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a theme", - "privilege": "UpdateTheme", + "access_level": "Read", + "description": "Grants permission to get agent runtime configuration", + "privilege": "GetAgentRuntimeConfigurationForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the alias of a theme", - "privilege": "UpdateThemeAlias", + "access_level": "Read", + "description": "Grants permission to get agent snapshots credits", + "privilege": "GetAgentSnapshotCreditsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update permissions for a theme", - "privilege": "UpdateThemePermissions", + "access_level": "Read", + "description": "Grants permission to get channel commands", + "privilege": "GetChannelCommandsForMgn", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "theme*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update an Amazon QuickSight user", - "privilege": "UpdateUser", + "access_level": "Read", + "description": "Grants permission to get launch configuration", + "privilege": "GetLaunchConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user*" + "resource_type": "SourceServerResource*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId}", - "condition_keys": [], - "resource": "user" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId}", - "condition_keys": [], - "resource": "group" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "analysis" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dashboard" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "template" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "datasource" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dataset" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "ingestion" - }, - { - "arn": "arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId}", - 
"condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "theme" - }, - { - "arn": "arn:${Partition}:quicksight::${Account}:assignment/${ResourceId}", - "condition_keys": [], - "resource": "assignment" - }, - { - "arn": "arn:${Partition}:quicksight::${Account}:customization/${ResourceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "customization" - }, - { - "arn": "arn:${Partition}:quicksight::${Account}:namespace/${ResourceId}", - "condition_keys": [], - "resource": "namespace" - } - ], - "service_name": "Amazon QuickSight" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Specifies a tag key and value pair that must be used when creating or tagging a resource share. If users don't pass these specific tags, or if they don't specify tags at all, the request fails.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Indicates that the action can only be performed on resources that have the specified tag key and value pair.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Specifies the tag keys that can be used when creating or tagging a resource share", - "type": "String" - }, - { - "condition": "ram:AllowsExternalPrincipals", - "description": "Indicates that the action can only be performed on resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. 
External principals are AWS accounts that are outside of its AWS organization", - "type": "Bool" - }, - { - "condition": "ram:PermissionArn", - "description": "Indicates that the action can only be performed on a resource using the specified Permission ARN.", - "type": "Arn" - }, - { - "condition": "ram:Principal", - "description": "Principals with the specified format can be associated to or disassociated from a resource share", - "type": "String" - }, - { - "condition": "ram:RequestedAllowsExternalPrincipals", - "description": "The request must have the specified value for 'allowExternalPrincipals'. External principals are AWS accounts that are outside of its AWS Organization", - "type": "Bool" - }, - { - "condition": "ram:RequestedResourceType", - "description": "Indicates that the action can only be performed on the specified resource type", - "type": "String" - }, - { - "condition": "ram:ResourceArn", - "description": "Indicates that the action can only be performed on a resource with the specified ARN.", - "type": "Arn" - }, - { - "condition": "ram:ResourceShareName", - "description": "Indicates that the action can only be performed on a resource share with the specified name.", - "type": "String" }, { - "condition": "ram:ShareOwnerAccountId", - "description": "Indicates that the action can only be performed on resource shares owned by a specific account. 
For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner\u2019s account ID.", - "type": "String" - } - ], - "prefix": "ram", - "privileges": [ - { - "access_level": "Write", - "description": "Accept the specified resource share invitation", - "privilege": "AcceptResourceShareInvitation", + "access_level": "Read", + "description": "Grants permission to get replication configuration", + "privilege": "GetReplicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share-invitation*" - }, - { - "condition_keys": [ - "ram:ShareOwnerAccountId" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Associates resource(s) and/or principal(s) to a resource share", - "privilege": "AssociateResourceShare", + "description": "Grants permission to initialize service", + "privilege": "InitializeService", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "resource-share*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals", - "ram:Principal", - "ram:RequestedResourceType", - "ram:ResourceArn" + "dependent_actions": [ + "iam:AddRoleToInstanceProfile", + "iam:CreateInstanceProfile", + "iam:CreateServiceLinkedRole", + "iam:GetInstanceProfile" ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Associate a Permission with a Resource Share", - "privilege": "AssociateResourceSharePermission", + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "permission*" - }, - { - "condition_keys": [], - "dependent_actions": [], - 
"resource_type": "resource-share*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:AllowsExternalPrincipals", - "ram:ResourceShareName", - "ram:PermissionArn" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create resource share with provided resource(s) and/or principal(s)", - "privilege": "CreateResourceShare", + "description": "Grants permission to mark source server as archived", + "privilege": "MarkAsArchived", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "ram:RequestedResourceType", - "ram:ResourceArn", - "ram:RequestedAllowsExternalPrincipals", - "ram:Principal" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Delete resource share", - "privilege": "DeleteResourceShare", + "description": "Grants permission to notify agent authentication", + "privilege": "NotifyAgentAuthenticationForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Disassociates resource(s) and/or principal(s) from a resource share", - "privilege": "DisassociateResourceShare", + "description": "Grants permission to notify agent is connected", + "privilege": "NotifyAgentConnectedForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals", - "ram:Principal", - "ram:RequestedResourceType", - "ram:ResourceArn" - ], - "dependent_actions": [], - 
"resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Disassociate a Permission from a Resource Share", - "privilege": "DisassociateResourceSharePermission", + "description": "Grants permission to notify agent is disconnected", + "privilege": "NotifyAgentDisconnectedForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "permission*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to notify agent replication progress", + "privilege": "NotifyAgentReplicationProgressForMgn", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register agent", + "privilege": "RegisterAgentForMgn", + "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:AllowsExternalPrincipals", - "ram:ResourceShareName", - "ram:PermissionArn" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -109801,51 +120435,44 @@ }, { "access_level": "Write", - "description": "Grants permission to access customer's organization and create a SLR in the customer's account", - "privilege": "EnableSharingWithAwsOrganization", + "description": "Grants permission to retry replication", + "privilege": "RetryDataReplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "Gets the contents of an AWS RAM permission", - "privilege": "GetPermission", + "access_level": "Write", + "description": "Grants permission to send agent logs", + "privilege": "SendAgentLogsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "permission*" - }, - { - "condition_keys": [ - "ram:PermissionArn" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "Gets the policies for the specified resources that you own and have shared", - "privilege": "GetResourcePolicies", + "access_level": "Write", + "description": "Grants permission to send agent metrics", + "privilege": "SendAgentMetricsForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { - "access_level": "Read", - "description": "Get a set of resource share associations from a provided list or with a specified status of the specified type", - "privilege": "GetResourceShareAssociations", + "access_level": "Write", + "description": "Grants permission to send channel command result", + "privilege": "SendChannelCommandResultForMgn", "resource_types": [ { "condition_keys": [], 
@@ -109855,9 +120482,9 @@ ] }, { - "access_level": "Read", - "description": "Get resource share invitations by the specified invitation arn or those for the resource share", - "privilege": "GetResourceShareInvitations", + "access_level": "Write", + "description": "Grants permission to send client logs", + "privilege": "SendClientLogsForMgn", "resource_types": [ { "condition_keys": [], @@ -109867,9 +120494,9 @@ ] }, { - "access_level": "Read", - "description": "Get a set of resource shares from a provided list or with a specified status", - "privilege": "GetResourceShares", + "access_level": "Write", + "description": "Grants permission to send client metrics", + "privilege": "SendClientMetricsForMgn", "resource_types": [ { "condition_keys": [], 
@@ -109879,56 +120506,153 @@ ] }, { - "access_level": "Read", - "description": "Lists the resources in a resource share that is shared with you but that the invitation is still pending for", - "privilege": "ListPendingInvitationResources", + "access_level": "Write", + "description": "Grants permission to start cutover", + "privilege": "StartCutover", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateSecurityGroup", + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:DeleteLaunchTemplateVersions", + "ec2:DeleteSnapshot", + "ec2:DeleteVolume", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeImages", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyLaunchTemplate", + "ec2:ReportInstanceStatus", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances", + "iam:PassRole", + "mgn:ListTagsForResource" + ], + "resource_type": "SourceServerResource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "resource-share-invitation*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists the AWS RAM permissions", - "privilege": "ListPermissions", + "access_level": "Write", + "description": "Grants permission to start test", + "privilege": "StartTest", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + 
"ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:CreateSecurityGroup", + "ec2:CreateSnapshot", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:DeleteLaunchTemplateVersions", + "ec2:DeleteSnapshot", + "ec2:DeleteVolume", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeImages", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstances", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:DetachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyLaunchTemplate", + "ec2:ReportInstanceStatus", + "ec2:RevokeSecurityGroupEgress", + "ec2:RunInstances", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances", + "iam:PassRole", + "mgn:ListTagsForResource" + ], + "resource_type": "SourceServerResource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists the principals that you have shared resources with or that have shared resources with you", - "privilege": "ListPrincipals", + "access_level": "Tagging", + "description": "Grants permission to assign a resource tag", + "privilege": "TagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "List the Permissions associated with a Resource Share", - "privilege": "ListResourceSharePermissions", + "access_level": "Write", + "description": "Grants permission to terminate target instances", + "privilege": "TerminateTargetInstances", "resource_types": [ { 
"condition_keys": [], - "dependent_actions": [], - "resource_type": "resource-share*" + "dependent_actions": [ + "ec2:DeleteVolume", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:TerminateInstances" + ], + "resource_type": "SourceServerResource*" }, { "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -109936,428 +120660,361 @@ ] }, { - "access_level": "List", - "description": "Lists the shareable resource types supported by AWS RAM", - "privilege": "ListResourceTypes", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists the resources that you added to a resource shares or the resources that are shared with you", - "privilege": "ListResources", + "access_level": "Write", + "description": "Grants permission to update agent backlog", + "privilege": "UpdateAgentBacklogForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Use this API action to promote the resource share", - "privilege": "PromoteResourceShareCreatedFromPolicy", + "description": "Grants permission to update agent conversion info", + "privilege": "UpdateAgentConversionInfoForMgn", "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - "ram:AllowsExternalPrincipals" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Reject the specified resource share invitation", - "privilege": "RejectResourceShareInvitation", + "description": "Grants permission to update agent replication info", + "privilege": "UpdateAgentReplicationInfoForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share-invitation*" - }, - { - "condition_keys": [ - "ram:ShareOwnerAccountId" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": 
"Write", - "description": "Tag the specified resources share", - "privilege": "TagResource", + "description": "Grants permission to update agent replication process state", + "privilege": "UpdateAgentReplicationProcessStateForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Untag the specified resource share", - "privilege": "UntagResource", + "description": "Grants permission to update agent source properties", + "privilege": "UpdateAgentSourcePropertiesForMgn", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update launch configuration", + "privilege": "UpdateLaunchConfiguration", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "SourceServerResource*" } ] }, { "access_level": "Write", - "description": "Update attributes of the resource share", - "privilege": "UpdateResourceShare", + "description": "Grants permission to update replication configuration", + "privilege": "UpdateReplicationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resource-share*" - }, + "resource_type": "SourceServerResource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update replication configuration template", + "privilege": "UpdateReplicationConfigurationTemplate", + "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:ResourceShareName", - 
"ram:AllowsExternalPrincipals", - "ram:RequestedAllowsExternalPrincipals" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "ReplicationConfigurationTemplateResource*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}", + "arn": "arn:${Partition}:mgn:${Region}:${Account}:job/${jobID}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ram:AllowsExternalPrincipals", - "ram:ResourceShareName" + "aws:ResourceTag/${TagKey}" ], - "resource": "resource-share" + "resource": "JobResource" }, { - "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}", - "condition_keys": [], - "resource": "resource-share-invitation" + "arn": "arn:${Partition}:mgn:${Region}:${Account}:replication-configuration-template/${replicationConfigurationTemplateID}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ReplicationConfigurationTemplateResource" }, { - "arn": "arn:${Partition}:ram::${Account}:permission/${ResourcePath}", + "arn": "arn:${Partition}:mgn:${Region}:${Account}:source-server/${sourceServerID}", "condition_keys": [ - "ram:PermissionArn" + "aws:ResourceTag/${TagKey}" ], - "resource": "permission" + "resource": "SourceServerResource" } ], - "service_name": "AWS Resource Access Manager" + "service_name": "AWS Application Migration Service" }, { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", - "type": "String" - }, - { - "condition": "rds:DatabaseClass", - "description": "Filters access by the type of DB 
instance class", - "type": "String" - }, - { - "condition": "rds:DatabaseEngine", - "description": "Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API", - "type": "String" - }, - { - "condition": "rds:DatabaseName", - "description": "Filters access by the user-defined name of the database on the DB instance", - "type": "String" - }, - { - "condition": "rds:EndpointType", - "description": "Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM", - "type": "String" - }, - { - "condition": "rds:MultiAz", - "description": "Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true", - "type": "Boolean" - }, - { - "condition": "rds:Piops", - "description": "Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0", - "type": "Numeric" - }, - { - "condition": "rds:StorageEncrypted", - "description": "Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true", - "type": "Boolean" - }, - { - "condition": "rds:StorageSize", - "description": "Filters access by the storage volume size (in GB)", - "type": "Numeric" - }, - { - "condition": "rds:Vpc", - "description": "Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). 
To indicate that the DB instance runs in an Amazon VPC, specify true", - "type": "Boolean" - }, - { - "condition": "rds:cluster-pg-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB cluster parameter group", - "type": "String" - }, - { - "condition": "rds:cluster-snapshot-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB cluster snapshot", - "type": "String" - }, - { - "condition": "rds:cluster-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB cluster", - "type": "String" - }, - { - "condition": "rds:db-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB instance", - "type": "String" - }, - { - "condition": "rds:es-tag/${TagKey}", - "description": "Filters access by the tag attached to an event subscription", - "type": "String" - }, - { - "condition": "rds:og-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB option group", - "type": "String" - }, - { - "condition": "rds:pg-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB parameter group", - "type": "String" - }, - { - "condition": "rds:req-tag/${TagKey}", - "description": "Filters access by the set of tag keys and values that can be used to tag a resource", - "type": "String" - }, - { - "condition": "rds:ri-tag/${TagKey}", - "description": "Filters access by the tag attached to a reserved DB instance", - "type": "String" - }, + "conditions": [], + "prefix": "mobileanalytics", + "privileges": [ { - "condition": "rds:secgrp-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB security group", - "type": "String" + "access_level": "Read", + "description": "Grant access to financial metrics for an app", + "privilege": "GetFinancialReports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "rds:snapshot-tag/${TagKey}", - "description": "Filters access by the tag 
attached to a DB snapshot", - "type": "String" + "access_level": "Read", + "description": "Grant access to standard metrics for an app", + "privilege": "GetReports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "rds:subgrp-tag/${TagKey}", - "description": "Filters access by the tag attached to a DB subnet group", - "type": "String" + "access_level": "Write", + "description": "The PutEvents operation records one or more events", + "privilege": "PutEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], - "prefix": "rds", + "resources": [], + "service_name": "Amazon Mobile Analytics" + }, + { + "conditions": [], + "prefix": "mobilehub", "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate an Identity and Access Management (IAM) role from an Aurora DB cluster", - "privilege": "AddRoleToDBCluster", + "description": "Create a project", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance", - "privilege": "AddRoleToDBInstance", + "description": "Enable AWS Mobile Hub in the account by creating the required service role", + "privilege": "CreateServiceRole", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to add a source identifier to an existing RDS event notification subscription", - "privilege": "AddSourceIdentifierToSubscription", + "description": "Delete the specified project", + "privilege": 
"DeleteProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "project*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add metadata tags to an Amazon RDS resource", - "privilege": "AddTagsToResource", + "access_level": "Write", + "description": "Delete a saved snapshot of project configuration", + "privilege": "DeleteProjectSnapshot", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "es" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Deploy changes to the specified stage", + "privilege": "DeployToStage", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Describe the download bundle", + "privilege": "DescribeBundle", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Export the download bundle", + "privilege": "ExportBundle", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Export the project configuration", + "privilege": "ExportProject", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp" - }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Generate project parameters required for code generation", + "privilege": "GenerateProjectParameters", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot" 
- }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Get project configuration and resources", + "privilege": "GetProject", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp" - }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Fetch the previously exported project configuration snapshot", + "privilege": "GetProjectSnapshot", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to apply a pending maintenance action to a resource", - "privilege": "ApplyPendingMaintenanceAction", + "description": "Create a new project from the previously exported project configuration", + "privilege": "ImportProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db" + "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization", - "privilege": "AuthorizeDBSecurityGroupIngress", + "access_level": "Write", + "description": "Install a bundle in the project deployments S3 bucket", + "privilege": "InstallBundle", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster", - "privilege": "BacktrackDBCluster", + "access_level": "List", + "description": "List the available SaaS (Software as a Service) connectors", + 
"privilege": "ListAvailableConnectors", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to cancel an export task in progress", - "privilege": "CancelExportTask", + "access_level": "List", + "description": "List available features", + "privilege": "ListAvailableFeatures", "resource_types": [ { "condition_keys": [], 
@@ -110367,187 +121024,141 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to copy the specified DB cluster parameter group", - "privilege": "CopyDBClusterParameterGroup", + "access_level": "List", + "description": "List available regions for projects", + "privilege": "ListAvailableRegions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a snapshot of a DB cluster", - "privilege": "CopyDBClusterSnapshot", + "access_level": "List", + "description": "List the available download bundles", + "privilege": "ListBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to copy the specified DB parameter group", - "privilege": "CopyDBParameterGroup", + "access_level": "List", + "description": "List saved snapshots of project configuration", + "privilege": "ListProjectSnapshots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to copy the specified DB snapshot", - "privilege": "CopyDBSnapshot", + "access_level": "List", + "description": "List projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], 
"resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to copy the specified option group", - "privilege": "CopyOptionGroup", + "description": "Synchronize state of resources into project", + "privilege": "SynchronizeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new Amazon Aurora DB cluster", - "privilege": "CreateDBCluster", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-pg*" - }, + "description": "Update project", + "privilege": "UpdateProject", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" - }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Validate a mobile hub project.", + "privilege": "ValidateProject", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}", - "rds:DatabaseEngine", - "rds:DatabaseName", - "rds:StorageEncrypted" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a new custom endpoint and associates it with an Amazon Aurora DB cluster", - "privilege": "CreateDBClusterEndpoint", + "access_level": "Read", + "description": "Verify AWS Mobile Hub is enabled in the account", + "privilege": "VerifyServiceRole", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": 
[], - "dependent_actions": [], - "resource_type": "cluster-endpoint*" - }, - { - "condition_keys": [ - "rds:EndpointType", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:mobilehub:${Region}:${Account}:project/${ProjectId}", + "condition_keys": [], + "resource": "project" + } + ], + "service_name": "AWS Mobile Hub" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the pinpoint service.", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair.", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the pinpoint service.", + "type": "String" + } + ], + "prefix": "mobiletargeting", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a new DB cluster parameter group", - "privilege": "CreateDBClusterParameterGroup", + "description": "Create an app.", + "privilege": "CreateApp", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-pg*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -110556,24 +121167,19 @@ }, { "access_level": "Write", - "description": "Grants permission to create a snapshot of a DB cluster", - "privilege": "CreateDBClusterSnapshot", + "description": "Create a campaign for an app.", + "privilege": "CreateCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "apps*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -110582,41 +121188,14 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB instance", - "privilege": "CreateDBInstance", + "description": "Create an email template.", + "privilege": "CreateEmailTemplate", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "pg*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "secgrp*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subgrp*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -110625,52 +121204,43 @@ }, { "access_level": "Write", - "description": "Grants permission to create a DB instance that acts as a Read Replica of a source DB instance", - "privilege": "CreateDBInstanceReadReplica", + "description": "Create an export job that exports endpoint definitions to Amazon S3.", + "privilege": "CreateExportJob", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" - }, + "resource_type": "apps*" + } + ] + }, + { + "access_level": "Write", + "description": "Import endpoint definitions from to create a segment.", + "privilege": "CreateImportJob", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new DB parameter group", - "privilege": "CreateDBParameterGroup", + "description": "Create a Journey for an app.", + "privilege": "CreateJourney", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "apps*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -110679,62 +121249,47 @@ }, { "access_level": "Write", - "description": "Grants permission to create a database proxy", - "privilege": "CreateDBProxy", + "description": "Create a push notification template.", + "privilege": "CreatePushTemplate", "resource_types": [ { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [ - "iam:PassRole" + "aws:TagKeys", + "aws:ResourceTag/${TagKey}" ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new DB security group. DB security groups control access to a DB instance", - "privilege": "CreateDBSecurityGroup", + "description": "Create an Amazon Pinpoint configuration for a recommender model.", + "privilege": "CreateRecommenderConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a DBSnapshot", - "privilege": "CreateDBSnapshot", + "description": "Create a segment that is based on endpoint data reported to Pinpoint by your app. To allow a user to create a segment by importing endpoint data from outside of Pinpoint, allow the mobiletargeting:CreateImportJob action.", + "privilege": "CreateSegment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "apps*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -110743,19 +121298,14 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB subnet group", - "privilege": "CreateDBSubnetGroup", + "description": "Create an sms message template.", + "privilege": "CreateSmsTemplate", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subgrp*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -110764,19 +121314,14 @@ }, { "access_level": "Write", - "description": "Grants permission to create an RDS event notification subscription", - "privilege": "CreateEventSubscription", + "description": "Create a voice message template.", + "privilege": "CreateVoiceTemplate", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "es*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -110785,1055 +121330,1072 @@ }, { "access_level": "Write", - "description": "Grants permission to create an Aurora global database spread across multiple regions", - "privilege": "CreateGlobalCluster", + "description": "Delete the ADM channel for an app.", + "privilege": "DeleteAdmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new option group", - "privilege": "CreateOptionGroup", + "description": "Delete the APNs channel for an app.", + "privilege": "DeleteApnsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to access a resource in the remote Region when executing cross-Region operations, such as cross-Region snapshot copy or cross-Region read replica creation", - "privilege": "CrossRegionCommunication", + "description": "Delete the APNs sandbox channel for an app.", + "privilege": "DeleteApnsSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a previously provisioned DB cluster", - "privilege": "DeleteDBCluster", + "description": "Delete the APNs VoIP channel for an app.", + "privilege": "DeleteApnsVoipChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "apps*" 
} ] }, { "access_level": "Write", - "description": "Grants permission to delete a custom endpoint and removes it from an Amazon Aurora DB cluster", - "privilege": "DeleteDBClusterEndpoint", + "description": "Delete the APNs VoIP sandbox channel for an app.", + "privilege": "DeleteApnsVoipSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a specified DB cluster parameter group", - "privilege": "DeleteDBClusterParameterGroup", + "description": "Delete a specific campaign.", + "privilege": "DeleteApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DB cluster snapshot", - "privilege": "DeleteDBClusterSnapshot", + "description": "Delete the Baidu channel for an app.", + "privilege": "DeleteBaiduChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a previously provisioned DB instance", - "privilege": "DeleteDBInstance", + "description": "Delete a specific campaign.", + "privilege": "DeleteCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to deletes automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID", - "privilege": "DeleteDBInstanceAutomatedBackup", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "campaigns*" } ] }, { "access_level": "Write", - "description": "Grants permission 
to delete a specified DBParameterGroup", - "privilege": "DeleteDBParameterGroup", + "description": "Delete the email channel for an app.", + "privilege": "DeleteEmailChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a database proxy", - "privilege": "DeleteDBProxy", + "description": "Delete an email template or an email template version.", + "privilege": "DeleteEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" + "resource_type": "templates*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DB security group", - "privilege": "DeleteDBSecurityGroup", + "description": "Delete an endpoint.", + "privilege": "DeleteEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DBSnapshot", - "privilege": "DeleteDBSnapshot", + "description": "Delete the event stream for an app.", + "privilege": "DeleteEventStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a DB subnet group", - "privilege": "DeleteDBSubnetGroup", + "description": "Delete the GCM channel for an app.", + "privilege": "DeleteGcmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an RDS event notification subscription", - "privilege": "DeleteEventSubscription", + "description": "Delete a specific journey.", + "privilege": "DeleteJourney", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "es*" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "journeys*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a global database cluster", - "privilege": "DeleteGlobalCluster", + "description": "Delete a push notification template or a push notification template version.", + "privilege": "DeletePushTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "templates*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an existing option group", - "privilege": "DeleteOptionGroup", + "description": "Delete an Amazon Pinpoint configuration for a recommender model.", + "privilege": "DeleteRecommenderConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "recommenders*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove targets from a database proxy target group", - "privilege": "DeregisterDBProxyTargets", + "description": "Delete a specific segment.", + "privilege": "DeleteSegment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "db*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy*" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group*" + "resource_type": "segments*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all of the attributes for a customer account", - "privilege": "DescribeAccountAttributes", + "access_level": "Write", + "description": "Delete the SMS channel for an app.", + "privilege": "DeleteSmsChannel", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Lists the set of CA certificates provided by Amazon RDS for this AWS account", - "privilege": "DescribeCertificates", + "access_level": "Write", + "description": "Delete an sms message template or an sms message template version.", + "privilege": "DeleteSmsTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "templates*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about backtracks for a DB cluster", - "privilege": "DescribeDBClusterBacktracks", + "access_level": "Write", + "description": "Delete all of the endpoints that are associated with a user ID.", + "privilege": "DeleteUserEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about endpoints for an Amazon Aurora DB cluster", - "privilege": "DescribeDBClusterEndpoints", + "access_level": "Write", + "description": "Delete the Voice channel for an app.", + "privilege": "DeleteVoiceChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DBClusterParameterGroup descriptions", - "privilege": "DescribeDBClusterParameterGroups", + "access_level": "Write", + "description": "Delete a voice message template or a voice message template version.", + "privilege": "DeleteVoiceTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "templates*" } ] }, { - "access_level": 
"List", - "description": "Grants permission to return the detailed parameter list for a particular DB cluster parameter group", - "privilege": "DescribeDBClusterParameters", + "access_level": "Read", + "description": "Retrieve information about the Amazon Device Messaging (ADM) channel for an app.", + "privilege": "GetAdmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot", - "privilege": "DescribeDBClusterSnapshotAttributes", + "access_level": "Read", + "description": "Retrieve information about the APNs channel for an app.", + "privilege": "GetApnsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about DB cluster snapshots", - "privilege": "DescribeDBClusterSnapshots", + "access_level": "Read", + "description": "Retrieve information about the APNs sandbox channel for an app.", + "privilege": "GetApnsSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about provisioned Aurora DB clusters", - "privilege": "DescribeDBClusters", + "access_level": "Read", + "description": "Retrieve information about the APNs VoIP channel for an app.", + "privilege": "GetApnsVoipChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of the available DB engines", - "privilege": 
"DescribeDBEngineVersions", + "access_level": "Read", + "description": "Retrieve information about the APNs VoIP sandbox channel for an app.", + "privilege": "GetApnsVoipSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of automated backups for both current and deleted instances", - "privilege": "DescribeDBInstanceAutomatedBackups", + "access_level": "Read", + "description": "Retrieve information about a specific app in your Amazon Pinpoint account.", + "privilege": "GetApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about provisioned RDS instances", - "privilege": "DescribeDBInstances", + "access_level": "Read", + "description": "Retrieves (queries) pre-aggregated data for a standard metric that applies to an application.", + "privilege": "GetApplicationDateRangeKpi", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "apps*" } ] }, { "access_level": "List", - "description": "Grants permission to return a list of DB log files for the DB instance", - "privilege": "DescribeDBLogFiles", + "description": "Retrieve the default settings for an app.", + "privilege": "GetApplicationSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DBParameterGroup descriptions", - "privilege": "DescribeDBParameterGroups", + "access_level": "Read", + "description": "Retrieve a list of apps in your Amazon Pinpoint account.", + "privilege": "GetApps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "pg*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return the detailed parameter list for a particular DB parameter group", - "privilege": "DescribeDBParameters", + "access_level": "Read", + "description": "Retrieve information about the Baidu channel for an app.", + "privilege": "GetBaiduChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to view proxies", - "privilege": "DescribeDBProxies", + "access_level": "Read", + "description": "Retrieve information about a specific campaign.", + "privilege": "GetCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to view database proxy target group details", - "privilege": "DescribeDBProxyTargetGroups", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" + "resource_type": "campaigns*" } ] }, { "access_level": "List", - "description": "Grants permission to view database proxy target details", - "privilege": "DescribeDBProxyTargets", + "description": "Retrieve information about the activities performed by a campaign.", + "privilege": "GetCampaignActivities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" - }, + "resource_type": "campaigns*" + } + ] + }, + { + "access_level": "Read", + "description": "Retrieves (queries) pre-aggregated data for a standard metric that applies to a campaign.", + "privilege": "GetCampaignDateRangeKpi", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy*" + 
"resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group*" + "resource_type": "campaigns*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of DBSecurityGroup descriptions", - "privilege": "DescribeDBSecurityGroups", + "access_level": "Read", + "description": "Retrieve information about a specific campaign version.", + "privilege": "GetCampaignVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot", - "privilege": "DescribeDBSnapshotAttributes", - "resource_types": [ + "resource_type": "apps*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "campaigns*" } ] }, { "access_level": "List", - "description": "Grants permission to return information about DB snapshots", - "privilege": "DescribeDBSnapshots", + "description": "Retrieve information about the current and prior versions of a campaign.", + "privilege": "GetCampaignVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" + "resource_type": "campaigns*" } ] }, { "access_level": "List", - "description": "Grants permission to return a list of DBSubnetGroup descriptions", - "privilege": "DescribeDBSubnetGroups", + "description": "Retrieve information about all campaigns for an app.", + "privilege": "GetCampaigns", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "apps*" } ] }, { "access_level": "List", - "description": "Grants permission to return the default engine and system parameter information for the cluster database engine", - 
"privilege": "DescribeEngineDefaultClusterParameters", + "description": "Get all channels information for your app.", + "privilege": "GetChannels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return the default engine and system parameter information for the specified database engine", - "privilege": "DescribeEngineDefaultParameters", + "access_level": "Read", + "description": "Obtain information about the email channel in an app.", + "privilege": "GetEmailChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to display a list of categories for all event source types, or, if specified, for a specified source type", - "privilege": "DescribeEventCategories", + "access_level": "Read", + "description": "Retrieve information about a specific or the active version of an email template.", + "privilege": "GetEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "templates*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the subscription descriptions for a customer account", - "privilege": "DescribeEventSubscriptions", + "access_level": "Read", + "description": "Retrieve information about a specific endpoint.", + "privilege": "GetEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days", - "privilege": "DescribeEvents", + "access_level": "Read", + "description": "Retrieve information about the event stream for an 
app.", + "privilege": "GetEventStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about the export tasks", - "privilege": "DescribeExportTasks", + "access_level": "Read", + "description": "Obtain information about a specific export job.", + "privilege": "GetExportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "List", - "description": "Grants permission to return information about Aurora global database clusters", - "privilege": "DescribeGlobalClusters", + "description": "Retrieve a list of all of the export jobs for an app.", + "privilege": "GetExportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe all available options", - "privilege": "DescribeOptionGroupOptions", + "access_level": "Read", + "description": "Retrieve information about the GCM channel for an app.", + "privilege": "GetGcmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to describe the available option groups", - "privilege": "DescribeOptionGroups", + "access_level": "Read", + "description": "Retrieve information about a specific import job.", + "privilege": "GetImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "apps*" } ] }, { "access_level": "List", - "description": "Grants permission to return a list of orderable DB instance options for the specified engine", - "privilege": "DescribeOrderableDBInstanceOptions", + "description": "Retrieve 
information about all import jobs for an app.", + "privilege": "GetImportJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of resources (for example, DB instances) that have at least one pending maintenance action", - "privilege": "DescribePendingMaintenanceActions", + "access_level": "Read", + "description": "Retrieve information about a specific journey.", + "privilege": "GetJourney", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" + "resource_type": "journeys*" } ] }, { - "access_level": "List", - "description": "Grants permission to return information about reserved DB instances for this account, or about a specified reserved DB instance", - "privilege": "DescribeReservedDBInstances", + "access_level": "Read", + "description": "Retrieves (queries) pre-aggregated data for a standard engagement metric that applies to a journey.", + "privilege": "GetJourneyDateRangeKpi", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri*" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "journeys*" } ] }, { - "access_level": "List", - "description": "Grants permission to list available reserved DB instance offerings", - "privilege": "DescribeReservedDBInstancesOfferings", + "access_level": "Read", + "description": "Retrieves (queries) pre-aggregated data for a standard execution metric that applies to a journey activity.", + "privilege": "GetJourneyExecutionActivityMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"journeys*" } ] }, { - "access_level": "List", - "description": "Grants permission to return a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from", - "privilege": "DescribeSourceRegions", + "access_level": "Read", + "description": "Retrieves (queries) pre-aggregated data for a standard execution metric that applies to a journey.", + "privilege": "GetJourneyExecutionMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "journeys*" } ] }, { - "access_level": "List", - "description": "Grants permission to list available modifications you can make to your DB instance", - "privilege": "DescribeValidDBInstanceModifications", + "access_level": "Read", + "description": "Retrieve information about a specific or the active version of an push notification template.", + "privilege": "GetPushTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "templates*" } ] }, { "access_level": "Read", - "description": "Grants permission to download all or a portion of the specified log file, up to 1 MB in size", - "privilege": "DownloadDBLogFilePortion", + "description": "Retrieve information about an Amazon Pinpoint configuration for a recommender model.", + "privilege": "GetRecommenderConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "recommenders*" } ] }, { - "access_level": "Write", - "description": "Grants permission to force a failover for a DB cluster", - "privilege": "FailoverDBCluster", + "access_level": "List", + "description": "Retrieve information about all the recommender model configurations that are associated with an Amazon Pinpoint account.", + "privilege": "GetRecommenderConfigurations", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to list all tags on an Amazon RDS resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to mobiletargeting:GetReports", + "privilege": "GetReports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Retrieve information about a specific segment.", + "privilege": "GetSegment", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og" - }, + "resource_type": "segments*" + } + ] + }, + { + "access_level": "List", + "description": "Retrieve information about jobs that export endpoint definitions from segments to Amazon S3.", + "privilege": "GetSegmentExportJobs", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "proxy" - }, + "resource_type": "segments*" + } + ] + }, + { + "access_level": "List", + "description": "Retrieve information about jobs that create segments by importing endpoint definitions from .", + "privilege": "GetSegmentImportJobs", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp" - }, + "resource_type": "segments*" + } + ] + }, + { + "access_level": "Read", + "description": "Retrieve information about a specific segment version.", + "privilege": "GetSegmentVersion", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot" + "resource_type": "apps*" }, { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp" + "resource_type": "segments*" + } + ] + }, + { + "access_level": "List", + "description": "Retrieve information about the current and prior versions of a segment.", + "privilege": "GetSegmentVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group" + "resource_type": "segments*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify current cluster capacity for an Amazon Aurora Severless DB cluster", - "privilege": "ModifyCurrentDBClusterCapacity", + "access_level": "List", + "description": "Retrieve information about the segments for an app.", + "privilege": "GetSegments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a setting for an Amazon Aurora DB cluster", - "privilege": "ModifyDBCluster", + "access_level": "Read", + "description": "Obtain information about the SMS channel in an app.", + "privilege": "GetSmsChannel", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" - }, + "resource_type": "apps*" + } + ] + }, + { + "access_level": "Read", + "description": "Retrieve information about a specific or the active version of an sms message template.", + "privilege": "GetSmsTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "templates*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the properties of an endpoint in an Amazon Aurora DB cluster", - "privilege": "ModifyDBClusterEndpoint", + 
"access_level": "Read", + "description": "Retrieve information about the endpoints that are associated with a user ID.", + "privilege": "GetUserEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-endpoint*" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB cluster parameter group", - "privilege": "ModifyDBClusterParameterGroup", + "access_level": "Read", + "description": "Obtain information about the Voice channel in an app.", + "privilege": "GetVoiceChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot", - "privilege": "ModifyDBClusterSnapshotAttribute", + "access_level": "Read", + "description": "Retrieve information about a specific or the active version of a voice message template.", + "privilege": "GetVoiceTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "templates*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify settings for a DB instance", - "privilege": "ModifyDBInstance", + "access_level": "List", + "description": "Retrieve information about all journeys for an app.", + "privilege": "ListJourneys", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" - }, + "dependent_actions": [], + "resource_type": "apps*" + } + ] + }, + { + "access_level": "Read", + "description": "List tags for a resource.", + "privilege": "ListTagsForResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "apps" }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "pg*" + "resource_type": "campaigns" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "segments" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB parameter group", - "privilege": "ModifyDBParameterGroup", + "access_level": "List", + "description": "Retrieve all versions about a specific template.", + "privilege": "ListTemplateVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "templates*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify database proxy", - "privilege": "ModifyDBProxy", + "access_level": "List", + "description": "Retrieve metadata about the queried templates.", + "privilege": "ListTemplates", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "proxy*" + "dependent_actions": [], + "resource_type": "templates*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify target group for a database proxy", - "privilege": "ModifyDBProxyTargetGroup", + "access_level": "Read", + "description": "Obtain metadata for a phone number, such as the number type (mobile, landline, or VoIP), location, and provider.", + "privilege": "PhoneNumberValidate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group*" + "resource_type": "phone-number-validate*" } ] }, { "access_level": "Write", - "description": "Grants permission to update a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version", - "privilege": "ModifyDBSnapshot", + "description": "Create or update an event stream for an app.", + "privilege": "PutEventStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "apps*" } ] }, { 
"access_level": "Write", - "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot", - "privilege": "ModifyDBSnapshotAttribute", + "description": "Create or update events for an app.", + "privilege": "PutEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an existing DB subnet group", - "privilege": "ModifyDBSubnetGroup", + "description": "Used to remove the attributes for an app.", + "privilege": "RemoveAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify an existing RDS event notification subscription", - "privilege": "ModifyEventSubscription", + "description": "Send an SMS message or push notification to specific endpoints.", + "privilege": "SendMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify a setting for an Amazon Aurora global cluster", - "privilege": "ModifyGlobalCluster", + "description": "Send an SMS message or push notification to all endpoints that are associated with a specific user ID.", + "privilege": "SendUsersMessages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "apps*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify an existing option group", - "privilege": "ModifyOptionGroup", + "access_level": "Tagging", + "description": "Adds tags to a resource.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" + 
"dependent_actions": [], + "resource_type": "apps" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaigns" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "segments" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], - "resource_type": "og*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to promote a Read Replica DB instance to a standalone DB instance", - "privilege": "PromoteReadReplica", + "access_level": "Tagging", + "description": "Removes tags from a resource.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to promote a Read Replica DB cluster to a standalone DB cluster", - "privilege": "PromoteReadReplicaDBCluster", - "resource_types": [ + "resource_type": "apps" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to purchase a reserved DB instance offering", - "privilege": "PurchaseReservedDBInstancesOffering", - "resource_types": [ + "resource_type": "campaigns" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri*" + "resource_type": "segments" }, { "condition_keys": [ 
@@ -111847,145 +122409,139 @@ }, { "access_level": "Write", - "description": "Grants permission to restart the database engine service", - "privilege": "RebootDBInstance", + "description": "Update the Amazon Device Messaging (ADM) channel for an app.", + "privilege": "UpdateAdmChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to add targets to a database proxy target group", - "privilege": "RegisterDBProxyTargets", + "description": "Update the Apple Push Notification service (APNs) channel for an app.", + "privilege": "UpdateApnsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to detach an Aurora secondary cluster from an Aurora global database cluster", - "privilege": "RemoveFromGlobalCluster", + "description": "Update the Apple Push Notification service (APNs) sandbox channel for an app.", + "privilege": "UpdateApnsSandboxChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "global-cluster*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster", - "privilege": "RemoveRoleFromDBCluster", + "description": "Update the Apple Push Notification service (APNs) VoIP channel for an app.", + "privilege": "UpdateApnsVoipChannel", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" + "dependent_actions": [], + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate an AWS 
Identity and Access Management (IAM) role from a DB instance", - "privilege": "RemoveRoleFromDBInstance", + "description": "Update the Apple Push Notification service (APNs) VoIP sandbox channel for an app.", + "privilege": "UpdateApnsVoipSandboxChannel", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" + "dependent_actions": [], + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove a source identifier from an existing RDS event notification subscription", - "privilege": "RemoveSourceIdentifierFromSubscription", + "description": "Update the default settings for an app.", + "privilege": "UpdateApplicationSettings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "es*" + "resource_type": "apps*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove metadata tags from an Amazon RDS resource", - "privilege": "RemoveTagsFromResource", + "access_level": "Write", + "description": "Update the Baidu channel for an app.", + "privilege": "UpdateBaiduChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "es" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "pg" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "proxy" - }, + "resource_type": "apps*" + } + ] + }, + { + "access_level": "Write", + "description": "Update a specific campaign.", + "privilege": "UpdateCampaign", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "ri" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp" + "resource_type": "campaigns*" }, { - 
"condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "snapshot" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Update the email channel for an app.", + "privilege": "UpdateEmailChannel", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp" - }, + "resource_type": "apps*" + } + ] + }, + { + "access_level": "Write", + "description": "Update a specific email template under the same version or generate a new version.", + "privilege": "UpdateEmailTemplate", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "target-group" + "resource_type": "templates*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -111994,81 +122550,59 @@ }, { "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB cluster parameter group to the default value", - "privilege": "ResetDBClusterParameterGroup", + "description": "Create an endpoint or update the information for an endpoint.", + "privilege": "UpdateEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-pg*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the parameters of a DB parameter group to the engine/system default value", - "privilege": "ResetDBParameterGroup", + "description": "Create or update endpoints as a batch operation.", + "privilege": "UpdateEndpointsBatch", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pg*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket", - "privilege": "RestoreDBClusterFromS3", + "description": "Update the Firebase Cloud Messaging (FCM) or Google Cloud Messaging (GCM) API key that allows to send push notifications to your Android app.", + "privilege": "UpdateGcmChannel", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}", - "rds:DatabaseEngine", - "rds:DatabaseName", - "rds:StorageEncrypted" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new DB cluster from a DB cluster snapshot", - "privilege": "RestoreDBClusterFromSnapshot", + "description": "Update a specific journey.", + "privilege": "UpdateJourney", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - 
], - "resource_type": "cluster*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster-snapshot*" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "journeys*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -112077,31 +122611,23 @@ }, { "access_level": "Write", - "description": "Grants permission to restore a DB cluster to an arbitrary point in time", - "privilege": "RestoreDBClusterToPointInTime", + "description": "Update a specific journey state.", + "privilege": "UpdateJourneyState", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "cluster*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "journeys*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -112110,36 +122636,18 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB instance from a DB snapshot", - "privilege": "RestoreDBInstanceFromDBSnapshot", + "description": "Update a specific push notification template under the same version or generate a new version.", + "privilege": "UpdatePushTemplate", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "og*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "templates*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -112148,54 +122656,35 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new DB instance from an Amazon S3 bucket", - "privilege": "RestoreDBInstanceFromS3", + "description": "Update an Amazon Pinpoint configuration for a recommender model.", + "privilege": "UpdateRecommenderConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "recommenders*" } ] }, { "access_level": "Write", - "description": "Grants permission to restore a DB instance to an arbitrary point in time", - "privilege": "RestoreDBInstanceToPointInTime", + "description": "Update a specific segment.", + "privilege": "UpdateSegment", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "db*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "og*" + "resource_type": "apps*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subgrp*" + "resource_type": "segments*" }, { "condition_keys": [ "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "rds:req-tag/${TagKey}" + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -112204,293 +122693,184 @@ }, { "access_level": "Write", - "description": "Grants permission to revoke ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups", - "privilege": "RevokeDBSecurityGroupIngress", + "description": "Update the SMS channel for an app.", + "privilege": "UpdateSmsChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "secgrp*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to start Activity Stream", - "privilege": "StartActivityStream", + "description": "Update a specific sms message template under the same version or generate a new version.", + "privilege": "UpdateSmsTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Starts the DB cluster", - "privilege": "StartDBCluster", - "resource_types": [ + "resource_type": "templates*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to start the DB instance", - "privilege": "StartDBInstance", + "description": "Upate the active version parameter of a specific template.", + "privilege": "UpdateTemplateActiveVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "db*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start a new Export task for a DB snapshot", - "privilege": "StartExportTask", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "" + "resource_type": "templates*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop Activity Stream", - "privilege": "StopActivityStream", + 
"description": "Update the Voice channel for an app.", + "privilege": "UpdateVoiceChannel", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "apps*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop the DB cluster", - "privilege": "StopDBCluster", + "description": "Update a specific voice message template under the same version or generate a new version.", + "privilege": "UpdateVoiceTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to stop the DB instance", - "privilege": "StopDBInstance", - "resource_types": [ + "resource_type": "templates*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "db*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:cluster-tag/${TagKey}" - ], - "resource": "cluster" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint}", + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "cluster-endpoint" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:cluster-pg-tag/${TagKey}" - ], - "resource": "cluster-pg" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:cluster-snapshot-tag/${TagKey}" - ], - "resource": "cluster-snapshot" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}", - 
"condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:DatabaseClass", - "rds:DatabaseEngine", - "rds:DatabaseName", - "rds:MultiAz", - "rds:Piops", - "rds:StorageEncrypted", - "rds:StorageSize", - "rds:Vpc", - "rds:db-tag/${TagKey}" - ], - "resource": "db" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:es-tag/${TagKey}" - ], - "resource": "es" - }, - { - "arn": "arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster}", - "condition_keys": [], - "resource": "global-cluster" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:og-tag/${TagKey}" - ], - "resource": "og" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:pg-tag/${TagKey}" - ], - "resource": "pg" + "resource": "apps" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId}", + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/campaigns/${CampaignId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "proxy" - }, - { - "arn": "arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:ri-tag/${TagKey}" - ], - "resource": "ri" + "resource": "campaigns" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName}", + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/journeys/${JourneyId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:secgrp-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "secgrp" + "resource": "journeys" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName}", + "arn": 
"arn:${Partition}:mobiletargeting:${Region}:${Account}:apps/${AppId}/segments/${SegmentId}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:snapshot-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "snapshot" + "resource": "segments" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName}", + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/${ChannelType}", "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "rds:subgrp-tag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], - "resource": "subgrp" + "resource": "templates" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:target:${TargetId}", + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:recommenders/${RecommenderId}", "condition_keys": [], - "resource": "target" + "resource": "recommenders" }, { - "arn": "arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "target-group" + "arn": "arn:${Partition}:mobiletargeting:${Region}:${Account}:phone/number/validate", + "condition_keys": [], + "resource": "phone-number-validate" } ], - "service_name": "Amazon RDS" + "service_name": "Amazon Pinpoint" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", + "description": "Filters access by the tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", + "description": "Filters access by the tags attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys associated with the resource", + "description": "Filters actions by the tag keys in the request", "type": "String" } ], - "prefix": "rds-data", + "prefix": "monitron", "privileges": [ { - 
"access_level": "Write", - "description": "Grants permission to run a batch SQL statement over an array of data", - "privilege": "BatchExecuteStatement", - "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start a SQL transaction", - "privilege": "BeginTransaction", + "access_level": "Permissions management", + "description": "Grants permission to associate a user with the project as an administrator", + "privilege": "AssociateProjectAdminUser", "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "condition_keys": [], + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:AssociateProfile", + "sso:GetManagedApplicationInstance", + "sso:GetProfile", + "sso:ListDirectoryAssociations", + "sso:ListProfiles" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { "access_level": "Write", - "description": "Grants permission to end a SQL transaction started with the BeginTransaction operation and commits the changes", - "privilege": "CommitTransaction", + "description": "Grants permission to create a project", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [ - "aws:ResourceTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [ - "rds-data:BeginTransaction" + "iam:CreateServiceLinkedRole", + "kms:CreateGrant", + "sso:CreateManagedApplicationInstance", + "sso:DeleteManagedApplicationInstance" ], "resource_type": "" } 
@@ -112498,237 +122878,143 @@ }, { "access_level": "Write", - "description": "Grants permission to run one or more SQL statements. This operation is deprecated. Use the BatchExecuteStatement or ExecuteStatement operation", - "privilege": "ExecuteSql", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to run a SQL statement against a database", - "privilege": "ExecuteStatement", - "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to perform a rollback of a transaction. Rolling back a transaction cancels its changes", - "privilege": "RollbackTransaction", - "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], "dependent_actions": [ - "rds-data:BeginTransaction" + "sso:DeleteManagedApplicationInstance" ], - "resource_type": "" + "resource_type": "project*" } ] - } - ], - "resources": [], - "service_name": "Amazon RDS Data API" - }, - { - "conditions": [], - "prefix": "rds-db", - "privileges": [ + }, { "access_level": "Permissions management", - "description": "Allows IAM role or user to connect to RDS database", - "privilege": "connect", + "description": "Grants permission to disassociate an administrator from the project", + "privilege": "DisassociateProjectAdminUser", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "db-user*" + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:DisassociateProfile", + "sso:GetManagedApplicationInstance", + "sso:GetProfile", + "sso:ListDirectoryAssociations", + "sso:ListProfiles" + ], + "resource_type": "project*" } ] - } - ], - "resources": [ - { - "arn": 
"arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}", - "condition_keys": [], - "resource": "db-user" - } - ], - "service_name": "Amazon RDS IAM Authentication" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - }, - { - "condition": "redshift:DbName", - "description": "Filters access by the database name", - "type": "String" - }, - { - "condition": "redshift:DbUser", - "description": "Filters access by the database user name", - "type": "String" }, { - "condition": "redshift:DurationSeconds", - "description": "Filters access by the number of seconds until a temporary credential set expires", - "type": "String" - } - ], - "prefix": "redshift", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to exchange a DC1 reserved node for a DC2 reserved node with no changes to the configuration", - "privilege": "AcceptReservedNodeExchange", + "access_level": "Read", + "description": "Grants permission to get information about a project", + "privilege": "GetProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "project*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to add an inbound (ingress) rule to an Amazon Redshift security group", - "privilege": "AuthorizeClusterSecurityGroupIngress", + "access_level": "Read", + "description": "Grants permission to describe an administrator who is associated with the project", + "privilege": "GetProjectAdminUser", "resource_types": 
[ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroup*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup*" + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:GetManagedApplicationInstance" + ], + "resource_type": "project*" } ] }, { "access_level": "Permissions management", - "description": "Grants permission to the specified AWS account to restore a snapshot", - "privilege": "AuthorizeSnapshotAccess", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete snapshots in a batch of size upto 100", - "privilege": "BatchDeleteClusterSnapshots", + "description": "Grants permission to list all administrators associated with the project", + "privilege": "ListProjectAdminUsers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" + "dependent_actions": [ + "sso-directory:DescribeUsers", + "sso:GetManagedApplicationInstance" + ], + "resource_type": "project*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify settings for a list of snapshots", - "privilege": "BatchModifyClusterSnapshots", + "access_level": "List", + "description": "Grants permission to list all projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a query through the Amazon Redshift console", - "privilege": "CancelQuery", + "access_level": "Read", + "description": "Grants permission to list all tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", 
- "description": "Grants permission to see queries in the Amazon Redshift console", - "privilege": "CancelQuerySession", - "resource_types": [ + "resource_type": "project" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to cancel a resize operation", - "privilege": "CancelResize", + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to copy a cluster snapshot", - "privilege": "CopyClusterSnapshot", - "resource_types": [ + "resource_type": "project" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a cluster", - "privilege": "CreateCluster", + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "project" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -112738,54 +123024,91 @@ }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift parameter group", - "privilege": "CreateClusterParameterGroup", + "description": "Grants permission to update a project", + "privilege": "UpdateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "project*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:monitron:${Region}:${Account}:project/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "project" + } + ], + "service_name": "Amazon Monitron" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags associated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "mq", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift security group", - "privilege": "CreateClusterSecurityGroup", + "description": "Grants permission to create a broker", + "privilege": "CreateBroker", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroup*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], - "dependent_actions": [], + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:CreateNetworkInterfacePermission", + "ec2:CreateSecurityGroup", + "ec2:CreateVpcEndpoint", + "ec2:DescribeInternetGateways", + 
"ec2:DescribeNetworkInterfacePermissions", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeVpcs", + "ec2:ModifyNetworkInterfaceAttribute", + "iam:CreateServiceLinkedRole", + "route53:AssociateVPCWithHostedZone" + ], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a manual snapshot of the specified cluster", - "privilege": "CreateClusterSnapshot", + "description": "Grants permission to create a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and engine version)", + "privilege": "CreateConfiguration", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" - }, { "condition_keys": [ "aws:RequestTag/${TagKey}", @@ -112797,14 +123120,19 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift subnet group", - "privilege": "CreateClusterSubnetGroup", + "access_level": "Tagging", + "description": "Grants permission to create tags", + "privilege": "CreateTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" + "resource_type": "brokers" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurations" }, { "condition_keys": [ 
@@ -112817,57 +123145,51 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to automatically create the specified Amazon Redshift user if it does not exist", - "privilege": "CreateClusterUser", + "access_level": "Write", + "description": "Grants permission to create an ActiveMQ user", + "privilege": "CreateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbuser*" - }, - { - "condition_keys": [ - "redshift:DbUser" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift event notification subscription", - "privilege": "CreateEventSubscription", + "description": "Grants permission to delete a broker", + "privilege": "DeleteBroker", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "eventsubscription*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "dependent_actions": [ + "ec2:DeleteNetworkInterface", + "ec2:DeleteNetworkInterfacePermission", + "ec2:DeleteVpcEndpoints", + "ec2:DetachNetworkInterface" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an HSM client certificate that a cluster uses to connect to an HSM", - "privilege": "CreateHsmClientCertificate", + "access_level": "Tagging", + "description": "Grants permission to delete tags", + "privilege": "DeleteTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmclientcertificate*" + "resource_type": "brokers" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurations" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -112877,40 +123199,32 @@ }, { "access_level": "Write", - "description": "Grants permission to create an HSM configuration that contains information required by a cluster to store and use database encryption keys in a hardware security module (HSM)", - "privilege": "CreateHsmConfiguration", + "description": "Grants permission to delete an ActiveMQ user", + "privilege": "DeleteUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmconfiguration*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create saved SQL queries through the Amazon Redshift console", - "privilege": "CreateSavedQuery", + "access_level": "Read", + "description": "Grants permission to return information about the specified broker", + "privilege": "DescribeBroker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an Amazon Redshift scheduled action", - "privilege": "CreateScheduledAction", + "access_level": "Read", + "description": "Grants permission to return information about broker engines", + "privilege": "DescribeBrokerEngineTypes", "resource_types": [ { "condition_keys": [], 
@@ -112920,361 +123234,310 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region", - "privilege": "CreateSnapshotCopyGrant", + "access_level": "Read", + "description": "Grants permission to return information about the broker instance options", + "privilege": "DescribeBrokerInstanceOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotcopygrant*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a snapshot schedule", - "privilege": "CreateSnapshotSchedule", + "access_level": "Read", + "description": "Grants permission to return information about the specified configuration", + "privilege": "DescribeConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "configurations*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add one or more tags to a specified resource", - "privilege": "CreateTags", + "access_level": "Read", + "description": "Grants permission to return the specified configuration revision for the specified configuration", + "privilege": "DescribeConfigurationRevision", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbgroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbname" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbuser" - }, - { - "condition_keys": [], - "dependent_actions": 
[], - "resource_type": "eventsubscription" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmclientcertificate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmconfiguration" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "parametergroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-cidr" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshotcopygrant" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshotschedule" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "subnetgroup" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "configurations*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a previously provisioned cluster", - "privilege": "DeleteCluster", + "access_level": "Read", + "description": "Grants permission to return information about an ActiveMQ user", + "privilege": "DescribeUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "brokers*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift parameter group", - "privilege": "DeleteClusterParameterGroup", + "access_level": "List", + "description": "Grants permission to return a list of all brokers", + "privilege": "ListBrokers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "parametergroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift security group", - "privilege": "DeleteClusterSecurityGroup", + "access_level": "List", + "description": "Grants permission to return a list of all existing revisions for the specified configuration", + "privilege": "ListConfigurationRevisions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup*" + "resource_type": "configurations*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a manual snapshot", - "privilege": "DeleteClusterSnapshot", + "access_level": "List", + "description": "Grants permission to return a list of all configurations", + "privilege": "ListConfigurations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a cluster subnet group", - "privilege": "DeleteClusterSubnetGroup", + "access_level": "List", + "description": "Grants permission to return a list of tags", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" + "resource_type": "brokers" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configurations" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift event notification subscription", - "privilege": "DeleteEventSubscription", + "access_level": "List", + "description": "Grants permission to return a list of all ActiveMQ users", + "privilege": "ListUsers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventsubscription*" + "resource_type": "brokers*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an HSM client certificate", 
- "privilege": "DeleteHsmClientCertificate", + "description": "Grants permission to reboot a broker", + "privilege": "RebootBroker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmclientcertificate*" + "resource_type": "brokers*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift HSM configuration", - "privilege": "DeleteHsmConfiguration", + "description": "Grants permission to add a pending configuration change to a broker", + "privilege": "UpdateBroker", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmconfiguration*" + "resource_type": "brokers*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete saved SQL queries through the Amazon Redshift console", - "privilege": "DeleteSavedQueries", + "description": "Grants permission to update the specified configuration", + "privilege": "UpdateConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "configurations*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete an Amazon Redshift scheduled action", - "privilege": "DeleteScheduledAction", + "description": "Grants permission to update the information for an ActiveMQ user", + "privilege": "UpdateUser", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "brokers*" } ] - }, + } + ], + "resources": [ { - "access_level": "Write", - "description": "Grants permission to delete a snapshot copy grant", - "privilege": "DeleteSnapshotCopyGrant", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshotcopygrant*" - } - ] + "arn": "arn:${Partition}:mq:${Region}:${Account}:broker:${broker-id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "brokers" }, + { + "arn": 
"arn:${Partition}:mq:${Region}:${Account}:configuration:${configuration-id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "configurations" + } + ], + "service_name": "Amazon MQ" + }, + { + "conditions": [], + "prefix": "neptune-db", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete a snapshot schedule", - "privilege": "DeleteSnapshotSchedule", + "description": "Connect to database", + "privilege": "connect", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" + "resource_type": "database*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:neptune-db:${Region}:${Account}:${RelativeId}/database", + "condition_keys": [], + "resource": "database" + } + ], + "service_name": "Amazon Neptune" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the tags", + "type": "String" }, { - "access_level": "Tagging", - "description": "Grants permission to delete a tag or tags from a resource", - "privilege": "DeleteTags", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tag value associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tags in the request", + "type": "String" + } + ], + "prefix": "network-firewall", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an association between a firewall policy and a firewall", + "privilege": "AssociateFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbgroup" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbname" - }, - { - "condition_keys": [], 
- "dependent_actions": [], - "resource_type": "dbuser" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "eventsubscription" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmclientcertificate" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hsmconfiguration" + "resource_type": "Firewall*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup" - }, + "resource_type": "FirewallPolicy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate VPC subnets to a firewall", + "privilege": "AssociateSubnets", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup" - }, + "resource_type": "Firewall*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall firewall", + "privilege": "CreateFirewall", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "securitygroupingress-cidr" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "Firewall*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup" + "resource_type": "FirewallPolicy*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "snapshot" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall firewall policy", + "privilege": "CreateFirewallPolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotcopygrant" + "resource_type": "FirewallPolicy*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule" + "resource_type": "StatefulRuleGroup" }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "subnetgroup" + "resource_type": "StatelessRuleGroup" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -113283,285 +123546,218 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe attributes attached to the specified AWS account", - "privilege": "DescribeAccountAttributes", + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall rule group", + "privilege": "CreateRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to describe database revisions for a cluster", - "privilege": "DescribeClusterDbRevisions", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift parameter groups, including parameter groups you created and the default parameter group", - "privilege": "DescribeClusterParameterGroups", - "resource_types": [ + "resource_type": "StatelessRuleGroup" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe parameters contained within an Amazon Redshift parameter group", - "privilege": "DescribeClusterParameters", + "access_level": "Write", + "description": "Grants permission to delete a firewall", + "privilege": "DeleteFirewall", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift security groups", - "privilege": "DescribeClusterSecurityGroups", + "access_level": "Write", + "description": "Grants permission to delete a firewall policy", + "privilege": "DeleteFirewallPolicy", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" + "resource_type": "FirewallPolicy*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots", - "privilege": "DescribeClusterSnapshots", + "access_level": "Write", + "description": "Grants permission to delete a resource policy for a firewall policy or rule group", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe one or more cluster subnet group objects, which contain metadata about your cluster subnet groups", - "privilege": "DescribeClusterSubnetGroups", - "resource_types": [ + "resource_type": "FirewallPolicy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to describe available maintenance tracks", - "privilege": "DescribeClusterTracks", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe available Amazon Redshift cluster versions", - "privilege": "DescribeClusterVersions", + "access_level": "Write", + "description": "Grants permission to delete a rule group", + "privilege": "DeleteRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to describe properties of provisioned clusters", - "privilege": "DescribeClusters", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatelessRuleGroup" } ] }, { 
"access_level": "Read", - "description": "Grants permission to describe parameter settings for a parameter group family", - "privilege": "DescribeDefaultClusterParameters", + "description": "Grants permission to retrieve the data objects that define a firewall", + "privilege": "DescribeFirewall", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe event categories for all event source types, or for a specified source type", - "privilege": "DescribeEventCategories", + "description": "Grants permission to retrieve the data objects that define a firewall policy", + "privilege": "DescribeFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift event notification subscriptions for the specified AWS account", - "privilege": "DescribeEventSubscriptions", - "resource_types": [ + "resource_type": "FirewallPolicy*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to describe events related to clusters, security groups, snapshots, and parameter groups for the past 14 days", - "privilege": "DescribeEvents", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Read", - "description": "Grants permission to describe HSM client certificates", - "privilege": "DescribeHsmClientCertificates", + "description": "Grants permission to describe the logging configuration of a firewall", + "privilege": "DescribeLoggingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + 
"resource_type": "Firewall*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe Amazon Redshift HSM configurations", - "privilege": "DescribeHsmConfigurations", + "description": "Grants permission to describe a resource policy for a firewall policy or rule group", + "privilege": "DescribeResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe whether information, such as queries and connection attempts, is being logged for a cluster", - "privilege": "DescribeLoggingStatus", - "resource_types": [ + "resource_type": "FirewallPolicy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to describe properties of possible node configurations such as node type, number of nodes, and disk usage for the specified action type", - "privilege": "DescribeNodeConfigurationOptions", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Read", - "description": "Grants permission to describe orderable cluster options", - "privilege": "DescribeOrderableClusterOptions", + "description": "Grants permission to retrieve the data objects that define a rule group", + "privilege": "DescribeRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a query through the Amazon Redshift console", - "privilege": "DescribeQuery", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Read", - 
"description": "Grants permission to describe available reserved node offerings by Amazon Redshift", - "privilege": "DescribeReservedNodeOfferings", + "access_level": "Write", + "description": "Grants permission to disassociate VPC subnets from a firewall", + "privilege": "DisassociateSubnets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the reserved nodes", - "privilege": "DescribeReservedNodes", + "access_level": "List", + "description": "Grants permission to retrieve the metadata for firewall policies", + "privilege": "ListFirewallPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "FirewallPolicy*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the last resize operation for a cluster", - "privilege": "DescribeResize", + "access_level": "List", + "description": "Grants permission to retrieve the metadata for firewalls", + "privilege": "ListFirewalls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe saved queries through the Amazon Redshift console", - "privilege": "DescribeSavedQueries", + "access_level": "List", + "description": "Grants permission to retrieve the metadata for rule groups", + "privilege": "ListRuleGroups", "resource_types": [ { "condition_keys": [], 
@@ -113571,256 +123767,325 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe created Amazon Redshift scheduled actions", - "privilege": "DescribeScheduledActions", + "access_level": "List", + "description": "Grants permission to retrieve the tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region", - "privilege": "DescribeSnapshotCopyGrants", - "resource_types": [ + "resource_type": "Firewall*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe snapshot schedules", - "privilege": "DescribeSnapshotSchedules", - "resource_types": [ + "resource_type": "FirewallPolicy*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe account level backups storage size and provisional storage", - "privilege": "DescribeStorage", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a table through the Amazon Redshift console", - "privilege": "DescribeTable", + "access_level": "Write", + "description": "Grants permission to put a resource policy for a firewall policy or rule group", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe status of one or more table restore 
requests made using the RestoreTableFromClusterSnapshot API action", - "privilege": "DescribeTableRestoreStatus", - "resource_types": [ + "resource_type": "FirewallPolicy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe tags", - "privilege": "DescribeTags", + "access_level": "Tagging", + "description": "Grants permission to attach tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster" + "resource_type": "Firewall*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbgroup" + "resource_type": "FirewallPolicy*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbname" + "resource_type": "StatefulRuleGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbuser" + "resource_type": "StatelessRuleGroup" }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "eventsubscription" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmclientcertificate" + "resource_type": "Firewall*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hsmconfiguration" + "resource_type": "FirewallPolicy*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup" + "resource_type": "StatefulRuleGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup" + "resource_type": "StatelessRuleGroup" }, { - 
"condition_keys": [], + "condition_keys": [ + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "securitygroupingress-cidr" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add or remove delete protection for a firewall", + "privilege": "UpdateFirewallDeleteProtection", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup" - }, + "resource_type": "Firewall*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the description for a firewall", + "privilege": "UpdateFirewallDescription", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot" - }, + "resource_type": "Firewall*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a firewall policy", + "privilege": "UpdateFirewallPolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotcopygrant" + "resource_type": "FirewallPolicy*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule" + "resource_type": "StatefulRuleGroup" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to disable logging information, such as queries and connection attempts, for a cluster", - "privilege": "DisableLogging", + "description": "Grants permission to add or remove firewall policy change protection for a firewall", + "privilege": "UpdateFirewallPolicyChangeProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable the automatic copy of snapshots for a cluster", - "privilege": 
"DisableSnapshotCopy", + "description": "Grants permission to modify the logging configuration of a firewall", + "privilege": "UpdateLoggingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to enable logging information, such as queries and connection attempts, for a cluster", - "privilege": "EnableLogging", + "description": "Grants permission to modify a rule group", + "privilege": "UpdateRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to enable the automatic copy of snapshots for a cluster", - "privilege": "EnableSnapshotCopy", + "description": "Grants permission to add or remove subnet change protection for a firewall", + "privilege": "UpdateSubnetChangeProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Firewall" + }, + { + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "FirewallPolicy" + }, + { + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "StatefulRuleGroup" + }, + { + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + 
"resource": "StatelessRuleGroup" + } + ], + "service_name": "AWS Network Firewall" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tag value associated with the resource", + "type": "String" }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tags in the request", + "type": "String" + } + ], + "prefix": "network-firewall", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to execute a query through the Amazon Redshift console", - "privilege": "ExecuteQuery", + "description": "Grants permission to create an association between a firewall policy and a firewall", + "privilege": "AssociateFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "FirewallPolicy*" } ] }, { - "access_level": "Read", - "description": "Grants permission to fetch query results through the Amazon Redshift console", - "privilege": "FetchResults", + "access_level": "Write", + "description": "Grants permission to associate VPC subnets to a firewall", + "privilege": "AssociateSubnets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account", - "privilege": "GetClusterCredentials", + "description": "Grants permission to create an AWS Network Firewall firewall", + "privilege": "CreateFirewall", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbuser*" - 
}, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dbgroup" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "Firewall*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbname" + "resource_type": "FirewallPolicy*" }, { "condition_keys": [ - "redshift:DbName", - "redshift:DbUser", - "redshift:DurationSeconds" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
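Review bot: The added lines in this hunk open a second service entry with `"prefix": "network-firewall"` directly after an entry that closes with `"service_name": "AWS Network Firewall"` and already uses `network-firewall` ARNs; the following hunk (`@@ -114080,1001 +124344,1290 @@`) closes the second one as `"service_name": "Network Firewall"` with what looks like the same privilege list. If the linter resolves actions by prefix, it may consult only one copy or expand each action twice, and findings for this service would depend on entry order if the two copies ever diverge (for example in `access_level` or `condition_keys`). Consider keeping a single entry per prefix and adding a uniqueness check over the loaded definition, e.g. `assert len(prefixes) == len(set(prefixes))`. Both entries start or end outside this hunk, so confirming they are identical needs the complete file.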
@@ -113828,249 +124093,248 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node", - "privilege": "GetReservedNodeExchangeOfferings", + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall firewall policy", + "privilege": "CreateFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to join the specified Amazon Redshift group", - "privilege": "JoinGroup", - "resource_types": [ + "resource_type": "FirewallPolicy*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "dbgroup*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list databases through the Amazon Redshift console", - "privilege": "ListDatabases", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "StatelessRuleGroup" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list saved queries through the Amazon Redshift console", - "privilege": "ListSavedQueries", + "access_level": "Write", + "description": "Grants permission to create an AWS Network Firewall rule group", + "privilege": "CreateRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list schemas through the Amazon Redshift console", - "privilege": "ListSchemas", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": 
"StatelessRuleGroup" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list tables through the Amazon Redshift console", - "privilege": "ListTables", + "access_level": "Write", + "description": "Grants permission to delete a firewall", + "privilege": "DeleteFirewall", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the settings of a cluster", - "privilege": "ModifyCluster", + "description": "Grants permission to delete a firewall policy", + "privilege": "DeleteFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "FirewallPolicy*" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the database revision of a cluster", - "privilege": "ModifyClusterDbRevision", + "description": "Grants permission to delete a resource policy for a firewall policy or rule group", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services", - "privilege": "ModifyClusterIamRoles", - "resource_types": [ + "resource_type": "FirewallPolicy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify the maintenance settings of a cluster", - "privilege": "ModifyClusterMaintenance", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the parameters of a parameter group", - "privilege": "ModifyClusterParameterGroup", + "description": "Grants permission to delete a rule group", + "privilege": "DeleteRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to modify the settings of a snapshot", - "privilege": "ModifyClusterSnapshot", - "resource_types": [ + "resource_type": "StatefulRuleGroup" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a snapshot schedule for a cluster", - "privilege": "ModifyClusterSnapshotSchedule", + "access_level": "Read", + "description": "Grants permission to retrieve the data objects that define a firewall", + "privilege": "DescribeFirewall", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a cluster subnet group to include the specified list of VPC subnets", - "privilege": "ModifyClusterSubnetGroup", + "access_level": "Read", + "description": "Grants permission to retrieve the data objects that define a firewall policy", + "privilege": "DescribeFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "subnetgroup*" + "resource_type": "FirewallPolicy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Write", - "description": 
"Grants permission to modify an existing Amazon Redshift event notification subscription", - "privilege": "ModifyEventSubscription", + "access_level": "Read", + "description": "Grants permission to describe the logging configuration of a firewall", + "privilege": "DescribeLoggingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "eventsubscription*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify an existing saved query through the Amazon Redshift console", - "privilege": "ModifySavedQuery", + "access_level": "Read", + "description": "Grants permission to describe a resource policy for a firewall policy or rule group", + "privilege": "DescribeResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "FirewallPolicy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify an existing Amazon Redshift scheduled action", - "privilege": "ModifyScheduledAction", + "access_level": "Read", + "description": "Grants permission to retrieve the data objects that define a rule group", + "privilege": "DescribeRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to modify the number of days to retain snapshots in the destination AWS Region after they are copied from the source AWS Region", - "privilege": "ModifySnapshotCopyRetentionPeriod", + "description": "Grants permission to disassociate VPC subnets from a firewall", 
+ "privilege": "DisassociateSubnets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Write", - "description": "Grants permission to modify a snapshot schedule", - "privilege": "ModifySnapshotSchedule", + "access_level": "List", + "description": "Grants permission to retrieve the metadata for firewall policies", + "privilege": "ListFirewallPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshotschedule*" + "resource_type": "FirewallPolicy*" } ] }, { - "access_level": "Write", - "description": "Grants permission to pause a cluster", - "privilege": "PauseCluster", + "access_level": "List", + "description": "Grants permission to retrieve the metadata for firewalls", + "privilege": "ListFirewalls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Write", - "description": "Grants permission to purchase a reserved node", - "privilege": "PurchaseReservedNodeOffering", + "access_level": "List", + "description": "Grants permission to retrieve the metadata for rule groups", + "privilege": "ListRuleGroups", "resource_types": [ { "condition_keys": [], 
@@ -114080,1001 +124344,1290 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to reboot a cluster", - "privilege": "RebootCluster", + "access_level": "List", + "description": "Grants permission to retrieve the tags for a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "FirewallPolicy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to set one or more parameters of a parameter group to their default values and set the source values of the parameters to \"engine-default\"", - "privilege": "ResetClusterParameterGroup", + "description": "Grants permission to put a resource policy for a firewall policy or rule group", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "parametergroup*" + "resource_type": "FirewallPolicy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Write", - "description": "Grants permission to change the size of a cluster", - "privilege": "ResizeCluster", + "access_level": "Tagging", + "description": "Grants permission to attach tags to a resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "FirewallPolicy*" + }, + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a cluster from a snapshot", - "privilege": "RestoreFromClusterSnapshot", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "FirewallPolicy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create a table from a table in an Amazon Redshift cluster snapshot", - "privilege": "RestoreTableFromClusterSnapshot", + "description": "Grants permission to add or remove delete protection for a firewall", + "privilege": "UpdateFirewallDeleteProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "Firewall*" } ] }, { "access_level": "Write", - "description": "Grants permission to resume a cluster", - "privilege": "ResumeCluster", + "description": "Grants permission to modify the description for a firewall", + "privilege": "UpdateFirewallDescription", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to revoke an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group", - "privilege": "RevokeClusterSecurityGroupIngress", + "access_level": "Write", + "description": "Grants permission to modify a firewall policy", + "privilege": "UpdateFirewallPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroup*" + "resource_type": "FirewallPolicy*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "securitygroupingress-ec2securitygroup*" + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to revoke access from the specified AWS account to restore a snapshot", - "privilege": "RevokeSnapshotAccess", + "access_level": "Write", + "description": "Grants permission to add or remove firewall policy change protection for a firewall", + "privilege": "UpdateFirewallPolicyChangeProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "snapshot*" + "resource_type": "Firewall*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to rotate an encryption key for a cluster", - "privilege": "RotateEncryptionKey", + "access_level": "Write", + "description": "Grants permission to modify the logging configuration of a firewall", + "privilege": "UpdateLoggingConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "cluster*" + "resource_type": "Firewall*" } ] }, { - "access_level": "List", - "description": "Grants permission to view query results through the Amazon Redshift console", - "privilege": 
"ViewQueriesFromConsole", + "access_level": "Write", + "description": "Grants permission to modify a rule group", + "privilege": "UpdateRuleGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "StatefulRuleGroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StatelessRuleGroup" } ] }, { - "access_level": "List", - "description": "Grants permission to terminate running queries and loads through the Amazon Redshift console", - "privilege": "ViewQueriesInConsole", + "access_level": "Write", + "description": "Grants permission to add or remove subnet change protection for a firewall", + "privilege": "UpdateSubnetChangeProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Firewall*" } ] } ], "resources": [ { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}", + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall/${Name}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "cluster" + "resource": "Firewall" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dbgroup" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dbname" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dbuser" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "eventsubscription" - }, - { - "arn": 
"arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "hsmclientcertificate" - }, - { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId}", + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:firewall-policy/${Name}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "hsmconfiguration" + "resource": "FirewallPolicy" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName}", + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "parametergroup" + "resource": "StatefulRuleGroup" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}", + "arn": "arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "securitygroup" - }, + "resource": "StatelessRuleGroup" + } + ], + "service_name": "Network Firewall" + }, + { + "conditions": [ { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "securitygroupingress-cidr" + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "securitygroupingress-ec2securitygroup" + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the 
resource", + "type": "String" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "snapshot" + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "snapshotcopygrant" + "condition": "networkmanager:cgwArn", + "description": "Controls which customer gateways can be associated or disassociated", + "type": "String" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "snapshotschedule" + "condition": "networkmanager:tgwArn", + "description": "Controls which transit gateways can be registered or deregistered", + "type": "String" }, { - "arn": "arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "subnetgroup" + "condition": "networkmanager:tgwConnectPeerArn", + "description": "Controls which connect peers can be associated or disassociated", + "type": "String" } ], - "service_name": "Amazon Redshift" - }, - { - "conditions": [], - "prefix": "redshift-data", + "prefix": "networkmanager", "privileges": [ { "access_level": "Write", - "description": "Grants permission to cancel a running query", - "privilege": "CancelStatement", + "description": "Grants permission to associate a customer gateway to a device", + "privilege": "AssociateCustomerGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [ + "networkmanager:cgwArn" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve detailed information about a statement execution", - "privilege": "DescribeStatement", + "access_level": "Write", + "description": "Grants permission to associate a link to a device", + "privilege": "AssociateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve metadata about a particular table", - "privilege": "DescribeTable", + "access_level": "Write", + "description": "Grants permission to associate a transit gateway connect peer to a device", + "privilege": "AssociateTransitGatewayConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [ + "networkmanager:tgwConnectPeerArn" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to execute a query", - "privilege": "ExecuteStatement", + "description": "Grants permission to create a new connection", + "privilege": "CreateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - 
"description": "Grants permission to fetch the result of a query", - "privilege": "GetStatementResult", + "access_level": "Write", + "description": "Grants permission to create a new device", + "privilege": "CreateDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list databases for a given cluster", - "privilege": "ListDatabases", + "access_level": "Write", + "description": "Grants permission to create a new global network", + "privilege": "CreateGlobalNetwork", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list schemas for a given cluster", - "privilege": "ListSchemas", + "access_level": "Write", + "description": "Grants permission to create a new link", + "privilege": "CreateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "site" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list queries for a given principal", - "privilege": "ListStatements", + "access_level": "Write", + "description": "Grants permission to create a new site", + "privilege": "CreateSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + 
"dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list tables for a given cluster", - "privilege": "ListTables", + "access_level": "Write", + "description": "Grants permission to delete a connection", + "privilege": "DeleteConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - } - ], - "resources": [], - "service_name": "Amazon Redshift Data API" - }, - { - "conditions": [], - "prefix": "rekognition", - "privileges": [ - { - "access_level": "Read", - "description": "Compares a face in source input image with each face detected in the target input image.", - "privilege": "CompareFaces", - "resource_types": [ + "resource_type": "connection*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "Creates a collection in an AWS region. You can then add faces to the collection using the IndexFaces API.", - "privilege": "CreateCollection", + "description": "Grants permission to delete a device", + "privilege": "DeleteDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "Creates a new Amazon Rekognition Custom Labels project.", - "privilege": "CreateProject", + "description": "Grants permission to delete a global network", + "privilege": "DeleteGlobalNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "Creates a new version of a model and begins training.", - "privilege": "CreateProjectVersion", + "description": "Grants permission to delete a link", + "privilege": 
"DeleteLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "global-network*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "link*" } ] }, { "access_level": "Write", - "description": "Creates an Amazon Rekognition stream processor that you can use to detect and recognize faces in a streaming video.", - "privilege": "CreateStreamProcessor", + "description": "Grants permission to delete a site", + "privilege": "DeleteSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "global-network*" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "site*" } ] }, { "access_level": "Write", - "description": "Deletes the specified collection. Note that this operation removes all faces in the collection.", - "privilege": "DeleteCollection", + "description": "Grants permission to deregister a transit gateway from a global network", + "privilege": "DeregisterTransitGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:tgwArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes faces from a collection.", - "privilege": "DeleteFaces", + "access_level": "List", + "description": "Grants permission to describe global networks", + "privilege": "DescribeGlobalNetworks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "global-network" } ] }, { "access_level": "Write", - "description": "Deletes a project.", - "privilege": "DeleteProject", + "description": "Grants permission to disassociate a customer gateway from a device", + "privilege": 
"DisassociateCustomerGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:cgwArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes a model.", - "privilege": "DeleteProjectVersion", + "description": "Grants permission to disassociate a link from a device", + "privilege": "DisassociateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link*" } ] }, { "access_level": "Write", - "description": "Deletes the stream processor identified by Name.", - "privilege": "DeleteStreamProcessor", + "description": "Grants permission to disassociate a transit gateway connect peer from a device", + "privilege": "DisassociateTransitGatewayConnectPeer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:tgwConnectPeerArn" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes the specified collection.", - "privilege": "DescribeCollection", + "access_level": "List", + "description": "Grants permission to describe connections", + "privilege": "GetConnections", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" - } - ] - }, - { - "access_level": "Read", - "description": "Lists and describes the model versions in an Amazon Rekognition Custom Labels project.", - "privilege": "DescribeProjectVersions", - "resource_types": [ + "resource_type": "global-network*" + }, { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "connection" } ] }, { - "access_level": "Read", - "description": "Lists and gets information about your Amazon Rekognition Custom Labels projects.", - "privilege": "DescribeProjects", + "access_level": "List", + "description": "Grants permission to describe customer gateway associations", + "privilege": "GetCustomerGatewayAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { - "access_level": "Read", - "description": "Provides information about a stream processor created by CreateStreamProcessor.", - "privilege": "DescribeStreamProcessor", + "access_level": "List", + "description": "Grants permission to describe devices", + "privilege": "GetDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" - } - ] - }, - { - "access_level": "Read", - "description": "Detects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model version.", - "privilege": "DetectCustomLabels", - "resource_types": [ + "resource_type": "global-network*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "device" } ] }, { - "access_level": "Read", - "description": "Detects human faces within an image (JPEG or PNG) provided as input.", - "privilege": "DetectFaces", + "access_level": "List", + "description": "Grants permission to describe link associations", + "privilege": "GetLinkAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Detects instances of real-world labels within an image (JPEG or PNG) provided as input.", - "privilege": "DetectLabels", - "resource_types": [ + "resource_type": "global-network*" + }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Detects moderation labels within input image.", - "privilege": "DetectModerationLabels", - "resource_types": [ + "resource_type": "device" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "link" } ] }, { - "access_level": "Read", - "description": "Detects Protective Equipment in the input image.", - "privilege": "DetectProtectiveEquipment", + "access_level": "List", + "description": "Grants permission to describe links", + "privilege": "GetLinks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Detects text in the input image and converts it into machine-readable text.", - "privilege": "DetectText", - "resource_types": [ + "resource_type": "global-network*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "link" } ] }, { - "access_level": "Read", - "description": "Gets the name and additional information about a celebrity based on his or her Rekognition ID.", - "privilege": "GetCelebrityInfo", + "access_level": "List", + "description": "Grants permission to describe global networks", + "privilege": "GetSites", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Gets the celebrity recognition results for a Rekognition Video analysis started by StartCelebrityRecognition.", - "privilege": "GetCelebrityRecognition", - "resource_types": [ + "resource_type": "global-network*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "site" } ] }, { - "access_level": "Read", - "description": "Gets the content moderation analysis results for a Rekognition Video analysis started by StartContentModeration.", - "privilege": 
"GetContentModeration", + "access_level": "List", + "description": "Grants permission to describe transit gateway connect peer associations", + "privilege": "GetTransitGatewayConnectPeerAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { - "access_level": "Read", - "description": "Gets face detection results for a Rekognition Video analysis started by StartFaceDetection.", - "privilege": "GetFaceDetection", + "access_level": "List", + "description": "Grants permission to describe transit gateway registrations", + "privilege": "GetTransitGatewayRegistrations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "global-network*" } ] }, { "access_level": "Read", - "description": "Gets the face search results for Rekognition Video face search started by StartFaceSearch.", - "privilege": "GetFaceSearch", + "description": "Grants permission to lists tag for a Network Manager resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "site" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets the label detection results of a Rekognition Video analysis started by StartLabelDetection.", - "privilege": "GetLabelDetection", + "access_level": "Write", + "description": "Grants permission to register a transit gateway to a global network", + "privilege": 
"RegisterTransitGateway", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:tgwArn" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets information about people detected within a video.", - "privilege": "GetPersonTracking", + "access_level": "Tagging", + "description": "Grants permission to tag a Network Manager resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "site" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets segment detection results for a Rekognition Video analysis started by StartSegmentDetection.", - "privilege": "GetSegmentDetection", + "access_level": "Tagging", + "description": "Grants permission to untag a Network Manager resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "site" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], 
"resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets text detection results for a Rekognition Video analysis started by StartTextDetection.", - "privilege": "GetTextDetection", + "access_level": "Write", + "description": "Grants permission to update a connection", + "privilege": "UpdateConnection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "connection*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" } ] }, { "access_level": "Write", - "description": "Detects faces in the input image and adds them to the specified collection.", - "privilege": "IndexFaces", + "description": "Grants permission to update a device", + "privilege": "UpdateDevice", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" } ] }, { - "access_level": "Read", - "description": "Returns a list of collection IDs in your account.", - "privilege": "ListCollections", + "access_level": "Write", + "description": "Grants permission to update a global network", + "privilege": "UpdateGlobalNetwork", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "global-network*" } ] }, { - "access_level": "Read", - "description": "Returns metadata for faces in the specified collection.", - "privilege": "ListFaces", + "access_level": "Write", + "description": "Grants permission to update a link", + "privilege": "UpdateLink", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "collection*" + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link*" } ] }, { - "access_level": "List", - "description": "Gets a list of stream processors that you 
have created with CreateStreamProcessor.", - "privilege": "ListStreamProcessors", + "access_level": "Write", + "description": "Grants permission to update a site", + "privilege": "UpdateSite", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "site*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:networkmanager::${Account}:global-network/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "global-network" }, { - "access_level": "Read", - "description": "Returns an array of celebrities recognized in the input image.", - "privilege": "RecognizeCelebrities", + "arn": "arn:${Partition}:networkmanager::${Account}:site/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "site" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:link/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "link" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:device/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "device" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connection" + } + ], + "service_name": "Network Manager" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a tag key and value pair that is allowed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair of a resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by a list of tag keys that are 
allowed in the request", + "type": "String" + }, + { + "condition": "nimble:createdBy", + "description": "Filters access based on the createdBy request parameter or the ID of the creator of the resource", + "type": "String" + }, + { + "condition": "nimble:ownedBy", + "description": "Filters access based on the ownedBy request parameter or the ID of the owner of the resource", + "type": "String" + }, + { + "condition": "nimble:principalId", + "description": "Filters access based on the principalId request parameter", + "type": "String" + }, + { + "condition": "nimble:requesterPrincipalId", + "description": "Filters access to Nimble Studio portal using the ID of the logged in user", + "type": "String" + }, + { + "condition": "nimble:studioId", + "description": "Filters access to resources in a specific studio", + "type": "ARN" + } + ], + "prefix": "nimble", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept EULAs", + "privilege": "AcceptEulas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "eula*" } ] }, { - "access_level": "Read", - "description": "For a given input face ID, searches the specified collection for matching faces.", - "privilege": "SearchFaces", + "access_level": "Write", + "description": "Grants permission to create a launch profile", + "privilege": "CreateLaunchProfile", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "collection*" + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:RunInstances" + ], + "resource_type": "studio*" } ] }, { - "access_level": "Read", - "description": "For a given input image, first detects the largest face in the image, and then searches the specified collection for matching faces.", - "privilege": "SearchFacesByImage", + "access_level": "Write", + "description": "Grants permission to create a streaming image", + "privilege": "CreateStreamingImage", 
"resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "collection*" + "dependent_actions": [ + "ec2:DescribeImages", + "ec2:DescribeSnapshots", + "ec2:ModifyInstanceAttribute", + "ec2:ModifySnapshotAttribute", + "ec2:RegisterImage" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous recognition of celebrities in a video.", - "privilege": "StartCelebrityRecognition", + "description": "Grants permission to create a streaming session", + "privilege": "CreateStreamingSession", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "ec2:CreateNetworkInterface", + "ec2:CreateNetworkInterfacePermission", + "nimble:GetLaunchProfile", + "nimble:GetLaunchProfileInitialization", + "nimble:ListEulaAcceptances" + ], + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of explicit or suggestive adult content in a video.", - "privilege": "StartContentModeration", + "description": "Grants permission to create a StreamingSessionStream", + "privilege": "CreateStreamingSessionStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "streaming-session*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of faces in a video.", - "privilege": "StartFaceDetection", + "description": "Grants permission to create a studio", + "privilege": "CreateStudio", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "iam:PassRole", + "sso:CreateManagedApplicationInstance" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Starts the asynchronous search for faces in a collection that match the faces of persons detected in a video.", - "privilege": "StartFaceSearch", + "description": "Grants 
permission to create a studio component. A studio component designates a network resource to which a launch profile will provide access", + "privilege": "CreateStudioComponent", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "collection*" + "dependent_actions": [ + "ds:AuthorizeApplication", + "ds:DescribeDirectories", + "ec2:DescribeSecurityGroups", + "fsx:DescribeFileSystems" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of labels in a video.", - "privilege": "StartLabelDetection", + "description": "Grants permission to delete a launch profile", + "privilege": "DeleteLaunchProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Starts the asynchronous tracking of persons in a video.", - "privilege": "StartPersonTracking", + "description": "Grants permission to delete a launch profile member", + "privilege": "DeleteLaunchProfileMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Starts the deployment of a model version.", - "privilege": "StartProjectVersion", + "description": "Grants permission to delete a streaming image", + "privilege": "DeleteStreamingImage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "projectversion*" + "dependent_actions": [ + "ec2:DeleteSnapshot", + "ec2:DeregisterImage", + "ec2:ModifyInstanceAttribute", + "ec2:ModifySnapshotAttribute" + ], + "resource_type": "streaming-image*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of segments in a video.", - "privilege": "StartSegmentDetection", + "description": "Grants permission to delete a streaming session", + "privilege": 
"DeleteStreamingSession", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "ec2:DeleteNetworkInterface" + ], + "resource_type": "streaming-session*" } ] }, { "access_level": "Write", - "description": "Starts processing a stream processor.", - "privilege": "StartStreamProcessor", + "description": "Grants permission to delete a studio", + "privilege": "DeleteStudio", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "streamprocessor*" + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Starts asynchronous detection of text in a video.", - "privilege": "StartTextDetection", + "description": "Grants permission to delete a studio component", + "privilege": "DeleteStudioComponent", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "" + "dependent_actions": [ + "ds:UnauthorizeApplication" + ], + "resource_type": "studio-component*" } ] }, { "access_level": "Write", - "description": "Stops a deployed model version.", - "privilege": "StopProjectVersion", + "description": "Grants permission to delete a studio member", + "privilege": "DeleteStudioMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "projectversion*" + "resource_type": "studio*" } ] }, { - "access_level": "Write", - "description": "Stops a running stream processor that was created by CreateStreamProcessor.", - "privilege": "StopStreamProcessor", + "access_level": "Read", + "description": "Grants permission to get a EULA", + "privilege": "GetEula", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "streamprocessor*" + "resource_type": "eula*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:collection/${CollectionId}", - "condition_keys": 
[], - "resource": "collection" - }, - { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:streamprocessor/${StreamprocessorId}", - "condition_keys": [], - "resource": "streamprocessor" - }, - { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/${CreationTimestamp}", - "condition_keys": [], - "resource": "project" }, { - "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/version/${VersionName}/${CreationTimestamp}", - "condition_keys": [], - "resource": "projectversion" - } - ], - "service_name": "Amazon Rekognition" - }, - { - "conditions": [], - "prefix": "resource-explorer", - "privileges": [ - { - "access_level": "List", - "description": "Grants permission to retrieve the resource types currently supported by Tag Editor", - "privilege": "ListResourceTypes", + "access_level": "Read", + "description": "Grants permission to allow Nimble Studio portal to show the appropriate features for this account", + "privilege": "GetFeatureMap", "resource_types": [ { "condition_keys": [], 
@@ -115084,212 +125637,178 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve the identifiers of the resources in the AWS account", - "privilege": "ListResources", + "access_level": "Read", + "description": "Grants permission to get a launch profile", + "privilege": "GetLaunchProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the tags attached to the specified resource identifiers", - "privilege": "ListTags", + "description": "Grants permission to get a launch profile's details, which includes the summary of studio components and streaming images used by the launch profile", + "privilege": "GetLaunchProfileDetails", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "tag:GetResources" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "launch-profile*" } ] - } - ], - "resources": [], - "service_name": "AWS Tag Editor" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "resource-groups", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a resource group with a specified name, description, and resource query", - "privilege": "CreateGroup", + "access_level": "Read", + "description": "Grants permission to get a launch profile initialization. 
A launch profile initialization is a dereferenced version of a launch profile, including attached studio component connection information", + "privilege": "GetLaunchProfileInitialization", "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "condition_keys": [], + "dependent_actions": [ + "ds:DescribeDirectories", + "ec2:DescribeSecurityGroups", + "fsx:DescribeFileSystems" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a specified resource group", - "privilege": "DeleteGroup", + "access_level": "Read", + "description": "Grants permission to get a launch profile member", + "privilege": "GetLaunchProfileMember", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "launch-profile*" } ] }, { "access_level": "Read", - "description": "Grants permission to get information of a specified resource group", - "privilege": "GetGroup", + "description": "Grants permission to get a streaming image", + "privilege": "GetStreamingImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "streaming-image*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the service configuration associated with the specified resource group", - "privilege": "GetGroupConfiguration", + "description": "Grants permission to get a streaming session", + "privilege": "GetStreamingSession", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "streaming-session*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the query associated with a specified resource group", - "privilege": "GetGroupQuery", + "description": "Grants permission to get a streaming session stream", + "privilege": 
"GetStreamingSessionStream", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "streaming-session*" } ] }, { "access_level": "Read", - "description": "Grants permission to get the tags associated with a specified resource group", - "privilege": "GetTags", + "description": "Grants permission to get a studio", + "privilege": "GetStudio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "studio*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add the specified resources to the specified group", - "privilege": "GroupResources", + "access_level": "Read", + "description": "Grants permission to get a studio component", + "privilege": "GetStudioComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "studio-component*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the resources that are members of a specified resource group", - "privilege": "ListGroupResources", + "access_level": "Read", + "description": "Grants permission to get a studio member", + "privilege": "GetStudioMember", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "cloudformation:DescribeStacks", - "cloudformation:ListStackResources", - "tag:GetResources" - ], - "resource_type": "group*" + "dependent_actions": [], + "resource_type": "studio*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all resource groups in your account", - "privilege": "ListGroups", + "access_level": "Read", + "description": "Grants permission to list EULA acceptances", + "privilege": "ListEulaAcceptances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "eula-acceptance*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add a 
resource-based policy for the specified group", - "privilege": "PutGroupPolicy", + "access_level": "Read", + "description": "Grants permission to list EULAs", + "privilege": "ListEulas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "eula*" } ] }, { - "access_level": "List", - "description": "Grants permission to search for AWS resources matching the given query", - "privilege": "SearchResources", + "access_level": "Read", + "description": "Grants permission to list launch profile members", + "privilege": "ListLaunchProfileMembers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "cloudformation:DescribeStacks", - "cloudformation:ListStackResources", - "tag:GetResources" - ], - "resource_type": "" + "dependent_actions": [], + "resource_type": "launch-profile*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a specified resource group", - "privilege": "Tag", + "access_level": "Read", + "description": "Grants permission to list launch profiles", + "privilege": "ListLaunchProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "studio*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "nimble:principalId" ], "dependent_actions": [], "resource_type": "" 
@@ -115297,30 +125816,31 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove the specified resources from the specified group", - "privilege": "UngroupResources", + "access_level": "Read", + "description": "Grants permission to list streaming images", + "privilege": "ListStreamingImages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "studio*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags associated with a specified resource group", - "privilege": "Untag", + "access_level": "Read", + "description": "Grants permission to list streaming sessions", + "privilege": "ListStreamingSessions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "studio*" }, { "condition_keys": [ - "aws:TagKeys" + "nimble:createdBy", + "nimble:ownedBy" ], "dependent_actions": [], "resource_type": "" 
@@ -115328,171 +125848,163 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update a specified resource group", - "privilege": "UpdateGroup", + "access_level": "Read", + "description": "Grants permission to list studio components", + "privilege": "ListStudioComponents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "studio*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the query associated with a specified resource group", - "privilege": "UpdateGroupQuery", + "access_level": "Read", + "description": "Grants permission to list studio members", + "privilege": "ListStudioMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "group*" + "resource_type": "studio*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "group" - } - ], - "service_name": "AWS Resource Groups" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "", - "type": "String" + "access_level": "Read", + "description": "Grants permission to list all studios", + "privilege": "ListStudios", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "aws:TagKeys", - "description": "", - "type": "String" - } - ], - "prefix": "robomaker", - "privileges": [ - { - "access_level": "Write", - "description": "Delete one or more worlds in a batch operation", - "privilege": "BatchDeleteWorlds", + "access_level": "Read", + "description": "Grants permission to list all tags on a Nimble Studio resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Describe multiple simulation jobs", - "privilege": "BatchDescribeSimulationJob", - "resource_types": [ + "resource_type": "launch-profile" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Cancel a deployment job", - "privilege": "CancelDeploymentJob", - "resource_types": [ + "resource_type": "streaming-image" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentJob*" - } - ] - }, - { - "access_level": "Write", - "description": "Cancel a simulation job", - "privilege": "CancelSimulationJob", - "resource_types": [ + "resource_type": "streaming-session" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "simulationJob*" + "resource_type": "studio" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-component" } ] }, { "access_level": "Write", - "description": "Cancel a simulation job batch", - "privilege": "CancelSimulationJobBatch", + "description": "Grants permission to add/update launch profile members", + "privilege": "PutLaunchProfileMembers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationJobBatch*" + "dependent_actions": [ + "sso-directory:DescribeUsers" + ], + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Cancel a world export job", - "privilege": "CancelWorldExportJob", + "description": "Grants permission to report metrics and logs for the Nimble Studio portal to monitor application health", + "privilege": "PutStudioLogEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldExportJob*" + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Cancel a world generation job", - "privilege": "CancelWorldGenerationJob", + "description": "Grants 
permission to add/update studio members", + "privilege": "PutStudioMembers", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldGenerationJob*" + "dependent_actions": [ + "sso-directory:DescribeUsers" + ], + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Create a deployment job", - "privilege": "CreateDeploymentJob", + "description": "Grants permission to repair the studio's AWS SSO configuration", + "privilege": "StartStudioSSOConfigurationRepair", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [ - "iam:CreateServiceLinkedRole" + "sso:CreateManagedApplicationInstance", + "sso:GetManagedApplicationInstance" ], - "resource_type": "" + "resource_type": "studio*" } ] }, { - "access_level": "Write", - "description": "Create a deployment fleet that represents a logical group of robots running the same robot application", - "privilege": "CreateFleet", + "access_level": "Tagging", + "description": "Grants permission to add or overwrite one or more tags for the specified Nimble Studio resource", + "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "launch-profile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streaming-image" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streaming-session" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-component" + }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -115500,528 +126012,567 @@ ] }, { - "access_level": "Write", - "description": "Create a robot that can be registered to a fleet", - "privilege": "CreateRobot", + "access_level": "Tagging", + "description": "Grants permission to disassociate one or more tags from the specified Nimble Studio resource", + "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "launch-profile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streaming-image" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streaming-session" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "studio-component" + }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" + "aws:TagKeys" ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a robot application", - "privilege": "CreateRobotApplication", + "description": "Grants permission to update a launch profile", + "privilege": "UpdateLaunchProfile", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Create a snapshot of a robot application", - "privilege": "CreateRobotApplicationVersion", + "description": "Grants permission to update a launch profile member", + "privilege": "UpdateLaunchProfileMember", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "s3:GetObject" - ], - "resource_type": "robotApplication*" + "dependent_actions": [], + "resource_type": "launch-profile*" } ] }, { "access_level": "Write", - "description": "Create a simulation application", - 
"privilege": "CreateSimulationApplication", + "description": "Grants permission to update a streaming image", + "privilege": "UpdateStreamingImage", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "streaming-image*" } ] }, { "access_level": "Write", - "description": "Create a snapshot of a simulation application", - "privilege": "CreateSimulationApplicationVersion", + "description": "Grants permission to update a studio", + "privilege": "UpdateStudio", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "s3:GetObject" + "iam:PassRole" ], - "resource_type": "simulationApplication*" + "resource_type": "studio*" } ] }, { "access_level": "Write", - "description": "Create a simulation job", - "privilege": "CreateSimulationJob", + "description": "Grants permission to update a studio component", + "privilege": "UpdateStudioComponent", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [ - "iam:CreateServiceLinkedRole" + "ds:AuthorizeApplication", + "ds:DescribeDirectories", + "ec2:DescribeSecurityGroups", + "fsx:DescribeFileSystems" ], - "resource_type": "" + "resource_type": "studio-component*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:studio/${studioId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "studio" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:streaming-image/${streamingImageId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "streaming-image" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:studio-component/${studioComponentId}", + "condition_keys": [ + 
"aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "studio-component" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:launch-profile/${launchProfileId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "launch-profile" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:streaming-session/${streamingSessionId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:createdBy", + "nimble:ownedBy" + ], + "resource": "streaming-session" + }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:eula/${eulaId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:requesterPrincipalId" + ], + "resource": "eula" }, + { + "arn": "arn:${Partition}:nimble:${Region}:${Account}:eula-acceptance/${eulaAcceptanceId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "nimble:studioId" + ], + "resource": "eula-acceptance" + } + ], + "service_name": "Amazon Nimble Studio" + }, + { + "conditions": [], + "prefix": "opsworks", + "privileges": [ { "access_level": "Write", - "description": "Create a world export job", - "privilege": "CreateWorldExportJob", + "description": "Assign a registered instance to a layer", + "privilege": "AssignInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "world*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Create a world generation job", - "privilege": "CreateWorldGenerationJob", + "description": "Assigns one of the stack's registered Amazon EBS volumes to a specified instance", + "privilege": "AssignVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldTemplate*" + 
"resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Create a world template", - "privilege": "CreateWorldTemplate", + "description": "Associates one of the stack's registered Elastic IP addresses with a specified instance", + "privilege": "AssociateElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Delete a deployment fleet", - "privilege": "DeleteFleet", + "description": "Attaches an Elastic Load Balancing load balancer to a specified layer", + "privilege": "AttachElasticLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentFleet*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Delete a robot", - "privilege": "DeleteRobot", + "description": "Creates a clone of a specified stack", + "privilege": "CloneStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "robot*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Delete a robot application", - "privilege": "DeleteRobotApplication", + "description": "Creates an app for a specified stack", + "privilege": "CreateApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "robotApplication*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Delete a simulation application", - "privilege": "DeleteSimulationApplication", + "description": "Runs deployment or stack commands", + "privilege": "CreateDeployment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "simulationApplication*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Delete a world template", - "privilege": "DeleteWorldTemplate", + "description": "Creates an instance in a specified stack", + "privilege": 
"CreateInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldTemplate*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Deregister a robot from a fleet", - "privilege": "DeregisterRobot", + "description": "Creates a layer", + "privilege": "CreateLayer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentFleet*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robot*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Describe a deployment job", - "privilege": "DescribeDeploymentJob", + "access_level": "Write", + "description": "Creates a new stack", + "privilege": "CreateStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentJob*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describe a deployment fleet", - "privilege": "DescribeFleet", + "access_level": "Write", + "description": "Creates a new user profile", + "privilege": "CreateUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentFleet*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describe a robot", - "privilege": "DescribeRobot", + "access_level": "Write", + "description": "Deletes a specified app", + "privilege": "DeleteApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "robot*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Describe a robot application", - "privilege": "DescribeRobotApplication", + "access_level": "Write", + "description": "Deletes a specified instance, which terminates the associated Amazon EC2 instance", + "privilege": "DeleteInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "robotApplication*" + "resource_type": 
"stack" } ] }, { - "access_level": "Read", - "description": "Describe a simulation application", - "privilege": "DescribeSimulationApplication", + "access_level": "Write", + "description": "Deletes a specified layer", + "privilege": "DeleteLayer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "simulationApplication*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Describe a simulation job", - "privilege": "DescribeSimulationJob", + "access_level": "Write", + "description": "Deletes a specified stack", + "privilege": "DeleteStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "simulationJob*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Describe a simulation job batch", - "privilege": "DescribeSimulationJobBatch", + "access_level": "Write", + "description": "Deletes a user profile", + "privilege": "DeleteUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "simulationJobBatch*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describe a world", - "privilege": "DescribeWorld", + "access_level": "Write", + "description": "Deletes a user profile", + "privilege": "DeregisterEcsCluster", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "world*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Describe a world export job", - "privilege": "DescribeWorldExportJob", + "access_level": "Write", + "description": "Deregisters a specified Elastic IP address", + "privilege": "DeregisterElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldExportJob*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Describe a world generation job", - "privilege": "DescribeWorldGenerationJob", + "access_level": "Write", + 
"description": "Deregister a registered Amazon EC2 or on-premises instance", + "privilege": "DeregisterInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldGenerationJob*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Describe a world template", - "privilege": "DescribeWorldTemplate", + "access_level": "Write", + "description": "Deregisters an Amazon RDS instance", + "privilege": "DeregisterRdsDbInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldTemplate*" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Get the body of a world template", - "privilege": "GetWorldTemplateBody", + "access_level": "Write", + "description": "Deregisters an Amazon EBS volume", + "privilege": "DeregisterVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldTemplate*" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List deployment jobs", - "privilege": "ListDeploymentJobs", + "description": "Describes the available AWS OpsWorks agent versions", + "privilege": "DescribeAgentVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List fleets", - "privilege": "ListFleets", + "description": "Requests a description of a specified set of apps", + "privilege": "DescribeApps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List robot applications", - "privilege": "ListRobotApplications", + "description": "Describes the results of specified commands", + "privilege": "DescribeCommands", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { 
"access_level": "List", - "description": "List robots", - "privilege": "ListRobots", + "description": "Requests a description of a specified set of deployments", + "privilege": "DescribeDeployments", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List simulation applications", - "privilege": "ListSimulationApplications", + "description": "Describes Amazon ECS clusters that are registered with a stack", + "privilege": "DescribeEcsClusters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List simulation job batches", - "privilege": "ListSimulationJobBatches", + "description": "Describes Elastic IP addresses", + "privilege": "DescribeElasticIps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List simulation jobs", - "privilege": "ListSimulationJobs", + "description": "Describes a stack's Elastic Load Balancing instances", + "privilege": "DescribeElasticLoadBalancers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "Lists supported availability zones", - "privilege": "ListSupportedAvailabilityZones", + "description": "Requests a description of a set of instances", + "privilege": "DescribeInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List tags for a RoboMaker resource.", - "privilege": "ListTagsForResource", + "description": "Requests a description of one or more layers in a specified stack", + "privilege": "DescribeLayers", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentFleet" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deploymentJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robotApplication" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationApplication" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationJobBatch" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "world" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldExportJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldGenerationJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldTemplate" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List world export jobs", - "privilege": "ListWorldExportJobs", + "description": "Describes load-based auto scaling configurations for specified layers", + "privilege": "DescribeLoadBasedAutoScaling", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "List", - "description": "List world generation jobs", - "privilege": "ListWorldGenerationJobs", + "description": "Describes a user's SSH information", + "privilege": "DescribeMyUserProfile", "resource_types": [ { "condition_keys": [], 
@@ -116032,8 +126583,8 @@ }, { "access_level": "List", - "description": "List world templates", - "privilege": "ListWorldTemplates", + "description": "Describes the operating systems that are supported by AWS OpsWorks Stacks", + "privilege": "DescribeOperatingSystems", "resource_types": [ { "condition_keys": [], 
@@ -116044,231 +126595,104 @@ }, { "access_level": "List", - "description": "List worlds", - "privilege": "ListWorlds", + "description": "Describes the permissions for a specified stack", + "privilege": "DescribePermissions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Register a robot to a fleet", - "privilege": "RegisterRobot", + "access_level": "List", + "description": "Describe an instance's RAID arrays", + "privilege": "DescribeRaidArrays", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentFleet*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robot*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Restart a running simulation job", - "privilege": "RestartSimulationJob", + "access_level": "List", + "description": "Describes Amazon RDS instances", + "privilege": "DescribeRdsDbInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "simulationJob*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Create a simulation job batch", - "privilege": "StartSimulationJobBatch", + "access_level": "List", + "description": "Describes AWS OpsWorks service errors", + "privilege": "DescribeServiceErrors", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "" + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Ensures the most recently deployed robot application is deployed to all robots in the fleet", - "privilege": "SyncDeploymentJob", + "access_level": "List", + "description": "Requests a description of a stack's provisioning parameters", + "privilege": 
"DescribeStackProvisioningParameters", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole" - ], - "resource_type": "deploymentFleet*" + "dependent_actions": [], + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Add tags to a RoboMaker resource", - "privilege": "TagResource", + "access_level": "List", + "description": "Describes the number of layers and apps in a specified stack, and the number of instances in each state, such as running_setup or online", + "privilege": "DescribeStackSummary", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentFleet" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deploymentJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robotApplication" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationApplication" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationJobBatch" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "world" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldExportJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldGenerationJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldTemplate" - }, - { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Remove tags from a RoboMaker resource", - "privilege": "UntagResource", + "access_level": "List", + "description": "Requests a description of one 
or more stacks", + "privilege": "DescribeStacks", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deploymentFleet" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deploymentJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robot" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "robotApplication" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationApplication" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "simulationJobBatch" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "world" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldExportJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldGenerationJob" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "worldTemplate" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Update a robot application", - "privilege": "UpdateRobotApplication", + "access_level": "List", + "description": "Describes time-based auto scaling configurations for specified instances", + "privilege": "DescribeTimeBasedAutoScaling", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "robotApplication*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Report the deployment status for an individual robot", - "privilege": "UpdateRobotDeployment", + "access_level": "List", + "description": "Describe specified users", + "privilege": "DescribeUserProfiles", "resource_types": [ { "condition_keys": [], 
@@ -116278,433 +126702,333 @@ ] }, { - "access_level": "Write", - "description": "Update a simulation application", - "privilege": "UpdateSimulationApplication", + "access_level": "List", + "description": "Describes an instance's Amazon EBS volumes", + "privilege": "DescribeVolumes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "simulationApplication*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Update a world template", - "privilege": "UpdateWorldTemplate", + "description": "Detaches a specified Elastic Load Balancing instance from its layer", + "privilege": "DetachElasticLoadBalancer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "worldTemplate*" + "resource_type": "stack" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:robot-application/${ApplicationName}/${CreatedOnEpoch}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "robotApplication" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:simulation-application/${ApplicationName}/${CreatedOnEpoch}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "simulationApplication" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:simulation-job/${SimulationJobId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "simulationJob" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:simulation-job-batch/${SimulationJobBatchId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "simulationJobBatch" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:deployment-job/${DeploymentJobId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "deploymentJob" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:robot/${RobotName}/${CreatedOnEpoch}", - "condition_keys": [ - 
"aws:ResourceTag/${TagKey}" - ], - "resource": "robot" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:deployment-fleet/${FleetName}/${CreatedOnEpoch}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "deploymentFleet" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world-generation-job/${WorldGenerationJobId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "worldGenerationJob" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world-export-job/${WorldExportJobId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "worldExportJob" - }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world-template/${WorldTemplateJobId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "worldTemplate" }, - { - "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world/${WorldId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "world" - } - ], - "service_name": "AWS RoboMaker" - }, - { - "conditions": [], - "prefix": "route53", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate an additional Amazon VPC with a private hosted zone", - "privilege": "AssociateVPCWithHostedZone", + "description": "Disassociates an Elastic IP address from its instance", + "privilege": "DisassociateElasticIp", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "ec2:DescribeVpcs" - ], - "resource_type": "vpc*" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name", - "privilege": "ChangeResourceRecordSets", + "access_level": "Read", + "description": "Gets a generated host name for the specified layer, 
based on the current host name theme", + "privilege": "GetHostnameSuggestion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "stack" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add, edit, or delete tags for a health check or a hosted zone", - "privilege": "ChangeTagsForResource", + "access_level": "Write", + "description": "Grants RDP access to a Windows instance for a specified time period", + "privilege": "GrantAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck*" - }, + "resource_type": "stack" + } + ] + }, + { + "access_level": "List", + "description": "Returns a list of tags that are applied to the specified stack or layer", + "privilege": "ListTags", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new health check, which monitors the health and performance of your web applications, web servers, and other resources", - "privilege": "CreateHealthCheck", + "description": "Reboots a specified instance", + "privilege": "RebootInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a public hosted zone, which you use to specify how the Domain Name System (DNS) routes traffic on the Internet for a domain, such as example.com, and its subdomains", - "privilege": "CreateHostedZone", + "description": "Registers a specified Amazon ECS cluster with a stack", + "privilege": "RegisterEcsCluster", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DescribeVpcs" - ], - "resource_type": "vpc" + "dependent_actions": [], + "resource_type": "stack" } ] }, { "access_level": 
"Write", - "description": "Grants permission to create a configuration for DNS query logging", - "privilege": "CreateQueryLoggingConfig", + "description": "Registers an Elastic IP address with a specified stack", + "privilege": "RegisterElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a delegation set (a group of four name servers) that can be reused by multiple hosted zones", - "privilege": "CreateReusableDelegationSet", + "description": "Registers instances with a specified stack that were created outside of AWS OpsWorks", + "privilege": "RegisterInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a traffic policy, which you use to create multiple DNS records for one domain name (such as example.com) or one subdomain name (such as www.example.com)", - "privilege": "CreateTrafficPolicy", + "description": "Registers an Amazon RDS instance with a stack", + "privilege": "RegisterRdsDbInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create records in a specified hosted zone based on the settings in a specified traffic policy version", - "privilege": "CreateTrafficPolicyInstance", + "description": "Registers an Amazon EBS volume with a specified stack", + "privilege": "RegisterVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "trafficpolicy*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new 
version of an existing traffic policy", - "privilege": "CreateTrafficPolicyVersion", + "description": "Specify the load-based auto scaling configuration for a specified layer", + "privilege": "SetLoadBasedAutoScaling", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicy*" + "resource_type": "stack" } ] }, { - "access_level": "Write", - "description": "Grants permission to authorize the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request, which associates the VPC with a specified hosted zone that was created by a different account", - "privilege": "CreateVPCAssociationAuthorization", + "access_level": "Permissions management", + "description": "Specifies a user's permissions", + "privilege": "SetPermission", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a health check", - "privilege": "DeleteHealthCheck", + "description": "Specify the time-based auto scaling configuration for a specified instance", + "privilege": "SetTimeBasedAutoScaling", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a hosted zone", - "privilege": "DeleteHostedZone", + "description": "Starts a specified instance", + "privilege": "StartInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a configuration for DNS query logging", - "privilege": "DeleteQueryLoggingConfig", + "description": "Starts a stack's instances", + "privilege": "StartStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "queryloggingconfig*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a reusable delegation set", - "privilege": "DeleteReusableDelegationSet", + "description": "Stops a specified instance", + "privilege": "StopInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "delegationset*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a traffic policy", - "privilege": "DeleteTrafficPolicy", + "description": "Stops a specified stack", + "privilege": "StopStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicy*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a traffic policy instance and all the records that Route 53 created when you created the instance", - "privilege": "DeleteTrafficPolicyInstance", + "description": "Apply tags to a specified stack or layer", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicyinstance*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to remove authorization for associating an Amazon Virtual Private Cloud with a Route 53 private hosted zone", - "privilege": "DeleteVPCAssociationAuthorization", + "description": "Unassigns a registered instance from all of it's layers", + "privilege": "UnassignInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "stack" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate an Amazon Virtual Private Cloud from a Route 53 private hosted zone", - "privilege": "DisassociateVPCFromHostedZone", + "description": "Unassigns an assigned Amazon EBS volume", + "privilege": "UnassignVolume", 
"resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "ec2:DescribeVpcs" - ], - "resource_type": "hostedzone" - }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "vpc" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the specified limit for the current account, for example, the maximum number of health checks that you can create using the account", - "privilege": "GetAccountLimit", + "access_level": "Write", + "description": "Removes tags from a specified stack or layer", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "List", - "description": "Grants permission to get the current status of a request to create, update, or delete one or more records", - "privilege": "GetChange", + "access_level": "Write", + "description": "Updates a specified app", + "privilege": "UpdateApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "change*" + "resource_type": "stack" } ] }, { - "access_level": "List", - "description": "Grants permission to get a list of the IP ranges that are used by Route 53 health checkers to check the health of your resources", - "privilege": "GetCheckerIpRanges", + "access_level": "Write", + "description": "Updates a registered Elastic IP address's name", + "privilege": "UpdateElasticIp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "List", - "description": "Grants permission to get information about whether a specified geographic location is supported for Route 53 geolocation records", - "privilege": "GetGeoLocation", + "access_level": "Write", + "description": "Updates a specified instance", + "privilege": "UpdateInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], 
- "resource_type": "" + "resource_type": "stack" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specified health check", - "privilege": "GetHealthCheck", + "access_level": "Write", + "description": "Updates a specified layer", + "privilege": "UpdateLayer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck*" + "resource_type": "stack" } ] }, { - "access_level": "List", - "description": "Grants permission to get the number of health checks that are associated with the current AWS account", - "privilege": "GetHealthCheckCount", + "access_level": "Write", + "description": "Updates a user's SSH public key", + "privilege": "UpdateMyUserProfile", "resource_types": [ { "condition_keys": [], 
@@ -116714,129 +127038,143 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get the reason that a specified health check failed most recently", - "privilege": "GetHealthCheckLastFailureReason", + "access_level": "Write", + "description": "Updates an Amazon RDS instance", + "privilege": "UpdateRdsDbInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck*" + "resource_type": "stack" } ] }, { - "access_level": "List", - "description": "Grants permission to get the status of a specified health check", - "privilege": "GetHealthCheckStatus", + "access_level": "Write", + "description": "Updates a specified stack", + "privilege": "UpdateStack", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck*" + "resource_type": "stack" } ] }, { - "access_level": "List", - "description": "Grants permission to get information about a specified hosted zone including the four name servers that Route 53 assigned to the hosted zone", - "privilege": "GetHostedZone", + "access_level": "Permissions management", + "description": "Updates a specified user profile", + "privilege": "UpdateUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to get the number of hosted zones that are associated with the current AWS account", - "privilege": "GetHostedZoneCount", + "access_level": "Write", + "description": "Updates an Amazon EBS volume's name or mount point", + "privilege": "UpdateVolume", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "stack" } ] - }, + } + ], + "resources": [ { - "access_level": "Read", - "description": "Grants permission to get the specified limit for a specified hosted zone", - "privilege": "GetHostedZoneLimit", + "arn": 
"arn:${Partition}:opsworks:${Region}:${Account}:stack/${StackId}/", + "condition_keys": [], + "resource": "stack" + } + ], + "service_name": "AWS OpsWorks" + }, + { + "conditions": [], + "prefix": "opsworks-cm", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate a node to a configuration management server", + "privilege": "AssociateNode", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specified configuration for DNS query logging", - "privilege": "GetQueryLoggingConfig", + "access_level": "Write", + "description": "Grants permission to create a backup for the specified server", + "privilege": "CreateBackup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "queryloggingconfig*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to get information about a specified reusable delegation set, including the four name servers that are assigned to the delegation set", - "privilege": "GetReusableDelegationSet", + "access_level": "Write", + "description": "Grants permission to create a new server", + "privilege": "CreateServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "delegationset*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the maximum number of hosted zones that you can associate with the specified reusable delegation set", - "privilege": "GetReusableDelegationSetLimit", + "access_level": "Write", + "description": "Grants permission to delete the specified backup and possibly its S3 bucket", + "privilege": "DeleteBackup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "delegationset*" + "resource_type": "" } ] }, { - 
"access_level": "Read", - "description": "Grants permission to get information about a specified traffic policy version", - "privilege": "GetTrafficPolicy", + "access_level": "Write", + "description": "Grants permission to delete the specified server with its corresponding CloudFormation stack and possibly the S3 bucket", + "privilege": "DeleteServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicy*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specified traffic policy instance", - "privilege": "GetTrafficPolicyInstance", + "access_level": "List", + "description": "Grants permission to describe the service limits for the user's account", + "privilege": "DescribeAccountAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicyinstance*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the number of traffic policy instances that are associated with the current AWS account", - "privilege": "GetTrafficPolicyInstanceCount", + "access_level": "List", + "description": "Grants permission to describe a single backup, all backups of a specified server or all backups of the user's account", + "privilege": "DescribeBackups", "resource_types": [ { "condition_keys": [], @@ -116847,8 +127185,8 @@ }, { "access_level": "List", - "description": "Grants permission to get a list of geographic locations that Route 53 supports for geolocation", - "privilege": "ListGeoLocations", + "description": "Grants permission to describe all events of the specified server", + "privilege": "DescribeEvents", "resource_types": [ { "condition_keys": [], 
@@ -116859,8 +127197,8 @@ }, { "access_level": "List", - "description": "Grants permission to get a list of the health checks that are associated with the current AWS account", - "privilege": "ListHealthChecks", + "description": "Grants permission to describe the association status for the specified node token and the specified server", + "privilege": "DescribeNodeAssociationStatus", "resource_types": [ { "condition_keys": [], @@ -116871,8 +127209,8 @@ }, { "access_level": "List", - "description": "Grants permission to get a list of the public and private hosted zones that are associated with the current AWS account", - "privilege": "ListHostedZones", + "description": "Grants permission to describe the specified server or all servers of the user's account", + "privilege": "DescribeServers", "resource_types": [ { "condition_keys": [], @@ -116882,9 +127220,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get a list of your hosted zones in lexicographic order. Hosted zones are sorted by name with the labels reversed, for example, com.example.www.", - "privilege": "ListHostedZonesByName", + "access_level": "Write", + "description": "Grants permission to disassociate a specified node from a server", + "privilege": "DisassociateNode", "resource_types": [ { "condition_keys": [], 
@@ -116894,47 +127232,45 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get a list of all the private hosted zones that a specified VPC is associated with", - "privilege": "ListHostedZonesByVPC", + "access_level": "Read", + "description": "Grants permission to export an engine attribute from a server", + "privilege": "ExportServerEngineAttribute", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "ec2:DescribeVpcs" - ], - "resource_type": "vpc*" + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the configurations for DNS query logging that are associated with the current AWS account or the configuration that is associated with a specified hosted zone.", - "privilege": "ListQueryLoggingConfigs", + "access_level": "Read", + "description": "Grants permission to list the tags that are applied to the specified server or backup", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the records in a specified hosted zone", - "privilege": "ListResourceRecordSets", + "access_level": "Write", + "description": "Grants permission to apply a backup to specified server. Possibly swaps out the ec2-instance if specified", + "privilege": "RestoreServer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the reusable delegation sets that are associated with the current AWS account.", - "privilege": "ListReusableDelegationSets", + "access_level": "Write", + "description": "Grants permission to start the server maintenance immediately", + "privilege": "StartMaintenance", "resource_types": [ { "condition_keys": [], 
@@ -116944,43 +127280,33 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list tags for one health check or hosted zone", - "privilege": "ListTagsForResource", + "access_level": "Tagging", + "description": "Grants permission to apply tags to the specified server or backup", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hostedzone" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list tags for up to 10 health checks or hosted zones", - "privilege": "ListTagsForResources", + "access_level": "Tagging", + "description": "Grants permission to remove tags from the specified server or backup", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "hostedzone" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to get information about the latest version for every traffic policy that is associated with the current AWS account. Policies are listed in the order in which they were created.", - "privilege": "ListTrafficPolicies", + "access_level": "Write", + "description": "Grants permission to update general server settings", + "privilege": "UpdateServer", "resource_types": [ { "condition_keys": [], 
@@ -116990,9 +127316,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get information about the traffic policy instances that you created by using the current AWS account", - "privilege": "ListTrafficPolicyInstances", + "access_level": "Write", + "description": "Grants permission to update server settings specific to the configuration management type", + "privilege": "UpdateServerEngineAttributes", "resource_types": [ { "condition_keys": [], 
@@ -117000,183 +127326,188 @@ "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:opsworks-cm::${Account}:server/${ServerName}/${UniqueId}", + "condition_keys": [], + "resource": "server" }, { - "access_level": "List", - "description": "Grants permission to get information about the traffic policy instances that you created in a specified hosted zone", - "privilege": "ListTrafficPolicyInstancesByHostedZone", + "arn": "arn:${Partition}:opsworks-cm::${Account}:backup/${ServerName}-{Date-and-Time-Stamp-of-Backup}", + "condition_keys": [], + "resource": "backup" + } + ], + "service_name": "AWS OpsWorks Configuration Management" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "organizations:PolicyType", + "description": "Enables you to filter the request to only the specified policy type names.", + "type": "String" + }, + { + "condition": "organizations:ServicePrincipal", + "description": "Enables you to filter the request to only the specified service principal names.", + "type": "String" + } + ], + "prefix": "organizations", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request.", + "privilege": "AcceptHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "handshake*" } ] }, { - "access_level": "List", - "description": "Grants permission to get information about 
the traffic policy instances that you created using a specified traffic policy version", - "privilege": "ListTrafficPolicyInstancesByPolicy", + "access_level": "Write", + "description": "Grants permission to attach a policy to a root, an organizational unit, or an individual account.", + "privilege": "AttachPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicy*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get information about all the versions for a specified traffic policy", - "privilege": "ListTrafficPolicyVersions", - "resource_types": [ + "resource_type": "policy*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicy*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to get a list of the VPCs that were created by other accounts and that can be associated with a specified hosted zone", - "privilege": "ListVPCAssociationAuthorizations", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hostedzone*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get the value that Route 53 returns in response to a DNS query for a specified record name and type", - "privilege": "TestDNSAnswer", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "root" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update an existing health check", - "privilege": "UpdateHealthCheck", + "description": "Grants permission to cancel a handshake.", + "privilege": "CancelHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "healthcheck*" + "resource_type": "handshake*" } ] }, 
{ "access_level": "Write", - "description": "Grants permission to update the comment for a specified hosted zone", - "privilege": "UpdateHostedZoneComment", + "description": "Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request.", + "privilege": "CreateAccount", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "hostedzone*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the comment for a specified traffic policy version", - "privilege": "UpdateTrafficPolicyComment", + "description": "Grants permission to create an AWS GovCloud (US) account.", + "privilege": "CreateGovCloudAccount", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "trafficpolicy*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the records in a specified hosted zone that were created based on the settings in a specified traffic policy version", - "privilege": "UpdateTrafficPolicyInstance", + "description": "Grants permission to create an organization. 
The account with the credentials that calls the CreateOrganization operation automatically becomes the management account of the new organization.", + "privilege": "CreateOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "trafficpolicyinstance*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:route53:::change/${Id}", - "condition_keys": [], - "resource": "change" - }, - { - "arn": "arn:${Partition}:route53:::delegationset/${Id}", - "condition_keys": [], - "resource": "delegationset" - }, - { - "arn": "arn:${Partition}:route53:::healthcheck/${Id}", - "condition_keys": [], - "resource": "healthcheck" - }, - { - "arn": "arn:${Partition}:route53:::hostedzone/${Id}", - "condition_keys": [], - "resource": "hostedzone" - }, - { - "arn": "arn:${Partition}:route53:::trafficpolicy/${Id}", - "condition_keys": [], - "resource": "trafficpolicy" - }, - { - "arn": "arn:${Partition}:route53:::trafficpolicyinstance/${Id}", - "condition_keys": [], - "resource": "trafficpolicyinstance" }, { - "arn": "arn:${Partition}:route53:::queryloggingconfig/${Id}", - "condition_keys": [], - "resource": "queryloggingconfig" - }, - { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}", - "condition_keys": [], - "resource": "vpc" - } - ], - "service_name": "Amazon Route 53" - }, - { - "conditions": [], - "prefix": "route53domains", - "privileges": [ - { - "access_level": "Read", - "description": "Grants permission to check the availability of one domain name", - "privilege": "CheckDomainAvailability", + "access_level": "Write", + "description": "Grants permission to create an organizational unit (OU) within a root or parent OU.", + "privilege": "CreateOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "organizationalunit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" + }, + { + "condition_keys": [ + 
"aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to delete the specified tags for a domain", - "privilege": "DeleteTagsForDomain", + "access_level": "Write", + "description": "Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account.", + "privilege": "CreatePolicy", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:PolicyType", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -117184,20 +127515,20 @@ }, { "access_level": "Write", - "description": "Grants permission to configure Amazon Route 53 to automatically renew the specified domain before the domain registration expires", - "privilege": "DisableDomainAutoRenew", + "description": "Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request.", + "privilege": "DeclineHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "handshake*" } ] }, { "access_level": "Write", - "description": "Grants permission to remove the transfer lock on the domain (specifically the clientTransferProhibited status) to allow domain transfers", - "privilege": "DisableDomainTransferLock", + "description": "Grants permission to delete the organization.", + "privilege": "DeleteOrganization", "resource_types": [ { "condition_keys": [], 
@@ -117208,56 +127539,70 @@ }, { "access_level": "Write", - "description": "Grants permission to configure Amazon Route 53 to automatically renew the specified domain before the domain registration expires", - "privilege": "EnableDomainAutoRenew", + "description": "Grants permission to delete an organizational unit from a root or another OU.", + "privilege": "DeleteOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "organizationalunit*" } ] }, { "access_level": "Write", - "description": "Grants permission to set the transfer lock on the domain (specifically the clientTransferProhibited status) to prevent domain transfers", - "privilege": "EnableDomainTransferLock", + "description": "Grants permission to delete a policy from your organization.", + "privilege": "DeletePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "policy*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to get information about whether the registrant contact has responded", - "privilege": "GetContactReachabilityStatus", + "access_level": "Write", + "description": "Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal.", + "privilege": "DeregisterDelegatedAdministrator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "account*" + }, + { + "condition_keys": [ + "organizations:ServicePrincipal" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get detailed information about a domain", - "privilege": 
"GetDomainDetail", + "description": "Grants permission to retrieve Organizations-related details about the specified account.", + "privilege": "DescribeAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "account*" } ] }, { "access_level": "Read", - "description": "Grants permission to get a list of suggested domain names given a string, which can either be a domain name or simply a word or phrase (without spaces)", - "privilege": "GetDomainSuggestions", + "description": "Grants permission to retrieve the current status of an asynchronous request to create an account.", + "privilege": "DescribeCreateAccountStatus", "resource_types": [ { "condition_keys": [], 
@@ -117268,32 +127613,39 @@ }, { "access_level": "Read", - "description": "Grants permission to get the current status of an operation that is not completed", - "privilege": "GetOperationDetail", + "description": "Grants permission to retrieve the effective policy for an account.", + "privilege": "DescribeEffectivePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "account*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the domain names registered with Amazon Route 53 for the current AWS account", - "privilege": "ListDomains", + "access_level": "Read", + "description": "Grants permission to retrieve details about a previously requested handshake.", + "privilege": "DescribeHandshake", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "handshake*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the operation IDs of operations that are not yet complete", - "privilege": "ListOperations", + "access_level": "Read", + "description": "Grants permission to retrieves details about the organization that the calling credentials belong to.", + "privilege": "DescribeOrganization", "resource_types": [ { "condition_keys": [], 
@@ -117303,72 +127655,79 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all the tags that are associated with the specified domain", - "privilege": "ListTagsForDomain", + "access_level": "Read", + "description": "Grants permission to retrieve details about an organizational unit (OU).", + "privilege": "DescribeOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "organizationalunit*" } ] }, { - "access_level": "Write", - "description": "Grants permission to register domains", - "privilege": "RegisterDomain", + "access_level": "Read", + "description": "Grants permission to retrieves details about a policy.", + "privilege": "DescribePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "policy*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to renew domains for the specified number of years", - "privilege": "RenewDomain", + "description": "Grants permission to detach a policy from a target root, organizational unit, or account.", + "privilege": "DetachPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to resend the confirmation email to the current email address for the registrant contact", - "privilege": "ResendContactReachabilityEmail", - "resource_types": [ + "resource_type": "policy*" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to get the AuthCode for the domain", - "privilege": "RetrieveDomainAuthCode", - 
"resource_types": [ + "resource_type": "account" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "root" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to transfer a domain from another registrar to Amazon Route 53", - "privilege": "TransferDomain", + "description": "Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.", + "privilege": "DisableAWSServiceAccess", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:ServicePrincipal" + ], "dependent_actions": [], "resource_type": "" } @@ -117376,23 +127735,32 @@ }, { "access_level": "Write", - "description": "Grants permission to update the contact information for domain", - "privilege": "UpdateDomainContact", + "description": "Grants permission to disable an organization policy type in a root.", + "privilege": "DisablePolicyType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "root*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the domain contact privacy setting", - "privilege": "UpdateDomainContactPrivacy", + "description": "Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.", + "privilege": "EnableAWSServiceAccess", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:ServicePrincipal" + ], "dependent_actions": [], "resource_type": "" } 
@@ -117400,8 +127768,8 @@ }, { "access_level": "Write", - "description": "Grants permission to replace the current set of name servers for a domain with the specified set of name servers", - "privilege": "UpdateDomainNameservers", + "description": "Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features.", + "privilege": "EnableAllFeatures", "resource_types": [ { "condition_keys": [], 
@@ -117411,756 +127779,19775 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to add or update tags for a specified domain", - "privilege": "UpdateTagsForDomain", + "access_level": "Write", + "description": "Grants permission to enable a policy type in a root.", + "privilege": "EnablePolicyType", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "root*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get all the domain-related billing records for the current AWS account for a specified period", - "privilege": "ViewBilling", + "access_level": "Write", + "description": "Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account.", + "privilege": "InviteAccountToOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "account" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [], - "service_name": "Amazon Route53 Domains" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - } - ], - "prefix": "route53resolver", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a specified IP address with a Resolver endpoint. 
This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", - "privilege": "AssociateResolverEndpointIpAddress", + "description": "Grants permission to remove a member account from its parent organization.", + "privilege": "LeaveOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to associate an Amazon VPC with a specified query logging configuration", - "privilege": "AssociateResolverQueryLogConfig", + "access_level": "List", + "description": "Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization.", + "privilege": "ListAWSServiceAccessForOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to associate a specified Resolver rule with a specified VPC", - "privilege": "AssociateResolverRule", + "access_level": "List", + "description": "Grants permission to list all of the the accounts in the organization.", + "privilege": "ListAccounts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a Resolver endpoint. 
There are two types of Resolver endpoints, inbound and outbound", - "privilege": "CreateResolverEndpoint", + "access_level": "List", + "description": "Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU).", + "privilege": "ListAccountsForParent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to create a Resolver query logging configuration, which defines where you want Resolver to save DNS query logs that originate in your VPCs", - "privilege": "CreateResolverQueryLogConfig", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "root" } ] }, { - "access_level": "Write", - "description": "For DNS queries that originate in your VPC, grants permission to define how to route the queries out of the VPC", - "privilege": "CreateResolverRule", + "access_level": "List", + "description": "Grants permission to list all of the OUs or accounts that are contained in a parent OU or root.", + "privilege": "ListChildren", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete a Resolver endpoint. 
The effect of deleting a Resolver endpoint depends on whether it's an inbound or an outbound endpoint", - "privilege": "DeleteResolverEndpoint", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint*" + "resource_type": "root" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a Resolver query logging configuration", - "privilege": "DeleteResolverQueryLogConfig", + "access_level": "List", + "description": "Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization.", + "privilege": "ListCreateAccountStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a Resolver rule", - "privilege": "DeleteResolverRule", + "access_level": "List", + "description": "Grants permission to list the AWS accounts that are designated as delegated administrators in this organization.", + "privilege": "ListDelegatedAdministrators", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:ServicePrincipal" + ], "dependent_actions": [], - "resource_type": "resolver-rule*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove a specified IP address from a Resolver endpoint. 
This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", - "privilege": "DisassociateResolverEndpointIpAddress", + "access_level": "List", + "description": "Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization.", + "privilege": "ListDelegatedServicesForAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint*" + "resource_type": "account*" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove the association between a specified Resolver query logging configuration and a specified VPC", - "privilege": "DisassociateResolverQueryLogConfig", + "access_level": "List", + "description": "Grants permission to list all of the handshakes that are associated with an account.", + "privilege": "ListHandshakesForAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove the association between a specified Resolver rule and a specified VPC", - "privilege": "DisassociateResolverRule", + "access_level": "List", + "description": "Grants permission to list the handshakes that are associated with the organization.", + "privilege": "ListHandshakesForOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the DNSSEC validation support status for DNS queries within the specified resource", - "privilege": "GetResolverDnssecConfig", + "access_level": "List", + "description": "Grants permission to lists all of the organizational units (OUs) in a parent organizational unit or root.", + "privilege": "ListOrganizationalUnitsForParent", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-dnssec-config*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get information about a specified Resolver endpoint, such as whether it's an inbound or an outbound endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC", - "privilege": "GetResolverEndpoint", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint*" + "resource_type": "root" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specified Resolver query logging configuration, such as the number of VPCs that the configuration is logging queries for and the location that logs are sent to", - "privilege": "GetResolverQueryLogConfig", + "access_level": "List", + "description": "Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account.", + "privilege": "ListParents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get information about a specified association between a Resolver query logging configuration and an Amazon VPC. 
When you associate a VPC with a query logging configuration, Resolver logs DNS queries that originate in that VPC", - "privilege": "GetResolverQueryLogConfigAssociation", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "organizationalunit" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specified Resolver query logging policy, which specifies the Resolver query logging operations and resources that you want to allow another AWS account to use", - "privilege": "GetResolverQueryLogConfigPolicy", + "access_level": "List", + "description": "Grants permission to list all of the policies in an organization.", + "privilege": "ListPolicies", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "organizations:PolicyType" + ], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the IP address that queries are forwarded to.", - "privilege": "GetResolverRule", + "access_level": "List", + "description": "Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account.", + "privilege": "ListPoliciesForTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get information about an association between a specified Resolver rule and a VPC", - "privilege": "GetResolverRuleAssociation", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" - } - ] - }, - { - "access_level": "Read", - 
"description": "Grants permission to get information about a Resolver rule policy, which specifies the Resolver operations and resources that you want to allow another AWS account to use", - "privilege": "GetResolverRulePolicy", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" + "resource_type": "root" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the DNSSEC validation support status for DNS queries", - "privilege": "ListResolverDnssecConfigs", + "description": "Grants permission to list all of the roots that are defined in the organization.", + "privilege": "ListRoots", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-dnssec-config*" + "resource_type": "" } ] }, { "access_level": "List", - "description": "For a specified Resolver endpoint, grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", - "privilege": "ListResolverEndpointIpAddresses", + "description": "Grants permission to list all tags for the specified resource.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all the Resolver endpoints that were created using the current AWS account", - "privilege": "ListResolverEndpoints", - "resource_types": [ + "resource_type": "account" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list information about associations between Amazon VPCs and query logging configurations", - "privilege": 
"ListResolverQueryLogConfigAssociations", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list information about the specified query logging configurations, which define where you want Resolver to save DNS query logs and specify the VPCs that you want to log queries for", - "privilege": "ListResolverQueryLogConfigs", - "resource_types": [ + "resource_type": "policy" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "root" } ] }, { "access_level": "List", - "description": "Grants permission to list the associations that were created between Resolver rules and VPCs using the current AWS account", - "privilege": "ListResolverRuleAssociations", + "description": "Grants permission to list all the roots, OUs, and accounts to which a policy is attached.", + "privilege": "ListTargetsForPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "policy*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the Resolver rules that were created using the current AWS account", - "privilege": "ListResolverRules", + "access_level": "Write", + "description": "Grants permission to move an account from its current root or OU to another parent root or OU.", + "privilege": "MoveAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list the tags that you associated with the specified resource", - "privilege": "ListTagsForResource", - "resource_types": [ + "resource_type": "account*" + }, { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "resolver-endpoint" + "resource_type": "organizationalunit" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule" + "resource_type": "root" } ] }, { "access_level": "Write", - "description": "Grants permission to specify an AWS account that you want to share a query logging configuration with, the query logging configuration that you want to share, and the operations that you want the account to be able to perform on the configuration", - "privilege": "PutResolverQueryLogConfigPolicy", + "description": "Grants permission to register the specified member account to administer the Organizations features of the AWS service that is specified by ServicePrincipal.", + "privilege": "RegisterDelegatedAdministrator", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-query-log-config*" + "resource_type": "account*" + }, + { + "condition_keys": [ + "organizations:ServicePrincipal" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to specify an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules", - "privilege": "PutResolverRulePolicy", + "description": "Grants permission to removes the specified account from the organization.", + "privilege": "RemoveAccountFromOrganization", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" + "resource_type": "account*" } ] }, { "access_level": "Tagging", - "description": "Grants permission to add one or more tags to a specified resource", + "description": "Grants permission to add one or more tags to the specified resource.", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint" + 
"resource_type": "account" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule" + "resource_type": "organizationalunit" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "policy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from a specified resource", + "description": "Grants permission to remove one or more tags from the specified resource.", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint" + "resource_type": "account" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update the DNSSEC validation support status for DNS queries within the specified resource", - "privilege": "UpdateResolverDnssecConfig", - "resource_types": [ + "resource_type": "organizationalunit" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-dnssec-config*" + "resource_type": "policy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "root" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update selected settings for an inbound or an outbound Resolver endpoint", - "privilege": "UpdateResolverEndpoint", + "description": "Grants permission to rename an organizational unit (OU).", + "privilege": "UpdateOrganizationalUnit", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-endpoint*" + "resource_type": "organizationalunit*" } ] }, { 
"access_level": "Write", - "description": "Grants permission to update settings for a specified Resolver rule", - "privilege": "UpdateResolverRule", + "description": "Grants permission to update an existing policy with a new name, description, or content.", + "privilege": "UpdatePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "resolver-rule*" + "resource_type": "policy*" + }, + { + "condition_keys": [ + "organizations:PolicyType" + ], + "dependent_actions": [], + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-dnssec-config/${ResourceId}", + "arn": "arn:${Partition}:organizations::${MasterAccountId}:account/o-${OrganizationId}/${AccountId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "resolver-dnssec-config" + "resource": "account" }, { - "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId}", + "arn": "arn:${Partition}:organizations::${MasterAccountId}:handshake/o-${OrganizationId}/${HandshakeType}/h-${HandshakeId}", + "condition_keys": [], + "resource": "handshake" + }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:organization/o-${OrganizationId}", + "condition_keys": [], + "resource": "organization" + }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "resolver-query-log-config" + "resource": "organizationalunit" }, { - "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId}", + "arn": "arn:${Partition}:organizations::${MasterAccountId}:policy/o-${OrganizationId}/${PolicyType}/p-${PolicyId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "resolver-rule" + "resource": "policy" }, { - "arn": 
"arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId}", + "arn": "arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId}", + "condition_keys": [], + "resource": "awspolicy" + }, + { + "arn": "arn:${Partition}:organizations::${MasterAccountId}:root/o-${OrganizationId}/r-${RootId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "resolver-endpoint" + "resource": "root" } ], - "service_name": "Amazon Route 53 Resolver" + "service_name": "AWS Organizations" }, { - "conditions": [ + "conditions": [], + "prefix": "outposts", + "privileges": [ { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create an Outpost", + "privilege": "CreateOutpost", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete an Outpost", + "privilege": "DeleteOutpost", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete an site", + "privilege": "DeleteSite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:AccessPointNetworkOrigin", - "description": "Filters access by the network origin (Internet or VPC)", - "type": "String" + "access_level": "Read", + "description": "Grants permission to get information about the specified Outpost", + "privilege": 
"GetOutpost", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:DataAccessPointAccount", - "description": "Filters access by the AWS Account ID that owns the access point", - "type": "String" + "access_level": "Read", + "description": "Grants permission to list the instance types for the specified Outpost", + "privilege": "GetOutpostInstanceTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:DataAccessPointArn", - "description": "Filters access by an access point Amazon Resource Name (ARN)", - "type": "String" + "access_level": "List", + "description": "Grants permission to list the Outposts for your AWS account", + "privilege": "ListOutposts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:ExistingJobOperation", - "description": "Filters access to updating the job priority by operation", - "type": "String" + "access_level": "List", + "description": "Grants permission to list the sites for your AWS account", + "privilege": "ListSites", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:ExistingJobPriority", - "description": "Filters access to cancelling existing jobs by priority range", - "type": "Numeric" + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:ExistingObjectTag/", - "description": "Filters access by existing object tag key and value", - "type": "String" + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": 
[], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:JobSuspendedCause", - "description": "Filters access to cancelling suspended jobs by a specific job suspended cause (for example, AWAITING_CONFIRMATION)", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Outposts" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { - "condition": "s3:LocationConstraint", - "description": "Filters access by a specific Region", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { - "condition": "s3:RequestJobOperation", - "description": "Filters access to creating jobs by operation", + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" + } + ], + "prefix": "panorama", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an AWS Panorama application", + "privilege": "CreateApp", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:RequestJobPriority", - "description": "Filters access to creating new jobs by priority range", - "type": "Numeric" + "access_level": "Write", + "description": "Grants permission to deploy an AWS Panorama application", + "privilege": "CreateAppDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:RequestObjectTag/", - "description": 
"Filters access by the tag keys and values to be added to objects", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create a version of an AWS Panorama application", + "privilege": "CreateAppVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "appVersion*" + } + ] }, { - "condition": "s3:RequestObjectTagKeys", - "description": "Filters access by the tag keys to be added to objects", - "type": "String" + "access_level": "Write", + "description": "Grants permission to create an AWS Panorama datasource", + "privilege": "CreateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:ResourceAccount", - "description": "Filters access by the resource owner AWS account ID", - "type": "String" + "access_level": "Write", + "description": "Grants permission to configure a deployment for an AWS Panorama application", + "privilege": "CreateDeploymentConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:TlsVersion", - "description": "Filters access by the TLS version used by the client", - "type": "Numeric" + "access_level": "Write", + "description": "Grants permission to register an AWS Panorama Appliance", + "privilege": "CreateDevice", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:VersionId", - "description": "Filters access by a specific object version", - "type": "String" + "access_level": "Write", + "description": "Grants permission to apply a software update to an AWS Panorama Appliance", + "privilege": "CreateDeviceUpdate", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:authType", - "description": "Filters access by authentication method", - "type": "String" + "access_level": "Write", + "description": "Grants permission to generate a list of cameras on the same network as an AWS Panorama Appliance", + "privilege": "CreateInputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] }, { - "condition": "s3:delimiter", - "description": "Filters access by delimiter parameter", - "type": "String" + "access_level": "Write", + "description": "Grants permission to import a machine learning model into AWS Panorama", + "privilege": "CreateModel", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:locationconstraint", - "description": "Filters access by a specific Region", - "type": "String" + "access_level": "Write", + "description": "Grants permission to generate a list of streams available to an AWS Panorama Appliance", + "privilege": "CreateStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] }, { - "condition": "s3:max-keys", - "description": "Filters access by maximum number of keys returned in a ListBucket request", - "type": "Numeric" + "access_level": "Write", + "description": "Grants permission to delete an AWS Panorama application", + "privilege": "DeleteApp", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] }, { - "condition": "s3:object-lock-legal-hold", - "description": "Filters access by object legal hold status", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete a version of an AWS Panorama application", + "privilege": "DeleteAppVersion", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] }, { - "condition": "s3:object-lock-mode", - "description": "Filters access by object retention mode (COMPLIANCE or GOVERNANCE)", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete an AWS Panorama datasource", + "privilege": "DeleteDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource*" + } + ] }, { - "condition": "s3:object-lock-remaining-retention-days", - "description": "Filters access by remaining object retention days", - "type": "String" + "access_level": "Write", + "description": "Grants permission to deregister an AWS Panorama Appliance", + "privilege": "DeleteDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] }, { - "condition": "s3:object-lock-retain-until-date", - "description": "Filters access by object retain-until date", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete a machine learning model from AWS Panorama", + "privilege": "DeleteModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model*" + } + ] }, { - "condition": "s3:prefix", - "description": "Filters access by key name prefix", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama application", + "privilege": "DescribeApp", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] }, { - "condition": "s3:signatureAge", - "description": "Filters access by the age in milliseconds of the request signature", - "type": "Numeric" + "access_level": "Read", + "description": "Grants permission to view details about a deployment for an AWS Panorama application", + "privilege": "DescribeAppDeployment", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:signatureversion", - "description": "Filters access by the version of AWS Signature used on the request", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about a version of an AWS Panorama application", + "privilege": "DescribeAppVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] }, { - "condition": "s3:versionid", - "description": "Filters access by a specific object version", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about a datasource in AWS Panorama", + "privilege": "DescribeDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource*" + } + ] }, { - "condition": "s3:x-amz-acl", - "description": "Filters access by canned ACL in the request's x-amz-acl header", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about an AWS Panorama Appliance", + "privilege": "DescribeDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] }, { - "condition": "s3:x-amz-content-sha256", - "description": "Filters access to unsigned content in your bucket", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about a software update for an AWS Panorama Appliance", + "privilege": "DescribeDeviceUpdate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:x-amz-copy-source", - "description": "Filters access to requests with a specific bucket, prefix, or object as the copy source", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about a machine 
learning model in AWS Panorama", + "privilege": "DescribeModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model*" + } + ] }, { - "condition": "s3:x-amz-grant-full-control", - "description": "Filters access to requests with the x-amz-grant-full-control (full control) header", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about a software version for the AWS Panorama Appliance", + "privilege": "DescribeSoftware", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:x-amz-grant-read", - "description": "Filters access to requests with the x-amz-grant-read (read access) header", - "type": "String" + "access_level": "Read", + "description": "Grants permission to view details about a deployment configuration for an AWS Panorama application", + "privilege": "GetDeploymentConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:x-amz-grant-read-acp", - "description": "Filters access to requests with the x-amz-grant-read-acp (read permissions for the ACL) header", - "type": "String" + "access_level": "Read", + "description": "Grants permission to retrieve a list of cameras generated with CreateInputs", + "privilege": "GetInputs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] }, { - "condition": "s3:x-amz-grant-write", - "description": "Filters access to requests with the x-amz-grant-write (write access) header", - "type": "String" + "access_level": "Read", + "description": "Grants permission to retrieve a list of streams generated with CreateStreams", + "privilege": "GetStreams", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] }, { - "condition": "s3:x-amz-grant-write-acp", 
- "description": "Filters access to requests with the x-amz-grant-write-acp (write permissions for the ACL) header", - "type": "String" + "access_level": "Read", + "description": "Grants permission to generate a WebSocket endpoint for communication with AWS Panorama", + "privilege": "GetWebSocketURL", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:x-amz-metadata-directive", - "description": "Filters access by object metadata behavior (COPY or REPLACE) when objects are copied", - "type": "String" + "access_level": "List", + "description": "Grants permission to retrieve a list of deployments for an AWS Panorama application", + "privilege": "ListAppDeploymentOperations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - "condition": "s3:x-amz-server-side-encryption", - "description": "Filters access by server-side encryption", - "type": "String" + "access_level": "List", + "description": "Grants permission to retrieve a list of application versions in AWS Panorama", + "privilege": "ListAppVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] }, { - "condition": "s3:x-amz-server-side-encryption-aws-kms-key-id", - "description": "Filters access by AWS KMS customer managed CMK for server-side encryption", - "type": "String" + "access_level": "List", + "description": "Grants permission to retrieve a list of applications in AWS Panorama", + "privilege": "ListApps", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of datasources in AWS Panorama", + "privilege": "ListDataSources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, + { + 
"access_level": "List", + "description": "Grants permission to retrieve a list of deployment configurations in AWS Panorama", + "privilege": "ListDeploymentConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of software updates for an AWS Panorama Appliance", + "privilege": "ListDeviceUpdates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of appliances in AWS Panorama", + "privilege": "ListDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of models in AWS Panorama", + "privilege": "ListModels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a list of tags for a resource in AWS Panorama", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource in AWS Panorama", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource" + }, + { + "condition_keys": [], 
+ "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource in AWS Panorama", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an AWS Panorama application", + "privilege": "UpdateApp", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the version-specific configuration of an AWS Panorama application", + "privilege": "UpdateAppConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an AWS Panorama datasource", + "privilege": "UpdateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataSource*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify basic settings for an AWS Panorama Appliance", + "privilege": "UpdateDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + 
} + ], + "resources": [ + { + "arn": "arn:${Partition}:panorama:${Region}:${AccountId}:device/${DeviceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "device" + }, + { + "arn": "arn:${Partition}:panorama:${Region}:${AccountId}:dataSource/${DeviceName}/${DataSourceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dataSource" + }, + { + "arn": "arn:${Partition}:panorama:${Region}:${AccountId}:model/${ModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "model" + }, + { + "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "app" + }, + { + "arn": "arn:${Partition}:panorama:${Region}:${Account}:app/${AppName}:{AppVersion}", + "condition_keys": [], + "resource": "appVersion" + } + ], + "service_name": "AWS Panorama" + }, + { + "conditions": [], + "prefix": "personalize", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a batch inference job", + "privilege": "CreateBatchInferenceJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "batchInferenceJob*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a campaign", + "privilege": "CreateCampaign", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a dataset export job", + "privilege": "CreateDatasetExportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetExportJob*" + } + 
] + }, + { + "access_level": "Write", + "description": "Grants permission to create a dataset group", + "privilege": "CreateDatasetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a dataset import job", + "privilege": "CreateDatasetImportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an event tracker", + "privilege": "CreateEventTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a filter", + "privilege": "CreateFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "filter*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a schema", + "privilege": "CreateSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a solution", + "privilege": "CreateSolution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a solution version", + "privilege": "CreateSolutionVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a campaign", + "privilege": "DeleteCampaign", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"campaign*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a dataset group", + "privilege": "DeleteDatasetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an event tracker", + "privilege": "DeleteEventTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a filter", + "privilege": "DeleteFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "filter*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a schema", + "privilege": "DeleteSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a solution including all versions of the solution", + "privilege": "DeleteSolution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an algorithm", + "privilege": "DescribeAlgorithm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "algorithm*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a batch inference job", + "privilege": "DescribeBatchInferenceJob", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "batchInferenceJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a campaign", + "privilege": "DescribeCampaign", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset", + "privilege": "DescribeDataset", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset export job", + "privilege": "DescribeDatasetExportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetExportJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset group", + "privilege": "DescribeDatasetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetGroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset import job", + "privilege": "DescribeDatasetImportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasetImportJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an event tracker", + "privilege": "DescribeEventTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a feature transformation", + "privilege": "DescribeFeatureTransformation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "featureTransformation*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to 
describe a filter", + "privilege": "DescribeFilter", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "filter*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a recipe", + "privilege": "DescribeRecipe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recipe*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a schema", + "privilege": "DescribeSchema", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a solution", + "privilege": "DescribeSolution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a version of a solution", + "privilege": "DescribeSolutionVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a re-ranked list of recommendations", + "privilege": "GetPersonalizedRanking", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a list of recommendations from a campaign", + "privilege": "GetRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get metrics for a solution version", + "privilege": "GetSolutionMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + 
"access_level": "List", + "description": "Grants permission to list batch inference jobs", + "privilege": "ListBatchInferenceJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list campaigns", + "privilege": "ListCampaigns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list dataset export jobs", + "privilege": "ListDatasetExportJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list dataset groups", + "privilege": "ListDatasetGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list dataset import jobs", + "privilege": "ListDatasetImportJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list datasets", + "privilege": "ListDatasets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list event trackers", + "privilege": "ListEventTrackers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list filters", + "privilege": "ListFilters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list recipes", + 
"privilege": "ListRecipes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list schemas", + "privilege": "ListSchemas", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list versions of a solution", + "privilege": "ListSolutionVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list solutions", + "privilege": "ListSolutions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put real time event data", + "privilege": "PutEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventTracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to ingest Items data", + "privilege": "PutItems", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to ingest Users data", + "privilege": "PutUsers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop a solution version creation", + "privilege": "StopSolutionVersionCreation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "solution*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a campaign", + "privilege": "UpdateCampaign", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "campaign*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:schema/${ResourceId}", + "condition_keys": [], + "resource": "schema" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:feature-transformation/${ResourceId}", + "condition_keys": [], + "resource": "featureTransformation" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset/${ResourceId}", + "condition_keys": [], + "resource": "dataset" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-group/${ResourceId}", + "condition_keys": [], + "resource": "datasetGroup" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-import-job/${ResourceId}", + "condition_keys": [], + "resource": "datasetImportJob" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:dataset-export-job/${ResourceId}", + "condition_keys": [], + "resource": "datasetExportJob" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:solution/${ResourceId}", + "condition_keys": [], + "resource": "solution" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:campaign/${ResourceId}", + "condition_keys": [], + "resource": "campaign" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:event-tracker/${ResourceId}", + "condition_keys": [], + "resource": "eventTracker" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:recipe/${ResourceId}", + "condition_keys": [], + "resource": "recipe" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:algorithm/${ResourceId}", + "condition_keys": [], + "resource": "algorithm" + }, + { + "arn": "arn:${Partition}:personalize:${Region}:${Account}:batch-inference-job/${ResourceId}", + "condition_keys": [], + "resource": "batchInferenceJob" + }, + { + "arn": 
"arn:${Partition}:personalize:${Region}:${Account}:filter/${ResourceId}", + "condition_keys": [], + "resource": "filter" + } + ], + "service_name": "Amazon Personalize" + }, + { + "conditions": [], + "prefix": "pi", + "privileges": [ + { + "access_level": "Read", + "description": "For a specific time period, retrieve the top N dimension keys for a metric.", + "privilege": "DescribeDimensionKeys", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Retrieve the attributes of the specified dimension group.", + "privilege": "GetDimensionKeyDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + }, + { + "access_level": "Read", + "description": "Retrieve PI metrics for a set of data sources, over a time period.", + "privilege": "GetResourceMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "metric-resource*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:pi:${Region}:${Account}:metrics/${ServiceType}/${Identifier}", + "condition_keys": [], + "resource": "metric-resource" + } + ], + "service_name": "AWS Performance Insights" + }, + { + "conditions": [], + "prefix": "polly", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permissions to delete the specified pronunciation lexicon stored in an AWS Region", + "privilege": "DeleteLexicon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to describe the list of voices that are available for use when requesting speech synthesis", + "privilege": "DescribeVoices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": 
"Read", + "description": "Grants permissions to retrieve the content of the specified pronunciation lexicon stored in an AWS Region", + "privilege": "GetLexicon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to get information about specific speech synthesis task", + "privilege": "GetSpeechSynthesisTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permisions to list the pronunciation lexicons stored in an AWS Region", + "privilege": "ListLexicons", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list requested speech synthesis tasks", + "privilege": "ListSpeechSynthesisTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to store a pronunciation lexicon in an AWS Region", + "privilege": "PutLexicon", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to synthesize long inputs to the provided S3 location", + "privilege": "StartSpeechSynthesisTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:PutObject" + ], + "resource_type": "lexicon" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to synthesize speech", + "privilege": "SynthesizeSpeech", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "lexicon" + } + ] + } + ], + "resources": [ + { + "arn": 
"arn:${Partition}:polly:${Region}:${Account}:lexicon/${LexiconName}", + "condition_keys": [], + "resource": "lexicon" + } + ], + "service_name": "Amazon Polly" + }, + { + "conditions": [], + "prefix": "pricing", + "privileges": [ + { + "access_level": "Read", + "description": "Returns the service details for all (paginated) services (if serviceCode is not set) or service detail for a particular service (if given serviceCode).", + "privilege": "DescribeServices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Returns all (paginated) possible values for a given attribute.", + "privilege": "GetAttributeValues", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Returns all matching products with given search criteria.", + "privilege": "GetProducts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Price List" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the customer profile service", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names present in the request the user makes to the customer profile service", + "type": "String" + } + ], + "prefix": "profile", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to add a profile key", + "privilege": "AddProfileKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permission to create a Domain", + "privilege": "CreateDomain", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a profile in the domain", + "privilege": "CreateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Domain", + "privilege": "DeleteDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a integration in a domain", + "privilege": "DeleteIntegration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integrations*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a profile", + "privilege": "DeleteProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a profile key", + "privilege": "DeleteProfileKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a profile object", + "privilege": "DeleteProfileObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Write", + 
"description": "Grants permission to delete a specific profile object type in the domain", + "privilege": "DeleteProfileObjectType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific domain in an account", + "privilege": "GetDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific integrations in a domain", + "privilege": "GetIntegration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integrations*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get profile matches", + "privilege": "GetMatches", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific profile object type in the domain", + "privilege": "GetProfileObjectType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a specific object type template", + "privilege": "GetProfileObjectTypeTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the integrations in the account", + "privilege": "ListAccountIntegrations", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the domains in an account", + "privilege": "ListDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the integrations in a specific domain", + "privilege": "ListIntegrations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the profile object type templates in the account", + "privilege": "ListProfileObjectTypeTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the profile object types in the domain", + "privilege": "ListProfileObjectTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the profile objects for a profile", + "privilege": "ListProfileObjects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to merge profiles", + "privilege": "MergeProfiles", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put a integration in a domain", + "privilege": "PutIntegration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "integrations*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put an object for a profile", + "privilege": "PutProfileObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put a specific profile object type in the domain", + "privilege": "PutProfileObjectType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object-types*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search for profiles in a domain", + "privilege": "SearchProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to adds tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants 
permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a Domain", + "privilege": "UpdateDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a profile in the domain", + "privilege": "UpdateProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domains*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "domains" + }, + { + "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/object-types/${ObjectTypeName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "object-types" + }, + { + "arn": "arn:${Partition}:profile:${Region}:${Account}:domains/${DomainName}/integrations/${Uri}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "integrations" + } + ], + "service_name": "Amazon Connect Customer Profiles" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "proton:EnvironmentTemplate", + "description": "Filters actions based on specified environment 
template related to resource", + "type": "String" + }, + { + "condition": "proton:ServiceTemplate", + "description": "Filters actions based on specified service template related to resource", + "type": "String" + } + ], + "prefix": "proton", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to reject an environment account connection request from another environment account.", + "privilege": "AcceptEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel an environment deployment", + "privilege": "CancelEnvironmentDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a service instance deployment", + "privilege": "CancelServiceInstanceDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a service pipeline deployment", + "privilege": "CancelServicePipelineDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment", + "privilege": "CreateEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + 
"iam:PassRole" + ], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment account connection", + "privilege": "CreateEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment template", + "privilege": "CreateEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use CreateEnvironmentTemplateVersion instead", + "privilege": "CreateEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use CreateEnvironmentTemplateVersion instead", + "privilege": "CreateEnvironmentTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an environment template version", + "privilege": "CreateEnvironmentTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "environment-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service", + "privilege": "CreateService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "codestar-connections:PassConnection" + ], + "resource_type": "service*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}", + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service template", + "privilege": "CreateServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use CreateServiceTemplateVersion instead", + "privilege": "CreateServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use CreateServiceTemplateVersion instead", + "privilege": "CreateServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a service template version", + 
"privilege": "CreateServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use UpdateAccountSettings instead", + "privilege": "DeleteAccountRoles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment", + "privilege": "DeleteEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment account connection", + "privilege": "DeleteEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment template", + "privilege": "DeleteEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use DeleteEnvironmentTemplateVersion instead", + "privilege": "DeleteEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use DeleteEnvironmentTemplateVersion instead", + "privilege": "DeleteEnvironmentTemplateMinorVersion", + "resource_types": [ + { 
+ "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an environment template version", + "privilege": "DeleteEnvironmentTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service", + "privilege": "DeleteService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service template", + "privilege": "DeleteServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use DeleteServiceTemplateVersion instead", + "privilege": "DeleteServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use DeleteServiceTemplateVersion instead", + "privilege": "DeleteServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a service template version", + "privilege": "DeleteServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "DEPRECATED - use GetAccountSettings instead", + "privilege": 
"GetAccountRoles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the account settings", + "privilege": "GetAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment", + "privilege": "GetEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment account connection", + "privilege": "GetEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment template", + "privilege": "GetEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "DEPRECATED - use GetEnvironmentTemplateVersion instead", + "privilege": "GetEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "DEPRECATED - use GetEnvironmentTemplateVersion instead", + "privilege": "GetEnvironmentTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an environment template version", + "privilege": "GetEnvironmentTemplateVersion", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service", + "privilege": "GetService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service instance", + "privilege": "GetServiceInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service template", + "privilege": "GetServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "DEPRECATED - use GetServiceTemplateVersion instead", + "privilege": "GetServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "DEPRECATED - use GetServiceTemplateVersion instead", + "privilege": "GetServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a service template version", + "privilege": "GetServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment account connections", + "privilege": "ListEnvironmentAccountConnections", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"environment-account-connection*" + } + ] + }, + { + "access_level": "List", + "description": "DEPRECATED - use ListEnvironmentTemplateVersions instead", + "privilege": "ListEnvironmentTemplateMajorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "List", + "description": "DEPRECATED - use ListEnvironmentTemplateVersions instead", + "privilege": "ListEnvironmentTemplateMinorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment template versions", + "privilege": "ListEnvironmentTemplateVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environment templates", + "privilege": "ListEnvironmentTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list environments", + "privilege": "ListEnvironments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service instances", + "privilege": "ListServiceInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "DEPRECATED - use ListServiceTemplateVersions instead", + "privilege": "ListServiceTemplateMajorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "List", + "description": 
"DEPRECATED - use ListServiceTemplateVersions instead", + "privilege": "ListServiceTemplateMinorVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service template versions", + "privilege": "ListServiceTemplateVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list service templates", + "privilege": "ListServiceTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list services", + "privilege": "ListServices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to list tags of a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template" + }, + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "service-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-version" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reject an environment account connection request from another environment account.", + "privilege": "RejectEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permissions to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-version" + }, + { + "condition_keys": [ + 
"aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permissions to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-major-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-minor-version" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template-version" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use UpdateAccountSettings instead", + "privilege": "UpdateAccountRoles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the account settings", + "privilege": "UpdateAccountSettings", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment", + "privilege": "UpdateEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "environment*" + }, + { + "condition_keys": [ + "proton:EnvironmentTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment account connection", + "privilege": "UpdateEnvironmentAccountConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-account-connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment template", + "privilege": "UpdateEnvironmentTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use UpdateEnvironmentTemplateVersion instead", + "privilege": "UpdateEnvironmentTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use UpdateEnvironmentTemplateVersion instead", + "privilege": "UpdateEnvironmentTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an environment template version", + "privilege": "UpdateEnvironmentTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "environment-template*" + } + ] + }, + { + "access_level": "Write", + "description": 
"Grants permission to update a service", + "privilege": "UpdateService", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service instance", + "privilege": "UpdateServiceInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-instance*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service pipeline", + "privilege": "UpdateServicePipeline", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service*" + }, + { + "condition_keys": [ + "proton:ServiceTemplate" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service template", + "privilege": "UpdateServiceTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use UpdateServiceTemplateVersion instead", + "privilege": "UpdateServiceTemplateMajorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "DEPRECATED - use UpdateServiceTemplateVersion instead", + "privilege": "UpdateServiceTemplateMinorVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a service template version", 
+ "privilege": "UpdateServiceTemplateVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "service-template*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersion}.${MinorVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template-major-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment-template-minor-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersion}.${MinorVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template-major-version" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service-template/${TemplateName}:${MajorVersionId}.${MinorVersionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-template-minor-version" + }, + { + "arn": 
"arn:${Partition}:proton:${Region}:${Account}:environment/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "environment" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:service/${ServiceName}/service-instance/${Name}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service-instance" + }, + { + "arn": "arn:${Partition}:proton:${Region}:${Account}:environment-account-connection/${Id}", + "condition_keys": [], + "resource": "environment-account-connection" + } + ], + "service_name": "AWS Proton" + }, + { + "conditions": [], + "prefix": "purchase-orders", + "privileges": [ + { + "access_level": "Write", + "description": "Modify purchase orders and details", + "privilege": "ModifyPurchaseOrders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "View purchase orders and details", + "privilege": "ViewPurchaseOrders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Purchase Orders Console" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "qldb:Purge", + "description": "Filters access by the value of purge that is specified in a PartiQL DROP statement", + "type": 
"String" + } + ], + "prefix": "qldb", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to cancel a journal kinesis stream", + "privilege": "CancelJournalKinesisStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a ledger", + "privilege": "CreateLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a ledger", + "privilege": "DeleteLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe information about a journal kinesis stream", + "privilege": "DescribeJournalKinesisStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe information about a journal export job", + "privilege": "DescribeJournalS3Export", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a ledger", + "privilege": "DescribeLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send commands to a ledger via the console", + "privilege": "ExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } 
+ ] + }, + { + "access_level": "Write", + "description": "Grants permission to export journal contents to an Amazon S3 bucket", + "privilege": "ExportJournalToS3", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a block from a ledger for a given BlockAddress", + "privilege": "GetBlock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a digest from a ledger for a given BlockAddress", + "privilege": "GetDigest", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a revision for a given document ID and a given BlockAddress", + "privilege": "GetRevision", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to insert sample application data via the console", + "privilege": "InsertSampleData", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list journal kinesis streams for a specified ledger", + "privilege": "ListJournalKinesisStreamsForLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list journal export jobs for all ledgers", + "privilege": "ListJournalS3Exports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": 
"Grants permission to list journal export jobs for a specified ledger", + "privilege": "ListJournalS3ExportsForLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list existing ledgers", + "privilege": "ListLedgers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an index on a table", + "privilege": "PartiQLCreateIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a table", + "privilege": "PartiQLCreateTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete documents from a table", + "privilege": "PartiQLDelete", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to drop an index from a table", + "privilege": 
"PartiQLDropIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "qldb:Purge" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to drop a table", + "privilege": "PartiQLDropTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "qldb:Purge" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use the history function on a table", + "privilege": "PartiQLHistoryFunction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to insert documents into a table", + "privilege": "PartiQLInsert", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to select documents from a table", + "privilege": "PartiQLSelect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to undrop a table", + "privilege": "PartiQLUndropTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update existing documents in a table", + "privilege": "PartiQLUpdate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants 
permission to send commands to a ledger", + "privilege": "SendCommand", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to view a ledger's catalog via the console", + "privilege": "ShowCatalog", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stream journal contents to a Kinesis Data Stream", + "privilege": "StreamJournalToKinesis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stream" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + 
"dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update properties on a ledger", + "privilege": "UpdateLedger", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the permissions mode on a ledger", + "privilege": "UpdateLedgerPermissionsMode", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ledger*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ledger" + }, + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:stream/${LedgerName}/${StreamId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "stream" + }, + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/table/${TableId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "table" + }, + { + "arn": "arn:${Partition}:qldb:${Region}:${Account}:ledger/${LedgerName}/information_schema/user_tables", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "catalog" + } + ], + "service_name": "Amazon QLDB" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by tag keys", + "type": "String" + }, + { + "condition": "quicksight:DirectoryType", + "description": "Filters access based on the user management options", + "type": "String" + }, + { + "condition": "quicksight:Edition", + "description": 
"Filters access based on the edition of QuickSight", + "type": "String" + }, + { + "condition": "quicksight:IamArn", + "description": "Filters access by IAM user or role ARN", + "type": "String" + }, + { + "condition": "quicksight:SessionName", + "description": "Filters access by session name", + "type": "String" + }, + { + "condition": "quicksight:UserName", + "description": "Filters access by user name", + "type": "String" + } + ], + "prefix": "quicksight", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to cancel a SPICE ingestions on a dataset", + "privilege": "CancelIngestion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an account customization for QuickSight account or namespace", + "privilege": "CreateAccountCustomization", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision Amazon QuickSight administrators, authors, and readers", + "privilege": "CreateAdmin", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an analysis from a template", + "privilege": "CreateAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + 
"resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to create a custom permissions resource for restricting user access", + "privilege": "CreateCustomPermissions", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight Dashboard", + "privilege": "CreateDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a dataset", + "privilege": "CreateDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "quicksight:PassDataSource" + ], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a data source", + "privilege": "CreateDataSource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight folder", + "privilege": "CreateFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a QuickSight Dashboard, Analysis or Dataset to a QuickSight Folder", 
+ "privilege": "CreateFolderMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight group", + "privilege": "CreateGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a QuickSight user to a QuickSight group", + "privilege": "CreateGroupMembership", + "resource_types": [ + { + "condition_keys": [ + "quicksight:UserName" + ], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight", + "privilege": "CreateIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a SPICE ingestion on a dataset", + "privilege": "CreateIngestion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permission to create an QuickSight namespace", + "privilege": "CreateNamespace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "namespace*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision Amazon QuickSight readers", + "privilege": "CreateReader", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a template", + "privilege": "CreateTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a template alias", + "privilege": "CreateTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grant permission to create a theme", + "privilege": "CreateTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an alias for a theme 
version", + "privilege": "CreateThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provision Amazon QuickSight authors and readers", + "privilege": "CreateUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a VPC connection", + "privilege": "CreateVPCConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an account customization for QuickSight account or namespace", + "privilege": "DeleteAccountCustomization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete an analysis", + "privilege": "DeleteAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to delete a custom permissions resource", + "privilege": "DeleteCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight Dashboard", + "privilege": "DeleteDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a dataset", + "privilege": "DeleteDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a data source", + "privilege": "DeleteDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight Folder", + "privilege": "DeleteFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a QuickSight Dashboard, Analysis or Dataset from a QuickSight Folder", + "privilege": "DeleteFolderMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a user group from QuickSight", + "privilege": "DeleteGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a user from a group so that he/she is no 
longer a member of the group", + "privilege": "DeleteGroupMembership", + "resource_types": [ + { + "condition_keys": [ + "quicksight:UserName" + ], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing assignment", + "privilege": "DeleteIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight namespace", + "privilege": "DeleteNamespace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "namespace*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a template", + "privilege": "DeleteTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a template alias", + "privilege": "DeleteTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a theme", + "privilege": "DeleteTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the alias of a theme", + "privilege": "DeleteThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight user, given the user name", + "privilege": "DeleteUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permission to deletes a user identified by its principal ID", + "privilege": "DeleteUserByPrincipalId", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a VPC connection", + "privilege": "DeleteVPCConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an account customization for QuickSight account or namespace", + "privilege": "DescribeAccountCustomization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the administrative account settings for QuickSight account", + "privilege": "DescribeAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an analysis", + "privilege": "DescribeAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for an analysis", + "privilege": "DescribeAnalysisPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to describe a custom permissions resource in a QuickSight account", + "privilege": "DescribeCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants 
permission to describe a QuickSight Dashboard", + "privilege": "DescribeDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a QuickSight Dashboard", + "privilege": "DescribeDashboardPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a dataset", + "privilege": "DescribeDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to describe the resource policy of a dataset", + "privilege": "DescribeDataSetPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a data source", + "privilege": "DescribeDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to describe the resource policy of a data source", + "privilege": "DescribeDataSourcePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + 
"condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight Folder", + "privilege": "DescribeFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a QuickSight Folder", + "privilege": "DescribeFolderPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe resolved permissions for a QuickSight Folder", + "privilege": "DescribeFolderResolvedPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight group", + "privilege": "DescribeGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an existing assignment", + "privilege": "DescribeIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a SPICE ingestion on a dataset", + "privilege": "DescribeIngestion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ingestion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight namespace", + "privilege": 
"DescribeNamespace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "namespace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a template", + "privilege": "DescribeTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a template alias", + "privilege": "DescribeTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a template", + "privilege": "DescribeTemplatePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a theme", + "privilege": "DescribeTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a theme alias", + "privilege": "DescribeThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe permissions for a theme", + "privilege": "DescribeThemePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a QuickSight user given the user name", + "privilege": "DescribeUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants 
permission to generate a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight", + "privilege": "GenerateEmbedUrlForAnonymousUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "namespace*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to generate a URL used to embed a QuickSight Dashboard for a user registered with QuickSight", + "privilege": "GenerateEmbedUrlForRegisteredUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight", + "privilege": "GetAnonymousUserEmbedUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an auth code representing a QuickSight user", + "privilege": "GetAuthCode", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a URL used to embed a QuickSight Dashboard", + "privilege": "GetDashboardEmbedUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight", + "privilege": "GetGroupMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": 
"Read", + "description": "Grants permission to get a URL to embed QuickSight console experience", + "privilege": "GetSessionEmbedUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all analyses in an account", + "privilege": "ListAnalyses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to list custom permissions resources in QuickSight account", + "privilege": "ListCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all versions of a QuickSight Dashboard", + "privilege": "ListDashboardVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all Dashboards in a QuickSight Account", + "privilege": "ListDashboards", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all datasets", + "privilege": "ListDataSets", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all data sources", + "privilege": "ListDataSources", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all members in a folder", + 
"privilege": "ListFolderMembers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all Folders in a QuickSight Account", + "privilege": "ListFolders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list member users in a group", + "privilege": "ListGroupMemberships", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all user groups in QuickSight", + "privilege": "ListGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assignments in the current Amazon QuickSight account", + "privilege": "ListIAMPolicyAssignments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assignments assigned to a user and the groups it belongs", + "privilege": "ListIAMPolicyAssignmentsForUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all SPICE ingestions on a dataset", + "privilege": "ListIngestions", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to lists all namespaces in a QuickSight account", + "privilege": "ListNamespaces", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list tags of a QuickSight resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all aliases for a template", + "privilege": "ListTemplateAliases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all versions of a template", + "privilege": "ListTemplateVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all templates in a QuickSight account", + "privilege": "ListTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all aliases of a theme", + "privilege": "ListThemeAliases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all versions of a theme", + "privilege": "ListThemeVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "theme*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all themes in an account", + "privilege": "ListThemes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list groups that a given user is a member of", + "privilege": "ListUserGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all of the QuickSight users belonging to this account", + "privilege": "ListUsers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use a dataset for a template", + "privilege": "PassDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use a data source for a data set", + "privilege": "PassDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request", + "privilege": "RegisterUser", + "resource_types": [ + { + "condition_keys": [ + "quicksight:IamArn", + "quicksight:SessionName" + ], + "dependent_actions": [], + "resource_type": "user*" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permission to restore a deleted analysis", + "privilege": "RestoreAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search for a sub-set of analyses", + "privilege": "SearchAnalyses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search for a sub-set of QuickSight Dashboards", + "privilege": "SearchDashboards", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", + "privilege": "SearchDirectoryGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to search for a sub-set of QuickSight Folders", + "privilege": "SearchFolders", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", + "privilege": "SetGroupMapping", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to 
Enterprise edition", + "privilege": "Subscribe", + "resource_types": [ + { + "condition_keys": [ + "quicksight:Edition", + "quicksight:DirectoryType" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a QuickSight resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight", + "privilege": "Unsubscribe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a QuickSight resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + 
"resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an account customization for QuickSight account or namespace", + "privilege": "UpdateAccountCustomization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "customization*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the administrative account settings for QuickSight account", + "privilege": "UpdateAccountSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an analysis", + "privilege": "UpdateAnalysis", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for an analysis", + "privilege": "UpdateAnalysisPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "analysis*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update a custom permissions resource", + "privilege": "UpdateCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a QuickSight Dashboard", + "privilege": "UpdateDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a QuickSight Dashboard", + "privilege": "UpdateDashboardPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } 
+ ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a QuickSight Dashboard\u2019s Published Version", + "privilege": "UpdateDashboardPublishedVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a dataset", + "privilege": "UpdateDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "quicksight:PassDataSource" + ], + "resource_type": "dataset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update the resource policy of a dataset", + "privilege": "UpdateDataSetPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dataset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a data source", + "privilege": "UpdateDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update the resource policy of a data source", + "privilege": "UpdateDataSourcePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datasource*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + 
"dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a QuickSight Folder", + "privilege": "UpdateFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a QuickSight Folder", + "privilege": "UpdateFolderPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "folder*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to change group description", + "privilege": "UpdateGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing assignment", + "privilege": "UpdateIAMPolicyAssignment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assignment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a template", + "privilege": "UpdateTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a template alias", + "privilege": "UpdateTemplateAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a template", + "privilege": "UpdateTemplatePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a theme", + 
"privilege": "UpdateTheme", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the alias of a theme", + "privilege": "UpdateThemeAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to update permissions for a theme", + "privilege": "UpdateThemePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "theme*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an Amazon QuickSight user", + "privilege": "UpdateUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId}", + "condition_keys": [], + "resource": "user" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId}", + "condition_keys": [], + "resource": "group" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "analysis" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dashboard" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "template" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "datasource" + }, + { + "arn": 
"arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dataset" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ingestion" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "theme" + }, + { + "arn": "arn:${Partition}:quicksight::${Account}:assignment/${ResourceId}", + "condition_keys": [], + "resource": "assignment" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:customization/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "customization" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:namespace/${ResourceId}", + "condition_keys": [], + "resource": "namespace" + }, + { + "arn": "arn:${Partition}:quicksight:${Region}:${Account}:folder/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "folder" + } + ], + "service_name": "Amazon QuickSight" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request when creating or tagging a resource share. 
If users don't pass these specific tags, or if they don't specify tags at all, the request fails", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed when creating or tagging a resource share", + "type": "String" + }, + { + "condition": "ram:AllowsExternalPrincipals", + "description": "Filters access based on resource shares that allow or deny sharing with external principals. For example, specify true if the action can only be performed on resource shares that allow sharing with external principals. External principals are AWS accounts that are outside of its AWS organization", + "type": "Bool" + }, + { + "condition": "ram:PermissionArn", + "description": "Filters access based on the specified Permission ARN", + "type": "Arn" + }, + { + "condition": "ram:PermissionResourceType", + "description": "Filters access based on permissions of specified resource type", + "type": "String" + }, + { + "condition": "ram:Principal", + "description": "Filters access based on the format of the specified principal", + "type": "String" + }, + { + "condition": "ram:RequestedAllowsExternalPrincipals", + "description": "Filters access based on the specified value for 'allowExternalPrincipals'. 
External principals are AWS accounts that are outside of its AWS Organization", + "type": "Bool" + }, + { + "condition": "ram:RequestedResourceType", + "description": "Filters access based on the specified resource type", + "type": "String" + }, + { + "condition": "ram:ResourceArn", + "description": "Filters access based on a resource with the specified ARN", + "type": "Arn" + }, + { + "condition": "ram:ResourceShareName", + "description": "Filters access based on a resource share with the specified name", + "type": "String" + }, + { + "condition": "ram:ShareOwnerAccountId", + "description": "Filters access based on resource shares owned by a specific account. For example, you can use this condition key to specify which resource share invitations can be accepted or rejected based on the resource share owner\u2019s account ID", + "type": "String" + } + ], + "prefix": "ram", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept the specified resource share invitation", + "privilege": "AcceptResourceShareInvitation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share-invitation*" + }, + { + "condition_keys": [ + "ram:ShareOwnerAccountId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate resource(s) and/or principal(s) to a resource share", + "privilege": "AssociateResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals", + "ram:Principal", + "ram:RequestedResourceType", + "ram:ResourceArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a Permission with a Resource Share", + 
"privilege": "AssociateResourceSharePermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "permission*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a resource share with provided resource(s) and/or principal(s)", + "privilege": "CreateResourceShare", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ram:RequestedResourceType", + "ram:ResourceArn", + "ram:RequestedAllowsExternalPrincipals", + "ram:Principal" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete resource share", + "privilege": "DeleteResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate resource(s) and/or principal(s) from a resource share", + "privilege": "DisassociateResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals", + "ram:Principal", + "ram:RequestedResourceType", + "ram:ResourceArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a Permission from a Resource Share", + "privilege": "DisassociateResourceSharePermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "permission*" 
+ }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to access customer's organization and create a SLR in the customer's account", + "privilege": "EnableSharingWithAwsOrganization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the contents of an AWS RAM permission", + "privilege": "GetPermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "permission*" + }, + { + "condition_keys": [ + "ram:PermissionArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the policies for the specified resources that you own and have shared", + "privilege": "GetResourcePolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a set of resource share associations from a provided list or with a specified status of the specified type", + "privilege": "GetResourceShareAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get resource share invitations by the specified invitation arn or those for the resource share", + "privilege": "GetResourceShareInvitations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a set of resource shares from a provided list or with a specified status", + "privilege": "GetResourceShares", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the resources in a resource share that is shared with you but that the invitation is still pending for", + "privilege": "ListPendingInvitationResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share-invitation*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the AWS RAM permissions", + "privilege": "ListPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the principals that you have shared resources with or that have shared resources with you", + "privilege": "ListPrincipals", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Permissions associated with a Resource Share", + "privilege": "ListResourceSharePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the shareable resource types supported by AWS RAM", + "privilege": "ListResourceTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the resources that you added to resource shares or the resources that are shared with you", + "privilege": "ListResources", + "resource_types": [ + { + "condition_keys": 
[], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to promote the specified resource share", + "privilege": "PromoteResourceShareCreatedFromPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reject the specified resource share invitation", + "privilege": "RejectResourceShareInvitation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share-invitation*" + }, + { + "condition_keys": [ + "ram:ShareOwnerAccountId" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag the specified resource share", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag the specified resource share", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update attributes of the resource share", + "privilege": "UpdateResourceShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resource-share*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:ResourceShareName", + "ram:AllowsExternalPrincipals", + "ram:RequestedAllowsExternalPrincipals" 
+ ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share/${ResourcePath}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ram:AllowsExternalPrincipals", + "ram:ResourceShareName" + ], + "resource": "resource-share" + }, + { + "arn": "arn:${Partition}:ram:${Region}:${Account}:resource-share-invitation/${ResourcePath}", + "condition_keys": [ + "ram:ShareOwnerAccountId" + ], + "resource": "resource-share-invitation" + }, + { + "arn": "arn:${Partition}:ram::${Account}:permission/${ResourcePath}", + "condition_keys": [ + "ram:PermissionArn", + "ram:PermissionResourceType" + ], + "resource": "permission" + } + ], + "service_name": "AWS Resource Access Manager" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "rds:DatabaseClass", + "description": "Filters access by the type of DB instance class", + "type": "String" + }, + { + "condition": "rds:DatabaseEngine", + "description": "Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API", + "type": "String" + }, + { + "condition": "rds:DatabaseName", + "description": "Filters access by the user-defined name of the database on the DB instance", + "type": "String" + }, + { + "condition": "rds:EndpointType", + "description": "Filters access by the type of the endpoint. 
One of: READER, WRITER, CUSTOM", + "type": "String" + }, + { + "condition": "rds:MultiAz", + "description": "Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true", + "type": "Boolean" + }, + { + "condition": "rds:Piops", + "description": "Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0", + "type": "Numeric" + }, + { + "condition": "rds:StorageEncrypted", + "description": "Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true", + "type": "Boolean" + }, + { + "condition": "rds:StorageSize", + "description": "Filters access by the storage volume size (in GB)", + "type": "Numeric" + }, + { + "condition": "rds:Vpc", + "description": "Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). 
To indicate that the DB instance runs in an Amazon VPC, specify true", + "type": "Boolean" + }, + { + "condition": "rds:cluster-pg-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB cluster parameter group", + "type": "String" + }, + { + "condition": "rds:cluster-snapshot-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB cluster snapshot", + "type": "String" + }, + { + "condition": "rds:cluster-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB cluster", + "type": "String" + }, + { + "condition": "rds:db-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB instance", + "type": "String" + }, + { + "condition": "rds:es-tag/${TagKey}", + "description": "Filters access by the tag attached to an event subscription", + "type": "String" + }, + { + "condition": "rds:og-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB option group", + "type": "String" + }, + { + "condition": "rds:pg-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB parameter group", + "type": "String" + }, + { + "condition": "rds:req-tag/${TagKey}", + "description": "Filters access by the set of tag keys and values that can be used to tag a resource", + "type": "String" + }, + { + "condition": "rds:ri-tag/${TagKey}", + "description": "Filters access by the tag attached to a reserved DB instance", + "type": "String" + }, + { + "condition": "rds:secgrp-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB security group", + "type": "String" + }, + { + "condition": "rds:snapshot-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB snapshot", + "type": "String" + }, + { + "condition": "rds:subgrp-tag/${TagKey}", + "description": "Filters access by the tag attached to a DB subnet group", + "type": "String" + } + ], + "prefix": "rds", + "privileges": [ + { + "access_level": "Write", + "description": "Grants 
permission to associate an Identity and Access Management (IAM) role from an Aurora DB cluster", + "privilege": "AddRoleToDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance", + "privilege": "AddRoleToDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a source identifier to an existing RDS event notification subscription", + "privilege": "AddSourceIdentifierToSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add metadata tags to an Amazon RDS resource", + "privilege": "AddTagsToResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "ri" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to apply a pending maintenance action to a resource", + "privilege": "ApplyPendingMaintenanceAction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization", + "privilege": "AuthorizeDBSecurityGroupIngress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster", + "privilege": "BacktrackDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel an export task in progress", + "privilege": "CancelExportTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified DB cluster parameter group", + 
"privilege": "CopyDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a snapshot of a DB cluster", + "privilege": "CopyDBClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster-snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified DB parameter group", + "privilege": "CopyDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "pg*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified DB snapshot", + "privilege": "CopyDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy the specified option group", + "privilege": "CopyOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "og*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": 
"" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new custom availability zone", + "privilege": "CreateCustomAvailabilityZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new Amazon Aurora DB cluster", + "privilege": "CreateDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}", + "rds:DatabaseEngine", + "rds:DatabaseName", + "rds:StorageEncrypted" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new custom endpoint and associates it with an Amazon Aurora DB cluster", + "privilege": "CreateDBClusterEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + }, + { + "condition_keys": [ + "rds:EndpointType", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB cluster parameter group", + "privilege": "CreateDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster-pg*" + }, + { + 
"condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a snapshot of a DB cluster", + "privilege": "CreateDBClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB instance", + "privilege": "CreateDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a DB instance that acts as a Read Replica of a source DB instance", + "privilege": "CreateDBInstanceReadReplica", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": 
[], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB parameter group", + "privilege": "CreateDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "pg*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a database proxy", + "privilege": "CreateDBProxy", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a database proxy endpoint", + "privilege": "CreateDBProxyEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB security group. 
DB security groups control access to a DB instance", + "privilege": "CreateDBSecurityGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "secgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a DBSnapshot", + "privilege": "CreateDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB subnet group", + "privilege": "CreateDBSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an RDS event notification subscription", + "privilege": "CreateEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "es*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Aurora global database spread across multiple regions", + "privilege": "CreateGlobalCluster", 
+ "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new option group", + "privilege": "CreateOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds:AddTagsToResource" + ], + "resource_type": "og*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to access a resource in the remote Region when executing cross-Region operations, such as cross-Region snapshot copy or cross-Region read replica creation", + "privilege": "CrossRegionCommunication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a custom availability zone", + "privilege": "DeleteCustomAvailabilityZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a previously provisioned DB cluster", + "privilege": "DeleteDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a custom endpoint and removes it from an Amazon Aurora DB cluster", + "privilege": "DeleteDBClusterEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permission to delete a specified DB cluster parameter group", + "privilege": "DeleteDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a DB cluster snapshot", + "privilege": "DeleteDBClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a previously provisioned DB instance", + "privilege": "DeleteDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deletes automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID", + "privilege": "DeleteDBInstanceAutomatedBackup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a specified DBParameterGroup", + "privilege": "DeleteDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a database proxy", + "privilege": "DeleteDBProxy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a database proxy endpoint", + "privilege": "DeleteDBProxyEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + } + ] + }, + { + "access_level": "Write", + 
"description": "Grants permission to delete a DB security group", + "privilege": "DeleteDBSecurityGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a DBSnapshot", + "privilege": "DeleteDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a DB subnet group", + "privilege": "DeleteDBSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an RDS event notification subscription", + "privilege": "DeleteEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a global database cluster", + "privilege": "DeleteGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an installation media", + "privilege": "DeleteInstallationMedia", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing option group", + "privilege": "DeleteOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove targets from a database proxy target group", + "privilege": "DeregisterDBProxyTargets", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all of the attributes for a customer account", + "privilege": "DescribeAccountAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Lists the set of CA certificates provided by Amazon RDS for this AWS account", + "privilege": "DescribeCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about provisioned custom availability zones", + "privilege": "DescribeCustomAvailabilityZones", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about backtracks for a DB cluster", + "privilege": "DescribeDBClusterBacktracks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about endpoints for an Amazon Aurora DB cluster", + "privilege": "DescribeDBClusterEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBClusterParameterGroup 
descriptions", + "privilege": "DescribeDBClusterParameterGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the detailed parameter list for a particular DB cluster parameter group", + "privilege": "DescribeDBClusterParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot", + "privilege": "DescribeDBClusterSnapshotAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about DB cluster snapshots", + "privilege": "DescribeDBClusterSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about provisioned Aurora DB clusters", + "privilege": "DescribeDBClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of the available DB engines", + "privilege": "DescribeDBEngineVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of automated backups for both current and deleted instances", + "privilege": "DescribeDBInstanceAutomatedBackups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"db" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about provisioned RDS instances", + "privilege": "DescribeDBInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DB log files for the DB instance", + "privilege": "DescribeDBLogFiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBParameterGroup descriptions", + "privilege": "DescribeDBParameterGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the detailed parameter list for a particular DB parameter group", + "privilege": "DescribeDBParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view proxies", + "privilege": "DescribeDBProxies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view proxy endpoints", + "privilege": "DescribeDBProxyEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view database proxy target group details", + "privilege": "DescribeDBProxyTargetGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + } + ] + 
}, + { + "access_level": "List", + "description": "Grants permission to view database proxy target details", + "privilege": "DescribeDBProxyTargets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBSecurityGroup descriptions", + "privilege": "DescribeDBSecurityGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot", + "privilege": "DescribeDBSnapshotAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about DB snapshots", + "privilege": "DescribeDBSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of DBSubnetGroup descriptions", + "privilege": "DescribeDBSubnetGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the default engine and system parameter information for the cluster database engine", + "privilege": "DescribeEngineDefaultClusterParameters", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return the default engine and system parameter information for the specified database engine", + "privilege": "DescribeEngineDefaultParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to display a list of categories for all event source types, or, if specified, for a specified source type", + "privilege": "DescribeEventCategories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the subscription descriptions for a customer account", + "privilege": "DescribeEventSubscriptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days", + "privilege": "DescribeEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about the export tasks", + "privilege": "DescribeExportTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about Aurora global database clusters", + "privilege": "DescribeGlobalClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "List", + "description": 
"Grants permission to return information about available installation media", + "privilege": "DescribeInstallationMedia", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe all available options", + "privilege": "DescribeOptionGroupOptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe the available option groups", + "privilege": "DescribeOptionGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of orderable DB instance options for the specified engine", + "privilege": "DescribeOrderableDBInstanceOptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of resources (for example, DB instances) that have at least one pending maintenance action", + "privilege": "DescribePendingMaintenanceActions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return information about reserved DB instances for this account, or about a specified reserved DB instance", + "privilege": "DescribeReservedDBInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list available reserved DB instance offerings", + "privilege": 
"DescribeReservedDBInstancesOfferings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from", + "privilege": "DescribeSourceRegions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list available modifications you can make to your DB instance", + "privilege": "DescribeValidDBInstanceModifications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to download specified log file", + "privilege": "DownloadCompleteDBLogFile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to download all or a portion of the specified log file, up to 1 MB in size", + "privilege": "DownloadDBLogFilePortion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to force a failover for a DB cluster", + "privilege": "FailoverDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to failover a global cluster", + "privilege": "FailoverGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": 
"Write", + "description": "Grants permission to import an installation media for a DB engine", + "privilege": "ImportInstallationMedia", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all tags on an Amazon RDS resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances", + "privilege": 
"ModifyCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify current cluster capacity for an Amazon Aurora Severless DB cluster", + "privilege": "ModifyCurrentDBClusterCapacity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a setting for an Amazon Aurora DB cluster", + "privilege": "ModifyDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the properties of an endpoint in an Amazon Aurora DB cluster", + "privilege": "ModifyDBClusterEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a DB cluster parameter group", + "privilege": "ModifyDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot", + "privilege": "ModifyDBClusterSnapshotAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify settings for a DB instance", + 
"privilege": "ModifyDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a DB parameter group", + "privilege": "ModifyDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify database proxy", + "privilege": "ModifyDBProxy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "proxy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify database proxy endpoint", + "privilege": "ModifyDBProxyEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify target group for a database proxy", + "privilege": "ModifyDBProxyTargetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version", + "privilege": "ModifyDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB 
snapshot", + "privilege": "ModifyDBSnapshotAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing DB subnet group", + "privilege": "ModifyDBSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing RDS event notification subscription", + "privilege": "ModifyEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a setting for an Amazon Aurora global cluster", + "privilege": "ModifyGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing option group", + "privilege": "ModifyOptionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "og*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to promote a Read Replica DB instance to a standalone DB instance", + "privilege": "PromoteReadReplica", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to promote a Read Replica DB cluster to a standalone DB cluster", + "privilege": "PromoteReadReplicaDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to purchase a reserved DB instance offering", + 
"privilege": "PurchaseReservedDBInstancesOffering", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restart the database engine service", + "privilege": "RebootDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add targets to a database proxy target group", + "privilege": "RegisterDBProxyTargets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to detach an Aurora secondary cluster from an Aurora global database cluster", + "privilege": "RemoveFromGlobalCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster", + "privilege": "RemoveRoleFromDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an AWS Identity and Access Management (IAM) role from a DB instance", + "privilege": "RemoveRoleFromDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to 
remove a source identifier from an existing RDS event notification subscription", + "privilege": "RemoveSourceIdentifierFromSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove metadata tags from an Amazon RDS resource", + "privilege": "RemoveTagsFromResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "es" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "proxy-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ri" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "target-group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": 
"Grants permission to modify the parameters of a DB cluster parameter group to the default value", + "privilege": "ResetDBClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a DB parameter group to the engine/system default value", + "privilege": "ResetDBParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "pg*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket", + "privilege": "RestoreDBClusterFromS3", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}", + "rds:DatabaseEngine", + "rds:DatabaseName", + "rds:StorageEncrypted" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB cluster from a DB cluster snapshot", + "privilege": "RestoreDBClusterFromSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster-snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore a DB cluster to an arbitrary point in time", + "privilege": 
"RestoreDBClusterToPointInTime", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB instance from a DB snapshot", + "privilege": "RestoreDBInstanceFromDBSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new DB instance from an Amazon S3 bucket", + "privilege": "RestoreDBInstanceFromS3", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore a DB instance to an arbitrary point in time", + "privilege": "RestoreDBInstanceToPointInTime", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [ + "iam:PassRole", + "rds:AddTagsToResource" + ], + "resource_type": "db*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "og*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subgrp*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "rds:req-tag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to revoke ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups", + "privilege": "RevokeDBSecurityGroupIngress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "secgrp*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start Activity Stream", + "privilege": "StartActivityStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Starts the DB cluster", + "privilege": "StartDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start the DB instance", + "privilege": "StartDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start replication of automated backups to a different AWS Region", + "privilege": "StartDBInstanceAutomatedBackupsReplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a new Export task for a DB snapshot", + "privilege": "StartExportTask", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop Activity Stream", + "privilege": "StopActivityStream", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop the DB cluster", + "privilege": "StopDBCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop the DB instance", + "privilege": "StopDBInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop automated backup replication for a DB instance", + "privilege": "StopDBInstanceAutomatedBackupsReplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:cluster-tag/${TagKey}" + ], + "resource": "cluster" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster-endpoint" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:cluster-pg-tag/${TagKey}" + ], + "resource": "cluster-pg" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:cluster-snapshot-tag/${TagKey}" + ], + "resource": 
"cluster-snapshot" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:DatabaseClass", + "rds:DatabaseEngine", + "rds:DatabaseName", + "rds:MultiAz", + "rds:Piops", + "rds:StorageEncrypted", + "rds:StorageSize", + "rds:Vpc", + "rds:db-tag/${TagKey}" + ], + "resource": "db" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:es-tag/${TagKey}" + ], + "resource": "es" + }, + { + "arn": "arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster}", + "condition_keys": [], + "resource": "global-cluster" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:og-tag/${TagKey}" + ], + "resource": "og" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:pg-tag/${TagKey}" + ], + "resource": "pg" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "proxy" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:db-proxy-endpoint:${DbProxyEndpointId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "proxy-endpoint" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:ri-tag/${TagKey}" + ], + "resource": "ri" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:secgrp-tag/${TagKey}" + ], + "resource": "secgrp" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:snapshot-tag/${TagKey}" + ], + 
"resource": "snapshot" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "rds:subgrp-tag/${TagKey}" + ], + "resource": "subgrp" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:target:${TargetId}", + "condition_keys": [], + "resource": "target" + }, + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "target-group" + } + ], + "service_name": "Amazon RDS" + }, + { + "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys associated with the resource", + "type": "String" + } + ], + "prefix": "rds-data", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to run a batch SQL statement over an array of data", + "privilege": "BatchExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a SQL transaction", + "privilege": "BeginTransaction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to end a SQL transaction started with the BeginTransaction operation and commits the changes", + "privilege": "CommitTransaction", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [ + "rds-data:BeginTransaction" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to run one or more SQL statements. This operation is deprecated. Use the BatchExecuteStatement or ExecuteStatement operation", + "privilege": "ExecuteSql", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to run a SQL statement against a database", + "privilege": "ExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to perform a rollback of a transaction. 
Rolling back a transaction cancels its changes", + "privilege": "RollbackTransaction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "rds-data:BeginTransaction" + ], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:TagKeys" + ], + "resource": "cluster" + } + ], + "service_name": "Amazon RDS Data API" + }, + { + "conditions": [], + "prefix": "rds-db", + "privileges": [ + { + "access_level": "Permissions management", + "description": "Allows IAM role or user to connect to RDS database", + "privilege": "connect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "db-user*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}", + "condition_keys": [], + "resource": "db-user" + } + ], + "service_name": "Amazon RDS IAM Authentication" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tags in the request", + "type": "String" + }, + { + "condition": "redshift:ConsumerIdentifier", + "description": "Filters access by the datashare consumer", + "type": "String" + }, + { + "condition": "redshift:DbName", + "description": "Filters access by the database name", + "type": "String" + }, + { + "condition": "redshift:DbUser", + "description": 
"Filters access by the database user name", + "type": "String" + }, + { + "condition": "redshift:DurationSeconds", + "description": "Filters access by the number of seconds until a temporary credential set expires", + "type": "String" + } + ], + "prefix": "redshift", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to exchange a DC1 reserved node for a DC2 reserved node with no changes to the configuration", + "privilege": "AcceptReservedNodeExchange", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a consumer to a datashare", + "privilege": "AssociateDataShareConsumer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datashare*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to add an inbound (ingress) rule to an Amazon Redshift security group", + "privilege": "AuthorizeClusterSecurityGroupIngress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-ec2securitygroup*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to authorize the specified datashare consumer to consume a datashare", + "privilege": "AuthorizeDataShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datashare*" + }, + { + "condition_keys": [ + "redshift:ConsumerIdentifier" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to the specified AWS account to restore a snapshot", + "privilege": "AuthorizeSnapshotAccess", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete snapshots in a batch of size upto 100", + "privilege": "BatchDeleteClusterSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify settings for a list of snapshots", + "privilege": "BatchModifyClusterSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a query through the Amazon Redshift console", + "privilege": "CancelQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to see queries in the Amazon Redshift console", + "privilege": "CancelQuerySession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel a resize operation", + "privilege": "CancelResize", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to copy a cluster snapshot", + "privilege": "CopyClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a cluster", + "privilege": "CreateCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": 
[], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Redshift parameter group", + "privilege": "CreateClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Redshift security group", + "privilege": "CreateClusterSecurityGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a manual snapshot of the specified cluster", + "privilege": "CreateClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Redshift subnet group", + "privilege": "CreateClusterSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to automatically create the specified Amazon Redshift user if it does not exist", + "privilege": "CreateClusterUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"dbuser*" + }, + { + "condition_keys": [ + "redshift:DbUser" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Redshift event notification subscription", + "privilege": "CreateEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventsubscription*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an HSM client certificate that a cluster uses to connect to an HSM", + "privilege": "CreateHsmClientCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmclientcertificate*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an HSM configuration that contains information required by a cluster to store and use database encryption keys in a hardware security module (HSM)", + "privilege": "CreateHsmConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmconfiguration*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create saved SQL queries through the Amazon Redshift console", + "privilege": "CreateSavedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an Amazon Redshift scheduled action", + "privilege": "CreateScheduledAction", + "resource_types": [ 
+ { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region", + "privilege": "CreateSnapshotCopyGrant", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotcopygrant*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a snapshot schedule", + "privilege": "CreateSnapshotSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a specified resource", + "privilege": "CreateTags", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbname" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbuser" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventsubscription" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmclientcertificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-cidr" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-ec2securitygroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotcopygrant" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a usage limit", + "privilege": "CreateUsageLimit", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Remove permission from the specified datashare consumer to consume a datashare", + "privilege": "DeauthorizeDataShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datashare*" + }, + { + "condition_keys": [ + "redshift:ConsumerIdentifier" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a previously provisioned cluster", + "privilege": "DeleteCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon Redshift 
parameter group", + "privilege": "DeleteClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon Redshift security group", + "privilege": "DeleteClusterSecurityGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a manual snapshot", + "privilege": "DeleteClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a cluster subnet group", + "privilege": "DeleteClusterSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon Redshift event notification subscription", + "privilege": "DeleteEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventsubscription*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an HSM client certificate", + "privilege": "DeleteHsmClientCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmclientcertificate*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon Redshift HSM configuration", + "privilege": "DeleteHsmConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmconfiguration*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete saved SQL queries through the Amazon Redshift 
console", + "privilege": "DeleteSavedQueries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon Redshift scheduled action", + "privilege": "DeleteScheduledAction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a snapshot copy grant", + "privilege": "DeleteSnapshotCopyGrant", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotcopygrant*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a snapshot schedule", + "privilege": "DeleteSnapshotSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to delete a tag or tags from a resource", + "privilege": "DeleteTags", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbname" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbuser" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventsubscription" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmclientcertificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup" + }, + { + "condition_keys": 
[], + "dependent_actions": [], + "resource_type": "securitygroupingress-cidr" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-ec2securitygroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotcopygrant" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a usage limit", + "privilege": "DeleteUsageLimit", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe attributes attached to the specified AWS account", + "privilege": "DescribeAccountAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe database revisions for a cluster", + "privilege": "DescribeClusterDbRevisions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift parameter groups, including parameter groups you created and the default parameter group", + "privilege": "DescribeClusterParameterGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants 
permission to describe parameters contained within an Amazon Redshift parameter group", + "privilege": "DescribeClusterParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift security groups", + "privilege": "DescribeClusterSecurityGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots", + "privilege": "DescribeClusterSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe one or more cluster subnet group objects, which contain metadata about your cluster subnet groups", + "privilege": "DescribeClusterSubnetGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe available maintenance tracks", + "privilege": "DescribeClusterTracks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe available Amazon Redshift cluster versions", + "privilege": "DescribeClusterVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe properties of provisioned clusters", + "privilege": "DescribeClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + 
"access_level": "Read", + "description": "Grants permission to describe datashares created and consumed by your clusters", + "privilege": "DescribeDataShares", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe only datashares consumed by your clusters", + "privilege": "DescribeDataSharesForConsumer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe only datashares created by your clusters", + "privilege": "DescribeDataSharesForProducer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe parameter settings for a parameter group family", + "privilege": "DescribeDefaultClusterParameters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe event categories for all event source types, or for a specified source type", + "privilege": "DescribeEventCategories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift event notification subscriptions for the specified AWS account", + "privilege": "DescribeEventSubscriptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe events related to clusters, security groups, snapshots, and parameter groups for the past 14 days", + "privilege": "DescribeEvents", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe HSM client certificates", + "privilege": "DescribeHsmClientCertificates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe Amazon Redshift HSM configurations", + "privilege": "DescribeHsmConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe whether information, such as queries and connection attempts, is being logged for a cluster", + "privilege": "DescribeLoggingStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe properties of possible node configurations such as node type, number of nodes, and disk usage for the specified action type", + "privilege": "DescribeNodeConfigurationOptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe orderable cluster options", + "privilege": "DescribeOrderableClusterOptions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a query through the Amazon Redshift console", + "privilege": "DescribeQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe available reserved node offerings by Amazon Redshift", + 
"privilege": "DescribeReservedNodeOfferings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the reserved nodes", + "privilege": "DescribeReservedNodes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the last resize operation for a cluster", + "privilege": "DescribeResize", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe saved queries through the Amazon Redshift console", + "privilege": "DescribeSavedQueries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe created Amazon Redshift scheduled actions", + "privilege": "DescribeScheduledActions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region", + "privilege": "DescribeSnapshotCopyGrants", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe snapshot schedules", + "privilege": "DescribeSnapshotSchedules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe account level backups storage size and provisional storage", + "privilege": 
"DescribeStorage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a table through the Amazon Redshift console", + "privilege": "DescribeTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action", + "privilege": "DescribeTableRestoreStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe tags", + "privilege": "DescribeTags", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbname" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbuser" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventsubscription" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmclientcertificate" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hsmconfiguration" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-cidr" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-ec2securitygroup" + }, + { + "condition_keys": [], + "dependent_actions": 
[], + "resource_type": "snapshot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotcopygrant" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe usage limits", + "privilege": "DescribeUsageLimits", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable logging information, such as queries and connection attempts, for a cluster", + "privilege": "DisableLogging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable the automatic copy of snapshots for a cluster", + "privilege": "DisableSnapshotCopy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a consumer from a datashare", + "privilege": "DisassociateDataShareConsumer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datashare*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable logging information, such as queries and connection attempts, for a cluster", + "privilege": "EnableLogging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable the automatic copy of snapshots for a cluster", + 
"privilege": "EnableSnapshotCopy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to execute a query through the Amazon Redshift console", + "privilege": "ExecuteQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to fetch query results through the Amazon Redshift console", + "privilege": "FetchResults", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account", + "privilege": "GetClusterCredentials", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbuser*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbgroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbname" + }, + { + "condition_keys": [ + "redshift:DbName", + "redshift:DbUser", + "redshift:DurationSeconds" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node", + "privilege": "GetReservedNodeExchangeOfferings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to join the specified Amazon Redshift group", + "privilege": "JoinGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dbgroup*" + } + ] + }, + { + 
"access_level": "List", + "description": "Grants permission to list databases through the Amazon Redshift console", + "privilege": "ListDatabases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list saved queries through the Amazon Redshift console", + "privilege": "ListSavedQueries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list schemas through the Amazon Redshift console", + "privilege": "ListSchemas", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tables through the Amazon Redshift console", + "privilege": "ListTables", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the AQUA configuration of a cluster", + "privilege": "ModifyAquaConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the settings of a cluster", + "privilege": "ModifyCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the database revision of a cluster", + "privilege": "ModifyClusterDbRevision", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to modify the list of AWS Identity and Access 
Management (IAM) roles that can be used by a cluster to access other AWS services", + "privilege": "ModifyClusterIamRoles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the maintenance settings of a cluster", + "privilege": "ModifyClusterMaintenance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the parameters of a parameter group", + "privilege": "ModifyClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the settings of a snapshot", + "privilege": "ModifyClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a snapshot schedule for a cluster", + "privilege": "ModifyClusterSnapshotSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a cluster subnet group to include the specified list of VPC subnets", + "privilege": "ModifyClusterSubnetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "subnetgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing Amazon Redshift event notification subscription", + "privilege": "ModifyEventSubscription", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "eventsubscription*" + } + ] + }, + { + "access_level": 
"Write", + "description": "Grants permission to modify an existing saved query through the Amazon Redshift console", + "privilege": "ModifySavedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify an existing Amazon Redshift scheduled action", + "privilege": "ModifyScheduledAction", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the number of days to retain snapshots in the destination AWS Region after they are copied from the source AWS Region", + "privilege": "ModifySnapshotCopyRetentionPeriod", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a snapshot schedule", + "privilege": "ModifySnapshotSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshotschedule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify a usage limit", + "privilege": "ModifyUsageLimit", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "usagelimit*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to pause a cluster", + "privilege": "PauseCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to purchase a reserved node", + "privilege": "PurchaseReservedNodeOffering", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to 
reboot a cluster", + "privilege": "RebootCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to decline a datashare shared from another account", + "privilege": "RejectDataShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "datashare*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set one or more parameters of a parameter group to their default values and set the source values of the parameters to \"engine-default\"", + "privilege": "ResetClusterParameterGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "parametergroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to change the size of a cluster", + "privilege": "ResizeCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a cluster from a snapshot", + "privilege": "RestoreFromClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a table from a table in an Amazon Redshift cluster snapshot", + "privilege": "RestoreTableFromClusterSnapshot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to resume a cluster", + "privilege": "ResumeCluster", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to revoke an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group", + "privilege": "RevokeClusterSecurityGroupIngress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroup*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "securitygroupingress-ec2securitygroup*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to revoke access from the specified AWS account to restore a snapshot", + "privilege": "RevokeSnapshotAccess", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "snapshot*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to rotate an encryption key for a cluster", + "privilege": "RotateEncryptionKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view query results through the Amazon Redshift console", + "privilege": "ViewQueriesFromConsole", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to terminate running queries and loads through the Amazon Redshift console", + "privilege": "ViewQueriesInConsole", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + }, 
+ { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:datashare:${ProducerClusterNamespace}/{DataShareName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "datashare" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dbgroup" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dbname" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dbuser" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "eventsubscription" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "hsmclientcertificate" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "hsmconfiguration" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "parametergroup" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "securitygroup" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": 
"securitygroupingress-cidr" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "securitygroupingress-ec2securitygroup" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "snapshot" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "snapshotcopygrant" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "snapshotschedule" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "subnetgroup" + }, + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:usagelimit:${UsageLimitId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "usagelimit" + } + ], + "service_name": "Amazon Redshift" + }, + { + "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value associated with the resource", + "type": "String" + }, + { + "condition": "redshift-data:statement-owner-iam-userid", + "description": "Filters access by statement owner iam userid", + "type": "String" + } + ], + "prefix": "redshift-data", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to execute multiple queries under a single connection.", + "privilege": "BatchExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + 
"description": "Grants permission to cancel a running query", + "privilege": "CancelStatement", + "resource_types": [ + { + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve detailed information about a statement execution", + "privilege": "DescribeStatement", + "resource_types": [ + { + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve metadata about a particular table", + "privilege": "DescribeTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to execute a query", + "privilege": "ExecuteStatement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to fetch the result of a query", + "privilege": "GetStatementResult", + "resource_types": [ + { + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list databases for a given cluster", + "privilege": "ListDatabases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list schemas for a given cluster", + "privilege": "ListSchemas", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list queries for a given 
principal", + "privilege": "ListStatements", + "resource_types": [ + { + "condition_keys": [ + "redshift-data:statement-owner-iam-userid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tables for a given cluster", + "privilege": "ListTables", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cluster" + } + ], + "service_name": "Amazon Redshift Data API" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "rekognition", + "privileges": [ + { + "access_level": "Read", + "description": "Compares a face in source input image with each face detected in the target input image.", + "privilege": "CompareFaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Creates a collection in an AWS region. 
You can then add faces to the collection using the IndexFaces API.", + "privilege": "CreateCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Creates a new Amazon Rekognition Custom Labels project.", + "privilege": "CreateProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + } + ] + }, + { + "access_level": "Write", + "description": "Creates a new version of a model and begins training.", + "privilege": "CreateProjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Creates an Amazon Rekognition stream processor that you can use to detect and recognize faces in a streaming video.", + "privilege": "CreateStreamProcessor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streamprocessor*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Deletes the specified collection. 
Note that this operation removes all faces in the collection.", + "privilege": "DeleteCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Deletes faces from a collection.", + "privilege": "DeleteFaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Deletes a project.", + "privilege": "DeleteProject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + } + ] + }, + { + "access_level": "Write", + "description": "Deletes a model.", + "privilege": "DeleteProjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + } + ] + }, + { + "access_level": "Write", + "description": "Deletes the stream processor identified by Name.", + "privilege": "DeleteStreamProcessor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streamprocessor*" + } + ] + }, + { + "access_level": "Read", + "description": "Describes the specified collection.", + "privilege": "DescribeCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Read", + "description": "Lists and describes the model versions in an Amazon Rekognition Custom Labels project.", + "privilege": "DescribeProjectVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Lists and gets information about your Amazon Rekognition Custom Labels projects.", + "privilege": "DescribeProjects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + 
] + }, + { + "access_level": "Read", + "description": "Provides information about a stream processor created by CreateStreamProcessor.", + "privilege": "DescribeStreamProcessor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streamprocessor*" + } + ] + }, + { + "access_level": "Read", + "description": "Detects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model version.", + "privilege": "DetectCustomLabels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + } + ] + }, + { + "access_level": "Read", + "description": "Detects human faces within an image (JPEG or PNG) provided as input.", + "privilege": "DetectFaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Detects instances of real-world labels within an image (JPEG or PNG) provided as input.", + "privilege": "DetectLabels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Detects moderation labels within input image.", + "privilege": "DetectModerationLabels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Detects Protective Equipment in the input image.", + "privilege": "DetectProtectiveEquipment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Detects text in the input image and converts it into machine-readable text.", + "privilege": "DetectText", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets the name 
and additional information about a celebrity based on his or her Rekognition ID.", + "privilege": "GetCelebrityInfo", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets the celebrity recognition results for a Rekognition Video analysis started by StartCelebrityRecognition.", + "privilege": "GetCelebrityRecognition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets the content moderation analysis results for a Rekognition Video analysis started by StartContentModeration.", + "privilege": "GetContentModeration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets face detection results for a Rekognition Video analysis started by StartFaceDetection.", + "privilege": "GetFaceDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets the face search results for Rekognition Video face search started by StartFaceSearch.", + "privilege": "GetFaceSearch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets the label detection results of a Rekognition Video analysis started by StartLabelDetection.", + "privilege": "GetLabelDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets information about people detected within a video.", + "privilege": "GetPersonTracking", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + 
"access_level": "Read", + "description": "Gets segment detection results for a Rekognition Video analysis started by StartSegmentDetection.", + "privilege": "GetSegmentDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Gets text detection results for a Rekognition Video analysis started by StartTextDetection.", + "privilege": "GetTextDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Detects faces in the input image and adds them to the specified collection.", + "privilege": "IndexFaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Read", + "description": "Returns a list of collection IDs in your account.", + "privilege": "ListCollections", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Read", + "description": "Returns metadata for faces in the specified collection.", + "privilege": "ListFaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "List", + "description": "Gets a list of stream processors that you have created with CreateStreamProcessor.", + "privilege": "ListStreamProcessors", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streamprocessor*" + } + ] + }, + { + "access_level": "Read", + "description": "Returns a list of tags associated with a resource.", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + } + ] + }, + { + "access_level": "Read", + "description": "Returns an 
array of celebrities recognized in the input image.", + "privilege": "RecognizeCelebrities", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "For a given input face ID, searches the specified collection for matching faces.", + "privilege": "SearchFaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Read", + "description": "For a given input image, first detects the largest face in the image, and then searches the specified collection for matching faces.", + "privilege": "SearchFacesByImage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Starts asynchronous recognition of celebrities in a video.", + "privilege": "StartCelebrityRecognition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Starts asynchronous detection of explicit or suggestive adult content in a video.", + "privilege": "StartContentModeration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Starts asynchronous detection of faces in a video.", + "privilege": "StartFaceDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Starts the asynchronous search for faces in a collection that match the faces of persons detected in a video.", + "privilege": "StartFaceSearch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "collection*" + } + ] + }, + { + "access_level": "Write", + 
"description": "Starts asynchronous detection of labels in a video.", + "privilege": "StartLabelDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Starts the asynchronous tracking of persons in a video.", + "privilege": "StartPersonTracking", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Starts the deployment of a model version.", + "privilege": "StartProjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + } + ] + }, + { + "access_level": "Write", + "description": "Starts asynchronous detection of segments in a video.", + "privilege": "StartSegmentDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Starts processing a stream processor.", + "privilege": "StartStreamProcessor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "streamprocessor*" + } + ] + }, + { + "access_level": "Write", + "description": "Starts asynchronous detection of text in a video.", + "privilege": "StartTextDetection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Stops a deployed model version.", + "privilege": "StopProjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + } + ] + }, + { + "access_level": "Write", + "description": "Stops a running stream processor that was created by CreateStreamProcessor.", + "privilege": "StopStreamProcessor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "streamprocessor*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Adds one or more tags to a resource.", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Removes one or more tags from a resource.", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "projectversion*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:collection/${CollectionId}", + "condition_keys": [], + "resource": "collection" + }, + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:streamprocessor/${StreamprocessorId}", + "condition_keys": [], + "resource": "streamprocessor" + }, + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/${CreationTimestamp}", + "condition_keys": [], + "resource": "project" + }, + { + "arn": "arn:${Partition}:rekognition:${Region}:${Account}:project/${ProjectName}/version/${VersionName}/${CreationTimestamp}", + "condition_keys": [], + "resource": "projectversion" + } + ], + "service_name": "Amazon Rekognition" + }, + { + "conditions": [], + "prefix": "resource-explorer", + "privileges": [ + { + "access_level": "List", + "description": "Grants permission to retrieve the resource types currently supported by Tag Editor", + "privilege": "ListResourceTypes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve the identifiers of the resources in the AWS 
account", + "privilege": "ListResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the tags attached to the specified resource identifiers", + "privilege": "ListTags", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "tag:GetResources" + ], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Tag Editor" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "resource-groups", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a resource group with a specified name, description, and resource query", + "privilege": "CreateGroup", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a specified resource group", + "privilege": "DeleteGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information of a specified resource group", + "privilege": "GetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the 
service configuration associated with the specified resource group", + "privilege": "GetGroupConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the query associated with a specified resource group", + "privilege": "GetGroupQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the tags associated with a specified resource group", + "privilege": "GetTags", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add the specified resources to the specified group", + "privilege": "GroupResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the resources that are members of a specified resource group", + "privilege": "ListGroupResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "tag:GetResources" + ], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all resource groups in your account", + "privilege": "ListGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put the service configuration associated with the specified resource group", + "privilege": "PutGroupConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + 
{ + "access_level": "Write", + "description": "Grants permission to add a resource-based policy for the specified group", + "privilege": "PutGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to search for AWS resources matching the given query", + "privilege": "SearchResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "tag:GetResources" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a specified resource group", + "privilege": "Tag", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the specified resources from the specified group", + "privilege": "UngroupResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags associated with a specified resource group", + "privilege": "Untag", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a specified resource group", + "privilege": "UpdateGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update 
the query associated with a specified resource group", + "privilege": "UpdateGroupQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:resource-groups:${Region}:${Account}:group/${GroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "group" + } + ], + "service_name": "AWS Resource Groups" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "", + "type": "String" + } + ], + "prefix": "robomaker", + "privileges": [ + { + "access_level": "Write", + "description": "Delete one or more worlds in a batch operation", + "privilege": "BatchDeleteWorlds", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Describe multiple simulation jobs", + "privilege": "BatchDescribeSimulationJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Cancel a deployment job", + "privilege": "CancelDeploymentJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentJob*" + } + ] + }, + { + "access_level": "Write", + "description": "Cancel a simulation job", + "privilege": "CancelSimulationJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJob*" + } + ] + }, + { + "access_level": "Write", + "description": "Cancel a simulation job batch", + "privilege": "CancelSimulationJobBatch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJobBatch*" + } + ] 
+ }, + { + "access_level": "Write", + "description": "Cancel a world export job", + "privilege": "CancelWorldExportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldExportJob*" + } + ] + }, + { + "access_level": "Write", + "description": "Cancel a world generation job", + "privilege": "CancelWorldGenerationJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldGenerationJob*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a deployment job", + "privilege": "CreateDeploymentJob", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a deployment fleet that represents a logical group of robots running the same robot application", + "privilege": "CreateFleet", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a robot that can be registered to a fleet", + "privilege": "CreateRobot", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a robot application", + "privilege": "CreateRobotApplication", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a snapshot of a robot application", + "privilege": "CreateRobotApplicationVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:GetObject" + ], 
+ "resource_type": "robotApplication*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a simulation application", + "privilege": "CreateSimulationApplication", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a snapshot of a simulation application", + "privilege": "CreateSimulationApplicationVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:GetObject" + ], + "resource_type": "simulationApplication*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a simulation job", + "privilege": "CreateSimulationJob", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a world export job", + "privilege": "CreateWorldExportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "world*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a world generation job", + "privilege": "CreateWorldGenerationJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a world template", + "privilege": "CreateWorldTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a deployment fleet", + "privilege": "DeleteFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentFleet*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a robot", + "privilege": "DeleteRobot", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robot*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a robot application", + "privilege": "DeleteRobotApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robotApplication*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a simulation application", + "privilege": "DeleteSimulationApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationApplication*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a world template", + "privilege": "DeleteWorldTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate*" + } + ] + }, + { + "access_level": "Write", + "description": "Deregister a robot from a fleet", + "privilege": "DeregisterRobot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentFleet*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robot*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a deployment job", + "privilege": "DescribeDeploymentJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a deployment fleet", + "privilege": "DescribeFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentFleet*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a robot", + "privilege": "DescribeRobot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robot*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a robot application", + "privilege": 
"DescribeRobotApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robotApplication*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a simulation application", + "privilege": "DescribeSimulationApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationApplication*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a simulation job", + "privilege": "DescribeSimulationJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a simulation job batch", + "privilege": "DescribeSimulationJobBatch", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJobBatch*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a world", + "privilege": "DescribeWorld", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "world*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a world export job", + "privilege": "DescribeWorldExportJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldExportJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a world generation job", + "privilege": "DescribeWorldGenerationJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldGenerationJob*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe a world template", + "privilege": "DescribeWorldTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the body of a world template", + "privilege": 
"GetWorldTemplateBody", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate*" + } + ] + }, + { + "access_level": "List", + "description": "List deployment jobs", + "privilege": "ListDeploymentJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List fleets", + "privilege": "ListFleets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List robot applications", + "privilege": "ListRobotApplications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List robots", + "privilege": "ListRobots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List simulation applications", + "privilege": "ListSimulationApplications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List simulation job batches", + "privilege": "ListSimulationJobBatches", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List simulation jobs", + "privilege": "ListSimulationJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Lists supported availability zones", + "privilege": "ListSupportedAvailabilityZones", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List tags for 
a RoboMaker resource.", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentFleet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robotApplication" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationApplication" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJobBatch" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "world" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldExportJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldGenerationJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate" + } + ] + }, + { + "access_level": "List", + "description": "List world export jobs", + "privilege": "ListWorldExportJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List world generation jobs", + "privilege": "ListWorldGenerationJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List world templates", + "privilege": "ListWorldTemplates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List worlds", + "privilege": "ListWorlds", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Register a robot to a fleet", + "privilege": "RegisterRobot", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentFleet*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robot*" + } + ] + }, + { + "access_level": "Write", + "description": "Restart a running simulation job", + "privilege": "RestartSimulationJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJob*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a simulation job batch", + "privilege": "StartSimulationJobBatch", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Ensures the most recently deployed robot application is deployed to all robots in the fleet", + "privilege": "SyncDeploymentJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "deploymentFleet*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Add tags to a RoboMaker resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentFleet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robotApplication" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationApplication" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJob" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJobBatch" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "world" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldExportJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldGenerationJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Remove tags from a RoboMaker resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentFleet" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deploymentJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robot" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robotApplication" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationApplication" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationJobBatch" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "world" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldExportJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldGenerationJob" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Update a robot application", + 
"privilege": "UpdateRobotApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "robotApplication*" + } + ] + }, + { + "access_level": "Write", + "description": "Report the deployment status for an individual robot", + "privilege": "UpdateRobotDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Update a simulation application", + "privilege": "UpdateSimulationApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "simulationApplication*" + } + ] + }, + { + "access_level": "Write", + "description": "Update a world template", + "privilege": "UpdateWorldTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "worldTemplate*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:robot-application/${ApplicationName}/${CreatedOnEpoch}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "robotApplication" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:simulation-application/${ApplicationName}/${CreatedOnEpoch}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "simulationApplication" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:simulation-job/${SimulationJobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "simulationJob" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:simulation-job-batch/${SimulationJobBatchId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "simulationJobBatch" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:deployment-job/${DeploymentJobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deploymentJob" + }, + { + "arn": 
"arn:${Partition}:robomaker:${Region}:${Account}:robot/${RobotName}/${CreatedOnEpoch}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "robot" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:deployment-fleet/${FleetName}/${CreatedOnEpoch}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deploymentFleet" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world-generation-job/${WorldGenerationJobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "worldGenerationJob" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world-export-job/${WorldExportJobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "worldExportJob" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world-template/${WorldTemplateJobId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "worldTemplate" + }, + { + "arn": "arn:${Partition}:robomaker:${Region}:${Account}:world/${WorldId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "world" + } + ], + "service_name": "AWS RoboMaker" + }, + { + "conditions": [], + "prefix": "route53", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to activate a key-signing key so that it can be used for signing by DNSSEC", + "privilege": "ActivateKeySigningKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate an additional Amazon VPC with a private hosted zone", + "privilege": "AssociateVPCWithHostedZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "vpc*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone" + } + ] + }, + { + "access_level": "Write", + 
"description": "Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name", + "privilege": "ChangeResourceRecordSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add, edit, or delete tags for a health check or a hosted zone", + "privilege": "ChangeTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new health check, which monitors the health and performance of your web applications, web servers, and other resources", + "privilege": "CreateHealthCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a public hosted zone, which you use to specify how the Domain Name System (DNS) routes traffic on the Internet for a domain, such as example.com, and its subdomains", + "privilege": "CreateHostedZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "vpc" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new key-signing key associated with a hosted zone", + "privilege": "CreateKeySigningKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a configuration for DNS query logging", + "privilege": "CreateQueryLoggingConfig", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a delegation set (a group of four name servers) that can be reused by multiple hosted zones", + "privilege": "CreateReusableDelegationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a traffic policy, which you use to create multiple DNS records for one domain name (such as example.com) or one subdomain name (such as www.example.com)", + "privilege": "CreateTrafficPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create records in a specified hosted zone based on the settings in a specified traffic policy version", + "privilege": "CreateTrafficPolicyInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new version of an existing traffic policy", + "privilege": "CreateTrafficPolicyVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to authorize the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request, which associates the VPC with a specified hosted zone that was created by a different account", + "privilege": "CreateVPCAssociationAuthorization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + 
"description": "Grants permission to deactivate a key-signing key so that it will not be used for signing by DNSSEC", + "privilege": "DeactivateKeySigningKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a health check", + "privilege": "DeleteHealthCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a hosted zone", + "privilege": "DeleteHostedZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a key-signing key", + "privilege": "DeleteKeySigningKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a configuration for DNS query logging", + "privilege": "DeleteQueryLoggingConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queryloggingconfig*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a reusable delegation set", + "privilege": "DeleteReusableDelegationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "delegationset*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a traffic policy", + "privilege": "DeleteTrafficPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a traffic policy instance and all the records 
that Route 53 created when you created the instance", + "privilege": "DeleteTrafficPolicyInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicyinstance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove authorization for associating an Amazon Virtual Private Cloud with a Route 53 private hosted zone", + "privilege": "DeleteVPCAssociationAuthorization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable DNSSEC signing in a specific hosted zone", + "privilege": "DisableHostedZoneDNSSEC", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an Amazon Virtual Private Cloud from a Route 53 private hosted zone", + "privilege": "DisassociateVPCFromHostedZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "hostedzone" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "vpc" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable DNSSEC signing in a specific hosted zone", + "privilege": "EnableHostedZoneDNSSEC", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the specified limit for the current account, for example, the maximum number of health checks that you can create using the account", + "privilege": "GetAccountLimit", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants 
permission to get the current status of a request to create, update, or delete one or more records", + "privilege": "GetChange", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "change*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of the IP ranges that are used by Route 53 health checkers to check the health of your resources", + "privilege": "GetCheckerIpRanges", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about DNSSEC for a specific hosted zone, including the key-signing keys in the hosted zone", + "privilege": "GetDNSSEC", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about whether a specified geographic location is supported for Route 53 geolocation records", + "privilege": "GetGeoLocation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified health check", + "privilege": "GetHealthCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get the number of health checks that are associated with the current AWS account", + "privilege": "GetHealthCheckCount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get the reason that a specified health check failed most recently", + "privilege": "GetHealthCheckLastFailureReason", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get the status of a specified health check", + "privilege": "GetHealthCheckStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about a specified hosted zone including the four name servers that Route 53 assigned to the hosted zone", + "privilege": "GetHostedZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get the number of hosted zones that are associated with the current AWS account", + "privilege": "GetHostedZoneCount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the specified limit for a specified hosted zone", + "privilege": "GetHostedZoneLimit", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified configuration for DNS query logging", + "privilege": "GetQueryLoggingConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queryloggingconfig*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about a specified reusable delegation set, including the four name servers that are assigned to the delegation set", + "privilege": "GetReusableDelegationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "delegationset*" + 
} + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the maximum number of hosted zones that you can associate with the specified reusable delegation set", + "privilege": "GetReusableDelegationSetLimit", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "delegationset*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified traffic policy version", + "privilege": "GetTrafficPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicy*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified traffic policy instance", + "privilege": "GetTrafficPolicyInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicyinstance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the number of traffic policy instances that are associated with the current AWS account", + "privilege": "GetTrafficPolicyInstanceCount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of geographic locations that Route 53 supports for geolocation", + "privilege": "ListGeoLocations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of the health checks that are associated with the current AWS account", + "privilege": "ListHealthChecks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of the public and private hosted zones that are 
associated with the current AWS account", + "privilege": "ListHostedZones", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of your hosted zones in lexicographic order. Hosted zones are sorted by name with the labels reversed, for example, com.example.www.", + "privilege": "ListHostedZonesByName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of all the private hosted zones that a specified VPC is associated with", + "privilege": "ListHostedZonesByVPC", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "vpc*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the configurations for DNS query logging that are associated with the current AWS account or the configuration that is associated with a specified hosted zone.", + "privilege": "ListQueryLoggingConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the records in a specified hosted zone", + "privilege": "ListResourceRecordSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the reusable delegation sets that are associated with the current AWS account.", + "privilege": "ListReusableDelegationSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tags for one health check or hosted zone", + 
"privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tags for up to 10 health checks or hosted zones", + "privilege": "ListTagsForResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about the latest version for every traffic policy that is associated with the current AWS account. Policies are listed in the order in which they were created.", + "privilege": "ListTrafficPolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about the traffic policy instances that you created by using the current AWS account", + "privilege": "ListTrafficPolicyInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about the traffic policy instances that you created in a specified hosted zone", + "privilege": "ListTrafficPolicyInstancesByHostedZone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about the traffic policy instances that you created using a specified traffic policy version", + "privilege": "ListTrafficPolicyInstancesByPolicy", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "trafficpolicy*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get information about all the versions for a specified traffic policy", + "privilege": "ListTrafficPolicyVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicy*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get a list of the VPCs that were created by other accounts and that can be associated with a specified hosted zone", + "privilege": "ListVPCAssociationAuthorizations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the value that Route 53 returns in response to a DNS query for a specified record name and type", + "privilege": "TestDNSAnswer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing health check", + "privilege": "UpdateHealthCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "healthcheck*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the comment for a specified hosted zone", + "privilege": "UpdateHostedZoneComment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "hostedzone*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the comment for a specified traffic policy version", + "privilege": "UpdateTrafficPolicyComment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicy*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the records 
in a specified hosted zone that were created based on the settings in a specified traffic policy version", + "privilege": "UpdateTrafficPolicyInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "trafficpolicyinstance*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:route53:::change/${Id}", + "condition_keys": [], + "resource": "change" + }, + { + "arn": "arn:${Partition}:route53:::delegationset/${Id}", + "condition_keys": [], + "resource": "delegationset" + }, + { + "arn": "arn:${Partition}:route53:::healthcheck/${Id}", + "condition_keys": [], + "resource": "healthcheck" + }, + { + "arn": "arn:${Partition}:route53:::hostedzone/${Id}", + "condition_keys": [], + "resource": "hostedzone" + }, + { + "arn": "arn:${Partition}:route53:::trafficpolicy/${Id}", + "condition_keys": [], + "resource": "trafficpolicy" + }, + { + "arn": "arn:${Partition}:route53:::trafficpolicyinstance/${Id}", + "condition_keys": [], + "resource": "trafficpolicyinstance" + }, + { + "arn": "arn:${Partition}:route53:::queryloggingconfig/${Id}", + "condition_keys": [], + "resource": "queryloggingconfig" + }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}", + "condition_keys": [], + "resource": "vpc" + } + ], + "service_name": "Amazon Route 53" + }, + { + "conditions": [], + "prefix": "route53-recovery-cluster", + "privileges": [ + { + "access_level": "Read", + "description": "Grants permission to Get a Routing Control State", + "privilege": "GetRoutingControlState", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update a Routing Control State", + "privilege": "UpdateRoutingControlState", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + }, + { + "access_level": "Write", + "description": 
"Grants permission to Update Routing Control States", + "privilege": "UpdateRoutingControlStates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:route53-recovery-control::${Account}:controlpanel/${ControlPanelId}/routingcontrol/${RoutingControlId}", + "condition_keys": [], + "resource": "routingcontrol" + } + ], + "service_name": "Amazon Route53 Recovery Cluster" + }, + { + "conditions": [], + "prefix": "route53-recovery-control-config", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to Create a new Cluster", + "privilege": "CreateCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create a new Control Panel", + "privilege": "CreateControlPanel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "controlpanel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create a new Routing Control", + "privilege": "CreateRoutingControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create a Safety Rule", + "privilege": "CreateSafetyRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "safetyrule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete an existing Cluster", + "privilege": "DeleteCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create a Control Panel", + "privilege": "DeleteControlPanel", 
+ "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "controlpanel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete a Routing Control", + "privilege": "DeleteRoutingControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete a Safety Rule", + "privilege": "DeleteSafetyRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "safetyrule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Describe a Cluster", + "privilege": "DescribeCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Describe a Control Panel", + "privilege": "DescribeControlPanel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "controlpanel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Describe a Routing Control", + "privilege": "DescribeRoutingControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Describe a Routing Control", + "privilege": "DescribeRoutingControlByName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Describe a Safety Rule", + "privilege": "DescribeSafetyRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "safetyrule*" + } + ] + }, + { + "access_level": "List", + "description": "Grants 
permission to List Associated Route53 Health Checks", + "privilege": "ListAssociatedRoute53HealthChecks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List existing Clusters", + "privilege": "ListClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List Control Panels", + "privilege": "ListControlPanels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List Routing Controls", + "privilege": "ListRoutingControls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List Safety Rules", + "privilege": "ListSafetyRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "controlpanel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update an existing Cluster", + "privilege": "UpdateControlPanel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "controlpanel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update a Routing Control", + "privilege": "UpdateRoutingControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "routingcontrol*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update an existing Safety Rule", + "privilege": "UpdateSafetyRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "safetyrule*" + } + ] + } + ], + "resources": [ + { + 
"arn": "arn:${Partition}:route53-recovery-control::${Account}:cluster/${ResourceId}", + "condition_keys": [], + "resource": "cluster" + }, + { + "arn": "arn:${Partition}:route53-recovery-control::${Account}:controlpanel/${ControlPanelId}", + "condition_keys": [], + "resource": "controlpanel" + }, + { + "arn": "arn:${Partition}:route53-recovery-control::${Account}:controlpanel/${ControlPanelId}/routingcontrol/${RoutingControlId}", + "condition_keys": [], + "resource": "routingcontrol" + }, + { + "arn": "arn:${Partition}:route53-recovery-control::${Account}:controlpanel/${ControlPanelId}/safetyrule/${SafetyRuleId}", + "condition_keys": [], + "resource": "safetyrule" + } + ], + "service_name": "Amazon Route53 Recovery Controls" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "route53-recovery-readiness", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to Create a new Cell", + "privilege": "CreateCell", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cell*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create a new Cross Account Authorization", + "privilege": "CreateCrossAccountAuthorization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create 
a new Readiness Check", + "privilege": "CreateReadinessCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "readinesscheck*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create a Recovery Group", + "privilege": "CreateRecoveryGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Create a new Resource Set", + "privilege": "CreateResourceSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resourceset*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete an existing Cell", + "privilege": "DeleteCell", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cell*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete a Cross Account Authorization", + "privilege": "DeleteCrossAccountAuthorization", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete an existing Readiness Check", + "privilege": "DeleteReadinessCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "readinesscheck*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete an existing Recovery Group", + 
"privilege": "DeleteRecoveryGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Delete an existing Readiness Check", + "privilege": "DeleteResourceSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resourceset*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get Architecture Recommendations for a Recovery Group", + "privilege": "GetArchitectureRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get an existing Cell", + "privilege": "GetCell", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cell*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get Readiness Summary for Cell", + "privilege": "GetCellReadinessSummary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cell*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get a Readiness Check", + "privilege": "GetReadinessCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "readinesscheck*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get the Readiness Summary for a Resource", + "privilege": "GetReadinessCheckResourceStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "readinesscheck*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get the status of a Readiness Check", + "privilege": "GetReadinessCheckStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "readinesscheck*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get a Recovery Group", + "privilege": "GetRecoveryGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get the Readiness Summary of a Recovery Group", + "privilege": "GetRecoveryGroupReadinessSummary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to Get a Resource Set", + "privilege": "GetResourceSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resourceset*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List existing Cells", + "privilege": "ListCells", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List existing Cross Account Authorizations", + "privilege": "ListCrossAccountAuthorizations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List existing Readiness Checks", + "privilege": "ListReadinessChecks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List existing Recovery Groups", + "privilege": "ListRecoveryGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List existing Resource Sets", + "privilege": "ListResourceSets", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List Readiness Rules", + "privilege": "ListRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to List Tags for a Resource", + "privilege": "ListTagsForResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to Add a Tag to a Resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cell" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "readinesscheck" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resourceset" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to Remove a Tag from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cell" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "readinesscheck" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resourceset" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update an 
existing Cell", + "privilege": "UpdateCell", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cell*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update an existing Readiness Check", + "privilege": "UpdateReadinessCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "readinesscheck*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update an existing Recovery Group", + "privilege": "UpdateRecoveryGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "recoverygroup*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to Update an existing Resource Set", + "privilege": "UpdateResourceSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resourceset*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:route53-recovery-readiness::${Account}:readiness-check/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "readinesscheck" + }, + { + "arn": "arn:${Partition}:route53-recovery-readiness::${Account}:resource-set/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resourceset" + }, + { + "arn": "arn:${Partition}:route53-recovery-readiness::${Account}:cell/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "cell" + }, + { + "arn": 
"arn:${Partition}:route53-recovery-readiness::${Account}:recovery-group/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "recoverygroup" + } + ], + "service_name": "Amazon Route53 Recovery Readiness" + }, + { + "conditions": [], + "prefix": "route53domains", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept the transfer of a domain from another AWS account to the current AWS account", + "privilege": "AcceptDomainTransferFromAnotherAwsAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to cancel the transfer of a domain from the current AWS account to another AWS account", + "privilege": "CancelDomainTransferToAnotherAwsAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to check the availability of one domain name", + "privilege": "CheckDomainAvailability", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to check whether a domain name can be transferred to Amazon Route 53", + "privilege": "CheckDomainTransferability", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to delete the specified tags for a domain", + "privilege": "DeleteTagsForDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to configure Amazon Route 53 to automatically renew the specified domain before the domain registration expires", + "privilege": 
"DisableDomainAutoRenew", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the transfer lock on the domain (specifically the clientTransferProhibited status) to allow domain transfers", + "privilege": "DisableDomainTransferLock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to configure Amazon Route 53 to automatically renew the specified domain before the domain registration expires", + "privilege": "EnableDomainAutoRenew", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the transfer lock on the domain (specifically the clientTransferProhibited status) to prevent domain transfers", + "privilege": "EnableDomainTransferLock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to get information about whether the registrant contact has responded", + "privilege": "GetContactReachabilityStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get detailed information about a domain", + "privilege": "GetDomainDetail", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a list of suggested domain names given a string, which can either be a domain 
name or simply a word or phrase (without spaces)", + "privilege": "GetDomainSuggestions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the current status of an operation that is not completed", + "privilege": "GetOperationDetail", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the domain names registered with Amazon Route 53 for the current AWS account", + "privilege": "ListDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the operation IDs of operations that are not yet complete", + "privilege": "ListOperations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the tags that are associated with the specified domain", + "privilege": "ListTagsForDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register domains", + "privilege": "RegisterDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to reject the transfer of a domain from another AWS account to the current AWS account", + "privilege": "RejectDomainTransferFromAnotherAwsAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to renew domains for the 
specified number of years", + "privilege": "RenewDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "For operations that require confirmation that the email address for the registrant contact is valid, such as registering a new domain, grants permission to resend the confirmation email to the current email address for the registrant contact", + "privilege": "ResendContactReachabilityEmail", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to get the AuthCode for the domain", + "privilege": "RetrieveDomainAuthCode", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to transfer a domain from another registrar to Amazon Route 53", + "privilege": "TransferDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to transfer a domain from the current AWS account to another AWS account", + "privilege": "TransferDomainToAnotherAwsAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the contact information for domain", + "privilege": "UpdateDomainContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the domain contact privacy setting", + "privilege": "UpdateDomainContactPrivacy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, 
+ { + "access_level": "Write", + "description": "Grants permission to replace the current set of name servers for a domain with the specified set of name servers", + "privilege": "UpdateDomainNameservers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add or update tags for a specified domain", + "privilege": "UpdateTagsForDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get all the domain-related billing records for the current AWS account for a specified period", + "privilege": "ViewBilling", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "Amazon Route 53 Domains" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "route53resolver", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate an Amazon VPC with a specified firewall rule group", + "privilege": "AssociateFirewallRuleGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "firewall-rule-group-association*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a specified IP address with a Resolver endpoint. 
This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", + "privilege": "AssociateResolverEndpointIpAddress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate an Amazon VPC with a specified query logging configuration", + "privilege": "AssociateResolverQueryLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a specified Resolver rule with a specified VPC", + "privilege": "AssociateResolverRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Firewall domain list", + "privilege": "CreateFirewallDomainList", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Firewall rule within a Firewall rule group", + "privilege": "CreateFirewallRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Firewall rule group", + "privilege": "CreateFirewallRuleGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Resolver endpoint. 
There are two types of Resolver endpoints, inbound and outbound", + "privilege": "CreateResolverEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Resolver query logging configuration, which defines where you want Resolver to save DNS query logs that originate in your VPCs", + "privilege": "CreateResolverQueryLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Write", + "description": "For DNS queries that originate in your VPC, grants permission to define how to route the queries out of the VPC", + "privilege": "CreateResolverRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Firewall domain list", + "privilege": "DeleteFirewallDomainList", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Firewall rule within a Firewall rule group", + "privilege": "DeleteFirewallRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Firewall rule group", + "privilege": "DeleteFirewallRuleGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Resolver endpoint. 
The effect of deleting a Resolver endpoint depends on whether it's an inbound or an outbound endpoint", + "privilege": "DeleteResolverEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Resolver query logging configuration", + "privilege": "DeleteResolverQueryLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a Resolver rule", + "privilege": "DeleteResolverRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the association between a specified Firewall rule group and a specified VPC", + "privilege": "DisassociateFirewallRuleGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group-association*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a specified IP address from a Resolver endpoint. 
This is an IP address that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", + "privilege": "DisassociateResolverEndpointIpAddress", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the association between a specified Resolver query logging configuration and a specified VPC", + "privilege": "DisassociateResolverQueryLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the association between a specified Resolver rule and a specified VPC", + "privilege": "DisassociateResolverRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Firewall config", + "privilege": "GetFirewallConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "firewall-config*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Firewall domain list", + "privilege": "GetFirewallDomainList", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Firewall rule group", + "privilege": "GetFirewallRuleGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about an association between 
a specified Firewall rule group and a VPC", + "privilege": "GetFirewallRuleGroupAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group-association*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Firewall rule group policy, which specifies the Firewall rule group operations and resources that you want to allow another AWS account to use", + "privilege": "GetFirewallRuleGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the DNSSEC validation support status for DNS queries within the specified resource", + "privilege": "GetResolverDnssecConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Resolver endpoint, such as whether it's an inbound or an outbound endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC", + "privilege": "GetResolverEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Resolver query logging configuration, such as the number of VPCs that the configuration is logging queries for and the location that logs are sent to", + "privilege": "GetResolverQueryLogConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified 
association between a Resolver query logging configuration and an Amazon VPC. When you associate a VPC with a query logging configuration, Resolver logs DNS queries that originate in that VPC", + "privilege": "GetResolverQueryLogConfigAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Resolver query logging policy, which specifies the Resolver query logging operations and resources that you want to allow another AWS account to use", + "privilege": "GetResolverQueryLogConfigPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the IP address that queries are forwarded to", + "privilege": "GetResolverRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about an association between a specified Resolver rule and a VPC", + "privilege": "GetResolverRuleAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a Resolver rule policy, which specifies the Resolver operations and resources that you want to allow another AWS account to use", + "privilege": "GetResolverRulePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission 
to add, remove or replace Firewall domains in a Firewall domain list", + "privilege": "ImportFirewallDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the Firewall config that current AWS account is able to check", + "privilege": "ListFirewallConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "firewall-config*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the Firewall domain list that current AWS account is able to use", + "privilege": "ListFirewallDomainLists", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the Firewall domain under a speicfied Firewall domain list", + "privilege": "ListFirewallDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list information about associations between Amazon VPCs and Firewall rule group", + "privilege": "ListFirewallRuleGroupAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the Firewall rule group that current AWS account is able to use", + "privilege": "ListFirewallRuleGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the Firewall rule under a speicfied Firewall rule group", + "privilege": "ListFirewallRules", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the DNSSEC validation support status for DNS queries", + "privilege": "ListResolverDnssecConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config*" + } + ] + }, + { + "access_level": "List", + "description": "For a specified Resolver endpoint, grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", + "privilege": "ListResolverEndpointIpAddresses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the Resolver endpoints that were created using the current AWS account", + "privilege": "ListResolverEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list information about associations between Amazon VPCs and query logging configurations", + "privilege": "ListResolverQueryLogConfigAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list information about the specified query logging configurations, which define where you want Resolver to save DNS query logs and specify the VPCs that you want to log queries for", + "privilege": "ListResolverQueryLogConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the associations 
that were created between Resolver rules and VPCs using the current AWS account", + "privilege": "ListResolverRuleAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the Resolver rules that were created using the current AWS account", + "privilege": "ListResolverRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags that you associated with the specified resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to specify an AWS account that you want to share a Firewall rule group with, the Firewall rule group that you want to share, and the operations that you want the account to be able to perform on the configuration", + "privilege": "PutFirewallRuleGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to specify an AWS account that you want to share a query logging configuration with, the query logging configuration that you want to share, and the operations that you want the account to be able to perform on the configuration", + "privilege": "PutResolverQueryLogConfigPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-query-log-config*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to 
specify an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules", + "privilege": "PutResolverRulePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a specified resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from a specified resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update selected settings for an Firewall config", + "privilege": "UpdateFirewallConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVpcs" + ], + "resource_type": "firewall-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add, remove or replace Firewall domains in a Firewall domain list", + "privilege": "UpdateFirewallDomains", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-domain-list*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update selected settings for an Firewall rule in a Firewall rule group", + "privilege": "UpdateFirewallRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "firewall-rule-group*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update selected settings for an Firewall rule group association", + "privilege": "UpdateFirewallRuleGroupAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "firewall-rule-group-association*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the DNSSEC validation support status for DNS queries within the specified resource", + "privilege": "UpdateResolverDnssecConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update selected settings for an inbound or an outbound Resolver endpoint", + "privilege": "UpdateResolverEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-endpoint*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update settings for a specified Resolver rule", + "privilege": "UpdateResolverRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-rule*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-dnssec-config/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resolver-dnssec-config" + }, + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resolver-query-log-config" + }, + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-rule/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resolver-rule" + }, + { + "arn": 
"arn:${Partition}:route53resolver:${Region}:${Account}:resolver-endpoint/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resolver-endpoint" + }, + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:firewall-rule-group/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "firewall-rule-group" + }, + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:firewall-rule-group-association/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "firewall-rule-group-association" + }, + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:firewall-domain-list/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "firewall-domain-list" + }, + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:firewall-config/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "firewall-config" + } + ], + "service_name": "Amazon Route 53 Resolver" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:RequestedRegion", + "description": "Requested region for the multi region access point operation", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + }, + { + "condition": "s3:AccessPointNetworkOrigin", + "description": "Filters access by the network origin (Internet or VPC)", + "type": "String" + }, + { + "condition": "s3:DataAccessPointAccount", + "description": "Filters access by the AWS Account ID that owns the access point", + "type": "String" + }, + 
{ + "condition": "s3:DataAccessPointArn", + "description": "Filters access by an access point Amazon Resource Name (ARN)", + "type": "String" + }, + { + "condition": "s3:ExistingJobOperation", + "description": "Filters access to updating the job priority by operation", + "type": "String" + }, + { + "condition": "s3:ExistingJobPriority", + "description": "Filters access to cancelling existing jobs by priority range", + "type": "Numeric" + }, + { + "condition": "s3:ExistingObjectTag/", + "description": "Filters access by existing object tag key and value", + "type": "String" + }, + { + "condition": "s3:JobSuspendedCause", + "description": "Filters access to cancelling suspended jobs by a specific job suspended cause (for example, AWAITING_CONFIRMATION)", + "type": "String" + }, + { + "condition": "s3:LocationConstraint", + "description": "Filters access by a specific Region", + "type": "String" + }, + { + "condition": "s3:RequestJobOperation", + "description": "Filters access to creating jobs by operation", + "type": "String" + }, + { + "condition": "s3:RequestJobPriority", + "description": "Filters access to creating new jobs by priority range", + "type": "Numeric" + }, + { + "condition": "s3:RequestObjectTag/", + "description": "Filters access by the tag keys and values to be added to objects", + "type": "String" + }, + { + "condition": "s3:RequestObjectTagKeys", + "description": "Filters access by the tag keys to be added to objects", + "type": "String" + }, + { + "condition": "s3:ResourceAccount", + "description": "Filters access by the resource owner AWS account ID", + "type": "String" + }, + { + "condition": "s3:TlsVersion", + "description": "Filters access by the TLS version used by the client", + "type": "Numeric" + }, + { + "condition": "s3:VersionId", + "description": "Filters access by a specific object version", + "type": "String" + }, + { + "condition": "s3:authType", + "description": "Filters access by authentication method", + "type": "String" + }, + { 
+ "condition": "s3:delimiter", + "description": "Filters access by delimiter parameter", + "type": "String" + }, + { + "condition": "s3:locationconstraint", + "description": "Filters access by a specific Region", + "type": "String" + }, + { + "condition": "s3:max-keys", + "description": "Filters access by maximum number of keys returned in a ListBucket request", + "type": "Numeric" + }, + { + "condition": "s3:object-lock-legal-hold", + "description": "Filters access by object legal hold status", + "type": "String" + }, + { + "condition": "s3:object-lock-mode", + "description": "Filters access by object retention mode (COMPLIANCE or GOVERNANCE)", + "type": "String" + }, + { + "condition": "s3:object-lock-remaining-retention-days", + "description": "Filters access by remaining object retention days", + "type": "String" + }, + { + "condition": "s3:object-lock-retain-until-date", + "description": "Filters access by object retain-until date", + "type": "String" + }, + { + "condition": "s3:prefix", + "description": "Filters access by key name prefix", + "type": "String" + }, + { + "condition": "s3:signatureAge", + "description": "Filters access by the age in milliseconds of the request signature", + "type": "Numeric" + }, + { + "condition": "s3:signatureversion", + "description": "Filters access by the version of AWS Signature used on the request", + "type": "String" + }, + { + "condition": "s3:versionid", + "description": "Filters access by a specific object version", + "type": "String" + }, + { + "condition": "s3:x-amz-acl", + "description": "Filters access by canned ACL in the request's x-amz-acl header", + "type": "String" + }, + { + "condition": "s3:x-amz-content-sha256", + "description": "Filters access to unsigned content in your bucket", + "type": "String" + }, + { + "condition": "s3:x-amz-copy-source", + "description": "Filters access to requests with a specific bucket, prefix, or object as the copy source", + "type": "String" + }, + { + "condition": 
"s3:x-amz-grant-full-control", + "description": "Filters access to requests with the x-amz-grant-full-control (full control) header", + "type": "String" + }, + { + "condition": "s3:x-amz-grant-read", + "description": "Filters access to requests with the x-amz-grant-read (read access) header", + "type": "String" + }, + { + "condition": "s3:x-amz-grant-read-acp", + "description": "Filters access to requests with the x-amz-grant-read-acp (read permissions for the ACL) header", + "type": "String" + }, + { + "condition": "s3:x-amz-grant-write", + "description": "Filters access to requests with the x-amz-grant-write (write access) header", + "type": "String" + }, + { + "condition": "s3:x-amz-grant-write-acp", + "description": "Filters access to requests with the x-amz-grant-write-acp (write permissions for the ACL) header", + "type": "String" + }, + { + "condition": "s3:x-amz-metadata-directive", + "description": "Filters access by object metadata behavior (COPY or REPLACE) when objects are copied", + "type": "String" + }, + { + "condition": "s3:x-amz-server-side-encryption", + "description": "Filters access by server-side encryption", + "type": "String" + }, + { + "condition": "s3:x-amz-server-side-encryption-aws-kms-key-id", + "description": "Filters access by AWS KMS customer managed CMK for server-side encryption", + "type": "String" + }, + { + "condition": "s3:x-amz-storage-class", + "description": "Filters access by storage class", + "type": "String" + }, + { + "condition": "s3:x-amz-website-redirect-location", + "description": "Filters access by a specific website redirect location for buckets that are configured as static websites", + "type": "String" + } + ], + "prefix": "s3", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to abort a multipart upload", + "privilege": "AbortMultipartUpload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ 
+ "s3:DataAccessPointArn", + "s3:DataAccessPointAccount", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to allow circumvention of governance-mode object retention settings", + "privilege": "BypassGovernanceRetention", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:RequestObjectTag/", + "s3:RequestObjectTagKeys", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-acl", + "s3:x-amz-content-sha256", + "s3:x-amz-copy-source", + "s3:x-amz-grant-full-control", + "s3:x-amz-grant-read", + "s3:x-amz-grant-read-acp", + "s3:x-amz-grant-write", + "s3:x-amz-grant-write-acp", + "s3:x-amz-metadata-directive", + "s3:x-amz-server-side-encryption", + "s3:x-amz-server-side-encryption-aws-kms-key-id", + "s3:x-amz-storage-class", + "s3:x-amz-website-redirect-location", + "s3:object-lock-mode", + "s3:object-lock-retain-until-date", + "s3:object-lock-remaining-retention-days", + "s3:object-lock-legal-hold" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new access point", + "privilege": "CreateAccessPoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:locationconstraint", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + 
"s3:x-amz-acl", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an object lambda enabled accesspoint", + "privilege": "CreateAccessPointForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new bucket", + "privilege": "CreateBucket", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:locationconstraint", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-acl", + "s3:x-amz-content-sha256", + "s3:x-amz-grant-full-control", + "s3:x-amz-grant-read", + "s3:x-amz-grant-read-acp", + "s3:x-amz-grant-write", + "s3:x-amz-grant-write-acp" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new Amazon S3 Batch Operations job", + "privilege": "CreateJob", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256", + "s3:RequestJobPriority", + "s3:RequestJobOperation", + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new multi region access point", 
+ "privilege": "CreateMultiRegionAccessPoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiregionaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "aws:RequestedRegion", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the access point named in the URI", + "privilege": "DeleteAccessPoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointArn", + "s3:DataAccessPointAccount", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the object lambda enabled access point named in the URI", + "privilege": "DeleteAccessPointForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointArn", + "s3:DataAccessPointAccount", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to delete the policy on a specified access point", + "privilege": "DeleteAccessPointPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accesspoint*" + }, + { 
+ "condition_keys": [ + "s3:DataAccessPointArn", + "s3:DataAccessPointAccount", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to delete the policy on a specified object lambda enabled access point", + "privilege": "DeleteAccessPointPolicyForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointArn", + "s3:DataAccessPointAccount", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the bucket named in the URI", + "privilege": "DeleteBucket", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete ownership controls on a bucket", + "privilege": "DeleteBucketOwnershipControls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + 
"description": "Grants permission to delete the policy on a specified bucket", + "privilege": "DeleteBucketPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the website configuration for a bucket", + "privilege": "DeleteBucketWebsite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from an existing Amazon S3 Batch Operations job", + "privilege": "DeleteJobTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256", + "s3:ExistingJobPriority", + "s3:ExistingJobOperation" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the multi region access point named in the URI", + "privilege": "DeleteMultiRegionAccessPoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiregionaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "aws:RequestedRegion", + "s3:authType", + "s3:ResourceAccount", + 
"s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object", + "privilege": "DeleteObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to use the tagging subresource to remove the entire tag set from the specified object", + "privilege": "DeleteObjectTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a specific version of an object", + "privilege": "DeleteObjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:versionid", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + 
"resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the entire tag set for a specific version of the object", + "privilege": "DeleteObjectVersionTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:versionid", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing Amazon S3 Storage Lens configuration", + "privilege": "DeleteStorageLensConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storagelensconfiguration*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from an existing Amazon S3 Storage Lens configuration", + "privilege": "DeleteStorageLensConfigurationTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storagelensconfiguration*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the configuration parameters and status for a batch operations job", + "privilege": "DescribeJob", + "resource_types": [ + { + "condition_keys": 
[], + "dependent_actions": [], + "resource_type": "job*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the configurations for a multi region access point", + "privilege": "DescribeMultiRegionAccessPointOperation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiregionaccesspointrequestarn*" + }, + { + "condition_keys": [ + "aws:RequestedRegion", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to uses the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended", + "privilege": "GetAccelerateConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return configuration information about the specified access point", + "privilege": "GetAccessPoint", + "resource_types": [ + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to 
retrieve the configuration of the object lambda enabled access point", + "privilege": "GetAccessPointConfigurationForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointArn", + "s3:DataAccessPointAccount", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to create an object lambda enabled accesspoint", + "privilege": "GetAccessPointForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to returns the access point policy associated with the specified access point", + "privilege": "GetAccessPointPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to returns the access point policy associated with the specified object lambda enabled access point", + "privilege": 
"GetAccessPointPolicyForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the policy status for a specific access point policy", + "privilege": "GetAccessPointPolicyStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the policy status for a specific object lambda access point policy", + "privilege": "GetAccessPointPolicyStatusForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the PublicAccessBlock configuration for an AWS account", + "privilege": "GetAccountPublicAccessBlock", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + 
"s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID", + "privilege": "GetAnalyticsConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket", + "privilege": "GetBucketAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the CORS configuration information set for an Amazon S3 bucket", + "privilege": "GetBucketCORS", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the Region that an Amazon S3 bucket resides in", + "privilege": "GetBucketLocation", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "bucket*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status", + "privilege": "GetBucketLogging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the notification configuration of an Amazon S3 bucket", + "privilege": "GetBucketNotification", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the Object Lock configuration of an Amazon S3 bucket", + "privilege": "GetBucketObjectLockConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:signatureversion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve ownership controls on a bucket", + "privilege": "GetBucketOwnershipControls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + 
"s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the policy of the specified bucket", + "privilege": "GetBucketPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public", + "privilege": "GetBucketPolicyStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket", + "privilege": "GetBucketPublicAccessBlock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the request payment configuration for an Amazon S3 bucket", + "privilege": "GetBucketRequestPayment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + 
"condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the tag set associated with an Amazon S3 bucket", + "privilege": "GetBucketTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the versioning state of an Amazon S3 bucket", + "privilege": "GetBucketVersioning", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the website configuration for an Amazon S3 bucket", + "privilege": "GetBucketWebsite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the default encryption configuration an Amazon S3 bucket", + "privilege": "GetEncryptionConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an or list all Amazon S3 Intelligent Tiering configuration in a S3 Bucket", + "privilege": "GetIntelligentTieringConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID", + "privilege": "GetInventoryConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the tag set of an existing Amazon S3 Batch Operations job", + "privilege": "GetJobTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket", + 
"privilege": "GetLifecycleConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a metrics configuration from an Amazon S3 bucket", + "privilege": "GetMetricsConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return configuration information about the specified multi region access point", + "privilege": "GetMultiRegionAccessPoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiregionaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "aws:RequestedRegion", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to returns the access point policy associated with the specified multi region access point", + "privilege": "GetMultiRegionAccessPointPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiregionaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "aws:RequestedRegion", + 
"s3:authType", + "s3:ResourceAccount", + "s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the policy status for a specific multi region access point policy", + "privilege": "GetMultiRegionAccessPointPolicyStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "multiregionaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "aws:RequestedRegion", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve objects from Amazon S3", + "privilege": "GetObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the access control list (ACL) of an object", + "privilege": "GetObjectAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + 
] + }, + { + "access_level": "Read", + "description": "Grants permission to get an object's current Legal Hold status", + "privilege": "GetObjectLegalHold", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the retention settings for an object", + "privilege": "GetObjectRetention", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the tag set of an object", + "privilege": "GetObjectTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return torrent files from an Amazon S3 bucket", + "privilege": "GetObjectTorrent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "object*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a specific version of an object", + "privilege": "GetObjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:versionid", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the access control list (ACL) of a specific object version", + "privilege": "GetObjectVersionAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:versionid", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS", + "privilege": "GetObjectVersionForReplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" 
+ ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the tag set for a specific version of the object", + "privilege": "GetObjectVersionTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:versionid", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get Torrent files about a different version using the versionId subresource", + "privilege": "GetObjectVersionTorrent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:versionid", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the replication configuration information set on an Amazon S3 bucket", + "privilege": "GetReplicationConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an Amazon S3 Storage Lens configuration", + "privilege": "GetStorageLensConfiguration", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "storagelensconfiguration*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the tag set of an existing Amazon S3 Storage Lens configuration", + "privilege": "GetStorageLensConfigurationTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storagelensconfiguration*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an Amazon S3 Storage Lens dashboard", + "privilege": "GetStorageLensDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "storagelensconfiguration*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list access points", + "privilege": "ListAccessPoints", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list object lambda enabled accesspoints", + "privilege": "ListAccessPointsForObjectLambda", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + 
"s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all buckets owned by the authenticated sender of the request", + "privilege": "ListAllMyBuckets", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)", + "privilege": "ListBucket", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:delimiter", + "s3:max-keys", + "s3:prefix", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list in-progress multipart uploads", + "privilege": "ListBucketMultipartUploads", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket", + "privilege": "ListBucketVersions", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:delimiter", + "s3:max-keys", + "s3:prefix", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list current jobs and jobs that have ended recently", + "privilege": "ListJobs", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list multi region access points", + "privilege": "ListMultiRegionAccessPoints", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestedRegion", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the parts that have been uploaded for a specific multipart upload", + "privilege": "ListMultipartUploadParts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list Amazon S3 Storage Lens configurations", + 
"privilege": "ListStorageLensConfigurations", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to change replica ownership", + "privilege": "ObjectOwnerOverrideToBucketOwner", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket", + "privilege": "PutAccelerateConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the configuration of the object lambda enabled access point", + "privilege": "PutAccessPointConfigurationForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointArn", + "s3:DataAccessPointAccount", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + 
"access_level": "Permissions management", + "description": "Grants permission to associate an access policy with a specified access point", + "privilege": "PutAccessPointPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to associate an access policy with a specified object lambda enabled access point", + "privilege": "PutAccessPointPolicyForObjectLambda", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to create or modify the PublicAccessBlock configuration for an AWS account", + "privilege": "PutAccountPublicAccessBlock", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID", + "privilege": "PutAnalyticsConfiguration", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to set the permissions on an existing bucket using access control lists (ACLs)", + "privilege": "PutBucketAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-acl", + "s3:x-amz-content-sha256", + "s3:x-amz-grant-full-control", + "s3:x-amz-grant-read", + "s3:x-amz-grant-read-acp", + "s3:x-amz-grant-write", + "s3:x-amz-grant-write-acp" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the CORS configuration for an Amazon S3 bucket", + "privilege": "PutBucketCORS", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the logging parameters for an Amazon S3 bucket", + "privilege": "PutBucketLogging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": 
"Write", + "description": "Grants permission to receive notifications when certain events happen in an Amazon S3 bucket", + "privilege": "PutBucketNotification", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to put Object Lock configuration on a specific bucket", + "privilege": "PutBucketObjectLockConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:TlsVersion", + "s3:signatureversion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add or replace ownership controls on a bucket", + "privilege": "PutBucketOwnershipControls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to add or replace a bucket policy on a bucket", + "privilege": "PutBucketPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, { - 
"condition": "s3:x-amz-storage-class", - "description": "Filters access by storage class", - "type": "String" + "access_level": "Permissions management", + "description": "Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket", + "privilege": "PutBucketPublicAccessBlock", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, - { - "condition": "s3:x-amz-website-redirect-location", - "description": "Filters access by a specific website redirect location for buckets that are configured as static websites", - "type": "String" - } - ], - "prefix": "s3", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to abort a multipart upload", - "privilege": "AbortMultipartUpload", + "description": "Grants permission to set the request payment configuration of a bucket", + "privilege": "PutBucketRequestPayment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointArn", - "s3:DataAccessPointAccount", - "s3:AccessPointNetworkOrigin", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", 
@@ -118174,44 +147561,23 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to allow circumvention of governance-mode object retention settings", - "privilege": "BypassGovernanceRetention", + "access_level": "Tagging", + "description": "Grants permission to add a set of tags to an existing Amazon S3 bucket", + "privilege": "PutBucketTagging", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:RequestObjectTag/", - "s3:RequestObjectTagKeys", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-acl", - "s3:x-amz-content-sha256", - "s3:x-amz-copy-source", - "s3:x-amz-grant-full-control", - "s3:x-amz-grant-read", - "s3:x-amz-grant-read-acp", - "s3:x-amz-grant-write", - "s3:x-amz-grant-write-acp", - "s3:x-amz-metadata-directive", - "s3:x-amz-server-side-encryption", - "s3:x-amz-server-side-encryption-aws-kms-key-id", - "s3:x-amz-storage-class", - "s3:x-amz-website-redirect-location", - "s3:object-lock-mode", - "s3:object-lock-retain-until-date", - "s3:object-lock-remaining-retention-days", - "s3:object-lock-legal-hold" + "s3:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -118220,26 +147586,21 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new access point", - "privilege": "CreateAccessPoint", + "description": "Grants permission to set the versioning state of an existing Amazon S3 bucket", + "privilege": "PutBucketVersioning", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", "s3:authType", - "s3:locationconstraint", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-acl", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -118249,8 +147610,8 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new bucket", - "privilege": "CreateBucket", + "description": "Grants permission to set the configuration of the website that is specified in the website subresource", + "privilege": "PutBucketWebsite", "resource_types": [ { "condition_keys": [], @@ -118260,18 +147621,11 @@ { "condition_keys": [ "s3:authType", - "s3:locationconstraint", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-acl", - "s3:x-amz-content-sha256", - "s3:x-amz-grant-full-control", - "s3:x-amz-grant-read", - "s3:x-amz-grant-read-acp", - "s3:x-amz-grant-write", - "s3:x-amz-grant-write-acp" + "s3:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -118280,9 +147634,14 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new Amazon S3 Batch Operations job", - "privilege": "CreateJob", + "description": "Grants permission to set the encryption configuration for an Amazon S3 bucket", + "privilege": "PutEncryptionConfiguration", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, { "condition_keys": [ "s3:authType", 
@@ -118290,34 +147649,25 @@ "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256", - "s3:RequestJobPriority", - "s3:RequestJobOperation", - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [ - "iam:PassRole" + "s3:x-amz-content-sha256" ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the access point named in the URI", - "privilege": "DeleteAccessPoint", + "description": "Grants permission to create new or update or delete an existing Amazon S3 Intelligent Tiering configuration", + "privilege": "PutIntelligentTieringConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointArn", - "s3:DataAccessPointAccount", - "s3:AccessPointNetworkOrigin", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", @@ -118331,20 +147681,17 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the policy on a specified access point", - "privilege": "DeleteAccessPointPolicy", + "access_level": "Write", + "description": "Grants permission to add an inventory configuration to the bucket, identified by the inventory ID", + "privilege": "PutInventoryConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointArn", - "s3:DataAccessPointAccount", - "s3:AccessPointNetworkOrigin", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", 
@@ -118357,10 +147704,38 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to replace tags on an existing Amazon S3 Batch Operations job", + "privilege": "PutJobTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256", + "s3:ExistingJobPriority", + "s3:ExistingJobOperation", + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Grants permission to delete the bucket named in the URI", - "privilege": "DeleteBucket", + "description": "Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration", + "privilege": "PutLifecycleConfiguration", "resource_types": [ { "condition_keys": [], @@ -118383,8 +147758,8 @@ }, { "access_level": "Write", - "description": "Grants permission to delete ownership controls on a bucket", - "privilege": "DeleteBucketOwnershipControls", + "description": "Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket", + "privilege": "PutMetricsConfiguration", "resource_types": [ { "condition_keys": [], 
@@ -118407,22 +147782,70 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to delete the policy on a specified bucket", - "privilege": "DeleteBucketPolicy", + "description": "Grants permission to associate an access policy with a specified multi region access point", + "privilege": "PutMultiRegionAccessPointPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "multiregionaccesspoint*" + }, + { + "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "aws:RequestedRegion", + "s3:authType", + "s3:ResourceAccount", + "s3:signatureversion", + "s3:signatureAge", + "s3:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an object to a bucket", + "privilege": "PutObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" }, { "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:RequestObjectTag/", + "s3:RequestObjectTagKeys", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3:x-amz-acl", + "s3:x-amz-content-sha256", + "s3:x-amz-copy-source", + "s3:x-amz-grant-full-control", + "s3:x-amz-grant-read", + "s3:x-amz-grant-read-acp", + "s3:x-amz-grant-write", + "s3:x-amz-grant-write-acp", + "s3:x-amz-metadata-directive", + "s3:x-amz-server-side-encryption", + "s3:x-amz-server-side-encryption-aws-kms-key-id", + "s3:x-amz-storage-class", + "s3:x-amz-website-redirect-location", + "s3:object-lock-mode", + "s3:object-lock-retain-until-date", + "s3:object-lock-remaining-retention-days", + "s3:object-lock-legal-hold" ], "dependent_actions": [], "resource_type": "" 
@@ -118430,23 +147853,34 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove the website configuration for a bucket", - "privilege": "DeleteBucketWebsite", + "access_level": "Permissions management", + "description": "Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket.", + "privilege": "PutObjectAcl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "object*" }, { "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3:x-amz-acl", + "s3:x-amz-content-sha256", + "s3:x-amz-grant-full-control", + "s3:x-amz-grant-read", + "s3:x-amz-grant-read-acp", + "s3:x-amz-grant-write", + "s3:x-amz-grant-write-acp", + "s3:x-amz-storage-class" ], "dependent_actions": [], "resource_type": "" @@ -118454,25 +147888,27 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove tags from an existing Amazon S3 Batch Operations job", - "privilege": "DeleteJobTagging", + "access_level": "Write", + "description": "Grants permission to apply a Legal Hold configuration to the specified object", + "privilege": "PutObjectLegalHold", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "object*" }, { "condition_keys": [ + "s3:DataAccessPointAccount", + "s3:DataAccessPointArn", + "s3:AccessPointNetworkOrigin", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", "s3:x-amz-content-sha256", - "s3:ExistingJobPriority", - "s3:ExistingJobOperation" + "s3:object-lock-legal-hold" ], "dependent_actions": [], "resource_type": "" 
@@ -118481,8 +147917,8 @@ }, { "access_level": "Write", - "description": "Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object", - "privilege": "DeleteObject", + "description": "Grants permission to place an Object Retention configuration on an object", + "privilege": "PutObjectRetention", "resource_types": [ { "condition_keys": [], @@ -118499,7 +147935,10 @@ "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3:x-amz-content-sha256", + "s3:object-lock-mode", + "s3:object-lock-retain-until-date", + "s3:object-lock-remaining-retention-days" ], "dependent_actions": [], "resource_type": "" @@ -118508,8 +147947,8 @@ }, { "access_level": "Tagging", - "description": "Grants permission to use the tagging subresource to remove the entire tag set from the specified object", - "privilege": "DeleteObjectTagging", + "description": "Grants permission to set the supplied tag-set to an object that already exists in a bucket", + "privilege": "PutObjectTagging", "resource_types": [ { "condition_keys": [], @@ -118522,6 +147961,8 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", + "s3:RequestObjectTag/", + "s3:RequestObjectTagKeys", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", @@ -118535,9 +147976,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to remove a specific version of an object", - "privilege": "DeleteObjectVersion", + "access_level": "Permissions management", + "description": "Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket", + "privilege": "PutObjectVersionAcl", "resource_types": [ { "condition_keys": [], 
@@ -118549,13 +147990,21 @@ "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", + "s3:ExistingObjectTag/", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", "s3:versionid", - "s3:x-amz-content-sha256" + "s3:x-amz-acl", + "s3:x-amz-content-sha256", + "s3:x-amz-grant-full-control", + "s3:x-amz-grant-read", + "s3:x-amz-grant-read-acp", + "s3:x-amz-grant-write", + "s3:x-amz-grant-write-acp", + "s3:x-amz-storage-class" ], "dependent_actions": [], "resource_type": "" @@ -118564,8 +148013,8 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove the entire tag set for a specific version of the object", - "privilege": "DeleteObjectVersionTagging", + "description": "Grants permission to set the supplied tag-set for a specific version of an object", + "privilege": "PutObjectVersionTagging", "resource_types": [ { "condition_keys": [], @@ -118578,6 +148027,8 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", + "s3:RequestObjectTag/", + "s3:RequestObjectTagKeys", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", @@ -118593,13 +148044,15 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an existing Amazon S3 Storage Lens configuration", - "privilege": "DeleteStorageLensConfiguration", + "description": "Grants permission to create a new replication configuration or replace an existing one", + "privilege": "PutReplicationConfiguration", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "storagelensconfiguration*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "bucket*" }, { "condition_keys": [ 
@@ -118615,10 +148068,31 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create or update an Amazon S3 Storage Lens configuration", + "privilege": "PutStorageLensConfiguration", + "resource_types": [ + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256", + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from an existing Amazon S3 Storage Lens configuration", - "privilege": "DeleteStorageLensConfigurationTagging", + "description": "Grants permission to put or replace tags on an existing Amazon S3 Storage Lens configuration", + "privilege": "PutStorageLensConfigurationTagging", "resource_types": [ { "condition_keys": [], @@ -118632,7 +148106,9 @@ "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3:x-amz-content-sha256", + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -118640,14 +148116,14 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the configuration parameters and status for a batch operations job", - "privilege": "DescribeJob", + "access_level": "Write", + "description": "Grants permission to replicate delete markers to the destination bucket", + "privilege": "ReplicateDelete", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "object*" }, { "condition_keys": [ 
@@ -118664,14 +148140,14 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to uses the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended", - "privilege": "GetAccelerateConfiguration", + "access_level": "Write", + "description": "Grants permission to replicate objects and object tags to the destination bucket", + "privilege": "ReplicateObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "object*" }, { "condition_keys": [ @@ -118680,7 +148156,9 @@ "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3:x-amz-content-sha256", + "s3:x-amz-server-side-encryption", + "s3:x-amz-server-side-encryption-aws-kms-key-id" ], "dependent_actions": [], "resource_type": "" @@ -118688,15 +148166,17 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return configuration information about the specified access point", - "privilege": "GetAccessPoint", + "access_level": "Tagging", + "description": "Grants permission to replicate object tags to the destination bucket", + "privilege": "ReplicateTags", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", 
@@ -118710,14 +148190,14 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to returns the access point policy associated with the specified access point", - "privilege": "GetAccessPointPolicy", + "access_level": "Write", + "description": "Grants permission to restore an archived copy of an object back into Amazon S3", + "privilege": "RestoreObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "object*" }, { "condition_keys": [ @@ -118737,26 +148217,26 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the policy status for a specific access point policy", - "privilege": "GetAccessPointPolicyStatus", + "access_level": "Write", + "description": "Grants permission to update the priority of an existing job", + "privilege": "UpdateJobPriority", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "job*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", "s3:authType", "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3:x-amz-content-sha256", + "s3:RequestJobPriority", + "s3:ExistingJobPriority", + "s3:ExistingJobOperation" ], "dependent_actions": [], "resource_type": "" @@ -118764,10 +148244,15 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the PublicAccessBlock configuration for an AWS account", - "privilege": "GetAccountPublicAccessBlock", + "access_level": "Write", + "description": "Grants permission to update the status for the specified job", + "privilege": "UpdateJobStatus", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "job*" + }, { "condition_keys": [ "s3:authType", 
@@ -118775,7 +148260,189 @@ "s3:signatureAge", "s3:signatureversion", "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3:x-amz-content-sha256", + "s3:ExistingJobPriority", + "s3:ExistingJobOperation", + "s3:JobSuspendedCause" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}", + "condition_keys": [], + "resource": "accesspoint" + }, + { + "arn": "arn:${Partition}:s3:::${BucketName}", + "condition_keys": [], + "resource": "bucket" + }, + { + "arn": "arn:${Partition}:s3:::${BucketName}/${ObjectName}", + "condition_keys": [], + "resource": "object" + }, + { + "arn": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}", + "condition_keys": [], + "resource": "job" + }, + { + "arn": "arn:${Partition}:s3:${Region}:${Account}:storage-lens/${ConfigId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "storagelensconfiguration" + }, + { + "arn": "arn:${Partition}:s3-object-lambda:${Region}:${Account}:accesspoint/${AccessPointName}", + "condition_keys": [], + "resource": "objectlambdaaccesspoint" + }, + { + "arn": "arn:${Partition}:s3::${Account}:accesspoint/${AccessPointName}", + "condition_keys": [], + "resource": "multiregionaccesspoint" + }, + { + "arn": "arn:${Partition}:s3:us-west-2:${Account}:async-request/mrap/${Operation}/${Token}", + "condition_keys": [], + "resource": "multiregionaccesspointrequestarn" + } + ], + "service_name": "Amazon S3" + }, + { + "conditions": [ + { + "condition": "s3-object-lambda:TlsVersion", + "description": "Filters access by the TLS version used by the client", + "type": "Numeric" + }, + { + "condition": "s3-object-lambda:authType", + "description": "Filters access by authentication method", + "type": "String" + }, + { + "condition": "s3-object-lambda:signatureAge", + "description": "Filters access by the age in milliseconds of the request signature", + "type": "Numeric" + }, + { + 
"condition": "s3-object-lambda:versionid", + "description": "Filters access by a specific object version", + "type": "String" + } + ], + "prefix": "s3-object-lambda", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to abort a multipart upload", + "privilege": "AbortMultipartUpload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object", + "privilege": "DeleteObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to use the tagging subresource to remove the entire tag set from the specified object", + "privilege": "DeleteObjectTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a specific version of an object", + "privilege": "DeleteObjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + 
"s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion", + "s3-object-lambda:versionid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the entire tag set for a specific version of the object", + "privilege": "DeleteObjectVersionTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion", + "s3-object-lambda:versionid" ], "dependent_actions": [], "resource_type": "" 
@@ -118784,22 +148451,574 @@ }, { "access_level": "Read", - "description": "Grants permission to get an analytics configuration from an Amazon S3 bucket, identified by the analytics configuration ID", - "privilege": "GetAnalyticsConfiguration", + "description": "Grants permission to retrieve objects from Amazon S3", + "privilege": "GetObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "objectlambdaaccesspoint*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the access control list (ACL) of an object", + "privilege": "GetObjectAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an object's current Legal Hold status", + "privilege": "GetObjectLegalHold", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the retention settings for an object", + "privilege": "GetObjectRetention", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the tag set of an object", + "privilege": "GetObjectTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a specific version of an object", + "privilege": "GetObjectVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion", + "s3-object-lambda:versionid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the access control list (ACL) of a specific object version", + "privilege": "GetObjectVersionAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion", + "s3-object-lambda:versionid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the tag set for a specific version of the object", + "privilege": "GetObjectVersionTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion", + "s3-object-lambda:versionid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)", + "privilege": "ListBucket", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list in-progress multipart uploads", + "privilege": "ListBucketMultipartUploads", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket", + "privilege": "ListBucketVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the parts that have been uploaded for a specific multipart upload", + "privilege": "ListMultipartUploadParts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an object to a bucket", + "privilege": "PutObject", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket.", + "privilege": "PutObjectAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to apply a Legal Hold configuration to the specified object", + "privilege": "PutObjectLegalHold", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to place an Object Retention configuration on an object", + "privilege": "PutObjectRetention", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ 
+ "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to set the supplied tag-set to an object that already exists in a bucket", + "privilege": "PutObjectTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket", + "privilege": "PutObjectVersionAcl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion", + "s3-object-lambda:versionid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to set the supplied tag-set for a specific version of an object", + "privilege": "PutObjectVersionTagging", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion", + "s3-object-lambda:versionid" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore an archived copy of an object back into Amazon S3", + "privilege": "RestoreObject", + "resource_types": [ + { + "condition_keys": [], 
+ "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to provide data for GetObject requests send to S3 Object Lambda", + "privilege": "WriteGetObjectResponse", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "objectlambdaaccesspoint*" + }, + { + "condition_keys": [ + "s3-object-lambda:authType", + "s3-object-lambda:signatureAge", + "s3-object-lambda:TlsVersion" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:s3-object-lambda:${Region}:${Account}:accesspoint/${AccessPointName}", + "condition_keys": [], + "resource": "objectlambdaaccesspoint" + } + ], + "service_name": "Amazon S3 Object Lambda" + }, + { + "conditions": [ + { + "condition": "s3-outposts:AccessPointNetworkOrigin", + "description": "Filters access by the network origin (Internet or VPC)", + "type": "String" + }, + { + "condition": "s3-outposts:DataAccessPointAccount", + "description": "Filters access by the AWS Account ID that owns the access point", + "type": "String" + }, + { + "condition": "s3-outposts:DataAccessPointArn", + "description": "Filters access by an access point Amazon Resource Name (ARN)", + "type": "String" + }, + { + "condition": "s3-outposts:ExistingObjectTag/", + "description": "Filters access by requiring that an existing object tag has a specific tag key and value", + "type": "String" + }, + { + "condition": "s3-outposts:RequestObjectTag/", + "description": "Filters access by restricting the tag keys and values allowed on objects", + "type": "String" + }, + { + "condition": "s3-outposts:RequestObjectTagKeys", + "description": "Filters access by restricting the tag keys allowed on 
objects", + "type": "String" + }, + { + "condition": "s3-outposts:authType", + "description": "Filters access by restricting incoming requests to a specific authentication method", + "type": "String" + }, + { + "condition": "s3-outposts:delimiter", + "description": "Filters access by requiring the delimiter parameter", + "type": "String" + }, + { + "condition": "s3-outposts:max-keys", + "description": "Filters access by limiting the maximum number of keys returned in a ListBucket request", + "type": "Numeric" + }, + { + "condition": "s3-outposts:prefix", + "description": "Filters access by key name prefix", + "type": "String" + }, + { + "condition": "s3-outposts:signatureAge", + "description": "Filters access by identifying the length of time, in milliseconds, that a signature is valid in an authenticated request", + "type": "Numeric" + }, + { + "condition": "s3-outposts:signatureversion", + "description": "Filters access by identifying the version of AWS Signature that is supported for authenticated requests", + "type": "String" + }, + { + "condition": "s3-outposts:x-amz-acl", + "description": "Filters access by requiring the x-amz-acl header with a specific canned ACL in a request", + "type": "String" + }, + { + "condition": "s3-outposts:x-amz-content-sha256", + "description": "Filters access by disallowing unsigned content in your bucket", + "type": "String" + }, + { + "condition": "s3-outposts:x-amz-copy-source", + "description": "Filters access by restricting the copy source to a specific bucket, prefix, or object", + "type": "String" + }, + { + "condition": "s3-outposts:x-amz-metadata-directive", + "description": "Filters access by enabling enforcement of object metadata behavior (COPY or REPLACE) when objects are copied", + "type": "String" + }, + { + "condition": "s3-outposts:x-amz-server-side-encryption", + "description": "Filters access by requiring server-side encryption", + "type": "String" + }, + { + "condition": "s3-outposts:x-amz-storage-class", + 
"description": "Filters access by storage class", + "type": "String" + } + ], + "prefix": "s3-outposts", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to abort a multipart upload", + "privilege": "AbortMultipartUpload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "object*" + }, + { + "condition_keys": [ + "s3-outposts:DataAccessPointArn", + "s3-outposts:DataAccessPointAccount", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -118807,23 +149026,24 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket", - "privilege": "GetBucketAcl", + "access_level": "Write", + "description": "Grants permission to create a new access point", + "privilege": "CreateAccessPoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "accesspoint*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -118831,9 +149051,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the CORS configuration information set for an Amazon S3 bucket", - "privilege": "GetBucketCORS", + "access_level": "Write", + "description": "Grants permission to create a new bucket", + "privilege": "CreateBucket", "resource_types": [ { "condition_keys": [], 
@@ -118842,12 +149062,10 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -118855,35 +149073,36 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the Region that an Amazon S3 bucket resides in", - "privilege": "GetBucketLocation", + "access_level": "Write", + "description": "Grants permission to create a new endpoint", + "privilege": "CreateEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "endpoint*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return the logging status of an Amazon S3 bucket and the permissions users have to view or modify that status", - "privilege": "GetBucketLogging", + "access_level": "Write", + "description": "Grants permission to delete the access point named in the URI", + "privilege": "DeleteAccessPoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "accesspoint*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointArn", + "s3-outposts:DataAccessPointAccount", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -118891,23 +149110,24 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get the notification configuration of an Amazon S3 bucket", - "privilege": "GetBucketNotification", + "access_level": "Permissions management", + "description": "Grants permission to delete the policy on a specified access point", + "privilege": "DeleteAccessPointPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "accesspoint*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointArn", + "s3-outposts:DataAccessPointAccount", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -118915,9 +149135,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get the Object Lock configuration of an Amazon S3 bucket", - "privilege": "GetBucketObjectLockConfiguration", + "access_level": "Write", + "description": "Grants permission to delete the bucket named in the URI", + "privilege": "DeleteBucket", "resource_types": [ { "condition_keys": [], @@ -118926,12 +149146,10 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:signatureversion" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -118939,9 +149157,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve ownership controls on a bucket", - "privilege": "GetBucketOwnershipControls", + "access_level": "Permissions management", + "description": "Grants permission to delete the policy on a specified bucket", + "privilege": "DeleteBucketPolicy", "resource_types": [ { "condition_keys": [], @@ -118950,12 +149168,10 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -118963,47 +149179,36 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the policy of the specified bucket", - "privilege": "GetBucketPolicy", + "access_level": "Write", + "description": "Grants permission to delete the endpoint named in the URI", + "privilege": "DeleteEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" - }, - { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "endpoint*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the policy status for a specific Amazon S3 bucket, which indicates whether the bucket is public", - "privilege": "GetBucketPolicyStatus", + "access_level": "Write", + "description": "Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object", + "privilege": "DeleteObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "object*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119011,23 +149216,25 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the PublicAccessBlock configuration for an Amazon S3 bucket", - "privilege": "GetBucketPublicAccessBlock", + "access_level": "Tagging", + "description": "Grants permission to use the tagging subresource to remove the entire tag set from the specified object", + "privilege": "DeleteObjectTagging", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "object*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:ExistingObjectTag/", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119036,22 +149243,18 @@ }, { "access_level": "Read", - "description": "Grants permission to return the request payment configuration for an Amazon S3 bucket", - "privilege": "GetBucketRequestPayment", + "description": "Grants permission to return configuration information about the specified access point", + "privilege": "GetAccessPoint", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bucket*" - }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119060,22 +149263,23 @@ }, { "access_level": "Read", - "description": "Grants permission to return the tag set associated with an Amazon S3 bucket", - "privilege": "GetBucketTagging", + "description": "Grants permission to returns the access point policy associated with the specified access point", + "privilege": "GetAccessPointPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "accesspoint*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119084,8 +149288,8 @@ }, { "access_level": "Read", - "description": "Grants permission to return the versioning state of an Amazon S3 bucket", - "privilege": "GetBucketVersioning", + "description": "Grants permission to return the bucket configuration associated with an Amazon S3 bucket", + "privilege": "GetBucket", "resource_types": [ { "condition_keys": [], @@ -119094,12 +149298,10 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119108,8 +149310,8 @@ }, { "access_level": "Read", - "description": "Grants permission to return the website configuration for an Amazon S3 bucket", - "privilege": "GetBucketWebsite", + "description": "Grants permission to return the policy of the specified bucket", + "privilege": "GetBucketPolicy", "resource_types": [ { "condition_keys": [], @@ -119118,12 +149320,10 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119132,8 +149332,8 @@ }, { "access_level": "Read", - "description": "Grants permission to return the default encryption configuration an Amazon S3 bucket", - "privilege": "GetEncryptionConfiguration", + "description": "Grants permission to return the tag set associated with an Amazon S3 bucket", + "privilege": "GetBucketTagging", "resource_types": [ { "condition_keys": [], @@ -119142,12 +149342,10 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119156,8 +149354,8 @@ }, { "access_level": "Read", - "description": "Grants permission to get an or list all Amazon S3 Intelligent Tiering configuration in a S3 Bucket", - "privilege": "GetIntelligentTieringConfiguration", + "description": "Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket", + "privilege": "GetLifecycleConfiguration", "resource_types": [ { "condition_keys": [], 
@@ -119166,12 +149364,10 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119180,22 +149376,24 @@ }, { "access_level": "Read", - "description": "Grants permission to return an inventory configuration from an Amazon S3 bucket, identified by the inventory configuration ID", - "privilege": "GetInventoryConfiguration", + "description": "Grants permission to retrieve objects from Amazon S3", + "privilege": "GetObject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "object*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:ExistingObjectTag/", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119204,22 +149402,24 @@ }, { "access_level": "Read", - "description": "Grants permission to return the tag set of an existing Amazon S3 Batch Operations job", - "privilege": "GetJobTagging", + "description": "Grants permission to return the tag set of an object", + "privilege": "GetObjectTagging", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "object*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:ExistingObjectTag/", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119227,23 +149427,16 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket", - "privilege": "GetLifecycleConfiguration", + "access_level": "List", + "description": "Grants permission to list access points", + "privilege": "ListAccessPoints", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bucket*" - }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119251,51 +149444,32 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get a metrics configuration from an Amazon S3 bucket", - "privilege": "GetMetricsConfiguration", + "access_level": "List", + "description": "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)", + "privilege": "ListBucket", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "accesspoint*" }, - { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to retrieve objects from Amazon S3", - "privilege": "GetObject", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:delimiter", + "s3-outposts:max-keys", + "s3-outposts:prefix", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119303,54 +149477,29 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the access control list (ACL) of an object", - "privilege": "GetObjectAcl", + "access_level": "List", + "description": "Grants permission to list in-progress multipart uploads", + "privilege": "ListBucketMultipartUploads", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "accesspoint*" }, - { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get an object's current Legal Hold status", - "privilege": "GetObjectLegalHold", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119358,36 +149507,21 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the retention settings for an object", - "privilege": "GetObjectRetention", + "access_level": "List", + "description": "Grants permission to list endpoints", + "privilege": "ListEndpoints", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" - }, - { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to return the tag set of an object", - "privilege": "GetObjectTagging", + "access_level": "List", + "description": "Grants permission to list the parts that have been uploaded for a specific multipart upload", + "privilege": "ListMultipartUploadParts", "resource_types": [ { "condition_keys": [], @@ -119396,16 +149530,13 @@ }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119413,23 +149544,16 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return torrent files from an Amazon S3 bucket", - "privilege": "GetObjectTorrent", + "access_level": "List", + "description": "Grants permission to list all buckets owned by the authenticated sender of the request", + "privilege": "ListRegionalBuckets", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" - }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119437,28 +149561,24 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a specific version of an object", - "privilege": "GetObjectVersion", + "access_level": "Permissions management", + "description": "Grants permission to associate an access policy with a specified access point", + "privilege": "PutAccessPointPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "accesspoint*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:versionid", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119466,28 +149586,21 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the access control list (ACL) of a specific object version", - "privilege": "GetObjectVersionAcl", + "access_level": "Permissions management", + "description": "Grants permission to add or replace a bucket policy on a bucket", + "privilege": "PutBucketPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:versionid", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119495,23 +149608,21 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to replicate both unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS", - "privilege": "GetObjectVersionForReplication", + "access_level": "Tagging", + "description": "Grants permission to add a set of tags to an existing Amazon S3 bucket", + "privilege": "PutBucketTagging", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" 
@@ -119519,28 +149630,21 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the tag set for a specific version of the object", - "privilege": "GetObjectVersionTagging", + "access_level": "Write", + "description": "Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration", + "privilege": "PutLifecycleConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "bucket*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:versionid", - "s3:x-amz-content-sha256" + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" @@ -119548,9 +149652,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get Torrent files about a different version using the versionId subresource", - "privilege": "GetObjectVersionTorrent", + "access_level": "Write", + "description": "Grants permission to add an object to a bucket", + "privilege": "PutObject", "resource_types": [ { "condition_keys": [], 
@@ -119559,13 +149663,20 @@ }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:versionid", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:RequestObjectTag/", + "s3-outposts:RequestObjectTagKeys", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-acl", + "s3-outposts:x-amz-content-sha256", + "s3-outposts:x-amz-copy-source", + "s3-outposts:x-amz-metadata-directive", + "s3-outposts:x-amz-server-side-encryption", + "s3-outposts:x-amz-storage-class" ], "dependent_actions": [], "resource_type": "" @@ -119573,23 +149684,27 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get the replication configuration information set on an Amazon S3 bucket", - "privilege": "GetReplicationConfiguration", + "access_level": "Permissions management", + "description": "Grants permission to set the access control list (ACL) permissions for an object that already exists in a bucket", + "privilege": "PutObjectAcl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "object*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:ExistingObjectTag/", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-acl", + "s3-outposts:x-amz-content-sha256", + "s3-outposts:x-amz-storage-class" ], "dependent_actions": [], "resource_type": "" 
@@ -119597,624 +149712,474 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get an Amazon S3 Storage Lens configuration", - "privilege": "GetStorageLensConfiguration", + "access_level": "Tagging", + "description": "Grants permission to set the supplied tag-set to an object that already exists in a bucket", + "privilege": "PutObjectTagging", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "storagelensconfiguration*" + "resource_type": "object*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "s3-outposts:DataAccessPointAccount", + "s3-outposts:DataAccessPointArn", + "s3-outposts:AccessPointNetworkOrigin", + "s3-outposts:ExistingObjectTag/", + "s3-outposts:RequestObjectTag/", + "s3-outposts:RequestObjectTagKeys", + "s3-outposts:authType", + "s3-outposts:signatureAge", + "s3-outposts:signatureversion", + "s3-outposts:x-amz-content-sha256" ], "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/accesspoint/${AccessPointName}", + "condition_keys": [], + "resource": "accesspoint" }, { - "access_level": "Read", - "description": "Grants permission to get the tag set of an existing Amazon S3 Storage Lens configuration", - "privilege": "GetStorageLensConfigurationTagging", + "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/bucket/${BucketName}", + "condition_keys": [], + "resource": "bucket" + }, + { + "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/endpoint/${EndpointId}", + "condition_keys": [], + "resource": "endpoint" + }, + { + "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/bucket/${BucketName}/object/${ObjectName}", + "condition_keys": [], + "resource": "object" + } + ], + "service_name": "Amazon 
S3 on Outposts" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by a key that is present in the request the user makes to the SageMaker service", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair", + "type": "String" + }, + { + "condition": "aws:SourceIp", + "description": "Filters access by the requestor's IP address", + "type": "String" + }, + { + "condition": "aws:SourceVpc", + "description": "Filters access by the requestor's VPC", + "type": "String" + }, + { + "condition": "aws:SourceVpce", + "description": "Filters access by on requestor's VPC endpoint", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key names associated with the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:AcceleratorTypes", + "description": "Filters access by the list of all accelerator types associated with the resource in the request", + "type": "ArrayOfString" + }, + { + "condition": "sagemaker:AppNetworkAccessType", + "description": "Filters access by the app network access type associated with the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:DirectInternetAccess", + "description": "Filters access by the direct internet access associated with the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:DomainSharingOutputKmsKey", + "description": "Filters access by the Domain sharing output KMS key associated with the resource in the request", + "type": "ARN" + }, + { + "condition": "sagemaker:FeatureGroupOfflineStoreKmsKey", + "description": "Filters access by the offline store kms key associated with the feature group resource in the request", + "type": "ARN" + }, + { + "condition": "sagemaker:FeatureGroupOfflineStoreS3Uri", + "description": "Filters access by the offline store s3 uri 
associated with the feature group resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:FeatureGroupOnlineStoreKmsKey", + "description": "Filters access by the online store kms key associated with the feature group resource in the request", + "type": "ARN" + }, + { + "condition": "sagemaker:FileSystemAccessMode", + "description": "Filters access by a file system access mode associated with the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:FileSystemDirectoryPath", + "description": "Filters access by a file system directory path associated with the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:FileSystemId", + "description": "Filters access by a file system ID associated with the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:FileSystemType", + "description": "Filters access by a file system type associated with the resource in the request", + "type": "String" + }, + { + "condition": "sagemaker:HomeEfsFileSystemKmsKey", + "description": "This key is deprecated. 
It has been replaced by sagemaker:VolumeKmsKey", + "type": "ARN" + }, + { + "condition": "sagemaker:ImageArns", + "description": "Filters access by the list of all image arns associated with the resource in the request", + "type": "ArrayOfString" + }, + { + "condition": "sagemaker:ImageVersionArns", + "description": "Filters access by the list of all image version arns associated with the resource in the request", + "type": "ArrayOfString" + }, + { + "condition": "sagemaker:InstanceTypes", + "description": "Filters access by the list of all instance types associated with the resource in the request", + "type": "ArrayOfString" + }, + { + "condition": "sagemaker:InterContainerTrafficEncryption", + "description": "Filters access by the inter container traffic encryption associated with the resource in the request", + "type": "Bool" + }, + { + "condition": "sagemaker:MaxRuntimeInSeconds", + "description": "Filters access by the max runtime in seconds associated with the resource in the request", + "type": "Numeric" + }, + { + "condition": "sagemaker:ModelArn", + "description": "Filters access by the model arn associated with the resource in the request", + "type": "ARN" + }, + { + "condition": "sagemaker:NetworkIsolation", + "description": "Filters access by the network isolation associated with the resource in the request", + "type": "Bool" + }, + { + "condition": "sagemaker:OutputKmsKey", + "description": "Filters access by the output kms key associated with the resource in the request", + "type": "ARN" + }, + { + "condition": "sagemaker:ResourceTag/", + "description": "Filters access by the preface string for a tag key and value pair attached to a resource", + "type": "String" + }, + { + "condition": "sagemaker:ResourceTag/${TagKey}", + "description": "Filters access by a tag key and value pair", + "type": "String" + }, + { + "condition": "sagemaker:RootAccess", + "description": "Filters access by the root access associated with the resource in the request", + 
"type": "String" + }, + { + "condition": "sagemaker:TargetModel", + "description": "Filters access by the target model associated with the Multi-Model Endpoint in the request", + "type": "String" + }, + { + "condition": "sagemaker:VolumeKmsKey", + "description": "Filters access by the volume kms key associated with the resource in the request", + "type": "ARN" + }, + { + "condition": "sagemaker:VpcSecurityGroupIds", + "description": "Filters access by the list of all VPC security group ids associated with the resource in the request", + "type": "ArrayOfString" + }, + { + "condition": "sagemaker:VpcSubnets", + "description": "Filters access by the list of all VPC subnets associated with the resource in the request", + "type": "ArrayOfString" + }, + { + "condition": "sagemaker:WorkteamArn", + "description": "Filters access by the workteam arn associated to the request", + "type": "ARN" + }, + { + "condition": "sagemaker:WorkteamType", + "description": "Filters access by the workteam type associated to the request. 
This can be public-crowd, private-crowd or vendor-crowd", + "type": "String" + } + ], + "prefix": "sagemaker", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate a lineage entity (artifact, context, action, experiment, experiment-trial-component) to each other", + "privilege": "AddAssociation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "storagelensconfiguration*" + "resource_type": "action*" }, - { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get an Amazon S3 Storage Lens dashboard", - "privilege": "GetStorageLensDashboard", - "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "storagelensconfiguration*" + "resource_type": "artifact*" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to list access points", - "privilege": "ListAccessPoints", - "resource_types": [ + "resource_type": "context*" + }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all buckets owned by the authenticated sender of the request", - "privilege": "ListAllMyBuckets", - "resource_types": [ + "resource_type": "experiment*" + }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - 
"s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment-trial-component*" } ] }, { - "access_level": "List", - "description": "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)", - "privilege": "ListBucket", + "access_level": "Tagging", + "description": "Grants permission to add or overwrite one or more tags for the specified Amazon SageMaker resource", + "privilege": "AddTags", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "action" }, { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:delimiter", - "s3:max-keys", - "s3:prefix", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list in-progress multipart uploads", - "privilege": "ListBucketMultipartUploads", - "resource_types": [ + "resource_type": "algorithm" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "app" }, { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list metadata about all the versions of objects in an Amazon S3 bucket", - "privilege": "ListBucketVersions", - "resource_types": [ + "resource_type": "app-image-config" + }, { "condition_keys": 
[], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "artifact" }, { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:delimiter", - "s3:max-keys", - "s3:prefix", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list current jobs and jobs that have ended recently", - "privilege": "ListJobs", - "resource_types": [ - { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "resource_type": "automl-job" + }, + { + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the parts that have been uploaded for a specific multipart upload", - "privilege": "ListMultipartUploadParts", - "resource_types": [ + "resource_type": "code-repository" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "context" }, { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list Amazon S3 Storage Lens configurations", - "privilege": "ListStorageLensConfigurations", - "resource_types": [ + "resource_type": "data-quality-job-definition" + }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - 
"s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to change replica ownership", - "privilege": "ObjectOwnerOverrideToBucketOwner", - "resource_types": [ + "resource_type": "device" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "device-fleet" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to use the accelerate subresource to set the Transfer Acceleration state of an existing S3 bucket", - "privilege": "PutAccelerateConfiguration", - "resource_types": [ + "resource_type": "domain" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "edge-packaging-job" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to associate an access policy with a specified access point", - "privilege": "PutAccessPointPolicy", - "resource_types": [ + "resource_type": "endpoint" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "endpoint-config" }, { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to create or modify the PublicAccessBlock configuration for an AWS account", - "privilege": "PutAccountPublicAccessBlock", - "resource_types": [ + "resource_type": "experiment" + }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to set an analytics configuration for the bucket, specified by the analytics configuration ID", - "privilege": "PutAnalyticsConfiguration", - "resource_types": [ + "resource_type": "experiment-trial" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "experiment-trial-component" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to set the permissions on an existing bucket using access control lists (ACLs)", - "privilege": "PutBucketAcl", - "resource_types": [ + "resource_type": "feature-group" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "flow-definition" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-acl", - "s3:x-amz-content-sha256", - "s3:x-amz-grant-full-control", - "s3:x-amz-grant-read", - "s3:x-amz-grant-read-acp", - "s3:x-amz-grant-write", - "s3:x-amz-grant-write-acp" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] 
- }, - { - "access_level": "Write", - "description": "Grants permission to set the CORS configuration for an Amazon S3 bucket", - "privilege": "PutBucketCORS", - "resource_types": [ + "resource_type": "human-task-ui" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "hyper-parameter-tuning-job" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to set the logging parameters for an Amazon S3 bucket", - "privilege": "PutBucketLogging", - "resource_types": [ + "resource_type": "image" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "labeling-job" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to receive notifications when certain events happen in an Amazon S3 bucket", - "privilege": "PutBucketNotification", - "resource_types": [ + "resource_type": "model" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "model-bias-job-definition" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to put Object Lock configuration on a specific bucket", - "privilege": "PutBucketObjectLockConfiguration", - "resource_types": [ + "resource_type": 
"model-explainability-job-definition" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "model-package" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:TlsVersion", - "s3:signatureversion" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to add or replace ownership controls on a bucket", - "privilege": "PutBucketOwnershipControls", - "resource_types": [ + "resource_type": "model-package-group" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "model-quality-job-definition" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to add or replace a bucket policy on a bucket", - "privilege": "PutBucketPolicy", - "resource_types": [ + "resource_type": "monitoring-schedule" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "notebook-instance" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Permissions management", - "description": "Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket", - "privilege": "PutBucketPublicAccessBlock", - "resource_types": [ + "resource_type": "pipeline" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "processing-job" }, { - 
"condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to set the request payment configuration of a bucket", - "privilege": "PutBucketRequestPayment", - "resource_types": [ + "resource_type": "project" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "training-job" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Tagging", - "description": "Grants permission to add a set of tags to an existing Amazon S3 bucket", - "privilege": "PutBucketTagging", - "resource_types": [ + "resource_type": "transform-job" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "user-profile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workteam" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120223,118 +150188,71 @@ }, { "access_level": "Write", - "description": "Grants permission to set the versioning state of an existing Amazon S3 bucket", - "privilege": "PutBucketVersioning", + "description": "Grants permission to associate a trial component with a trial", + "privilege": "AssociateTrialComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "experiment-trial*" }, { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment-trial-component*" } ] }, { - "access_level": "Write", - "description": "Grants permission to set the configuration of the website that is specified in the website subresource", - "privilege": "PutBucketWebsite", + "access_level": "Read", + "description": "Grants permission to retrieve metrics associated with SageMaker Resources such as Training Jobs. 
This API is not publicly exposed at this point, however admins can control this action", + "privilege": "BatchGetMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" - }, - { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "training-job*" } ] }, { - "access_level": "Write", - "description": "Grants permission to set the encryption configuration for an Amazon S3 bucket", - "privilege": "PutEncryptionConfiguration", + "access_level": "Read", + "description": "Get a batch of records from one or more feature groups.", + "privilege": "BatchGetRecord", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" - }, - { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "feature-group*" } ] }, { "access_level": "Write", - "description": "Grants permission to create new or update or delete an existing Amazon S3 Intelligent Tiering configuration", - "privilege": "PutIntelligentTieringConfiguration", + "description": "Grants permission to publish metrics associated with a SageMaker Resource such as a Training Job. 
This API is not publicly exposed at this point, however admins can control this action", + "privilege": "BatchPutMetrics", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" - }, - { - "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "training-job*" } ] }, { "access_level": "Write", - "description": "Grants permission to add an inventory configuration to the bucket, identified by the inventory ID", - "privilege": "PutInventoryConfiguration", + "description": "Grants permission to create an action", + "privilege": "CreateAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "action*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -120342,27 +150260,19 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to replace tags on an existing Amazon S3 Batch Operations job", - "privilege": "PutJobTagging", + "access_level": "Write", + "description": "Grants permission to create an algorithm", + "privilege": "CreateAlgorithm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "algorithm*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "s3:ExistingJobPriority", - "s3:ExistingJobOperation", - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120371,22 +150281,21 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration", - "privilege": "PutLifecycleConfiguration", + "description": "Grants permission to create an App for a SageMaker Studio UserProfile", + "privilege": "CreateApp", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "app*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:ImageArns", + "sagemaker:ImageVersionArns" ], "dependent_actions": [], "resource_type": "" @@ -120395,22 +150304,18 @@ }, { "access_level": "Write", - "description": "Grants permission to set or update a metrics configuration for the CloudWatch request metrics from an Amazon S3 bucket", - "privilege": "PutMetricsConfiguration", + "description": "Grants permission to create an AppImageConfig", + "privilege": "CreateAppImageConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "app-image-config*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120419,43 +150324,18 @@ }, { "access_level": "Write", - "description": "Grants permission to add an object to a bucket", - "privilege": "PutObject", + "description": "Grants permission to create an artifact", + "privilege": "CreateArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "artifact*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:RequestObjectTag/", - "s3:RequestObjectTagKeys", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-acl", - "s3:x-amz-content-sha256", - "s3:x-amz-copy-source", - "s3:x-amz-grant-full-control", - "s3:x-amz-grant-read", - "s3:x-amz-grant-read-acp", - "s3:x-amz-grant-write", - "s3:x-amz-grant-write-acp", - "s3:x-amz-metadata-directive", - "s3:x-amz-server-side-encryption", - "s3:x-amz-server-side-encryption-aws-kms-key-id", - "s3:x-amz-storage-class", - "s3:x-amz-website-redirect-location", - "s3:object-lock-mode", - "s3:object-lock-retain-until-date", - "s3:object-lock-remaining-retention-days", - "s3:object-lock-legal-hold" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120463,34 +150343,26 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket.", - "privilege": "PutObjectAcl", + "access_level": "Write", + "description": "Grants permission to create an AutoML job", + "privilege": "CreateAutoMLJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "automl-job*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-acl", - "s3:x-amz-content-sha256", - "s3:x-amz-grant-full-control", - "s3:x-amz-grant-read", - "s3:x-amz-grant-read-acp", - "s3:x-amz-grant-write", - "s3:x-amz-grant-write-acp", - "s3:x-amz-storage-class" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" 
@@ -120499,26 +150371,18 @@ }, { "access_level": "Write", - "description": "Grants permission to apply a Legal Hold configuration to the specified object", - "privilege": "PutObjectLegalHold", + "description": "Grants permission to create a CodeRepository", + "privilege": "CreateCodeRepository", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "code-repository*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "s3:object-lock-legal-hold" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120527,58 +150391,32 @@ }, { "access_level": "Write", - "description": "Grants permission to place an Object Retention configuration on an object", - "privilege": "PutObjectRetention", + "description": "Grants permission to create a compilation job", + "privilege": "CreateCompilationJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" - }, - { - "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "s3:object-lock-mode", - "s3:object-lock-retain-until-date", - "s3:object-lock-remaining-retention-days" + "dependent_actions": [ + "iam:PassRole" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "compilation-job*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to set the supplied tag-set to an object that already exists in a bucket", - "privilege": "PutObjectTagging", + "access_level": "Write", + "description": "Grants permission to create a context", + "privilege": "CreateContext", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "context*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:RequestObjectTag/", - "s3:RequestObjectTagKeys", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120586,35 +150424,29 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket", - "privilege": "PutObjectVersionAcl", + "access_level": "Write", + "description": "Grants permission to create a data quality job definition", + "privilege": "CreateDataQualityJobDefinition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "data-quality-job-definition*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:versionid", - "s3:x-amz-acl", - "s3:x-amz-content-sha256", - "s3:x-amz-grant-full-control", - "s3:x-amz-grant-read", - "s3:x-amz-grant-read-acp", - "s3:x-amz-grant-write", - "s3:x-amz-grant-write-acp", - "s3:x-amz-storage-class" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" 
@@ -120622,30 +150454,21 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to set the supplied tag-set for a specific version of an object", - "privilege": "PutObjectVersionTagging", + "access_level": "Write", + "description": "Grants permission to create a device fleet", + "privilege": "CreateDeviceFleet", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "device-fleet*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:ExistingObjectTag/", - "s3:RequestObjectTag/", - "s3:RequestObjectTagKeys", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:versionid", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -120654,24 +150477,29 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new replication configuration or replace an existing one", - "privilege": "PutReplicationConfiguration", + "description": "Grants permission to create a Domain for SageMaker Studio", + "privilege": "CreateDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [ + "iam:CreateServiceLinkedRole", "iam:PassRole" ], - "resource_type": "bucket*" + "resource_type": "domain*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:AppNetworkAccessType", + "sagemaker:InstanceTypes", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets", + "sagemaker:DomainSharingOutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:ImageArns", + "sagemaker:ImageVersionArns" ], "dependent_actions": [], "resource_type": "" 
@@ -120680,19 +150508,20 @@ }, { "access_level": "Write", - "description": "Grants permission to create or update an Amazon S3 Storage Lens configuration", - "privilege": "PutStorageLensConfiguration", + "description": "Grants permission to create an edge packaging job", + "privilege": "CreateEdgePackagingJob", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "edge-packaging-job*" + }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -120700,25 +150529,19 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to put or replace tags on an existing Amazon S3 Storage Lens configuration", - "privilege": "PutStorageLensConfigurationTagging", + "access_level": "Write", + "description": "Grants permission to create an endpoint using the endpoint configuration specified in the request", + "privilege": "CreateEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "storagelensconfiguration*" + "resource_type": "endpoint*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120727,22 +150550,22 @@ }, { "access_level": "Write", - "description": "Grants permission to replicate delete markers to the destination bucket", - "privilege": "ReplicateDelete", + "description": "Grants permission to create an endpoint configuration that can be deployed using Amazon SageMaker hosting services", + "privilege": "CreateEndpointConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "endpoint-config*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:AcceleratorTypes", + "sagemaker:InstanceTypes", + "sagemaker:ModelArn", + "sagemaker:VolumeKmsKey" ], "dependent_actions": [], "resource_type": "" @@ -120751,24 +150574,18 @@ }, { "access_level": "Write", - "description": "Grants permission to replicate objects and object tags to the destination bucket", - "privilege": "ReplicateObject", + "description": "Grants permission to create an experiment", + "privilege": "CreateExperiment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "experiment*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "s3:x-amz-server-side-encryption", - "s3:x-amz-server-side-encryption-aws-kms-key-id" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120776,23 +150593,24 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to replicate object tags to the destination bucket", - "privilege": "ReplicateTags", + "access_level": "Write", + "description": "Grants permission to create a feature group", + "privilege": "CreateFeatureGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "feature-group*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:FeatureGroupOnlineStoreKmsKey", + "sagemaker:FeatureGroupOfflineStoreKmsKey", + "sagemaker:FeatureGroupOfflineStoreS3Uri" ], "dependent_actions": [], "resource_type": "" @@ -120801,25 +150619,22 @@ }, { "access_level": "Write", - "description": "Grants permission to restore an archived copy of an object back into Amazon S3", - "privilege": "RestoreObject", + "description": "Grants permission to create a flow definition, which defines settings for a human workflow", + "privilege": "CreateFlowDefinition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "flow-definition*" }, { "condition_keys": [ - "s3:DataAccessPointAccount", - "s3:DataAccessPointArn", - "s3:AccessPointNetworkOrigin", - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256" + "sagemaker:WorkteamArn", + "sagemaker:WorkteamType", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120828,25 +150643,18 @@ }, { "access_level": "Write", - "description": "Grants permission to update the priority of an existing job", - "privilege": "UpdateJobPriority", + "description": "Grants permission to define the settings you will use for the human review workflow user interface", + "privilege": "CreateHumanTaskUi", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "job*" + "resource_type": "human-task-ui*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "s3:RequestJobPriority", - "s3:ExistingJobPriority", - "s3:ExistingJobOperation" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -120855,177 +150663,54 @@ }, { "access_level": "Write", - "description": "Grants permission to update the status for the specified job", - "privilege": "UpdateJobStatus", + "description": "Grants permission to create a hyper parameter tuning job that can be deployed using Amazon SageMaker", + "privilege": "CreateHyperParameterTuningJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "job*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "hyper-parameter-tuning-job*" }, { "condition_keys": [ - "s3:authType", - "s3:ResourceAccount", - "s3:signatureAge", - "s3:signatureversion", - "s3:TlsVersion", - "s3:x-amz-content-sha256", - "s3:ExistingJobPriority", - "s3:ExistingJobOperation", - "s3:JobSuspendedCause" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:FileSystemAccessMode", + "sagemaker:FileSystemDirectoryPath", + "sagemaker:FileSystemId", + "sagemaker:FileSystemType", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}", - "condition_keys": [], - "resource": "accesspoint" - }, - { - "arn": "arn:${Partition}:s3:::${BucketName}", - "condition_keys": [], - "resource": "bucket" - }, - { - "arn": "arn:${Partition}:s3:::${BucketName}/${ObjectName}", - "condition_keys": [], - "resource": "object" - }, - { - "arn": "arn:${Partition}:s3:${Region}:${Account}:job/${JobId}", - "condition_keys": [], - "resource": "job" - }, - { - "arn": "arn:${Partition}:s3:${Region}:${Account}:storage-lens/${ConfigId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "storagelensconfiguration" - } - ], - "service_name": "Amazon 
S3" - }, - { - "conditions": [ - { - "condition": "s3-outposts:AccessPointNetworkOrigin", - "description": "Filters access by the network origin (Internet or VPC)", - "type": "String" - }, - { - "condition": "s3-outposts:DataAccessPointAccount", - "description": "Filters access by the AWS Account ID that owns the access point", - "type": "String" - }, - { - "condition": "s3-outposts:DataAccessPointArn", - "description": "Filters access by an access point Amazon Resource Name (ARN)", - "type": "String" - }, - { - "condition": "s3-outposts:ExistingObjectTag/", - "description": "Filters access by requiring that an existing object tag has a specific tag key and value", - "type": "String" - }, - { - "condition": "s3-outposts:RequestObjectTag/", - "description": "Filters access by restricting the tag keys and values allowed on objects", - "type": "String" - }, - { - "condition": "s3-outposts:RequestObjectTagKeys", - "description": "Filters access by restricting the tag keys allowed on objects", - "type": "String" - }, - { - "condition": "s3-outposts:authType", - "description": "Filters access by restricting incoming requests to a specific authentication method", - "type": "String" - }, - { - "condition": "s3-outposts:delimiter", - "description": "Filters access by requiring the delimiter parameter", - "type": "String" - }, - { - "condition": "s3-outposts:max-keys", - "description": "Filters access by limiting the maximum number of keys returned in a ListBucket request", - "type": "Numeric" - }, - { - "condition": "s3-outposts:prefix", - "description": "Filters access by key name prefix", - "type": "String" - }, - { - "condition": "s3-outposts:signatureAge", - "description": "Filters access by identifying the length of time, in milliseconds, that a signature is valid in an authenticated request", - "type": "Numeric" - }, - { - "condition": "s3-outposts:signatureversion", - "description": "Filters access by identifying the version of AWS Signature that is supported for 
authenticated requests", - "type": "String" - }, - { - "condition": "s3-outposts:x-amz-acl", - "description": "Filters access by requiring the x-amz-acl header with a specific canned ACL in a request", - "type": "String" - }, - { - "condition": "s3-outposts:x-amz-content-sha256", - "description": "Filters access by disallowing unsigned content in your bucket", - "type": "String" - }, - { - "condition": "s3-outposts:x-amz-copy-source", - "description": "Filters access by restricting the copy source to a specific bucket, prefix, or object", - "type": "String" - }, - { - "condition": "s3-outposts:x-amz-metadata-directive", - "description": "Filters access by enabling enforcement of object metadata behavior (COPY or REPLACE) when objects are copied", - "type": "String" - }, - { - "condition": "s3-outposts:x-amz-server-side-encryption", - "description": "Filters access by requiring server-side encryption", - "type": "String" + ] }, - { - "condition": "s3-outposts:x-amz-storage-class", - "description": "Filters access by storage class", - "type": "String" - } - ], - "prefix": "s3-outposts", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to abort a multipart upload", - "privilege": "AbortMultipartUpload", + "description": "Grants permissions to create a SageMaker Image", + "privilege": "CreateImage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "image*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointArn", - "s3-outposts:DataAccessPointAccount", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -121034,23 +150719,36 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new access point", - "privilege": "CreateAccessPoint", + "description": "Grants permissions to create a SageMaker ImageVersion", + "privilege": "CreateImageVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "image*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models", + "privilege": "CreateLabelingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "labeling-job*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "sagemaker:WorkteamArn", + "sagemaker:WorkteamType", + "sagemaker:VolumeKmsKey", + "sagemaker:OutputKmsKey", + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -121059,20 +150757,23 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new bucket", - "privilege": "CreateBucket", + "description": "Grants permission to create a model in Amazon SageMaker. In the request, you specify a name for the model and describe one or more containers", + "privilege": "CreateModel", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "bucket*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "model*" }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:NetworkIsolation", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" 
@@ -121081,35 +150782,58 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new endpoint", - "privilege": "CreateEndpoint", + "description": "Grants permission to create a model bias job definition", + "privilege": "CreateModelBiasJobDefinition", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "model-bias-job-definition*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" + ], "dependent_actions": [], - "resource_type": "endpoint*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the access point named in the URI", - "privilege": "DeleteAccessPoint", + "description": "Grants permission to create a model explainability job definition", + "privilege": "CreateModelExplainabilityJobDefinition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "accesspoint*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "model-explainability-job-definition*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointArn", - "s3-outposts:DataAccessPointAccount", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" 
@@ -121117,24 +150841,24 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the policy on a specified access point", - "privilege": "DeleteAccessPointPolicy", + "access_level": "Write", + "description": "Grants permission to create a ModelPackage", + "privilege": "CreateModelPackage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "model-package" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-package-group" }, { "condition_keys": [ - "s3-outposts:DataAccessPointArn", - "s3-outposts:DataAccessPointAccount", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121143,20 +150867,18 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the bucket named in the URI", - "privilege": "DeleteBucket", + "description": "Grants permission to create a ModelPackageGroup", + "privilege": "CreateModelPackageGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "model-package-group*" }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -121164,21 +150886,29 @@ ] }, { - "access_level": "Permissions management", - "description": "Grants permission to delete the policy on a specified bucket", - "privilege": "DeleteBucketPolicy", + "access_level": "Write", + "description": "Grants permission to create a model quality job definition", + "privilege": "CreateModelQualityJobDefinition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "bucket*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "model-quality-job-definition*" }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" 
@@ -121187,35 +150917,57 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the endpoint named in the URI", - "privilege": "DeleteEndpoint", + "description": "Grants permission to create a monitoring schedule", + "privilege": "CreateMonitoringSchedule", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "monitoring-schedule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" + ], "dependent_actions": [], - "resource_type": "endpoint*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to remove the null version of an object and insert a delete marker, which becomes the current version of the object", - "privilege": "DeleteObject", + "description": "Grants permission to create an Amazon SageMaker notebook instance. 
A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook", + "privilege": "CreateNotebookInstance", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "object*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "notebook-instance*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:AcceleratorTypes", + "sagemaker:DirectInternetAccess", + "sagemaker:InstanceTypes", + "sagemaker:RootAccess", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" 
@@ -121223,45 +150975,33 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to use the tagging subresource to remove the entire tag set from the specified object", - "privilege": "DeleteObjectTagging", + "access_level": "Write", + "description": "Grants permission to create a notebook instance lifecycle configuration that can be deployed using Amazon SageMaker", + "privilege": "CreateNotebookInstanceLifecycleConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" - }, - { - "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:ExistingObjectTag/", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "notebook-instance-lifecycle-config*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return configuration information about the specified access point", - "privilege": "GetAccessPoint", + "access_level": "Write", + "description": "Grants permission to create a pipeline", + "privilege": "CreatePipeline", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "pipeline*" + }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -121269,24 +151009,20 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to returns the access point policy associated with the specified access point", - "privilege": "GetAccessPointPolicy", + "access_level": "Write", + "description": "Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM'", + "privilege": "CreatePresignedDomainUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" + "resource_type": "user-profile*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:SourceIp", + "aws:SourceVpc", + "aws:SourceVpce" ], "dependent_actions": [], "resource_type": "" 
@@ -121294,21 +151030,41 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the bucket configuration associated with an Amazon S3 bucket", - "privilege": "GetBucket", + "access_level": "Write", + "description": "Grants permission to create a URL that you can use from your browser to connect to the Notebook Instance", + "privilege": "CreatePresignedNotebookInstanceUrl", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "notebook-instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a processing job. After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify", + "privilege": "CreateProcessingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "processing-job*" }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets", + "sagemaker:InterContainerTrafficEncryption" ], "dependent_actions": [], "resource_type": "" 
@@ -121316,21 +151072,19 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the policy of the specified bucket", - "privilege": "GetBucketPolicy", + "access_level": "Write", + "description": "Grants permission to create a Project", + "privilege": "CreateProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "project*" }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121338,21 +151092,33 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the tag set associated with an Amazon S3 bucket", - "privilege": "GetBucketTagging", + "access_level": "Write", + "description": "Grants permission to start a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify", + "privilege": "CreateTrainingJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "bucket*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "training-job*" }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:FileSystemAccessMode", + "sagemaker:FileSystemDirectoryPath", + "sagemaker:FileSystemId", + "sagemaker:FileSystemType", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" ], "dependent_actions": [], "resource_type": "" 
@@ -121360,21 +151126,23 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the lifecycle configuration information set on an Amazon S3 bucket", - "privilege": "GetLifecycleConfiguration", + "access_level": "Write", + "description": "Grants permission to start a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify", + "privilege": "CreateTransformJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "transform-job*" }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:ModelArn", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey" ], "dependent_actions": [], "resource_type": "" @@ -121382,25 +151150,19 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve objects from Amazon S3", - "privilege": "GetObject", + "access_level": "Write", + "description": "Grants permission to create a trial", + "privilege": "CreateTrial", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "experiment-trial*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:ExistingObjectTag/", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -121408,25 +151170,19 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return the tag set of an object", - "privilege": "GetObjectTagging", + "access_level": "Write", + "description": "Grants permission to create a trial component", + "privilege": "CreateTrialComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "experiment-trial-component*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:ExistingObjectTag/", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121434,16 +151190,26 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list access points", - "privilege": "ListAccessPoints", + "access_level": "Write", + "description": "Grants permission to create a UserProfile for a SageMaker Studio Domain", + "privilege": "CreateUserProfile", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "user-profile*" + }, { "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:InstanceTypes", + "sagemaker:DomainSharingOutputKmsKey", + "sagemaker:ImageArns", + "sagemaker:ImageVersionArns" ], "dependent_actions": [], "resource_type": "" 
@@ -121451,32 +151217,19 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)", - "privilege": "ListBucket", + "access_level": "Write", + "description": "Grants permission to create a workforce", + "privilege": "CreateWorkforce", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "workforce*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:delimiter", - "s3-outposts:max-keys", - "s3-outposts:prefix", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -121484,29 +151237,19 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list in-progress multipart uploads", - "privilege": "ListBucketMultipartUploads", + "access_level": "Write", + "description": "Grants permission to create a workteam", + "privilege": "CreateWorkteam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "workteam*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -121514,479 +151257,432 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list endpoints", - "privilege": "ListEndpoints", + "access_level": "Write", + "description": "Grants permission to delete an action", + "privilege": "DeleteAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "action*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the parts that have been uploaded for a specific multipart upload", - "privilege": "ListMultipartUploadParts", + "access_level": "Write", + "description": "Grants permission to delete an algorithm", + "privilege": "DeleteAlgorithm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" - }, - { - "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "algorithm*" } ] }, { - "access_level": "List", - "description": "Grants permission to list all buckets owned by the authenticated sender of the request", - "privilege": "ListRegionalBuckets", + "access_level": "Write", + "description": "Grants permission to delete an App", + "privilege": "DeleteApp", "resource_types": [ { - "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "app*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to associate an access policy with a specified access point", - "privilege": "PutAccessPointPolicy", + "access_level": "Write", + "description": "Grants permission to delete an 
AppImageConfig", + "privilege": "DeleteAppImageConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "accesspoint*" - }, + "resource_type": "app-image-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an artifact", + "privilege": "DeleteArtifact", + "resource_types": [ { - "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "artifact*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to add or replace a bucket policy on a bucket", - "privilege": "PutBucketPolicy", + "access_level": "Write", + "description": "Grants permission to delete the association from a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another", + "privilege": "DeleteAssociation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" + "resource_type": "action*" }, { - "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "artifact*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "context*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "experiment-trial-component*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add a set of tags to an existing Amazon S3 bucket", - "privilege": "PutBucketTagging", + "access_level": 
"Write", + "description": "Grants permission to delete a CodeRepository", + "privilege": "DeleteCodeRepository", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" - }, + "resource_type": "code-repository*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a context", + "privilege": "DeleteContext", + "resource_types": [ { - "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "context*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a new lifecycle configuration for the bucket or replace an existing lifecycle configuration", - "privilege": "PutLifecycleConfiguration", + "description": "Grants permission to delete the data quality job definition created using the CreateDataQualityJobDefinition API", + "privilege": "DeleteDataQualityJobDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "bucket*" - }, + "resource_type": "data-quality-job-definition*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a device fleet", + "privilege": "DeleteDeviceFleet", + "resource_types": [ { - "condition_keys": [ - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "device-fleet*" } ] }, { "access_level": "Write", - "description": "Grants permission to add an object to a bucket", - "privilege": "PutObject", + "description": "Grants permission to delete a Domain", + "privilege": "DeleteDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" - }, + "resource_type": "domain*" + } 
+ ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an endpoint. Amazon SageMaker frees up all the resources that were deployed when the endpoint was created", + "privilege": "DeleteEndpoint", + "resource_types": [ { - "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:RequestObjectTag/", - "s3-outposts:RequestObjectTagKeys", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-acl", - "s3-outposts:x-amz-content-sha256", - "s3-outposts:x-amz-copy-source", - "s3-outposts:x-amz-metadata-directive", - "s3-outposts:x-amz-server-side-encryption", - "s3-outposts:x-amz-storage-class" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "endpoint*" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to set the access control list (ACL) permissions for an object that already exists in a bucket", - "privilege": "PutObjectAcl", + "access_level": "Write", + "description": "Grants permission to delete the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. 
It does not delete any endpoints created using the configuration", + "privilege": "DeleteEndpointConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" - }, + "resource_type": "endpoint-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an experiment", + "privilege": "DeleteExperiment", + "resource_types": [ { - "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:ExistingObjectTag/", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-acl", - "s3-outposts:x-amz-content-sha256", - "s3-outposts:x-amz-storage-class" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to set the supplied tag-set to an object that already exists in a bucket", - "privilege": "PutObjectTagging", + "access_level": "Write", + "description": "Grants permission to delete a feature group", + "privilege": "DeleteFeatureGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "object*" + "resource_type": "feature-group*" }, { "condition_keys": [ - "s3-outposts:DataAccessPointAccount", - "s3-outposts:DataAccessPointArn", - "s3-outposts:AccessPointNetworkOrigin", - "s3-outposts:ExistingObjectTag/", - "s3-outposts:RequestObjectTag/", - "s3-outposts:RequestObjectTagKeys", - "s3-outposts:authType", - "s3-outposts:signatureAge", - "s3-outposts:signatureversion", - "s3-outposts:x-amz-content-sha256" + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/accesspoint/${AccessPointName}", - "condition_keys": [], - "resource": "accesspoint" - }, - { 
- "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/bucket/${BucketName}", - "condition_keys": [], - "resource": "bucket" - }, - { - "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/endpoint/${EndpointId}", - "condition_keys": [], - "resource": "endpoint" - }, - { - "arn": "arn:${Partition}:s3-outposts:${Region}:${Account}:outpost/${OutpostId}/bucket/${BucketName}/object/${ObjectName}", - "condition_keys": [], - "resource": "object" - } - ], - "service_name": "Amazon S3 on Outposts" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "A key that is present in the request the user makes to the SageMaker service.", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "A tag key and value pair.", - "type": "String" - }, - { - "condition": "aws:SourceIp", - "description": "Filters access by the requestor's IP address", - "type": "String" - }, - { - "condition": "aws:SourceVpc", - "description": "Filters access by the requestor's VPC", - "type": "String" - }, - { - "condition": "aws:SourceVpce", - "description": "Filters access by the requestor's VPC endpoint", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:AcceleratorTypes", - "description": "The list of all accelerator types associated with the resource in the request.", - "type": "ArrayOfString" - }, - { - "condition": "sagemaker:AppNetworkAccessType", - "description": "App network access type associated with the resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:DirectInternetAccess", - "description": "The direct internet access associated with the resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:DomainSharingOutputKmsKey", - "description": "The Domain sharing 
output KMS key associated with the resource in the request.", - "type": "ARN" - }, - { - "condition": "sagemaker:FeatureGroupOfflineStoreKmsKey", - "description": "The offline store kms key associated with the feature group resource in the request.", - "type": "ARN" - }, - { - "condition": "sagemaker:FeatureGroupOfflineStoreS3Uri", - "description": "The offline store s3 uri associated with the feature group resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:FeatureGroupOnlineStoreKmsKey", - "description": "The online store kms key associated with the feature group resource in the request.", - "type": "ARN" - }, - { - "condition": "sagemaker:FileSystemAccessMode", - "description": "File system access mode associated with the resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:FileSystemDirectoryPath", - "description": "File system directory path associated with the resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:FileSystemId", - "description": "A file system ID associated with the resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:FileSystemType", - "description": "File system type associated with the resource in the request.", - "type": "String" - }, - { - "condition": "sagemaker:HomeEfsFileSystemKmsKey", - "description": "This key is deprecated. 
It has been replaced by sagemaker:VolumeKmsKey.", - "type": "ARN" - }, - { - "condition": "sagemaker:ImageArns", - "description": "Filters access by the list of all image arns associated with the resource in the request.", - "type": "ArrayOfString" - }, - { - "condition": "sagemaker:ImageVersionArns", - "description": "Filters access by the list of all image version arns associated with the resource in the request.", - "type": "ArrayOfString" - }, - { - "condition": "sagemaker:InstanceTypes", - "description": "The list of all instance types associated with the resource in the request.", - "type": "ArrayOfString" }, { - "condition": "sagemaker:InterContainerTrafficEncryption", - "description": "The inter container traffic encryption associated with the resource in the request.", - "type": "Bool" + "access_level": "Write", + "description": "Grants permission to delete the specified flow definition", + "privilege": "DeleteFlowDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "flow-definition*" + } + ] }, { - "condition": "sagemaker:MaxRuntimeInSeconds", - "description": "The max runtime in seconds associated with the resource in the request.", - "type": "Numeric" + "access_level": "Write", + "description": "Grants permission to delete a specified human loop", + "privilege": "DeleteHumanLoop", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "human-loop*" + } + ] }, { - "condition": "sagemaker:ModelArn", - "description": "The model arn associated with the resource in the request.", - "type": "ARN" + "access_level": "Write", + "description": "Grants permission to delete the specified human task user interface (worker task template)", + "privilege": "DeleteHumanTaskUi", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "human-task-ui*" + } + ] }, { - "condition": "sagemaker:NetworkIsolation", - "description": "The network 
isolation associated with the resource in the request.", - "type": "Bool" + "access_level": "Write", + "description": "Grants permissions to delete a SageMaker Image", + "privilege": "DeleteImage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "image*" + } + ] }, { - "condition": "sagemaker:OutputKmsKey", - "description": "The output kms key associated with the resource in the request.", - "type": "ARN" + "access_level": "Write", + "description": "Grants permissions to delete a SageMaker ImageVersion", + "privilege": "DeleteImageVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "image-version*" + } + ] }, { - "condition": "sagemaker:ResourceTag/", - "description": "The preface string for a tag key and value pair attached to a resource.", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. 
It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model", + "privilege": "DeleteModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model*" + } + ] }, { - "condition": "sagemaker:ResourceTag/${TagKey}", - "description": "A tag key and value pair.", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete the model bias job definition created using the CreateModelBiasJobDefinition API", + "privilege": "DeleteModelBiasJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-bias-job-definition*" + } + ] }, { - "condition": "sagemaker:RootAccess", - "description": "The root access associated with the resource in the request.", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete the model explainability job definition created using the CreateModelExplainabilityJobDefinition API", + "privilege": "DeleteModelExplainabilityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-explainability-job-definition*" + } + ] }, { - "condition": "sagemaker:TargetModel", - "description": "The target model associated with the Multi-Model Endpoint in the request.", - "type": "String" + "access_level": "Write", + "description": "Grants permission to delete a ModelPackage", + "privilege": "DeleteModelPackage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-package*" + } + ] }, { - "condition": "sagemaker:VolumeKmsKey", - "description": "The volume kms key associated with the resource in the request.", - "type": "ARN" + "access_level": "Write", + "description": "Grants permission to delete a ModelPackageGroup", + "privilege": "DeleteModelPackageGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "model-package-group*" + } + ] }, { - "condition": "sagemaker:VpcSecurityGroupIds", - "description": "The list of all vpc security group ids associated with the resource in the request.", - "type": "ArrayOfString" + "access_level": "Write", + "description": "Grants permission to delete a ModelPackageGroup policy", + "privilege": "DeleteModelPackageGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-package-group*" + } + ] }, { - "condition": "sagemaker:VpcSubnets", - "description": "The list of all vpc subnets associated with the resource in the request.", - "type": "ArrayOfString" + "access_level": "Write", + "description": "Grants permission to delete the model quality job definition created using the CreateModelQualityJobDefinition API", + "privilege": "DeleteModelQualityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-quality-job-definition*" + } + ] }, { - "condition": "sagemaker:WorkteamArn", - "description": "The workteam arn associated to the request.", - "type": "ARN" + "access_level": "Write", + "description": "Grants permission to delete a monitoring schedule", + "privilege": "DeleteMonitoringSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "monitoring-schedule*" + } + ] }, - { - "condition": "sagemaker:WorkteamType", - "description": "The workteam type associated to the request. This can be public-crowd, private-crowd or vendor-crowd.", - "type": "String" - } - ], - "prefix": "sagemaker", - "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another.", - "privilege": "AddAssociation", + "description": "Grants permission to delete a Amazon SageMaker notebook instance. 
Before you can delete a notebook instance, you must call the StopNotebookInstance API", + "privilege": "DeleteNotebookInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "action*" - }, + "resource_type": "notebook-instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a notebook instance lifecycle configuration", + "privilege": "DeleteNotebookInstanceLifecycleConfig", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "artifact*" - }, + "resource_type": "notebook-instance-lifecycle-config*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a pipeline", + "privilege": "DeletePipeline", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "context*" - }, + "resource_type": "pipeline*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a project", + "privilege": "DeleteProject", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment*" - }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a record from a feature group", + "privilege": "DeleteRecord", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial-component*" + "resource_type": "feature-group*" } ] }, { "access_level": "Tagging", - "description": "Adds or overwrites one or more tags for the specified Amazon SageMaker resource.", - "privilege": "AddTags", + "description": "Grants permission to delete the specified set of tags from an Amazon SageMaker resource", + "privilege": "DeleteTags", "resource_types": [ { "condition_keys": [], 
@@ -122023,6 +151719,11 @@ "dependent_actions": [], "resource_type": "code-repository" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "compilation-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -122185,7 +151886,6 @@ }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], @@ -122195,14 +151895,21 @@ }, { "access_level": "Write", - "description": "Associate a trial component with a trial.", - "privilege": "AssociateTrialComponent", + "description": "Grants permission to delete a trial", + "privilege": "DeleteTrial", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "experiment-trial*" - }, + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a trial component", + "privilege": "DeleteTrialComponent", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], 
@@ -122211,793 +151918,624 @@ ] }, { - "access_level": "Read", - "description": "Retrieve metrics associated with SageMaker Resources such as Training Jobs. This API is not publicly exposed at this point, however admins can control this action", - "privilege": "BatchGetMetrics", + "access_level": "Write", + "description": "Grants permission to delete a UserProfile", + "privilege": "DeleteUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "training-job*" + "resource_type": "user-profile*" } ] }, { "access_level": "Write", - "description": "Publish metrics associated with a SageMaker Resource such as a Training Job. This API is not publicly exposed at this point, however admins can control this action", - "privilege": "BatchPutMetrics", + "description": "Grants permission to delete a workforce", + "privilege": "DeleteWorkforce", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "training-job*" + "resource_type": "workforce*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an action.", - "privilege": "CreateAction", + "description": "Grants permission to delete a workteam", + "privilege": "DeleteWorkteam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "action*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "workteam*" } ] }, { "access_level": "Write", - "description": "Grants permission to create an algorithm.", - "privilege": "CreateAlgorithm", + "description": "Grants permission to deregister a set of devices", + "privilege": "DeregisterDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "algorithm*" - }, + "resource_type": "device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about an action", + 
"privilege": "DescribeAction", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "action*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an App for a SageMaker Studio UserProfile", - "privilege": "CreateApp", + "access_level": "Read", + "description": "Grants permission to describe an algorithm", + "privilege": "DescribeAlgorithm", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" - }, + "resource_type": "algorithm*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an App", + "privilege": "DescribeApp", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:ImageArns", - "sagemaker:ImageVersionArns" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "app*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an AppImageConfig", - "privilege": "CreateAppImageConfig", + "access_level": "Read", + "description": "Grants permission to describe an AppImageConfig", + "privilege": "DescribeAppImageConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "app-image-config*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an artifact.", - "privilege": "CreateArtifact", + "access_level": "Read", + "description": "Grants permission to get information about an artifact", + "privilege": "DescribeArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "artifact*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - 
"aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates automl job.", - "privilege": "CreateAutoMLJob", + "access_level": "Read", + "description": "Grants permission to describe an AutoML job that was created via the CreateAutoMLJob API", + "privilege": "DescribeAutoMLJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "automl-job*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "automl-job*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a CodeRepository.", - "privilege": "CreateCodeRepository", + "access_level": "Read", + "description": "Grants permission to describe a CodeRepository", + "privilege": "DescribeCodeRepository", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "code-repository*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create a compilation job.", - "privilege": "CreateCompilationJob", + "access_level": "Read", + "description": "Grants permission to return information about a compilation job", + "privilege": "DescribeCompilationJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], + "dependent_actions": [], "resource_type": "compilation-job*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a context.", - "privilege": "CreateContext", + "access_level": "Read", + "description": "Grants permission to get information about a context", + "privilege": "DescribeContext", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "context*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a data quality job definition.", - "privilege": "CreateDataQualityJobDefinition", + "access_level": "Read", + "description": "Grants permission to return information about a data quality job definition", + "privilege": "DescribeDataQualityJobDefinition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], + "dependent_actions": [], "resource_type": "data-quality-job-definition*" - }, + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to access information about a device", + "privilege": "DescribeDevice", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "device*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a device fleet", - "privilege": "CreateDeviceFleet", + "access_level": "Read", + "description": "Grants permission to access information about a device fleet", + "privilege": "DescribeDeviceFleet", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "device-fleet*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "device-fleet*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a 
Domain for SageMaker Studio", - "privilege": "CreateDomain", + "access_level": "Read", + "description": "Grants permission to describe a Domain", + "privilege": "DescribeDomain", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:CreateServiceLinkedRole", - "iam:PassRole" - ], - "resource_type": "domain*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:AppNetworkAccessType", - "sagemaker:InstanceTypes", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets", - "sagemaker:DomainSharingOutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:ImageArns", - "sagemaker:ImageVersionArns" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an edge packaging job", - "privilege": "CreateEdgePackagingJob", + "access_level": "Read", + "description": "Grants permission to access information about an edge packaging job", + "privilege": "DescribeEdgePackagingJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "edge-packaging-job*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "edge-packaging-job*" } ] }, { - "access_level": "Write", - "description": "Creates an endpoint using the endpoint configuration specified in the request.", - "privilege": "CreateEndpoint", + "access_level": "Read", + "description": "Grants permission to return the description of an endpoint", + "privilege": "DescribeEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "endpoint*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates an endpoint configuration that can be deployed using 
Amazon SageMaker hosting services.", - "privilege": "CreateEndpointConfig", + "access_level": "Read", + "description": "Grants permission to return the description of an endpoint configuration, which was created using the CreateEndpointConfig API", + "privilege": "DescribeEndpointConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "endpoint-config*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:AcceleratorTypes", - "sagemaker:InstanceTypes", - "sagemaker:ModelArn", - "sagemaker:VolumeKmsKey" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create an experiment.", - "privilege": "CreateExperiment", + "access_level": "Read", + "description": "Grants permission to return information about an experiment", + "privilege": "DescribeExperiment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "experiment*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates feature group.", - "privilege": "CreateFeatureGroup", + "access_level": "Read", + "description": "Grants permission to return information about a feature group", + "privilege": "DescribeFeatureGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "feature-group*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:FeatureGroupOnlineStoreKmsKey", - "sagemaker:FeatureGroupOfflineStoreKmsKey", - "sagemaker:FeatureGroupOfflineStoreS3Uri" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "feature-group*" } ] }, { - "access_level": "Write", - "description": "Creates a flow definition, which defines settings for a human workflow.", - "privilege": "CreateFlowDefinition", + 
"access_level": "Read", + "description": "Grants permission to return information about the specified flow definition", + "privilege": "DescribeFlowDefinition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], + "dependent_actions": [], "resource_type": "flow-definition*" - }, + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about the specified human loop", + "privilege": "DescribeHumanLoop", + "resource_types": [ { - "condition_keys": [ - "sagemaker:WorkteamArn", - "sagemaker:WorkteamType", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "human-loop*" } ] }, { - "access_level": "Write", - "description": "Defines the settings you will use for the human review workflow user interface.", - "privilege": "CreateHumanTaskUi", + "access_level": "Read", + "description": "Returns detailed information about the specified human review workflow user interface", + "privilege": "DescribeHumanTaskUi", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "human-task-ui*" - }, + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a hyper parameter tuning job that was created via the CreateHyperParameterTuningJob API", + "privilege": "DescribeHyperParameterTuningJob", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hyper-parameter-tuning-job*" } ] }, { - "access_level": "Write", - "description": "Creates hyper parameter tuning job that can be deployed using Amazon SageMaker.", - "privilege": "CreateHyperParameterTuningJob", + "access_level": "Read", + "description": "Grants permissions to return information about a SageMaker Image", + "privilege": "DescribeImage", "resource_types": [ { 
"condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "hyper-parameter-tuning-job*" - }, + "dependent_actions": [], + "resource_type": "image*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to return information about a SageMaker ImageVersion", + "privilege": "DescribeImageVersion", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:FileSystemAccessMode", - "sagemaker:FileSystemDirectoryPath", - "sagemaker:FileSystemId", - "sagemaker:FileSystemType", - "sagemaker:InstanceTypes", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "image-version*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a SageMaker Image.", - "privilege": "CreateImage", + "access_level": "Read", + "description": "Grants permission to return information about a labeling job", + "privilege": "DescribeLabelingJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "image*" - }, + "dependent_actions": [], + "resource_type": "labeling-job*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a model that you created using the CreateModel API", + "privilege": "DescribeModel", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model*" } ] }, { - "access_level": "Write", - "description": "Grants permissions to create a SageMaker ImageVersion.", - "privilege": "CreateImageVersion", + "access_level": "Read", + "description": "Grants permission to 
return information about a model bias job definition", + "privilege": "DescribeModelBiasJobDefinition", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "model-bias-job-definition*" } ] }, { - "access_level": "Write", - "description": "Starts a labeling job. A labeling job takes unlabeled data in and produces labeled data as output, which can be used for training SageMaker models.", - "privilege": "CreateLabelingJob", + "access_level": "Read", + "description": "Grants permission to return information about a model explainability job definition", + "privilege": "DescribeModelExplainabilityJobDefinition", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "labeling-job*" - }, + "dependent_actions": [], + "resource_type": "model-explainability-job-definition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a ModelPackage", + "privilege": "DescribeModelPackage", + "resource_types": [ { - "condition_keys": [ - "sagemaker:WorkteamArn", - "sagemaker:WorkteamType", - "sagemaker:VolumeKmsKey", - "sagemaker:OutputKmsKey", - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model-package*" } ] }, { - "access_level": "Write", - "description": "Creates a model in Amazon SageMaker. 
In the request, you specify a name for the model and describe one or more containers.", - "privilege": "CreateModel", + "access_level": "Read", + "description": "Grants permission to describe a ModelPackageGroup", + "privilege": "DescribeModelPackageGroup", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "model*" - }, + "dependent_actions": [], + "resource_type": "model-package-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a model quality job definition", + "privilege": "DescribeModelQualityJobDefinition", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:NetworkIsolation", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "model-quality-job-definition*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a model bias job definition.", - "privilege": "CreateModelBiasJobDefinition", + "access_level": "Read", + "description": "Grants permission to return information about a monitoring schedule", + "privilege": "DescribeMonitoringSchedule", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "model-bias-job-definition*" - }, + "dependent_actions": [], + "resource_type": "monitoring-schedule*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a notebook instance", + "privilege": "DescribeNotebookInstance", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - 
"sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "notebook-instance*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a model explainability job definition.", - "privilege": "CreateModelExplainabilityJobDefinition", + "access_level": "Read", + "description": "Grants permission to describe a notebook instance lifecycle configuration that was created via the CreateNotebookInstanceLifecycleConfig API", + "privilege": "DescribeNotebookInstanceLifecycleConfig", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "model-explainability-job-definition*" - }, + "dependent_actions": [], + "resource_type": "notebook-instance-lifecycle-config*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a pipeline", + "privilege": "DescribePipeline", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "pipeline*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a ModelPackage.", - "privilege": "CreateModelPackage", + "access_level": "Read", + "description": "Grants permission to get the pipeline definition for a pipeline execution", + "privilege": "DescribePipelineDefinitionForExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package" - }, + "resource_type": "pipeline-execution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about a pipeline 
execution", + "privilege": "DescribePipelineExecution", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package-group" - }, + "resource_type": "pipeline-execution*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a processing job", + "privilege": "DescribeProcessingJob", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "processing-job*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a ModelPackageGroup.", - "privilege": "CreateModelPackageGroup", + "access_level": "Read", + "description": "Grants permission to describe a project", + "privilege": "DescribeProject", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package-group*" - }, + "resource_type": "project*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a subscribed workteam", + "privilege": "DescribeSubscribedWorkteam", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workteam*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a model quality job definition.", - "privilege": "CreateModelQualityJobDefinition", + "access_level": "Read", + "description": "Grants permission to return information about a training job", + "privilege": "DescribeTrainingJob", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "model-quality-job-definition*" - }, + "dependent_actions": [], + "resource_type": "training-job*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about 
a transform job", + "privilege": "DescribeTransformJob", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "transform-job*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a monitoring schedule.", - "privilege": "CreateMonitoringSchedule", + "access_level": "Read", + "description": "Grants permission to return information about a trial", + "privilege": "DescribeTrial", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "monitoring-schedule*" - }, + "dependent_actions": [], + "resource_type": "experiment-trial*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a trial component", + "privilege": "DescribeTrialComponent", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment-trial-component*" } ] }, { - "access_level": "Write", - "description": "Creates an Amazon SageMaker notebook instance. 
A notebook instance is an Amazon EC2 instance running on a Jupyter Notebook.", - "privilege": "CreateNotebookInstance", + "access_level": "Read", + "description": "Grants permission to describe a UserProfile", + "privilege": "DescribeUserProfile", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "notebook-instance*" - }, + "dependent_actions": [], + "resource_type": "user-profile*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a workforce", + "privilege": "DescribeWorkforce", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:AcceleratorTypes", - "sagemaker:DirectInternetAccess", - "sagemaker:InstanceTypes", - "sagemaker:RootAccess", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workforce*" } ] }, { - "access_level": "Write", - "description": "Creates an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker.", - "privilege": "CreateNotebookInstanceLifecycleConfig", + "access_level": "Read", + "description": "Grants permission to return information about a workteam", + "privilege": "DescribeWorkteam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance-lifecycle-config*" + "resource_type": "workteam*" } ] }, { "access_level": "Write", - "description": "Grants permission to create a pipeline.", - "privilege": "CreatePipeline", + "description": "Grants permission to disable a SageMaker Service Catalog Portfolio", + "privilege": "DisableSagemakerServicecatalogPortfolio", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "pipeline*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], 
"dependent_actions": [], "resource_type": "" } 
@@ -123005,139 +152543,123 @@ }, { "access_level": "Write", - "description": "Grants permission to return a URL that you can use from your browser to connect to the Domain as a specified UserProfile when AuthMode is 'IAM'", - "privilege": "CreatePresignedDomainUrl", + "description": "Grants permission to disassociate a trial component from a trial", + "privilege": "DisassociateTrialComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user-profile*" + "resource_type": "experiment-trial*" }, { - "condition_keys": [ - "aws:SourceIp", - "aws:SourceVpc", - "aws:SourceVpce" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment-trial-component*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "processing-job*" } ] }, { "access_level": "Write", - "description": "Returns a URL that you can use from your browser to connect to the Notebook Instance.", - "privilege": "CreatePresignedNotebookInstanceUrl", + "description": "Grants permission to enable a SageMaker Service Catalog Portfolio", + "privilege": "EnableSagemakerServicecatalogPortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Starts a processing job. 
After processing completes, Amazon SageMaker saves the resulting artifacts and other optional output to an Amazon S3 location that you specify.", - "privilege": "CreateProcessingJob", + "access_level": "Read", + "description": "Grants permission to access a summary of the devices in a device fleet", + "privilege": "GetDeviceFleetReport", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "processing-job*" - }, + "dependent_actions": [], + "resource_type": "device-fleet*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get device registration. After you deploy a model onto edge devices this api is used to get current device registration", + "privilege": "GetDeviceRegistration", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets", - "sagemaker:InterContainerTrafficEncryption" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "device*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a Project.", - "privilege": "CreateProject", + "access_level": "Read", + "description": "Grants permission to get a ModelPackageGroup policy", + "privilege": "GetModelPackageGroupPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" - }, + "resource_type": "model-package-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a record from a feature group", + "privilege": "GetRecord", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": 
"feature-group*" } ] }, { - "access_level": "Write", - "description": "Starts a model training job. After training completes, Amazon SageMaker saves the resulting model artifacts and other optional output to an Amazon S3 location that you specify.", - "privilege": "CreateTrainingJob", + "access_level": "Read", + "description": "Grants permission to get a SageMaker Service Catalog Portfolio", + "privilege": "GetSagemakerServicecatalogPortfolioStatus", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "training-job*" - }, + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get search suggestions when provided with a keyword", + "privilege": "GetSearchSuggestions", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:FileSystemAccessMode", - "sagemaker:FileSystemDirectoryPath", - "sagemaker:FileSystemId", - "sagemaker:FileSystemType", - "sagemaker:InstanceTypes", - "sagemaker:InterContainerTrafficEncryption", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Starts a transform job. After the results are obtained, Amazon SageMaker saves them to an Amazon S3 location that you specify.", - "privilege": "CreateTransformJob", + "access_level": "Read", + "description": "Grants permission to invoke an endpoint. 
After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint", + "privilege": "InvokeEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "transform-job*" + "resource_type": "endpoint*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:ModelArn", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey" + "sagemaker:TargetModel" ], "dependent_actions": [], "resource_type": "" 
@@ -123145,527 +152667,561 @@ ] }, { - "access_level": "Write", - "description": "Create a trial.", - "privilege": "CreateTrial", + "access_level": "Read", + "description": "Grants permission to get inferences from the hosted model at the specified endpoint in an asynchronous manner", + "privilege": "InvokeEndpointAsync", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial*" - }, + "resource_type": "endpoint*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list actions", + "privilege": "ListActions", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create a trial component.", - "privilege": "CreateTrialComponent", + "access_level": "List", + "description": "Grants permission to list Algorithms", + "privilege": "ListAlgorithms", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial-component*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the AppImageConfigs in your account", + "privilege": "ListAppImageConfigs", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a UserProfile for a SageMaker Studio Domain", - "privilege": "CreateUserProfile", + "access_level": "List", + "description": "Grants permission to list the Apps in your account", + "privilege": "ListApps", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "user-profile*" - }, + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": 
"Grants permission to list artifacts", + "privilege": "ListArtifacts", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:InstanceTypes", - "sagemaker:DomainSharingOutputKmsKey", - "sagemaker:ImageArns", - "sagemaker:ImageVersionArns" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create a workforce.", - "privilege": "CreateWorkforce", + "access_level": "List", + "description": "Grants permission to list associations", + "privilege": "ListAssociations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workforce*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list AutoML jobs", + "privilege": "ListAutoMLJobs", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Create a workteam.", - "privilege": "CreateWorkteam", + "access_level": "List", + "description": "Grants permission to lists candidates for an AutoML job", + "privilege": "ListCandidatesForAutoMLJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workteam*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list code repositories", + "privilege": "ListCodeRepositories", + "resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an action.", - "privilege": "DeleteAction", + "access_level": "List", + "description": "Grants permission to list compilation jobs", + "privilege": 
"ListCompilationJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "action*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an algorithm.", - "privilege": "DeleteAlgorithm", + "access_level": "List", + "description": "Grants permission to list contexts.", + "privilege": "ListContexts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "algorithm*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an App", - "privilege": "DeleteApp", + "access_level": "List", + "description": "Grants permission to list data quality job definitions", + "privilege": "ListDataQualityJobDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an AppImageConfig", - "privilege": "DeleteAppImageConfig", + "access_level": "List", + "description": "Grants permission to list device fleets", + "privilege": "ListDeviceFleets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app-image-config*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete an artifact.", - "privilege": "DeleteArtifact", + "access_level": "List", + "description": "Grants permission to list devices", + "privilege": "ListDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "artifact*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the association from a lineage entity (artifact, context, action, experiment, experiment-trial-component) to another.", - "privilege": "DeleteAssociation", + "access_level": "List", + "description": "Grants permission to list the Domains in your account", + 
"privilege": "ListDomains", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "action*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list edge packaging jobs", + "privilege": "ListEdgePackagingJobs", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "artifact*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list endpoint configurations", + "privilege": "ListEndpointConfigs", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "context*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list endpoints", + "privilege": "ListEndpoints", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list experiments", + "privilege": "ListExperiments", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial-component*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a CodeRepository.", - "privilege": "DeleteCodeRepository", + "access_level": "List", + "description": "Grants permission to list feature groups", + "privilege": "ListFeatureGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "code-repository*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a context.", - "privilege": "DeleteContext", + "access_level": "List", + "description": "Grants permission to return summary information about flow definitions, given the specified parameters", + "privilege": "ListFlowDefinitions", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "context*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the data quality job definition created using the CreateDataQualityJobDefinition API.", - "privilege": "DeleteDataQualityJobDefinition", + "access_level": "List", + "description": "Grants permission to return summary information about human loops, given the specified parameters", + "privilege": "ListHumanLoops", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-quality-job-definition*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a device fleet", - "privilege": "DeleteDeviceFleet", + "access_level": "List", + "description": "Grants permission to return summary information about human review workflow user interfaces, given the specified parameters", + "privilege": "ListHumanTaskUis", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device-fleet*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a Domain", - "privilege": "DeleteDomain", + "access_level": "List", + "description": "Grants permission to list hyper parameter tuning jobs", + "privilege": "ListHyperParameterTuningJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes an endpoint. 
Amazon SageMaker frees up all the resources that were deployed when the endpoint was created.", - "privilege": "DeleteEndpoint", + "access_level": "List", + "description": "Grants permissions to list ImageVersions that belong to a SageMaker Image", + "privilege": "ListImageVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint*" + "resource_type": "image*" } ] }, { - "access_level": "Write", - "description": "Deletes the endpoint configuration created using the CreateEndpointConfig API. The DeleteEndpointConfig API deletes only the specified configuration. It does not delete any endpoints created using the configuration.", - "privilege": "DeleteEndpointConfig", + "access_level": "List", + "description": "Grants permissions to list SageMaker Images in your account", + "privilege": "ListImages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint-config*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes an experiment.", - "privilege": "DeleteExperiment", + "access_level": "List", + "description": "Grants permission to list labeling jobs", + "privilege": "ListLabelingJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a feature group.", - "privilege": "DeleteFeatureGroup", + "access_level": "List", + "description": "Grants permission to list labeling jobs for workteam", + "privilege": "ListLabelingJobsForWorkteam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "feature-group*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "workteam*" } ] }, { - "access_level": "Write", - "description": "Deltes the specified flow definition.", - "privilege": "DeleteFlowDefinition", + 
"access_level": "List", + "description": "Grants permission to list model bias job definitions", + "privilege": "ListModelBiasJobDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow-definition*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified human loop.", - "privilege": "DeleteHumanLoop", + "access_level": "List", + "description": "Grants permission to list model explainability job definitions", + "privilege": "ListModelExplainabilityJobDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "human-loop*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a SageMaker Image.", - "privilege": "DeleteImage", + "access_level": "List", + "description": "Grants permission to list ModelPackageGroups", + "privilege": "ListModelPackageGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permissions to delete a SageMaker ImageVersion.", - "privilege": "DeleteImageVersion", + "access_level": "List", + "description": "Grants permission to list ModelPackages", + "privilege": "ListModelPackages", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-version*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a model created using the CreateModel API. The DeleteModel API deletes only the model entry in Amazon SageMaker that you created by calling the CreateModel API. 
It does not delete model artifacts, inference code, or the IAM role that you specified when creating the model.", - "privilege": "DeleteModel", + "access_level": "List", + "description": "Grants permission to list model quality job definitions", + "privilege": "ListModelQualityJobDefinitions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the model bias job definition created using the CreateModelBiasJobDefinition API.", - "privilege": "DeleteModelBiasJobDefinition", + "access_level": "List", + "description": "Grants permission to list the models created with the CreateModel API", + "privilege": "ListModels", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-bias-job-definition*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the model explainability job definition created using the CreateModelExplainabilityJobDefinition API.", - "privilege": "DeleteModelExplainabilityJobDefinition", + "access_level": "List", + "description": "Grants permission to list monitoring executions", + "privilege": "ListMonitoringExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-explainability-job-definition*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a ModelPackage.", - "privilege": "DeleteModelPackage", + "access_level": "List", + "description": "Grants permission to list monitoring schedules", + "privilege": "ListMonitoringSchedules", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a ModelPackageGroup.", - "privilege": "DeleteModelPackageGroup", + 
"access_level": "List", + "description": "Grants permission to list the notebook instance lifecycle configurations that can be deployed using Amazon SageMaker", + "privilege": "ListNotebookInstanceLifecycleConfigs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package-group*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a ModelPackageGroup policy.", - "privilege": "DeleteModelPackageGroupPolicy", + "access_level": "List", + "description": "Grants permission to list the Amazon SageMaker notebook instances in the requester's account in an AWS Region", + "privilege": "ListNotebookInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package-group*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the model quality job definition created using the CreateModelQualityJobDefinition API.", - "privilege": "DeleteModelQualityJobDefinition", + "access_level": "List", + "description": "Grants permission to list steps for a pipeline execution", + "privilege": "ListPipelineExecutionSteps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-quality-job-definition*" + "resource_type": "pipeline-execution*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a monitoring schedule.", - "privilege": "DeleteMonitoringSchedule", + "access_level": "List", + "description": "Grants permission to list executions for a pipeline", + "privilege": "ListPipelineExecutions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "monitoring-schedule*" + "resource_type": "pipeline*" } ] }, { - "access_level": "Write", - "description": "Deletes an Amazon SageMaker notebook instance. 
Before you can delete a notebook instance, you must call the StopNotebookInstance API.", - "privilege": "DeleteNotebookInstance", + "access_level": "List", + "description": "Grants permission to list parameters for a pipeline execution", + "privilege": "ListPipelineParametersForExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance*" + "resource_type": "pipeline-execution*" } ] }, { - "access_level": "Write", - "description": "Deletes an notebook instance lifecycle configuration that can be deployed using Amazon SageMaker.", - "privilege": "DeleteNotebookInstanceLifecycleConfig", + "access_level": "List", + "description": "Grants permission to list pipelines", + "privilege": "ListPipelines", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance-lifecycle-config*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a pipeline.", - "privilege": "DeletePipeline", + "access_level": "List", + "description": "Grants permission to list processing jobs", + "privilege": "ListProcessingJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a project.", - "privilege": "DeleteProject", + "access_level": "List", + "description": "Grants permission to list Projects", + "privilege": "ListProjects", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Delete a record from a feature group.", - "privilege": "DeleteRecord", + "access_level": "List", + "description": "Grants permission to list subscribed workteams", + "privilege": "ListSubscribedWorkteams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": 
"feature-group*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Deletes the specified set of tags from an Amazon SageMaker resource.", - "privilege": "DeleteTags", + "access_level": "List", + "description": "Grants permission to list the tag set associated with the specified resource", + "privilege": "ListTags", "resource_types": [ { "condition_keys": [], @@ -123702,11 +153258,6 @@ "dependent_actions": [], "resource_type": "code-repository" }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "compilation-job" - }, { "condition_keys": [], "dependent_actions": [], @@ -123837,11 +153388,6 @@ "dependent_actions": [], "resource_type": "pipeline" }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "processing-job" - }, { "condition_keys": [], "dependent_actions": [], 
@@ -123866,783 +153412,1188 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "workteam" - }, - { - "condition_keys": [ - "aws:TagKeys" - ], - "dependent_actions": [], - "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a trial.", - "privilege": "DeleteTrial", + "access_level": "List", + "description": "Grants permission to list training jobs", + "privilege": "ListTrainingJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a trial component.", - "privilege": "DeleteTrialComponent", + "access_level": "List", + "description": "Grants permission to list training jobs for a hyper parameter tuning job", + "privilege": "ListTrainingJobsForHyperParameterTuningJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial-component*" + "resource_type": "hyper-parameter-tuning-job*" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a UserProfile", - "privilege": "DeleteUserProfile", + "access_level": "List", + "description": "Grants permission to list transform jobs", + "privilege": "ListTransformJobs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user-profile*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a workforce.", - "privilege": "DeleteWorkforce", + "access_level": "List", + "description": "Grants permission to list trial components", + "privilege": "ListTrialComponents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workforce*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a workteam.", - "privilege": "DeleteWorkteam", + "access_level": "List", + "description": "Grants permission to list trials", + "privilege": "ListTrials", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workteam*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to deregister a set of devices", - "privilege": "DeregisterDevices", + "access_level": "List", + "description": "Grants permission to list the UserProfiles in your account", + "privilege": "ListUserProfiles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about an action.", - "privilege": "DescribeAction", + "access_level": "List", + "description": "Grants permission to list workforces", + "privilege": "ListWorkforces", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "action*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an algorithm.", - "privilege": "DescribeAlgorithm", + "access_level": "List", + "description": "Grants permission to list workteams", + "privilege": "ListWorkteams", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "algorithm*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an App", - "privilege": "DescribeApp", + "access_level": "Write", + "description": "Grants permission to put a ModelPackageGroup policy", + "privilege": "PutModelPackageGroupPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app*" + "resource_type": "model-package-group*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe an AppImageConfig", - "privilege": "DescribeAppImageConfig", + "access_level": "Write", + "description": "Grants permission to put a record to a feature group", + "privilege": "PutRecord", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "app-image-config*" + "resource_type": "feature-group*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about an artifact.", - "privilege": "DescribeArtifact", + "access_level": "Write", + "description": "Grants permission to register a set of devices", + "privilege": "RegisterDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "artifact*" - } - ] - }, - { - "access_level": "Read", - "description": "Describes an automl job that was created via CreateAutoMLJob API.", - "privilege": "DescribeAutoMLJob", - "resource_types": [ + "resource_type": "device*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "automl-job*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a CodeRepository.", - "privilege": "DescribeCodeRepository", + "description": "Grants permission to render a UI template used for a human annotation task", + "privilege": "RenderUiTemplate", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "code-repository*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns information about a compilation job.", - "privilege": "DescribeCompilationJob", + "description": "Search for SageMaker objects", + "privilege": "Search", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "compilation-job*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a context.", - "privilege": "DescribeContext", + "access_level": "Write", + "description": "Grants permission to publish heartbeat data from devices. 
After you deploy a model onto edge devices this api is used to report device status", + "privilege": "SendHeartbeat", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "context*" + "resource_type": "device*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about a data quality job definition.", - "privilege": "DescribeDataQualityJobDefinition", + "access_level": "Write", + "description": "Grants permission to fail a pending callback step", + "privilege": "SendPipelineExecutionStepFailure", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-quality-job-definition*" + "resource_type": "pipeline-execution*" } ] }, { - "access_level": "Read", - "description": "Grants permission to access information about a device", - "privilege": "DescribeDevice", + "access_level": "Write", + "description": "Grants permission to succeed a pending callback step", + "privilege": "SendPipelineExecutionStepSuccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "pipeline-execution*" } ] }, { - "access_level": "Read", - "description": "Grants permission to access information about a device fleet", - "privilege": "DescribeDeviceFleet", + "access_level": "Write", + "description": "Grants permission to start a human loop", + "privilege": "StartHumanLoop", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device-fleet*" + "resource_type": "flow-definition*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a Domain", - "privilege": "DescribeDomain", + "access_level": "Write", + "description": "Grants permission to start a monitoring schedule", + "privilege": "StartMonitoringSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "monitoring-schedule*" } ] }, { 
- "access_level": "Read", - "description": "Grants permission to access information about an edge packaging job", - "privilege": "DescribeEdgePackagingJob", + "access_level": "Write", + "description": "Grants permission to start a notebook instance. This launches an EC2 instance with the latest version of the libraries and attaches your EBS volume", + "privilege": "StartNotebookInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "edge-packaging-job*" + "resource_type": "notebook-instance*" } ] }, { - "access_level": "Read", - "description": "Returns the description of an endpoint.", - "privilege": "DescribeEndpoint", + "access_level": "Write", + "description": "Grants permission to start a pipeline execution", + "privilege": "StartPipelineExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint*" + "resource_type": "pipeline*" } ] }, { - "access_level": "Read", - "description": "Returns the description of an endpoint configuration, which was created using the CreateEndpointConfig API.", - "privilege": "DescribeEndpointConfig", + "access_level": "Write", + "description": "Grants permission to stop a running AutoML job", + "privilege": "StopAutoMLJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint-config*" + "resource_type": "automl-job*" } ] }, { - "access_level": "Read", - "description": "Returns information about an experiment.", - "privilege": "DescribeExperiment", + "access_level": "Write", + "description": "Grants permission to stop a compilation job", + "privilege": "StopCompilationJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment*" + "resource_type": "compilation-job*" } ] }, { - "access_level": "Read", - "description": "Returns information about a feature group.", - "privilege": "DescribeFeatureGroup", + "access_level": "Write", + "description": "Grants 
permission to stop an edge packaging job", + "privilege": "StopEdgePackagingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "feature-group*" + "resource_type": "edge-packaging-job*" } ] }, { - "access_level": "Read", - "description": "Returns detailed information about the specified flow definition.", - "privilege": "DescribeFlowDefinition", + "access_level": "Write", + "description": "Grants permission to stop a specified human loop", + "privilege": "StopHumanLoop", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow-definition*" + "resource_type": "human-loop*" } ] }, { - "access_level": "Read", - "description": "Returns detailed information about the specified human loop.", - "privilege": "DescribeHumanLoop", + "access_level": "Write", + "description": "Grants permission to stop a running hyper parameter tuning job create via the CreateHyperParameterTuningJob", + "privilege": "StopHyperParameterTuningJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "human-loop*" + "resource_type": "hyper-parameter-tuning-job*" } ] }, { - "access_level": "Read", - "description": "Returns detailed information about the specified human review workflow user interface.", - "privilege": "DescribeHumanTaskUi", + "access_level": "Write", + "description": "Grants permission to stop a labeling job. 
Any labels already generated will be exported before stopping", + "privilege": "StopLabelingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "human-task-ui*" + "resource_type": "labeling-job*" } ] }, { - "access_level": "Read", - "description": "Describes a hyper parameter tuning job that was created via CreateHyperParameterTuningJob API.", - "privilege": "DescribeHyperParameterTuningJob", + "access_level": "Write", + "description": "Grants permission to stop a monitoring schedule", + "privilege": "StopMonitoringSchedule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hyper-parameter-tuning-job*" + "resource_type": "monitoring-schedule*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to return information about a SageMaker Image.", - "privilege": "DescribeImage", + "access_level": "Write", + "description": "Grants permission to stop a notebook instance. This terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume", + "privilege": "StopNotebookInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": "notebook-instance*" } ] }, { - "access_level": "Read", - "description": "Grants permissions to return information about a SageMaker ImageVersion.", - "privilege": "DescribeImageVersion", + "access_level": "Write", + "description": "Grants permission to stop a pipeline execution", + "privilege": "StopPipelineExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image-version*" + "resource_type": "pipeline-execution*" } ] }, { - "access_level": "Read", - "description": "Returns information about a labeling job.", - "privilege": "DescribeLabelingJob", + "access_level": "Write", + "description": "Grants permission to stop a processing job. 
To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds", + "privilege": "StopProcessingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "labeling-job*" + "resource_type": "processing-job*" } ] }, { - "access_level": "Read", - "description": "Describes a model that you created using the CreateModel API.", - "privilege": "DescribeModel", + "access_level": "Write", + "description": "Grants permission to stop a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds", + "privilege": "StopTrainingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" + "resource_type": "training-job*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about a model bias job definition.", - "privilege": "DescribeModelBiasJobDefinition", + "access_level": "Write", + "description": "Grants permission to stop a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. 
After Amazon SageMaker stops the job, the status is set to Stopped", + "privilege": "StopTransformJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-bias-job-definition*" + "resource_type": "transform-job*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about a model explainability job definition.", - "privilege": "DescribeModelExplainabilityJobDefinition", + "access_level": "Write", + "description": "Grants permission to update an action", + "privilege": "UpdateAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-explainability-job-definition*" + "resource_type": "action*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a ModelPackage.", - "privilege": "DescribeModelPackage", + "access_level": "Write", + "description": "Grants permission to update an AppImageConfig", + "privilege": "UpdateAppImageConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package*" + "resource_type": "app-image-config*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a ModelPackageGroup.", - "privilege": "DescribeModelPackageGroup", + "access_level": "Write", + "description": "Grants permission to update an artifact", + "privilege": "UpdateArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package-group*" + "resource_type": "artifact*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about a model quality job definition.", - "privilege": "DescribeModelQualityJobDefinition", + "access_level": "Write", + "description": "Grants permission to update a CodeRepository", + "privilege": "UpdateCodeRepository", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-quality-job-definition*" + 
"resource_type": "code-repository*" } ] }, { - "access_level": "Read", - "description": "Grants permission to return information about a monitoring schedule.", - "privilege": "DescribeMonitoringSchedule", + "access_level": "Write", + "description": "Grants permission to update a context", + "privilege": "UpdateContext", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "monitoring-schedule*" + "resource_type": "context*" } ] }, { - "access_level": "Read", - "description": "Returns information about a notebook instance.", - "privilege": "DescribeNotebookInstance", + "access_level": "Write", + "description": "Grants permission to update a device fleet", + "privilege": "UpdateDeviceFleet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance*" + "resource_type": "device-fleet*" } ] }, { - "access_level": "Read", - "description": "Describes an notebook instance lifecycle configuration that was created via CreateNotebookInstanceLifecycleConfig API.", - "privilege": "DescribeNotebookInstanceLifecycleConfig", + "access_level": "Write", + "description": "Grants permission to update a set of devices", + "privilege": "UpdateDevices", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance-lifecycle-config*" + "resource_type": "device*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a pipeline.", - "privilege": "DescribePipeline", + "access_level": "Write", + "description": "Grants permission to update a Domain", + "privilege": "UpdateDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "domain*" + }, + { + "condition_keys": [ + "sagemaker:VpcSecurityGroupIds", + "sagemaker:InstanceTypes", + "sagemaker:DomainSharingOutputKmsKey", + "sagemaker:ImageArns", + "sagemaker:ImageVersionArns" + ], + "dependent_actions": 
[], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the pipeline definition for a pipeline execution.", - "privilege": "DescribePipelineDefinitionForExecution", + "access_level": "Write", + "description": "Grants permission to update an endpoint to use the endpoint configuration specified in the request", + "privilege": "UpdateEndpoint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline-execution*" + "resource_type": "endpoint*" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a pipeline execution.", - "privilege": "DescribePipelineExecution", + "access_level": "Write", + "description": "Grants permission to update variant weight, capacity, or both of one or more variants associated with an endpoint", + "privilege": "UpdateEndpointWeightsAndCapacities", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline-execution*" + "resource_type": "endpoint*" } ] }, { - "access_level": "Read", - "description": "Returns information about a processing job.", - "privilege": "DescribeProcessingJob", + "access_level": "Write", + "description": "Grants permission to update an experiment", + "privilege": "UpdateExperiment", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "processing-job*" + "resource_type": "experiment*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a project.", - "privilege": "DescribeProject", + "access_level": "Write", + "description": "Grants permissions to update the properties of a SageMaker Image", + "privilege": "UpdateImage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "image*" } ] }, { - "access_level": "Read", - "description": "Returns information about a subscribed 
workteam.", - "privilege": "DescribeSubscribedWorkteam", + "access_level": "Write", + "description": "Grants permission to update a ModelPackage", + "privilege": "UpdateModelPackage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workteam*" + "resource_type": "model-package*" } ] }, { - "access_level": "Read", - "description": "Returns information about a training job.", - "privilege": "DescribeTrainingJob", + "access_level": "Write", + "description": "Grants permission to update a monitoring schedule", + "privilege": "UpdateMonitoringSchedule", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "monitoring-schedule*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets", + "sagemaker:InterContainerTrafficEncryption" + ], "dependent_actions": [], - "resource_type": "training-job*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about a transform job.", - "privilege": "DescribeTransformJob", + "access_level": "Write", + "description": "Grants permission to update a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. 
You can also update the VPC security groups", + "privilege": "UpdateNotebookInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "transform-job*" + "resource_type": "notebook-instance*" + }, + { + "condition_keys": [ + "sagemaker:AcceleratorTypes", + "sagemaker:InstanceTypes", + "sagemaker:RootAccess" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about a trial.", - "privilege": "DescribeTrial", + "access_level": "Write", + "description": "Grants permission to updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API", + "privilege": "UpdateNotebookInstanceLifecycleConfig", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial*" + "resource_type": "notebook-instance-lifecycle-config*" } ] }, { - "access_level": "Read", - "description": "Returns information about a trial component.", - "privilege": "DescribeTrialComponent", + "access_level": "Write", + "description": "Grants permission to update a pipeline", + "privilege": "UpdatePipeline", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "experiment-trial-component*" + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "pipeline*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe a UserProfile", - "privilege": "DescribeUserProfile", + "access_level": "Write", + "description": "Grants permission to update a pipeline execution", + "privilege": "UpdatePipelineExecution", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user-profile*" + "resource_type": "pipeline-execution*" } ] }, { - "access_level": "Read", - "description": "Returns information about a workforce.", - "privilege": "DescribeWorkforce", + "access_level": "Write", + "description": "Grants permission to 
update a training job", + "privilege": "UpdateTrainingJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workforce*" + "resource_type": "training-job*" + }, + { + "condition_keys": [ + "sagemaker:InstanceTypes" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about a workteam.", - "privilege": "DescribeWorkteam", + "access_level": "Write", + "description": "Grants permission to update a trial", + "privilege": "UpdateTrial", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workteam*" + "resource_type": "experiment-trial*" } ] }, { "access_level": "Write", - "description": "Grants permission to disable a SageMaker Service Catalog Portfolio.", - "privilege": "DisableSagemakerServicecatalogPortfolio", + "description": "Grants permission to update a trial component", + "privilege": "UpdateTrialComponent", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "experiment-trial-component*" } ] }, { "access_level": "Write", - "description": "Disassociate a trial component with a trial.", - "privilege": "DisassociateTrialComponent", + "description": "Grants permission to update a UserProfile", + "privilege": "UpdateUserProfile", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "experiment-trial-component*" + "resource_type": "user-profile*" }, { - "condition_keys": [], + "condition_keys": [ + "sagemaker:InstanceTypes", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:InstanceTypes", + "sagemaker:DomainSharingOutputKmsKey", + "sagemaker:ImageArns", + "sagemaker:ImageVersionArns" + ], "dependent_actions": [], - "resource_type": "processing-job*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants 
permission to enable a SageMaker Service Catalog Portfolio.", - "privilege": "EnableSagemakerServicecatalogPortfolio", + "description": "Grants permission to update a workforce", + "privilege": "UpdateWorkforce", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workforce*" } ] }, { - "access_level": "Read", - "description": "Grants permission to access a summary of the devices in a device fleet", - "privilege": "GetDeviceFleetReport", + "access_level": "Write", + "description": "Grants permission to update a workteam", + "privilege": "UpdateWorkteam", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device-fleet*" + "resource_type": "workteam*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}/device/${DeviceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "device" }, { - "access_level": "Read", - "description": "Grants permission to get device registration. 
After you deploy a model onto edge devices this api is used to get current device registration", - "privilege": "GetDeviceRegistration", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "device*" - } - ] + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "device-fleet" }, { - "access_level": "Read", - "description": "Grants permission to get a ModelPackageGroup policy.", - "privilege": "GetModelPackageGroupPolicy", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "model-package-group*" - } - ] + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:edge-packaging-job/${EdgePackagingJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "edge-packaging-job" }, { - "access_level": "Read", - "description": "Get a record from a feature group.", - "privilege": "GetRecord", + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:human-loop/${HumanLoopName}", + "condition_keys": [], + "resource": "human-loop" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:flow-definition/${FlowDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "flow-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:human-task-ui/${HumanTaskUiName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "human-task-ui" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "labeling-job" + }, + { + "arn": 
"arn:${Partition}:sagemaker:${Region}:${Account}:workteam/${WorkteamName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "workteam" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:workforce/${WorkforceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "workforce" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:domain/${DomainId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "domain" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:user-profile/${DomainId}/${UserProfileName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "user-profile" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:app/${DomainId}/${UserProfileName}/${AppType}/${AppName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "app" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:app-image-config/${AppImageConfigName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "app-image-config" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "notebook-instance" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance-lifecycle-config/${NotebookInstanceLifecycleConfigName}", + "condition_keys": [], + "resource": "notebook-instance-lifecycle-config" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:code-repository/${CodeRepositoryName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": 
"code-repository" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:image/${ImageName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "image" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:image-version/${ImageName}/${Version}", + "condition_keys": [], + "resource": "image-version" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:algorithm/${AlgorithmName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "algorithm" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:training-job/${TrainingJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "training-job" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:processing-job/${ProcessingJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "processing-job" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:hyper-parameter-tuning-job/${HyperParameterTuningJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "hyper-parameter-tuning-job" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:project/${ProjectName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "project" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-package/${ModelPackageName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model-package" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-package-group/${ModelPackageGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model-package-group" + 
}, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model/${ModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:endpoint-config/${EndpointConfigName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "endpoint-config" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:endpoint/${EndpointName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "endpoint" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:transform-job/${TransformJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "transform-job" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:compilation-job/${CompilationJobName}", + "condition_keys": [], + "resource": "compilation-job" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:automl-job/${AutoMLJobJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "automl-job" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:monitoring-schedule/${MonitoringScheduleName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "monitoring-schedule" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:data-quality-job-definition/${DataQualityJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "data-quality-job-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-quality-job-definition/${ModelQualityJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + 
"resource": "model-quality-job-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-bias-job-definition/${ModelBiasJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model-bias-job-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-explainability-job-definition/${ModelExplainabilityJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model-explainability-job-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:experiment/${ExperimentName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "experiment" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial/${TrialName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "experiment-trial" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial-component/${TrialComponentName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "experiment-trial-component" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:feature-group/${FeatureGroupName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "feature-group" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "pipeline" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}/execution/${RandomString}", + "condition_keys": [], + "resource": "pipeline-execution" + }, + { + "arn": 
"arn:${Partition}:sagemaker:${Region}:${Account}:artifact/${HashOfArtifactSource}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "artifact" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:context/${ContextName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "context" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:action/${ActionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "action" + } + ], + "service_name": "Amazon SageMaker" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value assoicated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tags in the request", + "type": "String" + } + ], + "prefix": "savingsplans", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a savings plan", + "privilege": "CreateSavingsPlan", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], - "resource_type": "feature-group*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get a SageMaker Service Catalog Portfolio.", - "privilege": "GetSagemakerServicecatalogPortfolioStatus", + "access_level": "Write", + "description": "Grants permission to delete the queued savings plan associated with customers account", + "privilege": "DeleteQueuedSavingsPlan", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "savingsplan*" 
+ }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Get search suggestions when provided with keyword.", - "privilege": "GetSearchSuggestions", + "description": "Grants permission to describe the rates associated with customers savings plan", + "privilege": "DescribeSavingsPlanRates", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "savingsplan*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "After you deploy a model into production using Amazon SageMaker hosting services, your client applications use this API to get inferences from the model hosted at the specified endpoint.", - "privilege": "InvokeEndpoint", + "description": "Grants permission to describe the savings plans associated with customers account", + "privilege": "DescribeSavingsPlans", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint*" + "resource_type": "savingsplan*" }, { "condition_keys": [ - "sagemaker:TargetModel" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -124650,9 +154601,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list actions.", - "privilege": "ListActions", + "access_level": "Read", + "description": "Grants permission to describe the rates assciated with savings plans offerings", + "privilege": "DescribeSavingsPlansOfferingRates", "resource_types": [ { "condition_keys": [], 
@@ -124662,9 +154613,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list Algorithms.", - "privilege": "ListAlgorithms", + "access_level": "Read", + "description": "Grants permission to describe the savings plans offerings that customer is eligible to purchase", + "privilege": "DescribeSavingsPlansOfferings", "resource_types": [ { "condition_keys": [], 
@@ -124675,212 +154626,264 @@ }, { "access_level": "List", - "description": "Grants permission to list the AppImageConfigs in your account", - "privilege": "ListAppImageConfigs", + "description": "Grants permission to list tags for a savings plan", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "savingsplan*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the Apps in your account", - "privilege": "ListApps", + "access_level": "Tagging", + "description": "Grants permission to tag a savings plan", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "savingsplan*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list artifacts.", - "privilege": "ListArtifacts", + "access_level": "Tagging", + "description": "Grants permission to untag a savings plan", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "savingsplan*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:savingsplans::${Account}:savingsplan/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "savingsplan" + } + ], + "service_name": "AWS Savings Plans" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the allowed set of values for each of the tags", + "type": "String" }, { - "access_level": "List", - "description": "Grants permission to list associations.", - "privilege": "ListAssociations", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag-value 
associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of mandatory tags in the request", + "type": "String" + } + ], + "prefix": "schemas", + "privileges": [ + { + "access_level": "Write", + "description": "Creates an event schema discoverer. Once created, your events will be automatically map into corresponding schema documents", + "privilege": "CreateDiscoverer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" } ] }, { - "access_level": "List", - "description": "Lists automl jobs created via the CreateAutoMLJob.", - "privilege": "ListAutoMLJobs", + "access_level": "Write", + "description": "Create a new schema registry in your account.", + "privilege": "CreateRegistry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "List", - "description": "Lists candidates for automl job created via the CreateAutoMLJob.", - "privilege": "ListCandidatesForAutoMLJob", + "access_level": "Write", + "description": "Create a new schema in your account.", + "privilege": "CreateSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Grants permission to list code repositories.", - "privilege": "ListCodeRepositories", + "access_level": "Write", + "description": "Deletes discoverer in your account.", + "privilege": "DeleteDiscoverer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" } ] }, { - "access_level": "List", - "description": "Lists compilation jobs.", - "privilege": "ListCompilationJobs", + "access_level": "Write", + "description": "Deletes an existing registry in your account.", + "privilege": "DeleteRegistry", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "List", - "description": "Grants permission to list contexts.", - "privilege": "ListContexts", + "access_level": "Write", + "description": "Delete the resource-based policy attached to a given registry.", + "privilege": "DeleteResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "List", - "description": "Grants permission to list data quality job definitions.", - "privilege": "ListDataQualityJobDefinitions", + "access_level": "Write", + "description": "Deletes an existing schema in your account.", + "privilege": "DeleteSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Grants permission to list device fleets", - "privilege": "ListDeviceFleets", + "access_level": "Write", + "description": "Deletes a specific version of schema in your account.", + "privilege": "DeleteSchemaVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Grants permission to list devices.", - "privilege": "ListDevices", + "access_level": "Read", + "description": "Retrieves metadata for generated code for specific schema in your account.", + "privilege": "DescribeCodeBinding", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Grants permission to list the Domains in your account", - "privilege": "ListDomains", + "access_level": "Read", + "description": "Retrieves discoverer metadata in your account.", + "privilege": "DescribeDiscoverer", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" } ] }, { - "access_level": "List", - "description": "Grants permission to list edge packaging jobs", - "privilege": "ListEdgePackagingJobs", + "access_level": "Read", + "description": "Describes an existing registry metadata in your account.", + "privilege": "DescribeRegistry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "List", - "description": "Lists endpoint configurations.", - "privilege": "ListEndpointConfigs", + "access_level": "Read", + "description": "Retrieves an existing schema in your account.", + "privilege": "DescribeSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Lists endpoints.", - "privilege": "ListEndpoints", + "access_level": "Read", + "description": "Allows exporting AWS registry or discovered schemas in OpenAPI 3 format to JSONSchema format.", + "privilege": "ExportSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Lists experiments.", - "privilege": "ListExperiments", + "access_level": "Read", + "description": "Retrieves metadata for generated code for specific schema in your account.", + "privilege": "GetCodeBindingSource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Lists feature groups.", - "privilege": "ListFeatureGroups", + "access_level": "Read", + "description": "Retrieves schema for the provided list of sample events.", + "privilege": "GetDiscoveredSchema", 
"resource_types": [ { "condition_keys": [], 
@@ -124890,285 +154893,360 @@ ] }, { - "access_level": "List", - "description": "Returns summary information about flow definitions, given the specified parameters.", - "privilege": "ListFlowDefinitions", + "access_level": "Read", + "description": "Retrieves the resource-based policy attached to a given registry.", + "privilege": "GetResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { "access_level": "List", - "description": "Returns summary information about human loops, given the specified parameters.", - "privilege": "ListHumanLoops", + "description": "Lists all the discoverers in your account.", + "privilege": "ListDiscoverers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" } ] }, { "access_level": "List", - "description": "Returns summary information about human review workflow user interfaces, given the specified parameters.", - "privilege": "ListHumanTaskUis", + "description": "List all discoverers in your account.", + "privilege": "ListRegistries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { "access_level": "List", - "description": "Lists hyper parameter tuning jobs that was created using Amazon SageMaker.", - "privilege": "ListHyperParameterTuningJobs", + "description": "List all versions of a schema.", + "privilege": "ListSchemaVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { "access_level": "List", - "description": "Grants permissions to list ImageVersions that belong to a SageMaker Image.", - "privilege": "ListImageVersions", + "description": "List all schemas.", + "privilege": "ListSchemas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "image*" + "resource_type": 
"schema*" } ] }, { "access_level": "List", - "description": "Grants permissions to list SageMaker Images in your account.", - "privilege": "ListImages", + "description": "This action lists tags for a resource.", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "registry*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Lists labeling jobs.", - "privilege": "ListLabelingJobs", + "access_level": "Write", + "description": "Generates code for specific schema in your account.", + "privilege": "PutCodeBinding", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Lists labeling jobs for workteam.", - "privilege": "ListLabelingJobsForWorkteam", + "access_level": "Write", + "description": "Attach resource-based policy to the specific registry.", + "privilege": "PutResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workteam*" + "resource_type": "registry*" } ] }, { "access_level": "List", - "description": "Grants permission to list model bias job definitions.", - "privilege": "ListModelBiasJobDefinitions", + "description": "Searches schemas based on specified keywords in your account.", + "privilege": "SearchSchemas", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] }, { - "access_level": "List", - "description": "Grants permission to list model explainability job definitions.", - "privilege": "ListModelExplainabilityJobDefinitions", + "access_level": "Write", + "description": "Starts the specified discoverer. 
Once started the discoverer will automatically register schemas for published events to configured source in your account", + "privilege": "StartDiscoverer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" } ] }, { - "access_level": "List", - "description": "Grants permission to list ModelPackageGroups.", - "privilege": "ListModelPackageGroups", + "access_level": "Write", + "description": "Starts the specified discoverer. Once started the discoverer will automatically register schemas for published events to configured source in your account", + "privilege": "StopDiscoverer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" } ] }, { - "access_level": "List", - "description": "Grants permission to list ModelPackages.", - "privilege": "ListModelPackages", + "access_level": "Tagging", + "description": "This action tags an resource.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "discoverer*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "registry*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "schema*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list model quality job definitions.", - "privilege": "ListModelQualityJobDefinitions", + "access_level": "Tagging", + "description": "This action removes a tag from on a resource.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "discoverer*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "registry*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"schema*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists the models created with the CreateModel API.", - "privilege": "ListModels", + "access_level": "Write", + "description": "Updates an existing discoverer in your account.", + "privilege": "UpdateDiscoverer", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "discoverer*" } ] }, { - "access_level": "List", - "description": "Grants permission to list monitoring executions.", - "privilege": "ListMonitoringExecutions", + "access_level": "Write", + "description": "Updates an existing registry metadata in your account.", + "privilege": "UpdateRegistry", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "registry*" } ] }, { - "access_level": "List", - "description": "Grants permission to list monitoring schedules.", - "privilege": "ListMonitoringSchedules", + "access_level": "Write", + "description": "Updates an existing schema in your account.", + "privilege": "UpdateSchema", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "schema*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:schemas:${Region}:${Account}:discoverer/${DiscovererId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "discoverer" }, { - "access_level": "List", - "description": "Lists notebook instance lifecycle configurations that can be deployed using Amazon SageMaker.", - "privilege": "ListNotebookInstanceLifecycleConfigs", + "arn": "arn:${Partition}:schemas:${Region}:${Account}:registry/${RegistryName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "registry" + }, + { + "arn": "arn:${Partition}:schemas:${Region}:${Account}:schema/${RegistryName}/${SchemaName}", + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "resource": "schema" + } + ], + "service_name": "Amazon EventBridge Schemas" + }, + { + "conditions": [], + "prefix": "sdb", + "privileges": [ + { + "access_level": "Write", + "description": "Performs multiple DeleteAttributes operations in a single call, which reduces round trips and latencies.", + "privilege": "BatchDeleteAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Returns a list of the Amazon SageMaker notebook instances in the requester's account in an AWS Region.", - "privilege": "ListNotebookInstances", + "access_level": "Write", + "description": "With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call. With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call.", + "privilege": "BatchPutAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Grants permission to list steps for a pipeline execution", - "privilege": "ListPipelineExecutionSteps", + "access_level": "Write", + "description": "The CreateDomain operation creates a new domain.", + "privilege": "CreateDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline-execution*" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Grants permission to list executions for a pipeline", - "privilege": "ListPipelineExecutions", + "access_level": "Write", + "description": "Deletes one or more attributes associated with the item.", + "privilege": "DeleteAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": 
"Grants permission to list parameters for a pipeline execution", - "privilege": "ListPipelineParametersForExecution", + "access_level": "Write", + "description": "The DeleteDomain operation deletes a domain.", + "privilege": "DeleteDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline-execution*" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Grants permission to list pipelines.", - "privilege": "ListPipelines", + "access_level": "Read", + "description": "Returns information about the domain, including when the domain was created, the number of items and attributes, and the size of attribute names and values.", + "privilege": "DomainMetadata", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Lists processing jobs.", - "privilege": "ListProcessingJobs", + "access_level": "Read", + "description": "Returns all of the attributes associated with the item.", + "privilege": "GetAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { "access_level": "List", - "description": "Grants permission to list Projects.", - "privilege": "ListProjects", + "description": "Description for ListDomains", + "privilege": "ListDomains", "resource_types": [ { "condition_keys": [], 
@@ -125178,348 +155256,684 @@ ] }, { - "access_level": "List", - "description": "Lists subscribed workteams.", - "privilege": "ListSubscribedWorkteams", + "access_level": "Write", + "description": "The PutAttributes operation creates or replaces attributes in an item.", + "privilege": "PutAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "domain*" } ] }, { - "access_level": "List", - "description": "Returns the tag set associated with the specified resource.", - "privilege": "ListTags", + "access_level": "Read", + "description": "Description for Select", + "privilege": "Select", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "action" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "algorithm" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "app" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "app-image-config" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "artifact" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "automl-job" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "code-repository" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "context" - }, + "resource_type": "domain*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:sdb:${Region}:${Account}:domain/${DomainName}", + "condition_keys": [], + "resource": "domain" + } + ], + "service_name": "Amazon SimpleDB" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/tag-key", + "description": "Filters access by a key that is present in the request the user makes to the Secrets Manager service.", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access by the list of all the tag key namespresent in the request the user makes to 
the Secrets Manager service.", + "type": "String" + }, + { + "condition": "secretsmanager:BlockPublicPolicy", + "description": "Filters access by whether the resource policy blocks broad AWS account access.", + "type": "Boolean" + }, + { + "condition": "secretsmanager:Description", + "description": "Filters access by the description text in the request.", + "type": "String" + }, + { + "condition": "secretsmanager:ForceDeleteWithoutRecovery", + "description": "Filters access by whether the secret is to be deleted immediately without any recovery window.", + "type": "Boolean" + }, + { + "condition": "secretsmanager:KmsKeyId", + "description": "Filters access by the ARN of the KMS key in the request.", + "type": "String" + }, + { + "condition": "secretsmanager:Name", + "description": "Filters access by the friendly name of the secret in the request.", + "type": "String" + }, + { + "condition": "secretsmanager:RecoveryWindowInDays", + "description": "Filters access by the number of days that Secrets Manager waits before it can delete the secret.", + "type": "Long" + }, + { + "condition": "secretsmanager:ResourceTag/tag-key", + "description": "Filters access by a tag key and value pair.", + "type": "String" + }, + { + "condition": "secretsmanager:RotationLambdaARN", + "description": "Filters access by the ARN of the rotation Lambda function in the request.", + "type": "ARN" + }, + { + "condition": "secretsmanager:SecretId", + "description": "Filters access by the SecretID value in the request.", + "type": "ARN" + }, + { + "condition": "secretsmanager:SecretPrimaryRegion", + "description": "Primary region in which the secret is created.", + "type": "String" + }, + { + "condition": "secretsmanager:VersionId", + "description": "Filters access by the unique identifier of the version of the secret in the request.", + "type": "String" + }, + { + "condition": "secretsmanager:VersionStage", + "description": "Filters access by the list of version stages in the request.", + 
"type": "String" + }, + { + "condition": "secretsmanager:resource/AllowRotationLambdaArn", + "description": "Filters access by the ARN of the rotation Lambda function associated with the secret.", + "type": "ARN" + } + ], + "prefix": "secretsmanager", + "privileges": [ + { + "access_level": "Write", + "description": "Enables the user to cancel an in-progress secret rotation.", + "privilege": "CancelRotateSecret", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "data-quality-job-definition" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "device" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Enables the user to create a secret that stores encrypted data that can be queried and rotated.", + "privilege": "CreateSecret", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device-fleet" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:Name", + "secretsmanager:Description", + "secretsmanager:KmsKeyId", + "aws:RequestTag/tag-key", + "aws:TagKeys", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "domain" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Enables the user to delete the resource policy attached to a secret.", + "privilege": "DeleteResourcePolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "edge-packaging-job" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - 
"resource_type": "endpoint" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Enables the user to delete a secret.", + "privilege": "DeleteSecret", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint-config" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:RecoveryWindowInDays", + "secretsmanager:ForceDeleteWithoutRecovery", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "experiment" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Enables the user to retrieve the metadata about a secret, but not the encrypted data.", + "privilege": "DescribeSecret", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "experiment-trial-component" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Enables the user to generate a random string for use in password creation.", + "privilege": "GetRandomPassword", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "feature-group" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Enables the user to get the resource policy attached to a secret.", + "privilege": "GetResourcePolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow-definition" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + 
"secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "human-task-ui" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Enables the user to retrieve and decrypt the encrypted data.", + "privilege": "GetSecretValue", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hyper-parameter-tuning-job" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:VersionId", + "secretsmanager:VersionStage", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "image" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Enables the user to list the available versions of a secret.", + "privilege": "ListSecretVersionIds", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "labeling-job" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "model" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Enables the user to list the available secrets.", + "privilege": "ListSecrets", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-bias-job-definition" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Enables the user to attach a resource policy to a secret.", + "privilege": "PutResourcePolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-explainability-job-definition" + "resource_type": "Secret*" }, { - "condition_keys": 
[], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key", + "secretsmanager:BlockPublicPolicy" + ], "dependent_actions": [], - "resource_type": "model-package" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Enables the user to create a new version of the secret with new encrypted data.", + "privilege": "PutSecretValue", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package-group" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "model-quality-job-definition" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Remove regions from replication.", + "privilege": "RemoveRegionsFromReplication", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "monitoring-schedule" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "notebook-instance" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Converts an existing secret to a multi-Region secret and begins replicating the secret to a list of new regions.", + "privilege": "ReplicateSecretToRegions", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": 
"project" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Enables the user to cancel deletion of a secret.", + "privilege": "RestoreSecret", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "training-job" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "transform-job" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Enables the user to start rotation of a secret.", + "privilege": "RotateSecret", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user-profile" + "resource_type": "Secret*" }, { - "condition_keys": [], + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:RotationLambdaARN", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], "dependent_actions": [], - "resource_type": "workteam" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists training jobs.", - "privilege": "ListTrainingJobs", + "access_level": "Write", + "description": "Removes the secret from replication and promotes the secret to a regional secret in the replica Region.", + "privilege": "StopReplicationToReplica", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "Secret*" + }, + { + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists training jobs for a hyper parameter tuning job that was created using Amazon SageMaker.", - "privilege": "ListTrainingJobsForHyperParameterTuningJob", + "access_level": "Tagging", + 
"description": "Enables the user to add tags to a secret.", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hyper-parameter-tuning-job*" + "resource_type": "Secret*" + }, + { + "condition_keys": [ + "secretsmanager:SecretId", + "aws:RequestTag/tag-key", + "aws:TagKeys", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists transform jobs.", - "privilege": "ListTransformJobs", + "access_level": "Tagging", + "description": "Enables the user to remove tags from a secret.", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "Secret*" + }, + { + "condition_keys": [ + "secretsmanager:SecretId", + "aws:TagKeys", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists trial components.", - "privilege": "ListTrialComponents", + "access_level": "Write", + "description": "Enables the user to update a secret with new metadata or with a new version of the encrypted data.", + "privilege": "UpdateSecret", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "Secret*" + }, + { + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:Description", + "secretsmanager:KmsKeyId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Lists trials.", - "privilege": "ListTrials", + "access_level": "Write", + "description": "Enables the user to move a stage from one secret to another.", + "privilege": "UpdateSecretVersionStage", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], + "resource_type": "Secret*" + }, + { + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:VersionStage", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the UserProfiles in your account", - "privilege": "ListUserProfiles", + "access_level": "Permissions management", + "description": "Enables the user to validate a resource policy before attaching policy.", + "privilege": "ValidateResourcePolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "Secret*" + }, + { + "condition_keys": [ + "secretsmanager:SecretId", + "secretsmanager:resource/AllowRotationLambdaArn", + "secretsmanager:ResourceTag/tag-key" + ], + "dependent_actions": [], "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}", + "condition_keys": [ + "aws:RequestTag/tag-key", + "aws:TagKeys", + "secretsmanager:ResourceTag/tag-key", + "secretsmanager:resource/AllowRotationLambdaArn" + ], + "resource": "Secret" + } + ], + "service_name": "AWS Secrets Manager" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" }, { - "access_level": "List", - "description": "Lists workforces.", - "privilege": "ListWorkforces", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}", + "description": "Filters access based on the presence of specific 
fields and values in the request", + "type": "String" + }, + { + "condition": "securityhub:TargetAccount", + "description": "Filters access based on the presence of AwsAccountId field in the requests", + "type": "String" + } + ], + "prefix": "securityhub", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept Security Hub invitations to become a member account", + "privilege": "AcceptAdministratorInvitation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, - { - "access_level": "List", - "description": "Lists workteams.", - "privilege": "ListWorkteams", + { + "access_level": "Write", + "description": "Grants permission to accept Security Hub invitations to become a member account", + "privilege": "AcceptInvitation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to put a ModelPackageGroup policy.", - "privilege": "PutModelPackageGroupPolicy", + "description": "Grants permission to disable standards in Security Hub", + "privilege": "BatchDisableStandards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package-group*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Put a record to a feature group.", - "privilege": "PutRecord", + "description": "Grants permission to enable standards in Security Hub", + "privilege": "BatchEnableStandards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "feature-group*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to register a set of devices", - "privilege": "RegisterDevices", + "description": "Grants permission to import findings into Security Hub from an integrated product", + "privilege": "BatchImportFindings", 
"resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "product*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "securityhub:TargetAccount" ], "dependent_actions": [], "resource_type": "" 
@@ -125527,1484 +155941,1135 @@ ] }, { - "access_level": "Read", - "description": "Render a UI template used for a human annotation task.", - "privilege": "RenderUiTemplate", + "access_level": "Write", + "description": "Grants permission to update customer-controlled fields for a selected set of Security Hub findings", + "privilege": "BatchUpdateFindings", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" + "dependent_actions": [], + "resource_type": "hub" + }, + { + "condition_keys": [ + "securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}" ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Search for SageMaker objects.", - "privilege": "Search", + "access_level": "Write", + "description": "Grants permission to create custom actions in Security Hub", + "privilege": "CreateActionTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to publish heartbeat data from devices. After you deploy a model onto edge devices this api is used to report device status", - "privilege": "SendHeartbeat", + "description": "Grants permission to create insights in Security Hub. 
Insights are collections of related findings", + "privilege": "CreateInsight", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Starts a human loop.", - "privilege": "StartHumanLoop", + "description": "Grants permission to create member accounts in Security Hub", + "privilege": "CreateMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "flow-definition*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Starts a monitoring schedule.", - "privilege": "StartMonitoringSchedule", + "description": "Grants permission to decline Security Hub invitations to become a member account", + "privilege": "DeclineInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "monitoring-schedule*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Launches an EC2 instance with the latest version of the libraries and attaches your EBS volume.", - "privilege": "StartNotebookInstance", + "description": "Grants permission to delete custom actions in Security Hub", + "privilege": "DeleteActionTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to start a pipeline execution.", - "privilege": "StartPipelineExecution", + "description": "Grants permission to delete insights from Security Hub", + "privilege": "DeleteInsight", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Stops a running automl job created via the CreateAutoMLJob.", - "privilege": "StopAutoMLJob", + "description": "Grants permission to delete Security Hub invitations to become a 
member account", + "privilege": "DeleteInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "automl-job*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Stops a compilation job.", - "privilege": "StopCompilationJob", + "description": "Grants permission to delete Security Hub member accounts", + "privilege": "DeleteMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "compilation-job*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to stop an edge packaging job", - "privilege": "StopEdgePackagingJob", + "access_level": "Read", + "description": "Grants permission to retrieve a list of custom actions using the API", + "privilege": "DescribeActionTargets", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "edge-packaging-job*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Stops the specified human loop.", - "privilege": "StopHumanLoop", + "access_level": "Read", + "description": "Grants permission to retrieve information about the hub resource in your account", + "privilege": "DescribeHub", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "human-loop*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Stops a running hyper parameter tuning job create via the CreateHyperParameterTuningJob.", - "privilege": "StopHyperParameterTuningJob", + "access_level": "Read", + "description": "Grants permission to describe the organization configuration for Security Hub", + "privilege": "DescribeOrganizationConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hyper-parameter-tuning-job*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Stops a labeling job. 
Any labels already generated will be exported before stopping.", - "privilege": "StopLabelingJob", + "access_level": "Read", + "description": "Grants permission to retrieve information about the available Security Hub product integrations", + "privilege": "DescribeProducts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "labeling-job*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Stops a monitoring schedule.", - "privilege": "StopMonitoringSchedule", + "access_level": "Read", + "description": "Grants permission to retrieve information about Security Hub standards", + "privilege": "DescribeStandards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "monitoring-schedule*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Terminates the EC2 instance. Before terminating the instance, Amazon SageMaker disconnects the EBS volume from it. Amazon SageMaker preserves the EBS volume.", - "privilege": "StopNotebookInstance", + "access_level": "Read", + "description": "Grants permission to retrieve information about Security Hub standards controls", + "privilege": "DescribeStandardsControls", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to stop a pipeline execution.", - "privilege": "StopPipelineExecution", + "description": "Grants permission to disable the findings importing for a Security Hub integrated product", + "privilege": "DisableImportFindingsForProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline-execution*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Stops a processing job. 
To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds.", - "privilege": "StopProcessingJob", + "description": "Grants permission to remove the Security Hub administrator account for your organization", + "privilege": "DisableOrganizationAdminAccount", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "processing-job*" + "dependent_actions": [ + "organizations:DescribeOrganization" + ], + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Stops a training job. To stop a job, Amazon SageMaker sends the algorithm the SIGTERM signal, which delays job termination for 120 seconds.", - "privilege": "StopTrainingJob", + "description": "Grants permission to disable Security Hub", + "privilege": "DisableSecurityHub", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "training-job*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Stops a transform job. When Amazon SageMaker receives a StopTransformJob request, the status of the job changes to Stopping. 
After Amazon SageMaker stops the job, the status is set to Stopped", - "privilege": "StopTransformJob", + "description": "Grants permission to a Security Hub member account to disassociate from the associated administrator account", + "privilege": "DisassociateFromAdministratorAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "transform-job*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to update an action.", - "privilege": "UpdateAction", + "description": "Grants permission to a Security Hub member account to disassociate from the associated master account", + "privilege": "DisassociateFromMasterAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "action*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to update an AppImageConfig", - "privilege": "UpdateAppImageConfig", + "description": "Grants permission to disassociate Security Hub member accounts from the associated administrator account", + "privilege": "DisassociateMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "app-image-config*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to update an artifact.", - "privilege": "UpdateArtifact", + "description": "Grants permission to enable the findings importing for a Security Hub integrated product", + "privilege": "EnableImportFindingsForProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "artifact*" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to update a CodeRepository.", - "privilege": "UpdateCodeRepository", + "description": "Grants permission to designate a Security Hub administrator account for your organization", + "privilege": "EnableOrganizationAdminAccount", "resource_types": [ 
{ "condition_keys": [], - "dependent_actions": [], - "resource_type": "code-repository*" + "dependent_actions": [ + "organizations:DescribeOrganization", + "organizations:EnableAWSServiceAccess", + "organizations:RegisterDelegatedAdministrator" + ], + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Grants permission to update a context.", - "privilege": "UpdateContext", + "description": "Grants permission to enable Security Hub", + "privilege": "EnableSecurityHub", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "context*" + "resource_type": "hub" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a device fleet", - "privilege": "UpdateDeviceFleet", + "access_level": "Read", + "description": "Grants permission to retrieve insight results by providing a set of filters instead of an insight ARN", + "privilege": "GetAdhocInsightResults", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device-fleet*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a set of devices", - "privilege": "UpdateDevices", + "access_level": "Read", + "description": "Grants permission to retrieve details about the Security Hub administrator account", + "privilege": "GetAdministratorAccount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "device*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a Domain", - "privilege": "UpdateDomain", + "access_level": "Read", + "description": "Grants permission to retrieve a security score and counts of finding and control statuses for a security standard", + "privilege": "GetControlFindingSummary", "resource_types": [ { "condition_keys": 
[], "dependent_actions": [], - "resource_type": "domain*" - }, - { - "condition_keys": [ - "sagemaker:VpcSecurityGroupIds", - "sagemaker:InstanceTypes", - "sagemaker:DomainSharingOutputKmsKey", - "sagemaker:ImageArns", - "sagemaker:ImageVersionArns" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates an endpoint to use the endpoint configuration specified in the request.", - "privilege": "UpdateEndpoint", + "access_level": "List", + "description": "Grants permission to retrieve a list of the standards that are enabled in Security Hub", + "privilege": "GetEnabledStandards", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates variant weight, capacity, or both of one or more variants associated with an endpoint.", - "privilege": "UpdateEndpointWeightsAndCapacities", + "access_level": "Read", + "description": "Grants permission to retrieve a list of findings from Security Hub", + "privilege": "GetFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "endpoint*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates an experiment.", - "privilege": "UpdateExperiment", + "access_level": "Read", + "description": "Grants permission to retrieve the end date for an account's free trial of Security Hub", + "privilege": "GetFreeTrialEndDate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permissions to update the properties of a SageMaker Image.", - "privilege": "UpdateImage", + "access_level": "Read", + "description": "Grants permission to retrieve information about Security Hub usage during the free trial period", + "privilege": 
"GetFreeTrialUsage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "image*" + "dependent_actions": [], + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a ModelPackage.", - "privilege": "UpdateModelPackage", + "access_level": "Read", + "description": "Grants permission to retrieve an insight finding trend from Security Hub in order to generate a graph", + "privilege": "GetInsightFindingTrend", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model-package*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates a monitoring schedule.", - "privilege": "UpdateMonitoringSchedule", + "access_level": "Read", + "description": "Grants permission to retrieve insight results from Security Hub", + "privilege": "GetInsightResults", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "monitoring-schedule*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys", - "sagemaker:InstanceTypes", - "sagemaker:MaxRuntimeInSeconds", - "sagemaker:NetworkIsolation", - "sagemaker:OutputKmsKey", - "sagemaker:VolumeKmsKey", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets", - "sagemaker:InterContainerTrafficEncryption" - ], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates a notebook instance. Notebook instance updates include upgrading or downgrading the EC2 instance used for your notebook instance to accommodate changes in your workload requirements. 
You can also update the VPC security groups.", - "privilege": "UpdateNotebookInstance", + "access_level": "List", + "description": "Grants permission to retrieve Security Hub insights", + "privilege": "GetInsights", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance*" - }, - { - "condition_keys": [ - "sagemaker:AcceleratorTypes", - "sagemaker:InstanceTypes", - "sagemaker:RootAccess" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates a notebook instance lifecycle configuration created with the CreateNotebookInstanceLifecycleConfig API.", - "privilege": "UpdateNotebookInstanceLifecycleConfig", + "access_level": "Read", + "description": "Grants permission to retrieve the count of Security Hub membership invitations sent to the account", + "privilege": "GetInvitationsCount", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "notebook-instance-lifecycle-config*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a pipeline.", - "privilege": "UpdatePipeline", + "access_level": "Read", + "description": "Grants permission to retrieve details about the Security Hub master account", + "privilege": "GetMasterAccount", "resource_types": [ { "condition_keys": [], - "dependent_actions": [ - "iam:PassRole" - ], - "resource_type": "pipeline*" + "dependent_actions": [], + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a pipeline execution.", - "privilege": "UpdatePipelineExecution", + "access_level": "Read", + "description": "Grants permission to retrieve the details of Security Hub member accounts", + "privilege": "GetMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "pipeline-execution*" + "resource_type": "hub" } ] }, { - "access_level": 
"Write", - "description": "Updates a training job.", - "privilege": "UpdateTrainingJob", + "access_level": "Read", + "description": "Grants permission to retrieve information about Security Hub usage by accounts", + "privilege": "GetUsage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "training-job*" - }, - { - "condition_keys": [ - "sagemaker:InstanceTypes" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { "access_level": "Write", - "description": "Updates a trial.", - "privilege": "UpdateTrial", + "description": "Grants permission to invite other AWS accounts to become Security Hub member accounts", + "privilege": "InviteMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates a trial component.", - "privilege": "UpdateTrialComponent", + "access_level": "Read", + "description": "Grants permission to retrieve a list of controls for a standard, including the control IDs, statuses and finding counts", + "privilege": "ListControlEvaluationSummaries", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "experiment-trial-component*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to update a UserProfile", - "privilege": "UpdateUserProfile", + "access_level": "List", + "description": "Grants permission to retrieve the Security Hub integrated products that are currently enabled", + "privilege": "ListEnabledProductsForImport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "user-profile*" - }, - { - "condition_keys": [ - "sagemaker:InstanceTypes", - "sagemaker:VpcSecurityGroupIds", - "sagemaker:InstanceTypes", - "sagemaker:DomainSharingOutputKmsKey", - "sagemaker:ImageArns", - "sagemaker:ImageVersionArns" - ], - 
"dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates a workforce.", - "privilege": "UpdateWorkforce", + "access_level": "List", + "description": "Grants permission to retrieve the Security Hub invitations sent to the account", + "privilege": "ListInvitations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workforce*" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Updates a workteam.", - "privilege": "UpdateWorkteam", + "access_level": "List", + "description": "Grants permission to retrieve details about Security Hub member accounts associated with the administrator account", + "privilege": "ListMembers", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workteam*" + "resource_type": "hub" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}/device/${DeviceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "device" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "device-fleet" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:edge-packaging-job/${EdgePackagingJobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "edge-packaging-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:human-loop/${HumanLoopName}", - "condition_keys": [], - "resource": "human-loop" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:flow-definition/${FlowDefinitionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": 
"flow-definition" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:human-task-ui/${HumanTaskUiName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "human-task-ui" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:labeling-job/${LabelingJobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "labeling-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:workteam/${WorkteamName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "workteam" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:workforce/${WorkforceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "workforce" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:domain/${DomainId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "domain" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:user-profile/${DomainId}/${UserProfileName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "user-profile" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:app/${DomainId}/${UserProfileName}/${AppType}/${AppName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "app" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:app-image-config/${AppImageConfigName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "app-image-config" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance/${NotebookInstanceName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - 
"sagemaker:ResourceTag/${TagKey}" - ], - "resource": "notebook-instance" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:notebook-instance-lifecycle-config/${NotebookInstanceLifecycleConfigName}", - "condition_keys": [], - "resource": "notebook-instance-lifecycle-config" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:code-repository/${CodeRepositoryName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "code-repository" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:image/${ImageName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "image" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:image-version/${ImageName}/${Version}", - "condition_keys": [], - "resource": "image-version" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:algorithm/${AlgorithmName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "algorithm" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:training-job/${TrainingJobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "training-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:processing-job/${ProcessingJobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "processing-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:hyper-parameter-tuning-job/${HyperParameterTuningJobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "hyper-parameter-tuning-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:project/${ProjectName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - 
"sagemaker:ResourceTag/${TagKey}" - ], - "resource": "project" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-package/${ModelPackageName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "model-package" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-package-group/${ModelPackageGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "model-package-group" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model/${ModelName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "model" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:endpoint-config/${EndpointConfigName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "endpoint-config" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:endpoint/${EndpointName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "endpoint" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:transform-job/${TransformJobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "transform-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:compilation-job/${CompilationJobName}", - "condition_keys": [], - "resource": "compilation-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:automl-job/${AutoMLJobJobName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "automl-job" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:monitoring-schedule/${MonitoringScheduleName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" 
- ], - "resource": "monitoring-schedule" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:data-quality-job-definition/${DataQualityJobDefinitionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "data-quality-job-definition" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-quality-job-definition/${ModelQualityJobDefinitionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "model-quality-job-definition" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-bias-job-definition/${ModelBiasJobDefinitionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "model-bias-job-definition" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-explainability-job-definition/${ModelExplainabilityJobDefinitionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "model-explainability-job-definition" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:experiment/${ExperimentName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "experiment" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial/${TrialName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "experiment-trial" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:experiment-trial-component/${TrialComponentName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "experiment-trial-component" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:feature-group/${FeatureGroupName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - 
"sagemaker:ResourceTag/${TagKey}" - ], - "resource": "feature-group" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "pipeline" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:pipeline/${PipelineName}/execution/${RandomString}", - "condition_keys": [], - "resource": "pipeline-execution" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:artifact/${HashOfArtifactSource}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "artifact" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:context/${ContextName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "context" - }, - { - "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:action/${ActionName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "sagemaker:ResourceTag/${TagKey}" - ], - "resource": "action" - } - ], - "service_name": "Amazon SageMaker" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", - "type": "String" }, { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", - "type": "String" - } - ], - "prefix": "savingsplans", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to create a savings plan", - "privilege": "CreateSavingsPlan", + "access_level": "List", + "description": "Grants permission to list the Security Hub administrator accounts for your organization", + "privilege": "ListOrganizationAdminAccounts", 
"resource_types": [ { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "condition_keys": [], + "dependent_actions": [ + "organizations:DescribeOrganization" ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete the queued savings plan associated with customers account", - "privilege": "DeleteQueuedSavingsPlan", + "access_level": "Read", + "description": "Grants permission to list of tags associated with a resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "savingsplan*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "hub*" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the rates associated with customers savings plan", - "privilege": "DescribeSavingsPlanRates", + "description": "Grants permission to use a custom action to send Security Hub findings to Amazon EventBridge", + "privilege": "SendFindingEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "savingsplan*" - }, - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the savings plans associated with customers account", - "privilege": "DescribeSavingsPlans", + "description": "Grants permission to use a custom action to send Security Hub insights to Amazon EventBridge", + "privilege": "SendInsightEvents", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "savingsplan*" - }, + "resource_type": "hub" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a Security Hub resource", + "privilege": 
"TagResource", + "resource_types": [ { - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the rates assciated with savings plans offerings", - "privilege": "DescribeSavingsPlansOfferingRates", + "access_level": "Tagging", + "description": "Grants permission to remove tags from a Security Hub resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub*" } ] }, { - "access_level": "Read", - "description": "Grants permission to describe the savings plans offerings that customer is eligible to purchase", - "privilege": "DescribeSavingsPlansOfferings", + "access_level": "Write", + "description": "Grants permission to update custom actions in Security Hub", + "privilege": "UpdateActionTarget", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { - "access_level": "List", - "description": "Grants permission to list tags for a savings plan", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to update Security Hub findings", + "privilege": "UpdateFindings", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "savingsplan*" + "resource_type": "hub" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a savings plan", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to update insights in Security Hub", + "privilege": "UpdateInsight", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "savingsplan*" - }, + "resource_type": "hub" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the organization 
configuration for Security Hub", + "privilege": "UpdateOrganizationConfiguration", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to untag a savings plan", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to update Security Hub configuration", + "privilege": "UpdateSecurityHubConfiguration", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "savingsplan*" - }, + "resource_type": "hub" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update Security Hub standards controls", + "privilege": "UpdateStandardsControl", + "resource_types": [ { - "condition_keys": [ - "aws:TagKeys" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "hub" } ] } ], "resources": [ { - "arn": "arn:${Partition}:savingsplans::${Account}:savingsplan/${ResourceId}", + "arn": "arn:${Partition}:securityhub:${Region}:${Account}:hub/default", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "savingsplan" + "resource": "hub" + }, + { + "arn": "arn:${Partition}:securityhub:${Region}:${Account}:product/${Company}/${ProductId}", + "condition_keys": [], + "resource": "product" } ], - "service_name": "AWS Savings Plans" + "service_name": "AWS Security Hub" }, { "conditions": [ { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", + 
"condition": "serverlessrepo:applicationType", + "description": "Application type", "type": "String" } ], - "prefix": "schemas", + "prefix": "serverlessrepo", "privileges": [ { "access_level": "Write", - "description": "Creates an event schema discoverer. Once created, your events will be automatically map into corresponding schema documents", - "privilege": "CreateDiscoverer", + "description": "Creates an application, optionally including an AWS SAM file to create the first application version in the same call.", + "privilege": "CreateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a new schema registry in your account.", - "privilege": "CreateRegistry", + "description": "Creates an application version.", + "privilege": "CreateApplicationVersion", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "applications*" } ] }, { "access_level": "Write", - "description": "Create a new schema in your account.", - "privilege": "CreateSchema", + "description": "Creates an AWS CloudFormation ChangeSet for the given application.", + "privilege": "CreateCloudFormationChangeSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" - } - ] - }, - { - "access_level": "Write", - "description": "Deletes discoverer in your account.", - "privilege": "DeleteDiscoverer", - "resource_types": [ + "resource_type": "applications*" + }, { - "condition_keys": [], + "condition_keys": [ + "serverlessrepo:applicationType" + ], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deletes an existing registry in your account.", - "privilege": "DeleteRegistry", + "description": "Creates an AWS CloudFormation template", + "privilege": 
"CreateCloudFormationTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "applications*" + }, + { + "condition_keys": [ + "serverlessrepo:applicationType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Delete the resource-based policy attached to a given registry.", - "privilege": "DeleteResourcePolicy", + "description": "Deletes the specified application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "applications*" } ] }, { - "access_level": "Write", - "description": "Deletes an existing schema in your account.", - "privilege": "DeleteSchema", + "access_level": "Read", + "description": "Gets the specified application.", + "privilege": "GetApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "applications*" + }, + { + "condition_keys": [ + "serverlessrepo:applicationType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes a specific version of schema in your account.", - "privilege": "DeleteSchemaVersion", + "access_level": "Read", + "description": "Gets the policy for the specified application.", + "privilege": "GetApplicationPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "applications*" } ] }, { "access_level": "Read", - "description": "Retrieves metadata for generated code for specific schema in your account.", - "privilege": "DescribeCodeBinding", + "description": "Gets the specified AWS CloudFormation template", + "privilege": "GetCloudFormationTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "applications*" } ] }, { - 
"access_level": "Read", - "description": "Retrieves discoverer metadata in your account.", - "privilege": "DescribeDiscoverer", + "access_level": "List", + "description": "Retrieves the list of applications nested in the containing application", + "privilege": "ListApplicationDependencies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "applications*" + }, + { + "condition_keys": [ + "serverlessrepo:applicationType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Describes an existing registry metadata in your account.", - "privilege": "DescribeRegistry", + "access_level": "List", + "description": "Lists versions for the specified application owned by the requester.", + "privilege": "ListApplicationVersions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "applications*" + }, + { + "condition_keys": [ + "serverlessrepo:applicationType" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves an existing schema in your account.", - "privilege": "DescribeSchema", + "access_level": "List", + "description": "Lists applications owned by the requester.", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Allows exporting AWS registry or discovered schemas in OpenAPI 3 format to JSONSchema format.", - "privilege": "ExportSchema", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "registry*" - }, + "access_level": "Write", + "description": "Puts the policy for the specified application.", + "privilege": "PutApplicationPolicy", + "resource_types": [ { "condition_keys": [], "dependent_actions": [], - 
"resource_type": "schema*" + "resource_type": "applications*" } ] }, { "access_level": "Read", - "description": "Retrieves metadata for generated code for specific schema in your account.", - "privilege": "GetCodeBindingSource", + "description": "Gets all applications authorized for this user", + "privilege": "SearchApplications", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "serverlessrepo:applicationType" + ], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieves schema for the provided list of sample events.", - "privilege": "GetDiscoveredSchema", + "access_level": "Write", + "description": "Unshares the specified application", + "privilege": "UnshareApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "applications*" } ] }, { - "access_level": "Read", - "description": "Retrieves the resource-based policy attached to a given registry.", - "privilege": "GetResourcePolicy", + "access_level": "Write", + "description": "Updates meta-data of the application", + "privilege": "UpdateApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "applications*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:serverlessrepo:${Region}:${Account}:applications/${ResourceId}", + "condition_keys": [], + "resource": "applications" + } + ], + "service_name": "AWS Serverless Application Repository" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" }, { - "access_level": "List", - "description": "Lists all the discoverers in your account.", - "privilege": "ListDiscoverers", + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs 
attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "servicecatalog:accountLevel", + "description": "Filters users to see and perform actions on resources created by anyone in the account", + "type": "String" + }, + { + "condition": "servicecatalog:roleLevel", + "description": "Filters users to see and perform actions on resources created either by them or by anyone federating into the same role as them", + "type": "String" + }, + { + "condition": "servicecatalog:userLevel", + "description": "Filters users to see and perform actions on only resources that they created", + "type": "String" + } + ], + "prefix": "servicecatalog", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept a portfolio that has been shared with you", + "privilege": "AcceptPortfolioShare", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "Portfolio*" } ] }, { - "access_level": "List", - "description": "List all discoverers in your account.", - "privilege": "ListRegistries", + "access_level": "Write", + "description": "Grants permission to associate an attribute group with an application", + "privilege": "AssociateAttributeGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "Application*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AttributeGroup*" } ] }, { - "access_level": "List", - "description": "List all versions of a schema.", - "privilege": "ListSchemaVersions", + "access_level": "Write", + "description": "Grants permission to associate a budget with a resource", + "privilege": "AssociateBudgetWithResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + 
"resource_type": "" } ] }, { - "access_level": "List", - "description": "List all schemas.", - "privilege": "ListSchemas", + "access_level": "Write", + "description": "Grants permission to associate an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio", + "privilege": "AssociatePrincipalWithPortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "Portfolio*" } ] }, { - "access_level": "List", - "description": "This action lists tags for a resource.", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to associate a product with a portfolio", + "privilege": "AssociateProductWithPortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Generates code for specific schema in your account.", - "privilege": "PutCodeBinding", + "description": "Grants permission to associate a resource with an application", + "privilege": "AssociateResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "Application*" } ] }, { "access_level": "Write", - "description": "Attach resource-based policy to the specific registry.", - "privilege": "PutResourcePolicy", + "description": "Grants permission to associate an action with a provisioning artifact", + "privilege": "AssociateServiceActionWithProvisioningArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "Product*" } ] }, { - "access_level": "List", - "description": "Searches schemas based on 
specified keywords in your account.", - "privilege": "SearchSchemas", + "access_level": "Write", + "description": "Grants permission to associate the specified TagOption with the specified portfolio or product", + "privilege": "AssociateTagOptionWithResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "Portfolio" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Product" } ] }, { "access_level": "Write", - "description": "Starts the specified discoverer. Once started the discoverer will automatically register schemas for published events to configured source in your account", - "privilege": "StartDiscoverer", + "description": "Grants permission to associate multiple self-service actions with provisioning artifacts", + "privilege": "BatchAssociateServiceActionWithProvisioningArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Starts the specified discoverer. 
Once started the discoverer will automatically register schemas for published events to configured source in your account", - "privilege": "StopDiscoverer", + "description": "Grants permission to disassociate a batch of self-service actions from the specified provisioning artifact", + "privilege": "BatchDisassociateServiceActionFromProvisioningArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "This action tags an resource.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to copy the specified source product to the specified target product or a new product", + "privilege": "CopyProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "registry*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", + "resource_types": [ { "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "Application*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -127012,27 +157077,18 @@ ] }, { - "access_level": "Tagging", - "description": "This action removes a tag from on a resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to create an attribute group", + "privilege": "CreateAttributeGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "registry*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "AttributeGroup*" }, { "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependent_actions": [], 
@@ -127042,158 +157098,144 @@ }, { "access_level": "Write", - "description": "Updates an existing discoverer in your account.", - "privilege": "UpdateDiscoverer", + "description": "Grants permission to create a constraint on an associated product and portfolio", + "privilege": "CreateConstraint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "discoverer*" + "resource_type": "Product*" } ] }, { "access_level": "Write", - "description": "Updates an existing registry metadata in your account.", - "privilege": "UpdateRegistry", + "description": "Grants permission to create a portfolio", + "privilege": "CreatePortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "registry*" + "resource_type": "Portfolio*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Updates an existing schema in your account.", - "privilege": "UpdateSchema", + "access_level": "Permissions management", + "description": "Grants permission to share a portfolio you own with another AWS account", + "privilege": "CreatePortfolioShare", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "schema*" + "resource_type": "Portfolio*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:schemas:${Region}:${Account}:discoverer/${DiscovererId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "discoverer" - }, - { - "arn": "arn:${Partition}:schemas:${Region}:${Account}:registry/${RegistryName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "registry" }, - { - "arn": "arn:${Partition}:schemas:${Region}:${Account}:schema/${RegistryName}/${SchemaName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "schema" - } - ], - "service_name": "Amazon EventBridge Schemas" - }, - { - 
"conditions": [], - "prefix": "sdb", - "privileges": [ { "access_level": "Write", - "description": "Performs multiple DeleteAttributes operations in a single call, which reduces round trips and latencies.", - "privilege": "BatchDeleteAttributes", + "description": "Grants permission to create a product and that product's first provisioning artifact", + "privilege": "CreateProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "Product*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call. With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call.", - "privilege": "BatchPutAttributes", + "description": "Grants permission to add a new provisioned product plan", + "privilege": "CreateProvisionedProductPlan", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "The CreateDomain operation creates a new domain.", - "privilege": "CreateDomain", + "description": "Grants permission to add a new provisioning artifact to an existing product", + "privilege": "CreateProvisioningArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "Product*" } ] }, { "access_level": "Write", - "description": "Deletes one or more attributes associated with the item.", - "privilege": "DeleteAttributes", + "description": "Grants permission to create a self-service action", + "privilege": "CreateServiceAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "" } ] }, { "access_level": "Write", 
- "description": "The DeleteDomain operation deletes a domain.", - "privilege": "DeleteDomain", + "description": "Grants permission to create a TagOption", + "privilege": "CreateTagOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns information about the domain, including when the domain was created, the number of items and attributes, and the size of attribute names and values.", - "privilege": "DomainMetadata", + "access_level": "Write", + "description": "Grants permission to delete an application if all associations have been removed from the application", + "privilege": "DeleteApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "Application*" } ] }, { - "access_level": "Read", - "description": "Returns all of the attributes associated with the item.", - "privilege": "GetAttributes", + "access_level": "Write", + "description": "Grants permission to delete an attribute group if all associations have been removed from the attribute group", + "privilege": "DeleteAttributeGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "AttributeGroup*" } ] }, { - "access_level": "List", - "description": "Description for ListDomains", - "privilege": "ListDomains", + "access_level": "Write", + "description": "Grants permission to remove and delete an existing constraint from an associated product and portfolio", + "privilege": "DeleteConstraint", "resource_types": [ { "condition_keys": [], 
@@ -127204,227 +157246,92 @@ }, { "access_level": "Write", - "description": "The PutAttributes operation creates or replaces attributes in an item.", - "privilege": "PutAttributes", + "description": "Grants permission to delete a portfolio if all associations and shares have been removed from the portfolio", + "privilege": "DeletePortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "Portfolio*" } ] }, { - "access_level": "Read", - "description": "Description for Select", - "privilege": "Select", + "access_level": "Permissions management", + "description": "Grants permission to unshare a portfolio you own from an AWS account you previously shared the portfolio with", + "privilege": "DeletePortfolioShare", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "domain*" + "resource_type": "Portfolio*" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:sdb:${Region}:${Account}:domain/${DomainName}", - "condition_keys": [], - "resource": "domain" - } - ], - "service_name": "Amazon SimpleDB" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/tag-key", - "description": "Filters access by a key that is present in the request the user makes to the Secrets Manager service.", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters access by the list of all the tag key namespresent in the request the user makes to the Secrets Manager service.", - "type": "String" - }, - { - "condition": "secretsmanager:BlockPublicPolicy", - "description": "Filters access by whether the resource policy blocks broad AWS account access.", - "type": "Boolean" - }, - { - "condition": "secretsmanager:Description", - "description": "Filters access by the description text in the request.", - "type": "String" - }, - { - "condition": "secretsmanager:ForceDeleteWithoutRecovery", - "description": "Filters access by whether the secret is to be 
deleted immediately without any recovery window.", - "type": "Boolean" - }, - { - "condition": "secretsmanager:KmsKeyId", - "description": "Filters access by the ARN of the KMS key in the request.", - "type": "String" - }, - { - "condition": "secretsmanager:Name", - "description": "Filters access by the friendly name of the secret in the request.", - "type": "String" - }, - { - "condition": "secretsmanager:RecoveryWindowInDays", - "description": "Filters access by the number of days that Secrets Manager waits before it can delete the secret.", - "type": "Long" - }, - { - "condition": "secretsmanager:ResourceTag/tag-key", - "description": "Filters access by a tag key and value pair.", - "type": "String" - }, - { - "condition": "secretsmanager:RotationLambdaARN", - "description": "Filters access by the ARN of the rotation Lambda function in the request.", - "type": "ARN" - }, - { - "condition": "secretsmanager:SecretId", - "description": "Filters access by the SecretID value in the request.", - "type": "ARN" - }, - { - "condition": "secretsmanager:VersionId", - "description": "Filters access by the unique identifier of the version of the secret in the request.", - "type": "String" }, - { - "condition": "secretsmanager:VersionStage", - "description": "Filters access by the list of version stages in the request.", - "type": "String" - }, - { - "condition": "secretsmanager:resource/AllowRotationLambdaArn", - "description": "Filters access by the ARN of the rotation Lambda function associated with the secret.", - "type": "ARN" - } - ], - "prefix": "secretsmanager", - "privileges": [ { "access_level": "Write", - "description": "Enables the user to cancel an in-progress secret rotation.", - "privilege": "CancelRotateSecret", + "description": "Grants permission to delete a product if all associations have been removed from the product", + "privilege": "DeleteProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { 
- "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Product*" } ] }, { "access_level": "Write", - "description": "Enables the user to create a secret that stores encrypted data that can be queried and rotated.", - "privilege": "CreateSecret", + "description": "Grants permission to delete a provisioned product plan", + "privilege": "DeleteProvisionedProductPlan", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:Name", - "secretsmanager:Description", - "secretsmanager:KmsKeyId", - "aws:RequestTag/tag-key", - "aws:TagKeys", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Enables the user to delete the resource policy attached to a secret.", - "privilege": "DeleteResourcePolicy", + "access_level": "Write", + "description": "Grants permission to delete a provisioning artifact from a product", + "privilege": "DeleteProvisioningArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Product*" } ] }, { "access_level": "Write", - "description": "Enables the user to delete a secret.", - "privilege": "DeleteSecret", + "description": "Grants permission to delete a self-service action", + "privilege": "DeleteServiceAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - 
"secretsmanager:RecoveryWindowInDays", - "secretsmanager:ForceDeleteWithoutRecovery", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Enables the user to retrieve the metadata about a secret, but not the encrypted data.", - "privilege": "DescribeSecret", + "access_level": "Write", + "description": "Grants permission to delete the specified TagOption", + "privilege": "DeleteTagOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Enables the user to generate a random string for use in password creation.", - "privilege": "GetRandomPassword", + "description": "Grants permission to describe a constraint", + "privilege": "DescribeConstraint", "resource_types": [ { "condition_keys": [], 
@@ -127435,251 +157342,146 @@ }, { "access_level": "Read", - "description": "Enables the user to get the resource policy attached to a secret.", - "privilege": "GetResourcePolicy", + "description": "Grants permission to get the status of the specified copy product operation", + "privilege": "DescribeCopyProductStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Enables the user to retrieve and decrypt the encrypted data.", - "privilege": "GetSecretValue", + "description": "Grants permission to describe a portfolio", + "privilege": "DescribePortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:VersionId", - "secretsmanager:VersionStage", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Portfolio*" } ] }, { "access_level": "Read", - "description": "Enables the user to list the available versions of a secret.", - "privilege": "ListSecretVersionIds", + "description": "Grants permission to get the status of the specified portfolio share operation", + "privilege": "DescribePortfolioShareStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "Enables the user to list the available secrets.", - "privilege": "ListSecrets", + 
"description": "Grants permission to view a summary of each of the portfolio shares that were created for the specified portfolio", + "privilege": "DescribePortfolioShares", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Portfolio*" } ] }, { - "access_level": "Permissions management", - "description": "Enables the user to attach a resource policy to a secret.", - "privilege": "PutResourcePolicy", + "access_level": "Read", + "description": "Grants permission to describe a product as an end-user", + "privilege": "DescribeProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key", - "secretsmanager:BlockPublicPolicy" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Product*" } ] }, { - "access_level": "Write", - "description": "Enables the user to create a new version of the secret with new encrypted data.", - "privilege": "PutSecretValue", + "access_level": "Read", + "description": "Grants permission to describe a product as an admin", + "privilege": "DescribeProductAsAdmin", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Product*" } ] }, { - "access_level": "Write", - "description": "Enables the user to cancel deletion of a secret.", - "privilege": "RestoreSecret", + "access_level": "Read", + "description": "Grants permission to describe a product as an end-user", + "privilege": "DescribeProductView", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - 
"condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Enables the user to start rotation of a secret.", - "privilege": "RotateSecret", + "access_level": "Read", + "description": "Grants permission to describe a provisioned product", + "privilege": "DescribeProvisionedProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:RotationLambdaARN", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Enables the user to add tags to a secret.", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to describe a provisioned product plan", + "privilege": "DescribeProvisionedProductPlan", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "aws:RequestTag/tag-key", - "aws:TagKeys", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Enables the user to remove tags from a secret.", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to describe a provisioning artifact", + "privilege": "DescribeProvisioningArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "aws:TagKeys", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - 
"dependent_actions": [], - "resource_type": "" + "resource_type": "Product*" } ] }, { - "access_level": "Write", - "description": "Enables the user to update a secret with new metadata or with a new version of the encrypted data.", - "privilege": "UpdateSecret", + "access_level": "Read", + "description": "Grants permission to describe the parameters that you need to specify to successfully provision a specified provisioning artifact", + "privilege": "DescribeProvisioningParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:Description", - "secretsmanager:KmsKeyId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], - "resource_type": "" + "resource_type": "Product*" } ] }, { - "access_level": "Write", - "description": "Enables the user to move a stage from one secret to another.", - "privilege": "UpdateSecretVersionStage", + "access_level": "Read", + "description": "Grants permission to describe a record and lists any outputs", + "privilege": "DescribeRecord", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Secret*" - }, { "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:VersionStage", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" ], "dependent_actions": [], "resource_type": "" 
@@ -127687,703 +157489,615 @@ ] }, { - "access_level": "Permissions management", - "description": "Enables the user to validate a resource policy before attaching policy.", - "privilege": "ValidateResourcePolicy", + "access_level": "Read", + "description": "Grants permission to describe a self-service action", + "privilege": "DescribeServiceAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Secret*" - }, - { - "condition_keys": [ - "secretsmanager:SecretId", - "secretsmanager:resource/AllowRotationLambdaArn", - "secretsmanager:ResourceTag/tag-key" - ], - "dependent_actions": [], "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}", - "condition_keys": [ - "aws:RequestTag/tag-key", - "aws:TagKeys", - "secretsmanager:ResourceTag/tag-key", - "secretsmanager:resource/AllowRotationLambdaArn" - ], - "resource": "Secret" - } - ], - "service_name": "AWS Secrets Manager" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - }, - { - "condition": "securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}", - "description": "Filters access based on the presence of specific fields and values in the request", - "type": "String" }, { - "condition": "securityhub:TargetAccount", - "description": "Filters access based on the presence of AwsAccountId field in the requests", - "type": "String" - } - ], - "prefix": "securityhub", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to accept Security Hub 
invitations to become a member account", - "privilege": "AcceptInvitation", + "access_level": "Read", + "description": "Grants permission to get the default parameters if you executed the specified Service Action on the specified Provisioned Product", + "privilege": "DescribeServiceActionExecutionParameters", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable standards in Security Hub", - "privilege": "BatchDisableStandards", + "access_level": "Read", + "description": "Grants permission to get information about the specified TagOption", + "privilege": "DescribeTagOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to enable standards in Security Hub", - "privilege": "BatchEnableStandards", + "description": "Grants permission to disable portfolio sharing through AWS Organizations feature", + "privilege": "DisableAWSOrganizationsAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to import findings into Security Hub from an integrated product", - "privilege": "BatchImportFindings", + "description": "Grants permission to disassociate an attribute group from an application", + "privilege": "DisassociateAttributeGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "product*" + "resource_type": "Application*" }, { - "condition_keys": [ - "securityhub:TargetAccount" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "AttributeGroup*" } ] }, { "access_level": "Write", - "description": "Grants permission to update customer-controlled fields for a selected set of 
Security Hub findings", - "privilege": "BatchUpdateFindings", + "description": "Grants permission to disassociate a budget from a resource", + "privilege": "DisassociateBudgetFromResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" - }, - { - "condition_keys": [ - "securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create custom actions in Security Hub", - "privilege": "CreateActionTarget", + "description": "Grants permission to disassociate an IAM principal from a portfolio", + "privilege": "DisassociatePrincipalFromPortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Portfolio*" } ] }, { "access_level": "Write", - "description": "Grants permission to create insights in Security Hub. Insights are collections of related findings", - "privilege": "CreateInsight", + "description": "Grants permission to disassociate a product from a portfolio", + "privilege": "DisassociateProductFromPortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to create member accounts in Security Hub", - "privilege": "CreateMembers", + "description": "Grants permission to disassociate a resource from an application", + "privilege": "DisassociateResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Application*" } ] }, { "access_level": "Write", - "description": "Grants permission to decline Security Hub invitations to become a member account", - "privilege": "DeclineInvitations", + "description": "Grants permission to disassociate the specified self-service action association from the specified provisioning artifact", + "privilege": 
"DisassociateServiceActionFromProvisioningArtifact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Product*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete custom actions in Security Hub", - "privilege": "DeleteActionTarget", + "description": "Grants permission to disassociate the specified TagOption from the specified resource", + "privilege": "DisassociateTagOptionFromResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete insights from Security Hub", - "privilege": "DeleteInsight", - "resource_types": [ + "resource_type": "Portfolio" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Product" } ] }, { "access_level": "Write", - "description": "Grants permission to delete Security Hub invitations to become a member account", - "privilege": "DeleteInvitations", + "description": "Grants permission to enable portfolio sharing feature through AWS Organizations", + "privilege": "EnableAWSOrganizationsAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete Security Hub member accounts", - "privilege": "DeleteMembers", + "description": "Grants permission to execute a provisioned product plan", + "privilege": "ExecuteProvisionedProductPlan", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of custom actions using the API", - "privilege": "DescribeActionTargets", + "access_level": "Write", + "description": "Grants permission to executes a provisioned product plan", + "privilege": 
"ExecuteProvisionedProductServiceAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the hub resource in your account", - "privilege": "DescribeHub", + "description": "Grants permission to get the access status of AWS Organization portfolio share feature", + "privilege": "GetAWSOrganizationsAccessStatus", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the organization configuration for Security Hub", - "privilege": "DescribeOrganizationConfiguration", + "description": "Grants permission to get an application", + "privilege": "GetApplication", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Application*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about the available Security Hub product integrations", - "privilege": "DescribeProducts", + "description": "Grants permission to get information about a resource associated to an application", + "privilege": "GetAssociatedResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Application*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about Security Hub standards", - "privilege": "DescribeStandards", + "description": "Grants permission to get an attribute group", + "privilege": "GetAttributeGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "AttributeGroup*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve information about Security Hub standards controls", - "privilege": 
"DescribeStandardsControls", + "description": "Grants permission to get the provisioned product output with either provisioned product id or name", + "privilege": "GetProvisionedProductOutputs", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disable the findings importing for a Security Hub integrated product", - "privilege": "DisableImportFindingsForProduct", + "description": "Grants permission to import a resource into a provisioned product", + "privilege": "ImportAsProvisionedProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Product*" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove the Security Hub administrator account for your organization", - "privilege": "DisableOrganizationAdminAccount", + "access_level": "List", + "description": "Grants permission to list the portfolios that have been shared with you and you have accepted", + "privilege": "ListAcceptedPortfolioShares", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disable Security Hub", - "privilege": "DisableSecurityHub", + "access_level": "List", + "description": "Grants permission to list the applications in your account", + "privilege": "ListApplications", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to a Security Hub member account to disassociate from the associated master account", - "privilege": "DisassociateFromMasterAccount", + "access_level": "List", + "description": "Grants permission to list the attribute groups associated with an application", + "privilege": 
"ListAssociatedAttributeGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate Security Hub member accounts from the associated master account", - "privilege": "DisassociateMembers", + "access_level": "List", + "description": "Grants permission to list the resources associated with an application", + "privilege": "ListAssociatedResources", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Application*" } ] }, { - "access_level": "Write", - "description": "Grants permission to enable the findings importing for a Security Hub integrated product", - "privilege": "EnableImportFindingsForProduct", + "access_level": "List", + "description": "Grants permission to list the attribute groups in your account", + "privilege": "ListAttributeGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to designate a Security Hub administrator account for your organization", - "privilege": "EnableOrganizationAdminAccount", + "access_level": "List", + "description": "Grants permission to list all the budgets associated to a resource", + "privilege": "ListBudgetsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to enable Security Hub", - "privilege": "EnableSecurityHub", + "access_level": "List", + "description": "Grants permission to list constraints associated with a given portfolio", + "privilege": "ListConstraintsForPortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" - }, - { - "condition_keys": [ - 
"aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve a list of the standards that are enabled in Security Hub", - "privilege": "GetEnabledStandards", + "description": "Grants permission to list the different ways to launch a given product as an end-user", + "privilege": "ListLaunchPaths", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Product*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve a list of findings from Security Hub", - "privilege": "GetFindings", + "access_level": "List", + "description": "Grants permission to list the organization nodes that have access to the specified portfolio", + "privilege": "ListOrganizationPortfolioAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve insight results from Security Hub", - "privilege": "GetInsightResults", + "access_level": "List", + "description": "Grants permission to list the AWS accounts you have shared a given portfolio with", + "privilege": "ListPortfolioAccess", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Portfolio*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve Security Hub insights", - "privilege": "GetInsights", + "description": "Grants permission to list the portfolios in your account", + "privilege": "ListPortfolios", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the count of Security Hub membership invitations sent to the account", - "privilege": "GetInvitationsCount", + 
"access_level": "List", + "description": "Grants permission to list the portfolios associated with a given product", + "privilege": "ListPortfoliosForProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Product*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve details about the Security Hub master account", - "privilege": "GetMasterAccount", + "access_level": "List", + "description": "Grants permission to list the IAM principals associated with a given portfolio", + "privilege": "ListPrincipalsForPortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Portfolio*" } ] }, { - "access_level": "Read", - "description": "Grants permission to retrieve the details of Security Hub member accounts", - "privilege": "GetMembers", + "access_level": "List", + "description": "Grants permission to list the provisioned product plans", + "privilege": "ListProvisionedProductPlans", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to invite other AWS accounts to become Security Hub member accounts", - "privilege": "InviteMembers", + "access_level": "List", + "description": "Grants permission to list the provisioning artifacts associated with a given product", + "privilege": "ListProvisioningArtifacts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Product*" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve the Security Hub integrated products that are currently enabled", - "privilege": "ListEnabledProductsForImport", + "description": "Grants permission to list all provisioning artifacts for the specified self-service action", + "privilege": 
"ListProvisioningArtifactsForServiceAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve the Security Hub invitations sent to the account", - "privilege": "ListInvitations", + "description": "Grants permission to list all the records in your account or all the records related to a given provisioned product", + "privilege": "ListRecordHistory", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to retrieve details about Security Hub member accounts associated with the master account", - "privilege": "ListMembers", + "description": "Grants permission to list the resources associated with the specified TagOption", + "privilege": "ListResourcesForTagOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list the Security Hub administrator accounts for your organization", - "privilege": "ListOrganizationAdminAccounts", + "description": "Grants permission to list all self-service actions", + "privilege": "ListServiceActions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { "access_level": "List", - "description": "Grants permission to list of tags associated with a resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to list all the service actions associated with the specified provisioning artifact in your account", + "privilege": "ListServiceActionsForProvisioningArtifact", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "hub*" + "resource_type": "Product*" } ] }, { - "access_level": "Write", - "description": "Grants permission to add tags to a Security Hub resource", - "privilege": "TagResource", + "access_level": "List", + "description": "Grants permission to list account, region and status of each stack instances that are associated with a CFN_STACKSET type provisioned product", + "privilege": "ListStackInstancesForProvisionedProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove tags from a Security Hub resource", - "privilege": "UntagResource", + "access_level": "List", + "description": "Grants permission to list the specified TagOptions or all TagOptions", + "privilege": "ListTagOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update custom actions in Security Hub", - "privilege": "UpdateActionTarget", + "access_level": "Read", + "description": "Grants permission to list the tags for a service catalog appregistry resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AttributeGroup" } ] }, { "access_level": "Write", - "description": "Grants permission to update Security Hub findings", - "privilege": "UpdateFindings", + "description": "Grants permission to provision a product with a specified provisioning artifact and launch parameters", + "privilege": "ProvisionProduct", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Product*" } ] }, { "access_level": "Write", - 
"description": "Grants permission to update insights in Security Hub", - "privilege": "UpdateInsight", + "description": "Grants permission to reject a portfolio that has been shared with you that you previously accepted", + "privilege": "RejectPortfolioShare", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "Portfolio*" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the organization configuration for Security Hub", - "privilege": "UpdateOrganizationConfiguration", + "access_level": "List", + "description": "Grants permission to list all the provisioned products in your account", + "privilege": "ScanProvisionedProducts", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update Security Hub configuration", - "privilege": "UpdateSecurityHubConfiguration", + "access_level": "List", + "description": "Grants permission to list the products available to you as an end-user", + "privilege": "SearchProducts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update Security Hub standards controls", - "privilege": "UpdateStandardsControl", + "access_level": "List", + "description": "Grants permission to list all the products in your account or all the products associated with a given portfolio", + "privilege": "SearchProductsAsAdmin", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "hub" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:securityhub:${Region}:${Account}:hub/default", - "condition_keys": [ - 
"aws:ResourceTag/${TagKey}" - ], - "resource": "hub" }, { - "arn": "arn:${Partition}:securityhub:${Region}:${Account}:product/${Company}/${ProductId}", - "condition_keys": [], - "resource": "product" - } - ], - "service_name": "AWS Security Hub" - }, - { - "conditions": [ - { - "condition": "serverlessrepo:applicationType", - "description": "Application type", - "type": "String" - } - ], - "prefix": "serverlessrepo", - "privileges": [ - { - "access_level": "Write", - "description": "Creates an application, optionally including an AWS SAM file to create the first application version in the same call.", - "privilege": "CreateApplication", + "access_level": "List", + "description": "Grants permission to list all the provisioned products in your account", + "privilege": "SearchProvisionedProducts", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } 
@@ -128391,29 +158105,35 @@ }, { "access_level": "Write", - "description": "Creates an application version.", - "privilege": "CreateApplicationVersion", + "description": "Grants permission to sync a resource with its current state in AppRegistry", + "privilege": "SyncResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates an AWS CloudFormation ChangeSet for the given application.", - "privilege": "CreateCloudFormationChangeSet", + "access_level": "Tagging", + "description": "Grants permission to tag a service catalog appregistry resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "Application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AttributeGroup" }, { "condition_keys": [ - "serverlessrepo:applicationType" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -128422,17 +158142,14 @@ }, { "access_level": "Write", - "description": "Creates an AWS CloudFormation template", - "privilege": "CreateCloudFormationTemplate", + "description": "Grants permission to terminate an existing provisioned product", + "privilege": "TerminateProvisionedProduct", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "applications*" - }, { "condition_keys": [ - "serverlessrepo:applicationType" + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" ], "dependent_actions": [], "resource_type": "" 
@@ -128440,30 +158157,24 @@ ] }, { - "access_level": "Write", - "description": "Deletes the specified application", - "privilege": "DeleteApplication", + "access_level": "Tagging", + "description": "Grants permission to remove a tag from a service catalog appregistry resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" - } - ] - }, - { - "access_level": "Read", - "description": "Gets the specified application.", - "privilege": "GetApplication", - "resource_types": [ + "resource_type": "Application" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "AttributeGroup" }, { "condition_keys": [ - "serverlessrepo:applicationType" + "aws:TagKeys", + "aws:RequestTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -128471,42 +158182,57 @@ ] }, { - "access_level": "Read", - "description": "Gets the policy for the specified application.", - "privilege": "GetApplicationPolicy", + "access_level": "Write", + "description": "Grants permission to update the attributes of an existing application", + "privilege": "UpdateApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "Application*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the attributes of an existing attribute group", + "privilege": "UpdateAttributeGroup", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "AttributeGroup*" } ] }, { - "access_level": "Read", - "description": "Gets the specified AWS CloudFormation template", - "privilege": "GetCloudFormationTemplate", + "access_level": "Write", + "description": "Grants permission to update the metadata fields of an existing constraint", + "privilege": "UpdateConstraint", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieves the list of applications nested in the containing application", - "privilege": "ListApplicationDependencies", + "access_level": "Write", + "description": "Grants permission to update the metadata fields and/or tags of an existing portfolio", + "privilege": "UpdatePortfolio", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "Portfolio*" }, { "condition_keys": [ - "serverlessrepo:applicationType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" 
@@ -128514,18 +158240,31 @@ ] }, { - "access_level": "List", - "description": "Lists versions for the specified application owned by the requester.", - "privilege": "ListApplicationVersions", + "access_level": "Permissions management", + "description": "Grants permission to enable or disable resource sharing for an existing portfolio share", + "privilege": "UpdatePortfolioShare", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "Portfolio*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the metadata fields and/or tags of an existing product", + "privilege": "UpdateProduct", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Product*" }, { "condition_keys": [ - "serverlessrepo:applicationType" + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], "dependent_actions": [], "resource_type": "" @@ -128533,12 +158272,16 @@ ] }, { - "access_level": "List", - "description": "Lists applications owned by the requester.", - "privilege": "ListApplications", + "access_level": "Write", + "description": "Grants permission to update an existing provisioned product", + "privilege": "UpdateProvisionedProduct", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicecatalog:accountLevel", + "servicecatalog:roleLevel", + "servicecatalog:userLevel" + ], "dependent_actions": [], "resource_type": "" } 
@@ -128546,135 +158289,165 @@ }, { "access_level": "Write", - "description": "Puts the policy for the specified application.", - "privilege": "PutApplicationPolicy", + "description": "Grants permission to update the properties of an existing provisioned product", + "privilege": "UpdateProvisionedProductProperties", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Gets all applications authorized for this user", - "privilege": "SearchApplications", + "access_level": "Write", + "description": "Grants permission to update the metadata fields of an existing provisioning artifact", + "privilege": "UpdateProvisioningArtifact", "resource_types": [ { - "condition_keys": [ - "serverlessrepo:applicationType" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "Product*" } ] }, { "access_level": "Write", - "description": "Unshares the specified application", - "privilege": "UnshareApplication", + "description": "Grants permission to update a self-service action", + "privilege": "UpdateServiceAction", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates meta-data of the application", - "privilege": "UpdateApplication", + "description": "Grants permission to update the specified TagOption", + "privilege": "UpdateTagOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "applications*" + "resource_type": "" } ] } ], "resources": [ { - "arn": "arn:${Partition}:serverlessrepo:${Region}:${Account}:applications/${ResourceId}", - "condition_keys": [], - "resource": "applications" + "arn": "arn:${Partition}:servicecatalog:${Region}:${Account}:/applications/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + 
"resource": "Application" + }, + { + "arn": "arn:${Partition}:servicecatalog:${Region}:${Account}:/attribute-groups/${AttributeGroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "AttributeGroup" + }, + { + "arn": "arn:${Partition}:catalog:${Region}:${Account}:portfolio/${PortfolioId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Portfolio" + }, + { + "arn": "arn:${Partition}:catalog:${Region}:${Account}:product/${ProductId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Product" } ], - "service_name": "AWS Serverless Application Repository" + "service_name": "AWS Service Catalog" }, { "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the presence of tag key-value pairs in the request", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag key-value pairs attached to the resource", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the presence of tag keys in the request", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" }, { - "condition": "servicecatalog:accountLevel", - "description": "Filters users to see and perform actions on resources created by anyone in the account", + "condition": "servicediscovery:NamespaceArn", + "description": "Filters access by specifying the Amazon Resource Name (ARN) for the related namespace", "type": "String" }, { - "condition": "servicecatalog:roleLevel", - "description": "Filters users to see and perform actions on resources created either by them or by anyone federating into the same role as them", + "condition": "servicediscovery:NamespaceName", + "description": "Filters access 
by specifying the name of the related namespace", "type": "String" }, { - "condition": "servicecatalog:userLevel", - "description": "Filters users to see and perform actions on only resources that they created", + "condition": "servicediscovery:ServiceArn", + "description": "Filters access by specifying the Amazon Resource Name (ARN) for the related service", + "type": "String" + }, + { + "condition": "servicediscovery:ServiceName", + "description": "Filters access by specifying the name of the related service", "type": "String" } ], - "prefix": "servicecatalog", + "prefix": "servicediscovery", "privileges": [ { "access_level": "Write", - "description": "Grants permission to accept a portfolio that has been shared with you", - "privilege": "AcceptPortfolioShare", + "description": "Grants permission to create an HTTP namespace", + "privilege": "CreateHttpNamespace", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate an attribute group with an application.", - "privilege": "AssociateAttributeGroup", + "description": "Grants permission to create a private namespace based on DNS, which will be visible only inside a specified Amazon VPC", + "privilege": "CreatePrivateDnsNamespace", "resource_types": [ { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Application*" - }, - { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "AttributeGroup*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to associate a budget with a resource", - "privilege": "AssociateBudgetWithResource", + "description": "Grants permission to create a public namespace based on DNS, which will be visible on the internet", + 
"privilege": "CreatePublicDnsNamespace", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -128682,23 +158455,20 @@ }, { "access_level": "Write", - "description": "Grants permission to associate an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio", - "privilege": "AssociatePrincipalWithPortfolio", + "description": "Grants permission to create a service", + "privilege": "CreateService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to associate a product with a portfolio", - "privilege": "AssociateProductWithPortfolio", - "resource_types": [ + "resource_type": "namespace*" + }, { - "condition_keys": [], + "condition_keys": [ + "servicediscovery:NamespaceArn", + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } 
@@ -128706,95 +158476,70 @@ }, { "access_level": "Write", - "description": "Grants permission to associate a resource with an application.", - "privilege": "AssociateResource", + "description": "Grants permission to delete a specified namespace", + "privilege": "DeleteNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application*" + "resource_type": "namespace*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate an action with a provisioning artifact", - "privilege": "AssociateServiceActionWithProvisioningArtifact", + "description": "Grants permission to delete a specified service", + "privilege": "DeleteService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "service*" } ] }, { "access_level": "Write", - "description": "Grants permission to associate the specified TagOption with the specified portfolio or product", - "privilege": "AssociateTagOptionWithResource", + "description": "Grants permission to delete the records and the health check, if any, that Amazon Route 53 created for the specified instance", + "privilege": "DeregisterInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio" + "resource_type": "service*" }, { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Product" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to associate multiple self-service actions with provisioning artifacts", - "privilege": "BatchAssociateServiceActionWithProvisioningArtifact", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disassociate a batch of self-service actions from the specified provisioning artifact", - "privilege": "BatchDisassociateServiceActionFromProvisioningArtifact", - 
"resource_types": [ - { - "condition_keys": [], + "condition_keys": [ + "servicediscovery:ServiceArn" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to copy the specified source product to the specified target product or a new product", - "privilege": "CopyProduct", + "access_level": "Read", + "description": "Grants permission to discover registered instances for a specified namespace and service", + "privilege": "DiscoverInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicediscovery:NamespaceName", + "servicediscovery:ServiceName" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create an application.", - "privilege": "CreateApplication", + "access_level": "Read", + "description": "Grants permission to get information about a specified instance", + "privilege": "GetInstance", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Application*" - }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "servicediscovery:ServiceArn" ], "dependent_actions": [], "resource_type": "" @@ -128802,19 +158547,13 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create an attribute group.", - "privilege": "CreateAttributeGroup", + "access_level": "Read", + "description": "Grants permission to get the current health status (Healthy, Unhealthy, or Unknown) of one or more instances", + "privilege": "GetInstancesHealthStatus", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "AttributeGroup*" - }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "servicediscovery:ServiceArn" ], "dependent_actions": [], "resource_type": "" 
@@ -128822,63 +158561,49 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a constraint on an associated product and portfolio", - "privilege": "CreateConstraint", + "access_level": "Read", + "description": "Grants permission to get information about a namespace", + "privilege": "GetNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "namespace*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a portfolio", - "privilege": "CreatePortfolio", + "access_level": "Read", + "description": "Grants permission to get information about a specific operation", + "privilege": "GetOperation", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Permissions management", - "description": "Grants permission to share a portfolio you own with another AWS account", - "privilege": "CreatePortfolioShare", + "access_level": "Read", + "description": "Grants permission to get the settings for a specified service", + "privilege": "GetService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "service*" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a product and that product's first provisioning artifact", - "privilege": "CreateProduct", + "access_level": "List", + "description": "Grants permission to get summary information about the instances that were registered with a specified service", + "privilege": "ListInstances", "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Product*" - }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "servicediscovery:ServiceArn" ], 
"dependent_actions": [], "resource_type": "" @@ -128886,9 +158611,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to add a new provisioned product plan", - "privilege": "CreateProvisionedProductPlan", + "access_level": "List", + "description": "Grants permission to get information about the namespaces", + "privilege": "ListNamespaces", "resource_types": [ { "condition_keys": [], @@ -128898,21 +158623,21 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to add a new provisioning artifact to an existing product", - "privilege": "CreateProvisioningArtifact", + "access_level": "List", + "description": "Grants permission to list operations that match the criteria that you specify", + "privilege": "ListOperations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to create a self-service action", - "privilege": "CreateServiceAction", + "access_level": "List", + "description": "Grants permission to get settings for all the services that match specified filters", + "privilege": "ListServices", "resource_types": [ { "condition_keys": [], @@ -128922,9 +158647,9 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to create a TagOption", - "privilege": "CreateTagOption", + "access_level": "List", + "description": "Grants permission to lists tags for the specified resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], 
@@ -128935,116 +158660,163 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an application if all associations have been removed from the application.", - "privilege": "DeleteApplication", + "description": "Grants permission to register an instance based on the settings in a specified service", + "privilege": "RegisterInstance", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to delete an attribute group if all associations have been removed from the attribute group.", - "privilege": "DeleteAttributeGroup", - "resource_types": [ + "resource_type": "service*" + }, { - "condition_keys": [], + "condition_keys": [ + "servicediscovery:ServiceArn" + ], "dependent_actions": [], - "resource_type": "AttributeGroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove and delete an existing constraint from an associated product and portfolio", - "privilege": "DeleteConstraint", + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to the specified resource", + "privilege": "TagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to delete a portfolio if all associations and shares have been removed from the portfolio", - "privilege": "DeletePortfolio", + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from the specified resource", + "privilege": "UntagResource", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "" } ] }, { - "access_level": "Permissions 
management", - "description": "Grants permission to unshare a portfolio you own from an AWS account you previously shared the portfolio with", - "privilege": "DeletePortfolioShare", + "access_level": "Write", + "description": "Grants permission to update the settings for a HTTP namespace", + "privilege": "UpdateHttpNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "namespace*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a product if all associations have been removed from the product", - "privilege": "DeleteProduct", + "description": "Grants permission to update the current health status for an instance that has a custom health check", + "privilege": "UpdateInstanceCustomHealthStatus", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "servicediscovery:ServiceArn" + ], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a provisioned product plan", - "privilege": "DeleteProvisionedProductPlan", + "description": "Grants permission to update the settings for a private DNS namespace", + "privilege": "UpdatePrivateDnsNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "namespace*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a provisioning artifact from a product", - "privilege": "DeleteProvisioningArtifact", + "description": "Grants permission to update the settings for a public DNS namespace", + "privilege": "UpdatePublicDnsNamespace", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "namespace*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a self-service action", - "privilege": "DeleteServiceAction", + "description": 
"Grants permission to update the settings in a specified service", + "privilege": "UpdateService", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "service*" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:servicediscovery:${Region}:${Account}:namespace/${NamespaceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "namespace" + }, + { + "arn": "arn:${Partition}:servicediscovery:${Region}:${Account}:service/${ServiceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "service" + } + ], + "service_name": "AWS Cloud Map" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" }, + { + "condition": "servicequotas:service", + "description": "Filters or restricts access to a specified AWS service", + "type": "string" + } + ], + "prefix": "servicequotas", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to delete the specified TagOption", - "privilege": "DeleteTagOption", + "description": "Grants permission to associate the Service Quotas template with your organization", + "privilege": "AssociateServiceQuotaTemplate", "resource_types": [ { "condition_keys": [], 
@@ -129054,9 +158826,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to describe a constraint", - "privilege": "DescribeConstraint", + "access_level": "Write", + "description": "Grants permission to remove the specified service quota from the service quota template", + "privilege": "DeleteServiceQuotaIncreaseRequestFromTemplate", "resource_types": [ { "condition_keys": [], @@ -129066,9 +158838,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get the status of the specified copy product operation", - "privilege": "DescribeCopyProductStatus", + "access_level": "Write", + "description": "Grants permission to disassociate the Service Quotas template from your organization", + "privilege": "DisassociateServiceQuotaTemplate", "resource_types": [ { "condition_keys": [], @@ -129079,20 +158851,20 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a portfolio", - "privilege": "DescribePortfolio", + "description": "Grants permission to return the details for the specified service quota, including the AWS default value", + "privilege": "GetAWSDefaultServiceQuota", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to get the status of the specified portfolio share operation", - "privilege": "DescribePortfolioShareStatus", + "description": "Grants permission to retrieve the ServiceQuotaTemplateAssociationStatus value, which tells you if the Service Quotas template is associated with an organization", + "privilege": "GetAssociationForServiceQuotaTemplate", "resource_types": [ { "condition_keys": [], 
@@ -129103,32 +158875,32 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a product as an end-user", - "privilege": "DescribeProduct", + "description": "Grants permission to retrieve the details for a particular service quota increase request", + "privilege": "GetRequestedServiceQuotaChange", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a product as an admin", - "privilege": "DescribeProductAsAdmin", + "description": "Grants permission to return the details for the specified service quota, including the applied value", + "privilege": "GetServiceQuota", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a product as an end-user", - "privilege": "DescribeProductView", + "description": "Grants permission to retrieve the details for a service quota increase request from the service quota template", + "privilege": "GetServiceQuotaIncreaseRequestFromTemplate", "resource_types": [ { "condition_keys": [], @@ -129139,8 +158911,8 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a provisioned product", - "privilege": "DescribeProvisionedProduct", + "description": "Grants permission to list all default service quotas for the specified AWS service", + "privilege": "ListAWSDefaultServiceQuotas", "resource_types": [ { "condition_keys": [], @@ -129151,8 +158923,8 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a provisioned product plan", - "privilege": "DescribeProvisionedProductPlan", + "description": "Grants permission to request a list of the changes to quotas for a service", + "privilege": "ListRequestedServiceQuotaChangeHistory", "resource_types": [ { "condition_keys": [], 
@@ -129163,48 +158935,32 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a provisioning artifact", - "privilege": "DescribeProvisioningArtifact", + "description": "Grants permission to request a list of the changes to specific service quotas", + "privilege": "ListRequestedServiceQuotaChangeHistoryByQuota", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe the parameters that you need to specify to successfully provision a specified provisioning artifact", - "privilege": "DescribeProvisioningParameters", + "description": "Grants permission to return a list of the service quota increase requests from the service quota template", + "privilege": "ListServiceQuotaIncreaseRequestsInTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to describe a record and lists any outputs", - "privilege": "DescribeRecord", - "resource_types": [ - { - "condition_keys": [ - "servicecatalog:accountLevel", - "servicecatalog:roleLevel", - "servicecatalog:userLevel" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Grants permission to describe a self-service action", - "privilege": "DescribeServiceAction", + "description": "Grants permission to list all service quotas for the specified AWS service, in that account, in that Region", + "privilege": "ListServiceQuotas", "resource_types": [ { "condition_keys": [], 
@@ -129215,8 +158971,8 @@ }, { "access_level": "Read", - "description": "Grants permission to get the default parameters if you executed the specified Service Action on the specified Provisioned Product", - "privilege": "DescribeServiceActionExecutionParameters", + "description": "Grants permission to list the AWS services available in Service Quotas", + "privilege": "ListServices", "resource_types": [ { "condition_keys": [], @@ -129226,9 +158982,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get information about the specified TagOption", - "privilege": "DescribeTagOption", + "access_level": "List", + "description": "Grants permission to view the existing tags on a SQ resource", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], 
@@ -129239,37 +158995,46 @@ }, { "access_level": "Write", - "description": "Grants permission to disable portfolio sharing through AWS Organizations feature", - "privilege": "DisableAWSOrganizationsAccess", + "description": "Grants permission to define and add a quota to the service quota template", + "privilege": "PutServiceQuotaIncreaseRequestIntoTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "quota" + }, + { + "condition_keys": [ + "servicequotas:service" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate an attribute group from an application.", - "privilege": "DisassociateAttributeGroup", + "description": "Grants permission to submit the request for a service quota increase", + "privilege": "RequestServiceQuotaIncrease", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application*" + "resource_type": "quota" }, { - "condition_keys": [], + "condition_keys": [ + "servicequotas:service" + ], "dependent_actions": [], - "resource_type": "AttributeGroup*" + "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate a budget from a resource", - "privilege": "DisassociateBudgetFromResource", + "access_level": "Tagging", + "description": "Grants permission to associate a set of tags with an existing SQ resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], 
@@ -129279,77 +159044,111 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate an IAM principal from a portfolio", - "privilege": "DisassociatePrincipalFromPortfolio", + "access_level": "Tagging", + "description": "Grants permission to remove a set of tags from a SQ resource, where tags to be removed match a set of customer-supplied tag keys", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:servicequotas:${Region}:${Account}:${ServiceCode}/${QuotaCode}", + "condition_keys": [], + "resource": "quota" + } + ], + "service_name": "Service Quotas" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to disassociate a product from a portfolio", - "privilege": "DisassociateProductFromPortfolio", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" }, { - "access_level": "Write", - "description": "Grants permission to disassociate a resource from an application.", - "privilege": "DisassociateResource", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "Application*" - } - ] + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" }, + { + "condition": "ses:FeedbackAddress", + "description": "Filters actions based on the \"Return-Path\" address, which specifies where bounces and complaints are sent by email feedback forwarding", + "type": "String" + 
}, + { + "condition": "ses:FromAddress", + "description": "Filters actions based on the \"From\" address of a message", + "type": "String" + }, + { + "condition": "ses:FromDisplayName", + "description": "Filters actions based on the \"From\" address that is used as the display name of a message", + "type": "String" + }, + { + "condition": "ses:Recipients", + "description": "Filters actions based on the recipient addresses of a message, which include the \"To\", \"CC\", and \"BCC\" addresses", + "type": "ArrayOfString" + } + ], + "prefix": "ses", + "privileges": [ { "access_level": "Write", - "description": "Grants permission to disassociate the specified self-service action association from the specified provisioning artifact", - "privilege": "DisassociateServiceActionFromProvisioningArtifact", + "description": "Grants permission to create a configuration set", + "privilege": "CreateConfigurationSet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to disassociate the specified TagOption from the specified resource", - "privilege": "DisassociateTagOptionFromResource", + "description": "Grants permission to create a configuration set event destination", + "privilege": "CreateConfigurationSetEventDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio" + "resource_type": "configuration-set*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Product" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to enable portfolio sharing feature through AWS Organizations", - "privilege": "EnableAWSOrganizationsAccess", + "description": "Grants permission to create a new pool of dedicated 
IP addresses", + "privilege": "CreateDedicatedIpPool", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } 
@@ -129357,140 +159156,119 @@ }, { "access_level": "Write", - "description": "Grants permission to execute a provisioned product plan", - "privilege": "ExecuteProvisionedProductPlan", + "description": "Grants permission to create a new predictive inbox placement test", + "privilege": "CreateDeliverabilityTestReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to executes a provisioned product plan", - "privilege": "ExecuteProvisionedProductServiceAction", - "resource_types": [ + "resource_type": "identity*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the access status of AWS Organization portfolio share feature", - "privilege": "GetAWSOrganizationsAccessStatus", + "access_level": "Write", + "description": "Grants permission to start the process of verifying an email identity", + "privilege": "CreateEmailIdentity", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get an application.", - "privilege": "GetApplication", + "access_level": "Write", + "description": "Grants permission to delete an existing configuration set", + "privilege": "DeleteConfigurationSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application*" - } - ] - }, - { - "access_level": "Read", - "description": "Grants permission to get an attribute group.", - "privilege": "GetAttributeGroup", - "resource_types": [ + "resource_type": "configuration-set*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - 
"resource_type": "AttributeGroup*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to import a resource into a provisioned product.", - "privilege": "ImportAsProvisionedProduct", + "description": "Grants permission to delete an event destination", + "privilege": "DeleteConfigurationSetEventDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the portfolios that have been shared with you and you have accepted", - "privilege": "ListAcceptedPortfolioShares", - "resource_types": [ + "resource_type": "configuration-set*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the applications in your account.", - "privilege": "ListApplications", + "access_level": "Write", + "description": "Grants permission to delete a dedicated IP pool", + "privilege": "DeleteDedicatedIpPool", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the attribute groups associated with an application.", - "privilege": "ListAssociatedAttributeGroups", - "resource_types": [ + "resource_type": "dedicated-ip-pool*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "Application*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the resources associated with an application.", - "privilege": "ListAssociatedResources", + "access_level": "Write", + "description": "Grants permission to delete an email identity that you previously verified", + "privilege": "DeleteEmailIdentity", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "Application*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the attribute groups in your account.", - "privilege": "ListAttributeGroups", - "resource_types": [ + "resource_type": "identity*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the budgets associated to a resource", - "privilege": "ListBudgetsForResource", + "access_level": "Read", + "description": "Grants permission to get information about the email-sending status and capabilities", + "privilege": "GetAccount", "resource_types": [ { "condition_keys": [], @@ -129500,9 +159278,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list constraints associated with a given portfolio", - "privilege": "ListConstraintsForPortfolio", + "access_level": "Read", + "description": "Grants permission to retrieve a list of the deny lists on which your dedicated IP addresses appear", + "privilege": "GetBlacklistReports", "resource_types": [ { "condition_keys": [], 
@@ -129512,45 +159290,47 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the different ways to launch a given product as an end-user", - "privilege": "ListLaunchPaths", + "access_level": "Read", + "description": "Grants permission to get information about an existing configuration set", + "privilege": "GetConfigurationSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list the organization nodes that have access to the specified portfolio", - "privilege": "ListOrganizationPortfolioAccess", - "resource_types": [ + "resource_type": "configuration-set*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the AWS accounts you have shared a given portfolio with", - "privilege": "ListPortfolioAccess", + "access_level": "Read", + "description": "Grants permission to retrieve a list of event destinations that are associated with a configuration set", + "privilege": "GetConfigurationSetEventDestinations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "configuration-set*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the portfolios in your account", - "privilege": "ListPortfolios", + "access_level": "Read", + "description": "Grants permission to get information about a dedicated IP address", + "privilege": "GetDedicatedIp", "resource_types": [ { "condition_keys": [], 
@@ -129560,75 +159340,99 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the portfolios associated with a given product", - "privilege": "ListPortfoliosForProduct", + "access_level": "Read", + "description": "Grants permission to list the dedicated IP addresses that are associated with your account", + "privilege": "GetDedicatedIps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "dedicated-ip-pool*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the IAM principals associated with a given portfolio", - "privilege": "ListPrincipalsForPortfolio", + "access_level": "Read", + "description": "Grants permission to get the status of the Deliverability dashboard", + "privilege": "GetDeliverabilityDashboardOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the provisioned product plans", - "privilege": "ListProvisionedProductPlans", + "access_level": "Read", + "description": "Grants permission to retrieve the results of a predictive inbox placement test", + "privilege": "GetDeliverabilityTestReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "deliverability-test-report*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the provisioning artifacts associated with a given product", - "privilege": "ListProvisioningArtifacts", + "access_level": "Read", + "description": "Grants permission to retrieve all the deliverability data for a specific campaign", + "privilege": 
"GetDomainDeliverabilityCampaign", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all provisioning artifacts for the specified self-service action", - "privilege": "ListProvisioningArtifactsForServiceAction", + "access_level": "Read", + "description": "Grants permission to retrieve inbox placement and engagement rates for the domains that you use to send email", + "privilege": "GetDomainStatisticsReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the records in your account or all the records related to a given provisioned product", - "privilege": "ListRecordHistory", + "access_level": "Read", + "description": "Grants permission to get information about a specific identity associated with your account", + "privilege": "GetEmailIdentity", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + }, { "condition_keys": [ - "servicecatalog:accountLevel", - "servicecatalog:roleLevel", - "servicecatalog:userLevel" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -129637,8 +159441,8 @@ }, { "access_level": "List", - "description": "Grants permission to list the resources associated with the specified TagOption", - "privilege": "ListResourcesForTagOption", + "description": "Grants permission to list all of the configuration sets associated with your account", + "privilege": "ListConfigurationSets", "resource_types": [ { "condition_keys": [], 
@@ -129649,8 +159453,8 @@ }, { "access_level": "List", - "description": "Grants permission to list all self-service actions", - "privilege": "ListServiceActions", + "description": "Grants permission to list all of the dedicated IP pools that exist in your account", + "privilege": "ListDedicatedIpPools", "resource_types": [ { "condition_keys": [], @@ -129661,20 +159465,20 @@ }, { "access_level": "List", - "description": "Grants permission to list all the service actions associated with the specified provisioning artifact in your account", - "privilege": "ListServiceActionsForProvisioningArtifact", + "description": "Grants permission to retrieve a list of the predictive inbox placement tests that you've performed, regardless of their statuses", + "privilege": "ListDeliverabilityTestReports", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list account, region and status of each stack instances that are associated with a CFN_STACKSET type provisioned product", - "privilege": "ListStackInstancesForProvisionedProduct", + "access_level": "Read", + "description": "Grants permission to retrieve deliverability data for all the campaigns that used a specific domain to send email during a specified time range", + "privilege": "ListDomainDeliverabilityCampaigns", "resource_types": [ { "condition_keys": [], @@ -129685,8 +159489,8 @@ }, { "access_level": "List", - "description": "Grants permission to list the specified TagOptions or all TagOptions", - "privilege": "ListTagOptions", + "description": "Grants permission to list all of the email identities that are associated with your account", + "privilege": "ListEmailIdentities", "resource_types": [ { "condition_keys": [], 
@@ -129696,66 +159500,48 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list the tags for a service catalog appregistry resource.", + "access_level": "Read", + "description": "Grants permission to retrieve a list of the tags (keys and values) that are associated with a specific resource", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application" + "resource_type": "configuration-set" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "AttributeGroup" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to provision a product with a specified provisioning artifact and launch parameters", - "privilege": "ProvisionProduct", - "resource_types": [ + "resource_type": "dedicated-ip-pool" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to reject a portfolio that has been shared with you that you previously accepted", - "privilege": "RejectPortfolioShare", - "resource_types": [ + "resource_type": "deliverability-test-report" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "identity" } ] }, { - "access_level": "List", - "description": "Grants permission to list all the provisioned products in your account", - "privilege": "ScanProvisionedProducts", + "access_level": "Write", + "description": "Grants permission to enable or disable the automatic warm-up feature for dedicated IP addresses", + "privilege": "PutAccountDedicatedIpWarmupAttributes", "resource_types": [ { - "condition_keys": [ - "servicecatalog:accountLevel", - "servicecatalog:roleLevel", - "servicecatalog:userLevel" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "List", - "description": "Grants permission to list the products available to 
you as an end-user", - "privilege": "SearchProducts", + "access_level": "Write", + "description": "Grants permission to enable or disable the ability of your account to send email", + "privilege": "PutAccountSendingAttributes", "resource_types": [ { "condition_keys": [], @@ -129765,27 +159551,18 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list all the products in your account or all the products associated with a given portfolio", - "privilege": "SearchProductsAsAdmin", + "access_level": "Write", + "description": "Grants permission to associate a configuration set with a dedicated IP pool", + "privilege": "PutConfigurationSetDeliveryOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Grants permission to list all the provisioned products in your account", - "privilege": "SearchProvisionedProducts", - "resource_types": [ + "resource_type": "configuration-set*" + }, { "condition_keys": [ - "servicecatalog:accountLevel", - "servicecatalog:roleLevel", - "servicecatalog:userLevel" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -129794,35 +159571,36 @@ }, { "access_level": "Write", - "description": "Grants permission to sync a resource with its current state in AppRegistry.", - "privilege": "SyncResource", + "description": "Grants permission to enable or disable collection of reputation metrics for emails that you send using a particular configuration set", + "privilege": "PutConfigurationSetReputationOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to tag a service catalog appregistry resource.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to enable or disable email sending for messages that use a particular configuration set", + "privilege": "PutConfigurationSetSendingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "AttributeGroup" + "resource_type": "configuration-set*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -129831,14 +159609,17 @@ }, { "access_level": "Write", - "description": "Grants permission to terminate an existing provisioned product", - "privilege": "TerminateProvisionedProduct", + "description": "Grants permission to specify a custom domain to use for open and click tracking elements in email that you send using a particular configuration set", + "privilege": "PutConfigurationSetTrackingOptions", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set*" + }, { "condition_keys": [ - "servicecatalog:accountLevel", - "servicecatalog:roleLevel", - "servicecatalog:userLevel" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -129846,24 +159627,18 @@ ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove a tag from a service catalog appregistry resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to move a dedicated IP address to an existing dedicated IP pool", + "privilege": "PutDedicatedIpInPool", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "AttributeGroup" + "resource_type": "dedicated-ip-pool*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -129872,54 +159647,60 @@ }, { "access_level": "Write", - "description": "Grants permission to update the attributes of an existing application.", - "privilege": "UpdateApplication", + "description": "Grants permission to enable dedicated IP warm up attributes", + "privilege": "PutDedicatedIpWarmupAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Application*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the attributes of an existing attribute group.", - "privilege": "UpdateAttributeGroup", + "description": "Grants permission to enable or disable the Deliverability dashboard", + "privilege": "PutDeliverabilityDashboardOption", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "AttributeGroup*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the metadata fields of an existing constraint", - "privilege": "UpdateConstraint", + "description": "Grants permission to enable or disable DKIM authentication for an email identity", + "privilege": "PutEmailIdentityDkimAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to update the metadata fields and/or tags of an existing portfolio", - "privilege": "UpdatePortfolio", + "description": "Grants permission to enable or disable feedback forwarding for an identity", + "privilege": "PutEmailIdentityFeedbackAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Portfolio*" + "resource_type": "identity*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": 
"" @@ -129928,18 +159709,17 @@ }, { "access_level": "Write", - "description": "Grants permission to update the metadata fields and/or tags of an existing product", - "privilege": "UpdateProduct", + "description": "Grants permission to enable or disable the custom MAIL FROM domain configuration for an email identity", + "privilege": "PutEmailIdentityMailFromAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" + "resource_type": "identity*" }, { "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -129948,14 +159728,20 @@ }, { "access_level": "Write", - "description": "Grants permission to update an existing provisioned product", - "privilege": "UpdateProvisionedProduct", + "description": "Grants permission to send an email message", + "privilege": "SendEmail", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + }, { "condition_keys": [ - "servicecatalog:accountLevel", - "servicecatalog:roleLevel", - "servicecatalog:userLevel" + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" ], "dependent_actions": [], "resource_type": "" 
@@ -129963,49 +159749,89 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to update the properties of an existing provisioned product", - "privilege": "UpdateProvisionedProductProperties", + "access_level": "Tagging", + "description": "Grants permission to add one or more tags (keys and values) to a specified resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dedicated-ip-pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deliverability-test-report" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the metadata fields of an existing provisioning artifact", - "privilege": "UpdateProvisioningArtifact", + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags (keys and values) from a specified resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "Product*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to update a self-service action", - "privilege": "UpdateServiceAction", - "resource_types": [ + "resource_type": "configuration-set" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dedicated-ip-pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deliverability-test-report" + }, { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": 
"Write", - "description": "Grants permission to update the specified TagOption", - "privilege": "UpdateTagOption", + "description": "Grants permission to update the configuration of an event destination for a configuration set", + "privilege": "UpdateConfigurationSetEventDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] 
@@ -130013,86 +159839,68 @@ ], "resources": [ { - "arn": "arn:${Partition}:servicecatalog:${Region}:${Account}:/applications/${ApplicationId}", + "arn": "arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Application" + "resource": "configuration-set" }, { - "arn": "arn:${Partition}:servicecatalog:${Region}:${Account}:/attribute-groups/${AttributeGroupId}", + "arn": "arn:${Partition}:ses:${Region}:${Account}:dedicated-ip-pool/${DedicatedIPPool}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "AttributeGroup" + "resource": "dedicated-ip-pool" }, { - "arn": "arn:${Partition}:catalog:${Region}:${Account}:portfolio/${PortfolioId}", + "arn": "arn:${Partition}:ses:${Region}:${Account}:deliverability-test-report/${ReportId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Portfolio" + "resource": "deliverability-test-report" }, { - "arn": "arn:${Partition}:catalog:${Region}:${Account}:product/${ProductId}", + "arn": "arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Product" + "resource": "identity" } ], - "service_name": "AWS Service Catalog" + "service_name": "Amazon Pinpoint Email Service" }, { "conditions": [ { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" - }, - { - "condition": "servicediscovery:NamespaceArn", - "description": "Filters access by specifying the Amazon Resource Name (ARN) for the related namespace", + "condition": "ses:FeedbackAddress", 
+ "description": "Filters actions based on the \"Return-Path\" address, which specifies where bounces and complaints are sent by email feedback forwarding", "type": "String" }, { - "condition": "servicediscovery:NamespaceName", - "description": "Filters access by specifying the name of the related namespace", + "condition": "ses:FromAddress", + "description": "Filters actions based on the \"From\" address of a message", "type": "String" }, { - "condition": "servicediscovery:ServiceArn", - "description": "Filters access by specifying the Amazon Resource Name (ARN) for the related service", + "condition": "ses:FromDisplayName", + "description": "Filters actions based on the \"From\" address that is used as the display name of a message", "type": "String" }, { - "condition": "servicediscovery:ServiceName", - "description": "Filters access by specifying the name of the related service", - "type": "String" + "condition": "ses:Recipients", + "description": "Filters actions based on the recipient addresses of a message, which include the \"To\", \"CC\", and \"BCC\" addresses", + "type": "ArrayOfString" } ], - "prefix": "servicediscovery", + "prefix": "ses", "privileges": [ { "access_level": "Write", - "description": "Grants permission to create an HTTP namespace", - "privilege": "CreateHttpNamespace", + "description": "Grants permission to create a receipt rule set by cloning an existing one", + "privilege": "CloneReceiptRuleSet", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -130100,14 +159908,11 @@ }, { "access_level": "Write", - "description": "Grants permission to create a private namespace based on DNS, which will be visible only inside a specified Amazon VPC", - "privilege": "CreatePrivateDnsNamespace", + "description": "Grants permission to create a new configuration set", + "privilege": "CreateConfigurationSet", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } @@ -130115,14 +159920,11 @@ }, { "access_level": "Write", - "description": "Grants permission to create a public namespace based on DNS, which will be visible on the internet", - "privilege": "CreatePublicDnsNamespace", + "description": "Grants permission to create a configuration set event destination", + "privilege": "CreateConfigurationSetEventDestination", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } 
@@ -130130,127 +159932,116 @@ }, { "access_level": "Write", - "description": "Grants permission to create a service", - "privilege": "CreateService", + "description": "Grants permission to creates an association between a configuration set and a custom domain for open and click event tracking", + "privilege": "CreateConfigurationSetTrackingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" - }, - { - "condition_keys": [ - "servicediscovery:NamespaceArn", - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a specified namespace", - "privilege": "DeleteNamespace", + "description": "Grants permission to create a new custom verification email template", + "privilege": "CreateCustomVerificationEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "identity*" } ] }, { "access_level": "Write", - "description": "Grants permission to delete a specified service", - "privilege": "DeleteService", + "description": "Grants permission to create a new IP address filter", + "privilege": "CreateReceiptFilter", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to delete the records and the health check, if any, that Amazon Route 53 created for the specified instance", - "privilege": "DeregisterInstance", + "description": "Grants permission to create a receipt rule", + "privilege": "CreateReceiptRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" - }, + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an empty receipt rule set", + "privilege": "CreateReceiptRuleSet", + 
"resource_types": [ { - "condition_keys": [ - "servicediscovery:ServiceArn" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to discover registered instances for a specified namespace and service", - "privilege": "DiscoverInstances", + "access_level": "Write", + "description": "Grants permission to creates an email template", + "privilege": "CreateTemplate", "resource_types": [ { - "condition_keys": [ - "servicediscovery:NamespaceName", - "servicediscovery:ServiceName" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specified instance", - "privilege": "GetInstance", + "access_level": "Write", + "description": "Grants permission to delete an existing configuration set", + "privilege": "DeleteConfigurationSet", "resource_types": [ { - "condition_keys": [ - "servicediscovery:ServiceArn" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get the current health status (Healthy, Unhealthy, or Unknown) of one or more instances", - "privilege": "GetInstancesHealthStatus", + "access_level": "Write", + "description": "Grants permission to delete an event destination", + "privilege": "DeleteConfigurationSetEventDestination", "resource_types": [ { - "condition_keys": [ - "servicediscovery:ServiceArn" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a namespace", - "privilege": "GetNamespace", + "access_level": "Write", + "description": "Grants permission to delete an association between a configuration set and a custom domain for open and click event tracking", + "privilege": "DeleteConfigurationSetTrackingOptions", "resource_types": [ { 
"condition_keys": [], "dependent_actions": [], - "resource_type": "namespace*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Grants permission to get information about a specific operation", - "privilege": "GetOperation", + "access_level": "Write", + "description": "Grants permission to delete an existing custom verification email template", + "privilege": "DeleteCustomVerificationEmailTemplate", "resource_types": [ { "condition_keys": [], @@ -130260,35 +160051,33 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to get the settings for a specified service", - "privilege": "GetService", + "access_level": "Write", + "description": "Grants permission to delete the specified identity", + "privilege": "DeleteIdentity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "identity*" } ] }, { - "access_level": "List", - "description": "Grants permission to get summary information about the instances that were registered with a specified service", - "privilege": "ListInstances", + "access_level": "Permissions management", + "description": "Grants permission to delete the specified sending authorization policy for the given identity (an email address or a domain)", + "privilege": "DeleteIdentityPolicy", "resource_types": [ { - "condition_keys": [ - "servicediscovery:ServiceArn" - ], + "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { - "access_level": "List", - "description": "Grants permission to get information about the namespaces", - "privilege": "ListNamespaces", + "access_level": "Write", + "description": "Grants permission to delete the specified IP address filter", + "privilege": "DeleteReceiptFilter", "resource_types": [ { "condition_keys": [], 
@@ -130298,9 +160087,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to list operations that match the criteria that you specify", - "privilege": "ListOperations", + "access_level": "Write", + "description": "Grants permission to delete the specified receipt rule", + "privilege": "DeleteReceiptRule", "resource_types": [ { "condition_keys": [], @@ -130310,9 +160099,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to get settings for all the services that match specified filters", - "privilege": "ListServices", + "access_level": "Write", + "description": "Grants permission to delete the specified receipt rule set and all of the receipt rules it contains", + "privilege": "DeleteReceiptRuleSet", "resource_types": [ { "condition_keys": [], @@ -130322,9 +160111,9 @@ ] }, { - "access_level": "List", - "description": "Grants permission to lists tags for the specified resource", - "privilege": "ListTagsForResource", + "access_level": "Write", + "description": "Grants permission to delete an email template", + "privilege": "DeleteTemplate", "resource_types": [ { "condition_keys": [], 
@@ -130335,187 +160124,152 @@ }, { "access_level": "Write", - "description": "Grants permission to register an instance based on the settings in a specified service", - "privilege": "RegisterInstance", + "description": "Grants permission to delete the specified email address from the list of verified addresses", + "privilege": "DeleteVerifiedEmailAddress", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" - }, + "resource_type": "identity*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return the metadata and receipt rules for the receipt rule set that is currently active", + "privilege": "DescribeActiveReceiptRuleSet", + "resource_types": [ { - "condition_keys": [ - "servicediscovery:ServiceArn" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to add one or more tags to the specified resource", - "privilege": "TagResource", + "access_level": "Read", + "description": "Grants permission to return the details of the specified configuration set", + "privilege": "DescribeConfigurationSet", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove one or more tags from the specified resource", - "privilege": "UntagResource", + "access_level": "Read", + "description": "Grants permission to return the details of the specified receipt rule", + "privilege": "DescribeReceiptRule", "resource_types": [ { - "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the current health status for an instance that has a custom health check", - 
"privilege": "UpdateInstanceCustomHealthStatus", + "access_level": "Read", + "description": "Grants permission to return the details of the specified receipt rule set", + "privilege": "DescribeReceiptRuleSet", "resource_types": [ { - "condition_keys": [ - "servicediscovery:ServiceArn" - ], + "condition_keys": [], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Grants permission to update the settings in a specified service", - "privilege": "UpdateService", + "access_level": "Read", + "description": "Grants permission to return the email sending status of your account", + "privilege": "GetAccountSendingEnabled", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "service*" + "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:servicediscovery:${Region}:${Account}:namespace/${NamespaceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "namespace" - }, - { - "arn": "arn:${Partition}:servicediscovery:${Region}:${Account}:service/${ServiceId}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "service" - } - ], - "service_name": "AWS Cloud Map" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the tags that are passed in the request", - "type": "String" }, { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tags associated with the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the tag keys that are passed in the request", - "type": "String" + "access_level": "Read", + "description": "Grants permission to return the custom email verification template for the template name you specify", + "privilege": "GetCustomVerificationEmailTemplate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } 
+ ] }, { - "condition": "servicequotas:service", - "description": "Filters or restricts access to a specified AWS service", - "type": "string" - } - ], - "prefix": "servicequotas", - "privileges": [ - { - "access_level": "Write", - "description": "Grants permission to associate the Service Quotas template with your organization", - "privilege": "AssociateServiceQuotaTemplate", + "access_level": "Read", + "description": "Grants permission to return the current status of Easy DKIM signing for an entity", + "privilege": "GetIdentityDkimAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { - "access_level": "Write", - "description": "Grants permission to remove the specified service quota from the service quota template", - "privilege": "DeleteServiceQuotaIncreaseRequestFromTemplate", + "access_level": "Read", + "description": "Grants permission to return the custom MAIL FROM attributes for a list of identities (email addresses and/or domains)", + "privilege": "GetIdentityMailFromDomainAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { - "access_level": "Write", - "description": "Grants permission to disassociate the Service Quotas template from your organization", - "privilege": "DisassociateServiceQuotaTemplate", + "access_level": "Read", + "description": "Grants permission to return a structure describing identity notification attributes for a list of verified identities (email addresses and/or domains),", + "privilege": "GetIdentityNotificationAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { "access_level": "Read", - "description": "Grants permission to return the details for the specified service quota, including the AWS default value", - "privilege": "GetAWSDefaultServiceQuota", + 
"description": "Grants permission to return the requested sending authorization policies for the given identity (an email address or a domain)", + "privilege": "GetIdentityPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the ServiceQuotaTemplateAssociationStatus value, which tells you if the Service Quotas template is associated with an organization", - "privilege": "GetAssociationForServiceQuotaTemplate", + "description": "Grants permission to return the verification status and (for domain identities) the verification token for a list of identities", + "privilege": "GetIdentityVerificationAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { "access_level": "Read", - "description": "Grants permission to retrieve the details for a particular service quota increase request", - "privilege": "GetRequestedServiceQuotaChange", + "description": "Grants permission to return the user's current sending limits", + "privilege": "GetSendQuota", "resource_types": [ { "condition_keys": [], @@ -130526,8 +160280,8 @@ }, { "access_level": "Read", - "description": "Grants permission to return the details for the specified service quota, including the applied value", - "privilege": "GetServiceQuota", + "description": "Grants permission to returns the user's sending statistics", + "privilege": "GetSendStatistics", "resource_types": [ { "condition_keys": [], 
@@ -130538,8 +160292,8 @@ }, { "access_level": "Read", - "description": "Grants permission to retrieve the details for a service quota increase request from the service quota template", - "privilege": "GetServiceQuotaIncreaseRequestFromTemplate", + "description": "Grants permission to return the template object, which includes the subject line, HTML par, and text part for the template you specify", + "privilege": "GetTemplate", "resource_types": [ { "condition_keys": [], @@ -130549,9 +160303,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to list all default service quotas for the specified AWS service", - "privilege": "ListAWSDefaultServiceQuotas", + "access_level": "List", + "description": "Grants permission to list all of the configuration sets for your account", + "privilege": "ListConfigurationSets", "resource_types": [ { "condition_keys": [], @@ -130561,9 +160315,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to request a list of the changes to quotas for a service", - "privilege": "ListRequestedServiceQuotaChangeHistory", + "access_level": "List", + "description": "Grants permission to list all of the existing custom verification email templates for your account", + "privilege": "ListCustomVerificationEmailTemplates", "resource_types": [ { "condition_keys": [], @@ -130573,9 +160327,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to request a list of the changes to specific service quotas", - "privilege": "ListRequestedServiceQuotaChangeHistoryByQuota", + "access_level": "List", + "description": "Grants permission to list the email identities for your account", + "privilege": "ListIdentities", "resource_types": [ { "condition_keys": [], 
@@ -130585,9 +160339,9 @@ ] }, { - "access_level": "Read", - "description": "Grants permission to return a list of the service quota increase requests from the service quota template", - "privilege": "ListServiceQuotaIncreaseRequestsInTemplate", + "access_level": "List", + "description": "Grants permission to list all of the email templates for your account", + "privilege": "ListIdentityPolicies", "resource_types": [ { "condition_keys": [], @@ -130598,8 +160352,8 @@ }, { "access_level": "Read", - "description": "Grants permission to list all service quotas for the specified AWS service, in that account, in that Region", - "privilege": "ListServiceQuotas", + "description": "Grants permission to list the IP address filters associated with your account", + "privilege": "ListReceiptFilters", "resource_types": [ { "condition_keys": [], @@ -130610,8 +160364,8 @@ }, { "access_level": "Read", - "description": "Grants permission to list the AWS services available in Service Quotas", - "privilege": "ListServices", + "description": "Grants permission to list the receipt rule sets that exist under your account", + "privilege": "ListReceiptRuleSets", "resource_types": [ { "condition_keys": [], @@ -130622,8 +160376,8 @@ }, { "access_level": "List", - "description": "Grants permission to view the existing tags on a SQ resource", - "privilege": "ListTagsForResource", + "description": "Grants permission to list the email templates present in your account", + "privilege": "ListTemplates", "resource_types": [ { "condition_keys": [], 
@@ -130633,59 +160387,45 @@ ] }, { - "access_level": "Write", - "description": "Grants permission to define and add a quota to the service quota template", - "privilege": "PutServiceQuotaIncreaseRequestIntoTemplate", + "access_level": "Read", + "description": "Grants permission to list all of the email addresses that have been verified in your account", + "privilege": "ListVerifiedEmailAddresses", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "quota" - }, - { - "condition_keys": [ - "servicequotas:service" - ], - "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Grants permission to submit the request for a service quota increase", - "privilege": "RequestServiceQuotaIncrease", + "description": "Grants permission to add or update the delivery options for a configuration set", + "privilege": "PutConfigurationSetDeliveryOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "quota" - }, - { - "condition_keys": [ - "servicequotas:service" - ], - "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to associate a set of tags with an existing SQ resource", - "privilege": "TagResource", + "access_level": "Permissions management", + "description": "Grants permission to add or update a sending authorization policy for the specified identity (an email address or a domain)", + "privilege": "PutIdentityPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { - "access_level": "Tagging", - "description": "Grants permission to remove a set of tags from a SQ resource, where tags to be removed match a set of customer-supplied tag keys", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to reorder the receipt rules within a receipt rule set", + "privilege": 
"ReorderReceiptRuleSet", "resource_types": [ { "condition_keys": [], 
@@ -130693,71 +160433,52 @@ "resource_type": "" } ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:servicequotas:${Region}:${Account}:${ServiceCode}/${QuotaCode}", - "condition_keys": [], - "resource": "quota" - } - ], - "service_name": "Service Quotas" - }, - { - "conditions": [ - { - "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", - "type": "String" - }, - { - "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", - "type": "String" - }, - { - "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", - "type": "String" - }, - { - "condition": "ses:FeedbackAddress", - "description": "The \"Return-Path\" address, which specifies where bounces and complaints are sent by email feedback forwarding.", - "type": "String" - }, - { - "condition": "ses:FromAddress", - "description": "The \"From\" address of a message.", - "type": "String" }, { - "condition": "ses:FromDisplayName", - "description": "The \"From\" address that is used as the display name of a message.", - "type": "String" + "access_level": "Write", + "description": "Grants permission to generate and send a bounce message to the sender of an email you received through Amazon SES", + "privilege": "SendBounce", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "ses:FromAddress" + ], + "dependent_actions": [], + "resource_type": "" + } + ] }, - { - "condition": "ses:Recipients", - "description": "The recipient addresses of a message, which include the \"To\", \"CC\", and \"BCC\" addresses.", - "type": "String" - } - ], - "prefix": "ses", - "privileges": [ { "access_level": "Write", - "description": "Create a configuration set. 
Configuration sets are groups of rules that you can apply to the emails you send using Amazon Pinpoint", - "privilege": "CreateConfigurationSet", + "description": "Grants permission to compose an email message to multiple destinations", + "privilege": "SendBulkTemplatedEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" ], "dependent_actions": [], "resource_type": "" 
@@ -130766,30 +160487,47 @@ }, { "access_level": "Write", - "description": "Create an event destination", - "privilege": "CreateConfigurationSetEventDestination", + "description": "Grants permission to add an email address to the list of identities and attempts to verify it for your account", + "privilege": "SendCustomVerificationEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "identity*" + }, + { + "condition_keys": [ + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a new pool of dedicated IP addresses", - "privilege": "CreateDedicatedIpPool", + "description": "Grants permission to send an email message", + "privilege": "SendEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dedicated-ip-pool*" + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" ], "dependent_actions": [], "resource_type": "" 
@@ -130798,18 +160536,25 @@ }, { "access_level": "Write", - "description": "Create a new predictive inbox placement test.", - "privilege": "CreateDeliverabilityTestReport", + "description": "Grants permission to send an email message, with header and content specified by the client", + "privilege": "SendRawEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "identity*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" + }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" ], "dependent_actions": [], "resource_type": "" @@ -130818,18 +160563,30 @@ }, { "access_level": "Write", - "description": "Verifies an email identity for use with Amazon Pinpoint", - "privilege": "CreateEmailIdentity", + "description": "Grants permission to compose an email message using an email template", + "privilege": "SendTemplatedEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "identity*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" + }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" ], "dependent_actions": [], "resource_type": "" 
@@ -130838,44 +160595,44 @@ }, { "access_level": "Write", - "description": "Delete an existing configuration set", - "privilege": "DeleteConfigurationSet", + "description": "Grants permission to set the specified receipt rule set as the active receipt rule set", + "privilege": "SetActiveReceiptRuleSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Delete an event destination", - "privilege": "DeleteConfigurationSetEventDestination", + "description": "Grants permission to enable or disable Easy DKIM signing of email sent from an identity", + "privilege": "SetIdentityDkimEnabled", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "identity*" } ] }, { "access_level": "Write", - "description": "Delete a dedicated IP pool", - "privilege": "DeleteDedicatedIpPool", + "description": "Grants permission to enable or disable whether Amazon SES forwards bounce and complaint notifications for an identity (an email address or a domain)", + "privilege": "SetIdentityFeedbackForwardingEnabled", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dedicated-ip-pool*" + "resource_type": "identity*" } ] }, { "access_level": "Write", - "description": "Deletes an email identity that you previously verified for use with Amazon Pinpoint", - "privilege": "DeleteEmailIdentity", + "description": "Grants permission to set whether Amazon SES includes the original email headers in the Amazon Simple Notification Service (Amazon SNS) notifications of a specified type for a given identity (an email address or a domain)", + "privilege": "SetIdentityHeadersInNotificationsEnabled", "resource_types": [ { "condition_keys": [], 
@@ -130885,21 +160642,33 @@ ] }, { - "access_level": "Read", - "description": "Obtain information about the email-sending status and capabilities", - "privilege": "GetAccount", + "access_level": "Write", + "description": "Grants permission to enable or disable the custom MAIL FROM domain setup for a verified identity", + "privilege": "SetIdentityMailFromDomain", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" } ] }, { - "access_level": "Read", - "description": "Retrieve a list of the blacklists that your dedicated IP addresses appear on", - "privilege": "GetBlacklistReports", + "access_level": "Write", + "description": "Grants permission to set an Amazon Simple Notification Service (Amazon SNS) topic to use when delivering notifications for a verified identity", + "privilege": "SetIdentityNotificationTopic", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the position of the specified receipt rule in the receipt rule set", + "privilege": "SetReceiptRulePosition", "resource_types": [ { "condition_keys": [], 
@@ -130909,33 +160678,33 @@ ] }, { - "access_level": "Read", - "description": "Get information about an existing configuration set", - "privilege": "GetConfigurationSet", + "access_level": "Write", + "description": "Grants permission to create a preview of the MIME content of an email when provided with a template and a set of replacement data", + "privilege": "TestRenderTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve a list of event destinations that are associated with a configuration set", - "privilege": "GetConfigurationSetEventDestinations", + "access_level": "Write", + "description": "Grants permission to enable or disable email sending for your account", + "privilege": "UpdateAccountSendingEnabled", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Get information about a dedicated IP address", - "privilege": "GetDedicatedIp", + "access_level": "Write", + "description": "Grants permission to update the event destination of a configuration set", + "privilege": "UpdateConfigurationSetEventDestination", "resource_types": [ { "condition_keys": [], 
@@ -130945,21 +160714,21 @@ ] }, { - "access_level": "Read", - "description": "List the dedicated IP addresses that are associated with your Amazon Pinpoint account", - "privilege": "GetDedicatedIps", + "access_level": "Write", + "description": "Grants permission to enable or disable the publishing of reputation metrics for emails sent using a specific configuration set", + "privilege": "UpdateConfigurationSetReputationMetricsEnabled", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "dedicated-ip-pool*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Show the status of the Deliverability dashboard", - "privilege": "GetDeliverabilityDashboardOptions", + "access_level": "Write", + "description": "Grants permission to enable or disable email sending for messages sent using a specific configuration set", + "privilege": "UpdateConfigurationSetSendingEnabled", "resource_types": [ { "condition_keys": [], 
@@ -130969,45 +160738,45 @@ ] }, { - "access_level": "Read", - "description": "Retrieve the results of a predictive inbox placement test", - "privilege": "GetDeliverabilityTestReport", + "access_level": "Write", + "description": "Grants permission to modify an association between a configuration set and a custom domain for open and click event tracking", + "privilege": "UpdateConfigurationSetTrackingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "deliverability-test-report*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Retrieve inbox placement and engagement rates for the domains that you use to send email", - "privilege": "GetDomainStatisticsReport", + "access_level": "Write", + "description": "Grants permission to update an existing custom verification email template", + "privilege": "UpdateCustomVerificationEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Provides information about a specific identity associated with your Amazon Pinpoint account", - "privilege": "GetEmailIdentity", + "access_level": "Write", + "description": "Grants permission to update a receipt rule", + "privilege": "UpdateReceiptRule", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "List all of the configuration sets associated with your Amazon Pinpoint account in the current region", - "privilege": "ListConfigurationSets", + "access_level": "Write", + "description": "Grants permission to update an email template", + "privilege": "UpdateTemplate", "resource_types": [ { "condition_keys": [], 
@@ -131017,9 +160786,21 @@ ] }, { - "access_level": "List", - "description": "List all of the dedicated IP pools that exist in your Amazon Pinpoint account in the current AWS Region", - "privilege": "ListDedicatedIpPools", + "access_level": "Write", + "description": "Grants permission to return a set of DKIM tokens for a domain", + "privilege": "VerifyDomainDkim", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to verify a domain", + "privilege": "VerifyDomainIdentity", "resource_types": [ { "condition_keys": [], @@ -131029,9 +160810,9 @@ ] }, { - "access_level": "List", - "description": "Show a list of the predictive inbox placement tests that you've performed, regardless of their statuses", - "privilege": "ListDeliverabilityTestReports", + "access_level": "Write", + "description": "Grants permission to verify an email address", + "privilege": "VerifyEmailAddress", "resource_types": [ { "condition_keys": [], @@ -131041,9 +160822,9 @@ ] }, { - "access_level": "List", - "description": "Returns a list of all of the email identities that are associated with your Amazon Pinpoint account", - "privilege": "ListEmailIdentities", + "access_level": "Write", + "description": "Grants permission to verify an email identity", + "privilege": "VerifyEmailIdentity", "resource_types": [ { "condition_keys": [], 
@@ -131051,53 +160832,106 @@ "resource_type": "" } ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}", + "condition_keys": [], + "resource": "configuration-set" + }, + { + "arn": "arn:${Partition}:ses:${Region}:${Account}:custom-verification-email-template/${TemplateName}", + "condition_keys": [], + "resource": "custom-verification-email-template" + }, + { + "arn": "arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName}", + "condition_keys": [], + "resource": "identity" + }, + { + "arn": "arn:${Partition}:ses:${Region}:${Account}:template/${TemplateName}", + "condition_keys": [], + "resource": "template" + } + ], + "service_name": "Amazon SES" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "ses:FeedbackAddress", + "description": "Filters actions based on the \"Return-Path\" address, which specifies where bounces and complaints are sent by email feedback forwarding", + "type": "String" + }, + { + "condition": "ses:FromAddress", + "description": "Filters actions based on the \"From\" address of a message", + "type": "String" + }, + { + "condition": "ses:FromDisplayName", + "description": "Filters actions based on the \"From\" address that is used as the display name of a message", + "type": "String" }, { - "access_level": "Read", - "description": "Retrieve a list of the tags (keys and values) that are associated with a specific resource.", - "privilege": "ListTagsForResource", + "condition": "ses:Recipients", + 
"description": "Filters actions based on the recipient addresses of a message, which include the \"To\", \"CC\", and \"BCC\" addresses", + "type": "ArrayOfString" + } + ], + "prefix": "ses", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a new configuration set", + "privilege": "CreateConfigurationSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dedicated-ip-pool" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deliverability-test-report" + "resource_type": "configuration-set*" }, { - "condition_keys": [], + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "identity" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Enable or disable the automatic warm-up feature for dedicated IP addresses", - "privilege": "PutAccountDedicatedIpWarmupAttributes", + "description": "Grants permission to create a configuration set event destination", + "privilege": "CreateConfigurationSetEventDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Enable or disable the ability of your account to send email", - "privilege": "PutAccountSendingAttributes", - "resource_types": [ + "resource_type": "configuration-set*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } 
@@ -131105,140 +160939,171 @@ }, { "access_level": "Write", - "description": "Associate a configuration set with a dedicated IP pool", - "privilege": "PutConfigurationSetDeliveryOptions", + "description": "Grants permission to create a contact", + "privilege": "CreateContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" - } - ] - }, - { - "access_level": "Write", - "description": "Enable or disable collection of reputation metrics for emails that you send using a particular configuration set in a specific AWS Region", - "privilege": "PutConfigurationSetReputationOptions", - "resource_types": [ + "resource_type": "contact-list*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Enable or disable email sending for messages that use a particular configuration set in a specific AWS Region", - "privilege": "PutConfigurationSetSendingOptions", + "description": "Grants permission to create a contact list", + "privilege": "CreateContactList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "contact-list*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Specify a custom domain to use for open and click tracking elements in email that you send using Amazon Pinpoint", - "privilege": "PutConfigurationSetTrackingOptions", + "description": "Grants permission to create a new custom verification email template", + "privilege": "CreateCustomVerificationEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" + "resource_type": "custom-verification-email-template*" } 
] }, { "access_level": "Write", - "description": "Move a dedicated IP address to an existing dedicated IP pool", - "privilege": "PutDedicatedIpInPool", + "description": "Grants permission to create a new pool of dedicated IP addresses", + "privilege": "CreateDedicatedIpPool", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "dedicated-ip-pool*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Put Dedicated IP warm up attributes", - "privilege": "PutDedicatedIpWarmupAttributes", + "description": "Grants permission to create a new predictive inbox placement test", + "privilege": "CreateDeliverabilityTestReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Enable or disable the Deliverability dashboard", - "privilege": "PutDeliverabilityDashboardOption", + "description": "Grants permission to start the process of verifying an email identity", + "privilege": "CreateEmailIdentity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Used to enable or disable DKIM authentication for an email identity", - "privilege": "PutEmailIdentityDkimAttributes", + "access_level": "Permissions management", + "description": "Grants permission to create the specified sending authorization policy for the given identity", + "privilege": "CreateEmailIdentityPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "identity*" 
+ }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Used to enable or disable feedback forwarding for an identity", - "privilege": "PutEmailIdentityFeedbackAttributes", + "description": "Grants permission to create an email template", + "privilege": "CreateEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "template*" } ] }, { "access_level": "Write", - "description": "Used to enable or disable the custom Mail-From domain configuration for an email identity", - "privilege": "PutEmailIdentityMailFromAttributes", + "description": "Grants permission to creates an import job for a data destination", + "privilege": "CreateImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Sends an email message", - "privilege": "SendEmail", + "description": "Grants permission to delete an existing configuration set", + "privilege": "DeleteConfigurationSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "configuration-set*" }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -131246,34 +161111,18 @@ ] }, { - "access_level": "Tagging", - "description": "Add one or more tags (keys and values) to a specified resource.", - "privilege": "TagResource", + "access_level": "Write", + "description": "Grants permission to delete an event destination", + "privilege": "DeleteConfigurationSetEventDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dedicated-ip-pool" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deliverability-test-report" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity" + "resource_type": "configuration-set*" }, { "condition_keys": [ - "aws:TagKeys", - "aws:RequestTag/${TagKey}" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -131281,33 +161130,18 @@ ] }, { - "access_level": "Tagging", - "description": "Remove one or more tags (keys and values) from a specified resource.", - "privilege": "UntagResource", + "access_level": "Write", + "description": "Grants permission to delete a contact from a contact list", + "privilege": "DeleteContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "dedicated-ip-pool" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "deliverability-test-report" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "identity" + "resource_type": "contact-list*" }, { "condition_keys": [ - "aws:TagKeys" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -131316,86 +161150,18 @@ }, { "access_level": "Write", - "description": "Update the configuration of an event destination for a configuration set", - "privilege": "UpdateConfigurationSetEventDestination", + "description": "Grants permission to delete a contact list with all of its contacts", + "privilege": "DeleteContactList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "configuration-set*" - } - ] - } - ], - "resources": [ - { - "arn": "arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "configuration-set" - }, - { - "arn": "arn:${Partition}:ses:${Region}:${Account}:dedicated-ip-pool/${CustomVerificationEmailTemplateName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "dedicated-ip-pool" - }, - { - "arn": "arn:${Partition}:ses:${Region}:${Account}:deliverability-test-report/${CustomVerificationEmailTemplateName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "deliverability-test-report" - }, - { - "arn": "arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}:event-destination/${EventDestinationName}", - "condition_keys": [], - "resource": "event-destination" - }, - { - "arn": "arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName}", - "condition_keys": [ - "aws:ResourceTag/${TagKey}" - ], - "resource": "identity" - } - ], - "service_name": "Amazon Pinpoint Email Service" - }, - { - "conditions": [ - { - "condition": "ses:FeedbackAddress", - "description": "The \"Return-Path\" address, which specifies where bounces and complaints are sent by email feedback forwarding.", - "type": "String" - }, - { - "condition": "ses:FromAddress", - "description": "The \"From\" address of a message.", - "type": "String" - }, - { - "condition": "ses:FromDisplayName", - "description": "The \"From\" address that is used as the display name of 
a message.", - "type": "String" - }, - { - "condition": "ses:Recipients", - "description": "The recipient addresses of a message, which include the \"To\", \"CC\", and \"BCC\" addresses.", - "type": "String" - } - ], - "prefix": "ses", - "privileges": [ - { - "access_level": "Write", - "description": "Creates a receipt rule set by cloning an existing one", - "privilege": "CloneReceiptRuleSet", - "resource_types": [ + "resource_type": "contact-list*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -131403,35 +161169,30 @@ }, { "access_level": "Write", - "description": "Creates a new configuration set", - "privilege": "CreateConfigurationSet", + "description": "Grants permission to delete an existing custom verification email template", + "privilege": "DeleteCustomVerificationEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "custom-verification-email-template*" } ] }, { "access_level": "Write", - "description": "Creates a configuration set event destination", - "privilege": "CreateConfigurationSetEventDestination", + "description": "Grants permission to delete a dedicated IP pool", + "privilege": "DeleteDedicatedIpPool", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates an association between a configuration set and a custom domain for open and click event tracking", - "privilege": "CreateConfigurationSetTrackingOptions", - "resource_types": [ + "resource_type": "dedicated-ip-pool*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } 
@@ -131439,56 +161200,58 @@ }, { "access_level": "Write", - "description": "Creates a new custom verification email template", - "privilege": "CreateCustomVerificationEmailTemplate", + "description": "Grants permission to delete an email identity", + "privilege": "DeleteEmailIdentity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Creates a new IP address filter", - "privilege": "CreateReceiptFilter", - "resource_types": [ + "resource_type": "identity*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Creates a receipt rule", - "privilege": "CreateReceiptRule", + "access_level": "Permissions management", + "description": "Grants permission to delete the specified sending authorization policy for the given identity (an email address or a domain)", + "privilege": "DeleteEmailIdentityPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates an empty receipt rule set", - "privilege": "CreateReceiptRuleSet", + "description": "Grants permission to delete an email template", + "privilege": "DeleteEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "template*" } ] }, { "access_level": "Write", - "description": "Creates an email template", - "privilege": "CreateTemplate", + "description": "Grants permission to remove an email address from the suppression list for your account", + "privilege": "DeleteSuppressedDestination", "resource_types": [ { "condition_keys": [], 
@@ -131498,9 +161261,9 @@ ] }, { - "access_level": "Write", - "description": "Deletes the configuration set", - "privilege": "DeleteConfigurationSet", + "access_level": "Read", + "description": "Grants permission to get information about the email-sending status and capabilities for your account", + "privilege": "GetAccount", "resource_types": [ { "condition_keys": [], @@ -131510,9 +161273,9 @@ ] }, { - "access_level": "Write", - "description": "Deletes a configuration set event destination", - "privilege": "DeleteConfigurationSetEventDestination", + "access_level": "Read", + "description": "Grants permission to retrieve a list of the deny lists on which your dedicated IP addresses or tracked domains appear", + "privilege": "GetBlacklistReports", "resource_types": [ { "condition_keys": [], 
@@ -131522,69 +161285,90 @@ ] }, { - "access_level": "Write", - "description": "Deletes an association between a configuration set and a custom domain for open and click event tracking", - "privilege": "DeleteConfigurationSetTrackingOptions", + "access_level": "Read", + "description": "Grants permission to get information about an existing configuration set", + "privilege": "GetConfigurationSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes an existing custom verification email template", - "privilege": "DeleteCustomVerificationEmailTemplate", + "access_level": "Read", + "description": "Grants permission to retrieve a list of event destinations that are associated with a configuration set", + "privilege": "GetConfigurationSetEventDestinations", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified identity (an email address or a domain) from the list of verified identities", - "privilege": "DeleteIdentity", + "access_level": "Read", + "description": "Grants permission to return a contact from a contact list", + "privilege": "GetContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "contact-list*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes the specified identity (an email address or a domain) from the list of verified identities", - "privilege": "DeleteIdentityPolicy", + "access_level": "Read", + "description": "Grants 
permission to return contact list metadata", + "privilege": "GetContactList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "contact-list*" } ] }, { - "access_level": "Write", - "description": "Deletes the specified IP address filter", - "privilege": "DeleteReceiptFilter", + "access_level": "Read", + "description": "Grants permission to return the custom email verification template for the template name you specify", + "privilege": "GetCustomVerificationEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "custom-verification-email-template*" } ] }, { - "access_level": "Write", - "description": "Deletes the specified receipt rule", - "privilege": "DeleteReceiptRule", + "access_level": "Read", + "description": "Grants permission to get information about a dedicated IP address", + "privilege": "GetDedicatedIp", "resource_types": [ { "condition_keys": [], @@ -131594,21 +161378,28 @@ ] }, { - "access_level": "Write", - "description": "Deletes the specified receipt rule set and all of the receipt rules it contains", - "privilege": "DeleteReceiptRuleSet", + "access_level": "Read", + "description": "Grants permission to list the dedicated IP addresses a dedicated IP pool", + "privilege": "GetDedicatedIps", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "dedicated-ip-pool*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Deletes an email template", - "privilege": "DeleteTemplate", + "access_level": "Read", + "description": "Grants permission to get the status of the Deliverability dashboard", + "privilege": "GetDeliverabilityDashboardOptions", "resource_types": [ { "condition_keys": [], 
@@ -131618,21 +161409,28 @@ ] }, { - "access_level": "Write", - "description": "Deletes the specified email address from the list of verified addresses", - "privilege": "DeleteVerifiedEmailAddress", + "access_level": "Read", + "description": "Grants permission to retrieve the results of a predictive inbox placement test", + "privilege": "GetDeliverabilityTestReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "deliverability-test-report*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns the metadata and receipt rules for the receipt rule set that is currently active", - "privilege": "DescribeActiveReceiptRuleSet", + "description": "Grants permission to retrieve all the deliverability data for a specific campaign", + "privilege": "GetDomainDeliverabilityCampaign", "resource_types": [ { "condition_keys": [], 
@@ -131643,68 +161441,89 @@ }, { "access_level": "Read", - "description": "Returns the details of the specified configuration set", - "privilege": "DescribeConfigurationSet", + "description": "Grants permission to retrieve inbox placement and engagement rates for the domains that you use to send email", + "privilege": "GetDomainStatisticsReport", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns the details of the specified receipt rule", - "privilege": "DescribeReceiptRule", + "description": "Grants permission to get information about a specific identity", + "privilege": "GetEmailIdentity", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns the details of the specified receipt rule set", - "privilege": "DescribeReceiptRuleSet", + "description": "Grants permission to return the requested sending authorization policies for the given identity (an email address or a domain)", + "privilege": "GetEmailIdentityPolicies", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Read", - "description": "Returns the email sending status of the Amazon SES account for the current region", - "privilege": "GetAccountSendingEnabled", + "description": "Grants permission to return the template object, which includes the subject line, HTML part, and text part for the template you specify", + "privilege": "GetEmailTemplate", "resource_types": [ { "condition_keys": [], 
"dependent_actions": [], - "resource_type": "" + "resource_type": "template*" } ] }, { "access_level": "Read", - "description": "Returns the custom email verification template for the template name you specify", - "privilege": "GetCustomVerificationEmailTemplate", + "description": "Grants permission to provide information about an import job", + "privilege": "GetImportJob", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "import-job*" } ] }, { "access_level": "Read", - "description": "Returns the current status of Easy DKIM signing for an entity", - "privilege": "GetIdentityDkimAttributes", + "description": "Grants permission to retrieve information about a specific email address that's on the suppression list for your account", + "privilege": "GetSuppressedDestination", "resource_types": [ { "condition_keys": [], @@ -131714,9 +161533,9 @@ ] }, { - "access_level": "Read", - "description": "Returns the custom MAIL FROM attributes for a list of identities (email addresses and/or domains)", - "privilege": "GetIdentityMailFromDomainAttributes", + "access_level": "List", + "description": "Grants permission to list all of the configuration sets for your account", + "privilege": "ListConfigurationSets", "resource_types": [ { "condition_keys": [], @@ -131726,9 +161545,9 @@ ] }, { - "access_level": "Read", - "description": "Given a list of verified identities (email addresses and/or domains), returns a structure describing identity notification attributes", - "privilege": "GetIdentityNotificationAttributes", + "access_level": "List", + "description": "Grants permission to list all of the contact lists available for your account", + "privilege": "ListContactLists", "resource_types": [ { "condition_keys": [], 
@@ -131738,21 +161557,21 @@ ] }, { - "access_level": "Read", - "description": "Returns the requested sending authorization policies for the given identity (an email address or a domain)", - "privilege": "GetIdentityPolicies", + "access_level": "List", + "description": "Grants permission to list the contacts present in a specific contact list", + "privilege": "ListContacts", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "contact-list*" } ] }, { - "access_level": "Read", - "description": "Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity", - "privilege": "GetIdentityVerificationAttributes", + "access_level": "List", + "description": "Grants permission to list all of the existing custom verification email templates for your account", + "privilege": "ListCustomVerificationEmailTemplates", "resource_types": [ { "condition_keys": [], @@ -131762,9 +161581,9 @@ ] }, { - "access_level": "Read", - "description": "Returns the user's current sending limits", - "privilege": "GetSendQuota", + "access_level": "List", + "description": "Grants permission to list all of the dedicated IP pools for your account", + "privilege": "ListDedicatedIpPools", "resource_types": [ { "condition_keys": [], @@ -131774,9 +161593,9 @@ ] }, { - "access_level": "Read", - "description": "Returns the user's sending statistics. The result is a list of data points, representing the last two weeks of sending activity", - "privilege": "GetSendStatistics", + "access_level": "List", + "description": "Grants permission to retrieve the list of the predictive inbox placement tests that you've performed, regardless of their statuses, for your account", + "privilege": "ListDeliverabilityTestReports", "resource_types": [ { "condition_keys": [], 
@@ -131787,8 +161606,8 @@ }, { "access_level": "Read", - "description": "Returns the template object (which includes the Subject line, HTML part and text part) for the template you specify", - "privilege": "GetTemplate", + "description": "Grants permission to list deliverability data for campaigns that used a specific domain to send email during a specified time range", + "privilege": "ListDomainDeliverabilityCampaigns", "resource_types": [ { "condition_keys": [], @@ -131799,8 +161618,8 @@ }, { "access_level": "List", - "description": "Returns a list of the configuration sets associated with your Amazon SES account in the current AWS Region", - "privilege": "ListConfigurationSets", + "description": "Grants permission to list the email identities for your account", + "privilege": "ListEmailIdentities", "resource_types": [ { "condition_keys": [], @@ -131811,8 +161630,8 @@ }, { "access_level": "List", - "description": "Lists the existing custom verification email templates for your account in the current AWS Region", - "privilege": "ListCustomVerificationEmailTemplates", + "description": "Grants permission to list all of the email templates for your account", + "privilege": "ListEmailTemplates", "resource_types": [ { "condition_keys": [], @@ -131823,8 +161642,8 @@ }, { "access_level": "List", - "description": "Returns a list containing all of the identities (email addresses and domains) for your AWS account, regardless of verification status", - "privilege": "ListIdentities", + "description": "Grants permission to list all of the import jobs for your account", + "privilege": "ListImportJobs", "resource_types": [ { "condition_keys": [], 
@@ -131834,9 +161653,9 @@ ] }, { - "access_level": "List", - "description": "Returns a list of sending authorization policies that are attached to the given identity (an email address or a domain)", - "privilege": "ListIdentityPolicies", + "access_level": "Read", + "description": "Grants permission to list email addresses that are on the suppression list for your account", + "privilege": "ListSuppressedDestinations", "resource_types": [ { "condition_keys": [], @@ -131846,33 +161665,41 @@ ] }, { - "access_level": "List", - "description": "Lists the IP address filters associated with your AWS account", - "privilege": "ListReceiptFilters", + "access_level": "Read", + "description": "Grants permission to retrieve a list of the tags (keys and values) that are associated with a specific resource for your account", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "List", - "description": "Lists the receipt rule sets that exist under your AWS account", - "privilege": "ListReceiptRuleSets", - "resource_types": [ + "resource_type": "configuration-set" + }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "contact-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dedicated-ip-pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deliverability-test-report" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity" } ] }, { - "access_level": "List", - "description": "Lists the email templates present in your Amazon SES account in the current AWS Region", - "privilege": "ListTemplates", + "access_level": "Write", + "description": "Grants permission to enable or disable the automatic warm-up feature for dedicated IP addresses", + "privilege": "PutAccountDedicatedIpWarmupAttributes", "resource_types": [ { "condition_keys": [], 
@@ -131882,9 +161709,9 @@ ] }, { - "access_level": "List", - "description": "Returns a list containing all of the email addresses that have been verified", - "privilege": "ListVerifiedEmailAddresses", + "access_level": "Write", + "description": "Grants permission to update your account details", + "privilege": "PutAccountDetails", "resource_types": [ { "condition_keys": [], @@ -131895,8 +161722,8 @@ }, { "access_level": "Write", - "description": "Adds or updates a sending authorization policy for the specified identity (an email address or a domain)", - "privilege": "PutIdentityPolicy", + "description": "Grants permission to enable or disable the ability to send email for your account", + "privilege": "PutAccountSendingAttributes", "resource_types": [ { "condition_keys": [], @@ -131907,8 +161734,8 @@ }, { "access_level": "Write", - "description": "Reorders the receipt rules within a receipt rule set", - "privilege": "ReorderReceiptRuleSet", + "description": "Grants permission to change the settings for the account-level suppression list", + "privilege": "PutAccountSuppressionAttributes", "resource_types": [ { "condition_keys": [], @@ -131919,12 +161746,17 @@ }, { "access_level": "Write", - "description": "Generates and sends a bounce message to the sender of an email you received through Amazon SES", - "privilege": "SendBounce", + "description": "Grants permission to associate a configuration set with a dedicated IP pool", + "privilege": "PutConfigurationSetDeliveryOptions", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set*" + }, { "condition_keys": [ - "ses:FromAddress" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -131933,20 +161765,17 @@ }, { "access_level": "Write", - "description": "Composes an email message to multiple destinations", - "privilege": "SendBulkTemplatedEmail", + "description": "Grants permission to enable or disable collection of reputation metrics for emails that you send using a particular configuration set", + "privilege": "PutConfigurationSetReputationOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "configuration-set*" }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -131955,20 +161784,17 @@ }, { "access_level": "Write", - "description": "Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it", - "privilege": "SendCustomVerificationEmail", + "description": "Grants permission to enable or disable email sending for messages that use a particular configuration set", + "privilege": "PutConfigurationSetSendingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "configuration-set*" }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -131977,20 +161803,17 @@ }, { "access_level": "Write", - "description": "Composes an email message based on input data, and then immediately queues the message for sending", - "privilege": "SendEmail", + "description": "Grants permission to specify the account suppression list preferences for a particular configuration set", + "privilege": "PutConfigurationSetSuppressionOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "configuration-set*" }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -131999,20 +161822,17 @@ }, { "access_level": "Write", - "description": "Sends an email message, with header and content specified by the client", - "privilege": "SendRawEmail", + "description": "Grants permission to specify a custom domain to use for open and click tracking elements in email that you send for a particular configuration set", + "privilege": "PutConfigurationSetTrackingOptions", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "configuration-set*" }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" 
@@ -132021,20 +161841,17 @@ }, { "access_level": "Write", - "description": "Composes an email message using an email template and immediately queues it for sending", - "privilege": "SendTemplatedEmail", + "description": "Grants permission to move a dedicated IP address to an existing dedicated IP pool", + "privilege": "PutDedicatedIpInPool", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "identity*" + "resource_type": "dedicated-ip-pool*" }, { "condition_keys": [ - "ses:FeedbackAddress", - "ses:FromAddress", - "ses:FromDisplayName", - "ses:Recipients" + "aws:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "" @@ -132043,8 +161860,8 @@ }, { "access_level": "Write", - "description": "Sets the specified receipt rule set as the active receipt rule set", - "privilege": "SetActiveReceiptRuleSet", + "description": "Grants permission to put Dedicated IP warm up attributes", + "privilege": "PutDedicatedIpWarmupAttributes", "resource_types": [ { "condition_keys": [], @@ -132055,8 +161872,8 @@ }, { "access_level": "Write", - "description": "Enables or disables Easy DKIM signing of email sent from an identity", - "privilege": "SetIdentityDkimEnabled", + "description": "Grants permission to enable or disable the Deliverability dashboard", + "privilege": "PutDeliverabilityDashboardOption", "resource_types": [ { "condition_keys": [], 
@@ -132067,68 +161884,108 @@ }, { "access_level": "Write", - "description": "Given an identity (an email address or a domain), enables or disables whether Amazon SES forwards bounce and complaint notifications as email", - "privilege": "SetIdentityFeedbackForwardingEnabled", + "description": "Grants permission to associate a configuration set with an email identity", + "privilege": "PutEmailIdentityConfigurationSetAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Given an identity (an email address or a domain), sets whether Amazon SES includes the original email headers in the Amazon Simple Notification Service (Amazon SNS) notifications of a specified type", - "privilege": "SetIdentityHeadersInNotificationsEnabled", + "description": "Grants permission to enable or disable DKIM authentication for an email identity", + "privilege": "PutEmailIdentityDkimAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Enables or disables the custom MAIL FROM domain setup for a verified identity (an email address or a domain)", - "privilege": "SetIdentityMailFromDomain", + "description": "Grants permission to configure or change the DKIM authentication settings for an email domain identity", + "privilege": "PutEmailIdentityDkimSigningAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], 
"resource_type": "" } ] }, { "access_level": "Write", - "description": "Given an identity (an email address or a domain), sets the Amazon Simple Notification Service (Amazon SNS) topic to which Amazon SES will publish bounce, complaint, and/or delivery notifications for emails sent with that identity as the Source", - "privilege": "SetIdentityNotificationTopic", + "description": "Grants permission to enable or disable feedback forwarding for an email identity", + "privilege": "PutEmailIdentityFeedbackAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Sets the position of the specified receipt rule in the receipt rule set", - "privilege": "SetReceiptRulePosition", + "description": "Grants permission to enable or disable the custom MAIL FROM domain configuration for an email identity", + "privilege": "PutEmailIdentityMailFromAttributes", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Creates a preview of the MIME content of an email when provided with a template and a set of replacement data", - "privilege": "TestRenderTemplate", + "description": "Grants permission to add an email address to the suppression list", + "privilege": "PutSuppressedDestination", "resource_types": [ { "condition_keys": [], 
@@ -132139,145 +161996,258 @@ }, { "access_level": "Write", - "description": "Enables or disables email sending across your entire Amazon SES account in the current AWS Region", - "privilege": "UpdateAccountSendingEnabled", + "description": "Grants permission to compose an email message to multiple destinations", + "privilege": "SendBulkEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" } ] }, { "access_level": "Write", - "description": "Updates the event destination of a configuration set", - "privilege": "UpdateConfigurationSetEventDestination", + "description": "Grants permission to add an email address to the list of identities and attempts to verify it", + "privilege": "SendCustomVerificationEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "custom-verification-email-template*" } ] }, { "access_level": "Write", - "description": "Enables or disables the publishing of reputation metrics for emails sent using a specific configuration set in a given AWS Region", - "privilege": "UpdateConfigurationSetReputationMetricsEnabled", + "description": "Grants permission to send an email message", + "privilege": "SendEmail", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "template" + }, + { + "condition_keys": [ + "ses:FeedbackAddress", + "ses:FromAddress", + "ses:FromDisplayName", + "ses:Recipients" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Write", - "description": "Enables or 
disables email sending for messages sent using a specific configuration set in a given AWS Region", - "privilege": "UpdateConfigurationSetSendingEnabled", + "access_level": "Tagging", + "description": "Grants permission to add one or more tags (keys and values) to a specified resource", + "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dedicated-ip-pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deliverability-test-report" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Modifies an association between a configuration set and a custom domain for open and click event tracking", - "privilege": "UpdateConfigurationSetTrackingOptions", + "description": "Grants permission to create a preview of the MIME content of an email when provided with a template and a set of replacement data", + "privilege": "TestRenderEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "template*" } ] }, { - "access_level": "Write", - "description": "Updates an existing custom verification email template", - "privilege": "UpdateCustomVerificationEmailTemplate", + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags (keys and values) from a specified resource", + "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"contact-list" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dedicated-ip-pool" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deliverability-test-report" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "identity" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates a receipt rule", - "privilege": "UpdateReceiptRule", + "description": "Grants permission to update the configuration of an event destination for a configuration set", + "privilege": "UpdateConfigurationSetEventDestination", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "configuration-set*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { "access_level": "Write", - "description": "Updates an email template", - "privilege": "UpdateTemplate", + "description": "Grants permission to update a contact's preferences for a list", + "privilege": "UpdateContact", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "contact-list*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Returns a set of DKIM tokens for a domain", - "privilege": "VerifyDomainDkim", + "access_level": "Write", + "description": "Grants permission to update contact list metadata", + "privilege": "UpdateContactList", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "contact-list*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Verifies a domain", - "privilege": "VerifyDomainIdentity", + "access_level": "Write", + "description": 
"Grants permission to update an existing custom verification email template", + "privilege": "UpdateCustomVerificationEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "custom-verification-email-template*" } ] }, { - "access_level": "Read", - "description": "Verifies an email address. This action causes a confirmation email message to be sent to the specified address. This action is throttled at one request per second", - "privilege": "VerifyEmailAddress", + "access_level": "Permissions management", + "description": "Grants permission to update the specified sending authorization policy for the given identity (an email address or a domain)", + "privilege": "UpdateEmailIdentityPolicy", "resource_types": [ { "condition_keys": [], "dependent_actions": [], + "resource_type": "identity*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], "resource_type": "" } ] }, { - "access_level": "Read", - "description": "Verifies an email address. This action causes a confirmation email message to be sent to the specified address. This action is throttled at one request per second", - "privilege": "VerifyEmailIdentity", + "access_level": "Write", + "description": "Grants permission to update an email template", + "privilege": "UpdateEmailTemplate", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "template*" } ] } 
@@ -132285,38 +162255,48 @@ "resources": [ { "arn": "arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "configuration-set" }, { - "arn": "arn:${Partition}:ses:${Region}:${Account}:custom-verification-email-template/${CustomVerificationEmailTemplateName}", - "condition_keys": [], - "resource": "custom-verification-email-template" + "arn": "arn:${Partition}:ses:${Region}:${Account}:contact-list/${ContactListName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "contact-list" }, { - "arn": "arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}:event-destination/${EventDestinationName}", + "arn": "arn:${Partition}:ses:${Region}:${Account}:custom-verification-email-template/${TemplateName}", "condition_keys": [], - "resource": "event-destination" + "resource": "custom-verification-email-template" }, { - "arn": "arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName}", - "condition_keys": [], - "resource": "identity" + "arn": "arn:${Partition}:ses:${Region}:${Account}:dedicated-ip-pool/${DedicatedIPPool}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dedicated-ip-pool" }, { - "arn": "arn:${Partition}:ses:${Region}:${Account}:receipt-filter/${ReceiptFilterName}", - "condition_keys": [], - "resource": "receipt-filter" + "arn": "arn:${Partition}:ses:${Region}:${Account}:deliverability-test-report/${ReportId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deliverability-test-report" }, { - "arn": "arn:${Partition}:ses:${Region}:${Account}:receipt-rule-set/${ReceiptRuleSetName}:receipt-rule/${ReceiptRuleName}", - "condition_keys": [], - "resource": "receipt-rule" + "arn": "arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "identity" }, { - 
"arn": "arn:${Partition}:ses:${Region}:${Account}:receipt-rule-set/${ReceiptRuleSetName}", + "arn": "arn:${Partition}:ses:${Region}:${Account}:import-job/${ImportJobId}", "condition_keys": [], - "resource": "receipt-rule-set" + "resource": "import-job" }, { "arn": "arn:${Partition}:ses:${Region}:${Account}:template/${TemplateName}", @@ -132324,15 +162304,31 @@ "resource": "template" } ], - "service_name": "Amazon SES" + "service_name": "Amazon Simple Email Service v2" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], "prefix": "shield", "privileges": [ { "access_level": "Write", - "description": "Authorizes the DDoS Response team to access the specified Amazon S3 bucket containing your flow logs", + "description": "Grants permission to authorize the DDoS Response team to access the specified Amazon S3 bucket containing your flow logs", "privilege": "AssociateDRTLogBucket", "resource_types": [ { @@ -132347,7 +162343,7 @@ }, { "access_level": "Write", - "description": "Authorizes the DDoS Response team using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks", + "description": "Grants permission to authorize the DDoS Response team using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks", "privilege": "AssociateDRTRole", "resource_types": [ { 
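Review bot: The `service_name` change from `"Amazon SES"` to `"Amazon Simple Email Service v2"` rewrites the existing service entry instead of adding a second one, and the preceding hunks drop the classic privileges (`VerifyEmailIdentity`, `VerifyDomainDkim`, `UpdateReceiptRule`, …) and the `receipt-rule`/`receipt-filter` resources from it. Both APIs appear to share the `ses` ARN namespace, so unless the classic actions survive elsewhere in the file (not visible in these hunks), the linter will stop recognising them and will misreport policies that still grant them. Since this file looks generated, the fix belongs in the generator: merge the privileges and resources of entries that share a prefix rather than letting the later one overwrite the earlier, and add a regression test that a classic action such as `ses:VerifyEmailIdentity` still resolves. The privileges hunk starts outside the visible range, so the full list of dropped actions should be checked against the previous release.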
@@ -132363,19 +162359,70 @@ }, { "access_level": "Write", - "description": "Activate DDoS protection service for a given resource ARN", - "privilege": "CreateProtection", + "description": "Grants permission to add health-based detection to the Shield Advanced protection for a resource", + "privilege": "AssociateHealthCheck", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "route53:GetHealthCheck" + ], "resource_type": "protection*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to initialize proactive engagement and set the list of contacts for the DDoS Response Team (DRT) to use", + "privilege": "AssociateProactiveEngagementDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate DDoS protection service for a given resource ARN", + "privilege": "CreateProtection", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Activate subscription", + "description": "Grants permission to create a grouping of protected resources so they can be handled as a collective", + "privilege": "CreateProtectionGroup", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate subscription", "privilege": "CreateSubscription", "resource_types": [ { 
@@ -132387,19 +162434,45 @@ }, { "access_level": "Write", - "description": "Delete an existing protection", + "description": "Grants permission to delete an existing protection", "privilege": "DeleteProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "protection*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the specified protection group", + "privilege": "DeleteProtectionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection-group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Deactivate subscription", + "description": "Grants permission to deactivate subscription", "privilege": "DeleteSubscription", "resource_types": [ { @@ -132411,7 +162484,7 @@ }, { "access_level": "Read", - "description": "Get attack details", + "description": "Grants permission to get attack details", "privilege": "DescribeAttack", "resource_types": [ { 
@@ -132423,7 +162496,19 @@ }, { "access_level": "Read", - "description": "Returns the current role and list of Amazon S3 log buckets used by the DDoS Response team to access your AWS account while assisting with attack mitigation", + "description": "Grants permission to describe information about the number and type of attacks AWS Shield has detected in the last year", + "privilege": "DescribeAttackStatistics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the current role and list of Amazon S3 log buckets used by the DDoS Response team to access your AWS account while assisting with attack mitigation", "privilege": "DescribeDRTAccess", "resource_types": [ { @@ -132435,7 +162520,7 @@ }, { "access_level": "Read", - "description": "Lists the email addresses that the DRT can use to contact you during a suspected attack", + "description": "Grants permission to list the email addresses that the DRT can use to contact you during a suspected attack", "privilege": "DescribeEmergencyContactSettings", "resource_types": [ { 
@@ -132447,19 +162532,45 @@ }, { "access_level": "Read", - "description": "Get protection details", + "description": "Grants permission to get protection details", "privilege": "DescribeProtection", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "protection*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the specification for the specified protection group", + "privilege": "DescribeProtectionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection-group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Read", - "description": "Get subscription details, such as start time", + "description": "Grants permission to get subscription details, such as start time", "privilege": "DescribeSubscription", "resource_types": [ { @@ -132471,7 +162582,19 @@ }, { "access_level": "Write", - "description": "Removes the DDoS Response team's access to the specified Amazon S3 bucket containing your flow logs", + "description": "Grants permission to remove authorization from the DDoS Response Team (DRT) to notify contacts about escalations", + "privilege": "DisableProactiveEngagement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the DDoS Response team's access to the specified Amazon S3 bucket containing your flow logs", "privilege": "DisassociateDRTLogBucket", "resource_types": [ { 
@@ -132487,7 +162610,7 @@ }, { "access_level": "Write", - "description": "Removes the DDoS Response team's access to your AWS account", + "description": "Grants permission to remove the DDoS Response team's access to your AWS account", "privilege": "DisassociateDRTRole", "resource_types": [ { @@ -132497,9 +162620,40 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove health-based detection from the Shield Advanced protection for a resource", + "privilege": "DisassociateHealthCheck", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to authorize the DDoS Response Team (DRT) to use email and phone to notify contacts about escalations", + "privilege": "EnableProactiveEngagement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Get subscription state", + "description": "Grants permission to get subscription state", "privilege": "GetSubscriptionState", "resource_types": [ { @@ -132511,7 +162665,7 @@ }, { "access_level": "List", - "description": "List all existing attacks", + "description": "Grants permission to list all existing attacks", "privilege": "ListAttacks", "resource_types": [ { @@ -132523,7 +162677,19 @@ }, { "access_level": "List", - "description": "List all existing protections", + "description": "Grants permission to retrieve the protection groups for the account", + "privilege": "ListProtectionGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all existing protections", "privilege": "ListProtections", "resource_types": [ { 
@@ -132533,9 +162699,88 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to retrieve the resources that are included in the protection group", + "privilege": "ListResourcesInProtectionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection-group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get information about AWS tags for a specified Amazon Resource Name (ARN) in AWS Shield", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection-group" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add or updates tags for a resource in AWS Shield", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection-group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource in AWS Shield", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection-group" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Updates the details of the list of email addresses that the DRT can use to contact you during a suspected attack", + "description": "Grants permission to update the details of the list 
of email addresses that the DRT can use to contact you during a suspected attack", "privilege": "UpdateEmergencyContactSettings", "resource_types": [ { @@ -132547,7 +162792,26 @@ }, { "access_level": "Write", - "description": "Updates the details of an existing subscription", + "description": "Grants permission to update an existing protection group", + "privilege": "UpdateProtectionGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "protection-group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the details of an existing subscription", "privilege": "UpdateSubscription", "resource_types": [ { @@ -132566,8 +162830,17 @@ }, { "arn": "arn:${Partition}:shield::${Account}:protection/${Id}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "protection" + }, + { + "arn": "arn:${Partition}:shield::${Account}:protection-group/${Id}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "protection-group" } ], "service_name": "AWS Shield" 
@@ -133646,6 +163919,233 @@ "resources": [], "service_name": "Amazon Pinpoint SMS and Voice Service" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "snow-device-management", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to cancel tasks on remote devices", + "privilege": "CancelTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create tasks on remote devices", + "privilege": "CreateTask", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a remotely-managed device", + "privilege": "DescribeDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managed-device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a remotely-managed device's EC2 instances", + "privilege": "DescribeDeviceEc2Instances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managed-device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe task executions", + "privilege": "DescribeExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + 
}, + { + "access_level": "Read", + "description": "Grants permission to describe a task", + "privilege": "DescribeTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list a remotely-managed device's resources", + "privilege": "ListDeviceResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managed-device*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list remotely-managed devices", + "privilege": "ListDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list task executions", + "privilege": "ListExecutions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags for a resource (device or task)", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tasks", + "privilege": "ListTasks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managed-device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + 
{ + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "managed-device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:snow-device-management:${Region}:${Account}:managed-device/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "managed-device" + }, + { + "arn": "arn:${Partition}:snow-device-management:${Region}:${Account}:task/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "task" + } + ], + "service_name": "AWS Snow Device Management" + }, { "conditions": [], "prefix": "snowball", @@ -133710,6 +164210,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to creates a LongTermPricingListEntry for allowing customers to add an upfront billing contract for a job", + "privilege": "CreateLongTermPricing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Creates a shipping label that will be used to return the Snow device to AWS.", + "privilege": "CreateReturnShippingLabel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Takes an AddressId and returns specific details about that address in the form of an Address object.", 
@@ -133758,6 +164282,18 @@ } ] }, + { + "access_level": "Read", + "description": "Information on the shipping label of a Snow device that is being returned to AWS.", + "privilege": "DescribeReturnShippingLabel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Returns a link to an Amazon S3 presigned URL for the manifest file associated with the specified JobId value.", @@ -133794,6 +164330,18 @@ } ] }, + { + "access_level": "Read", + "description": "Returns an Amazon S3 presigned URL for an update file associated with a specified JobId.", + "privilege": "GetSoftwareUpdates", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Returns an array of JobListEntry objects of the specified length.", @@ -133818,6 +164366,18 @@ } ] }, + { + "access_level": "List", + "description": "This action returns a list of the different Amazon EC2 Amazon Machine Images (AMIs) that are owned by your AWS account that would be supported for use on a Snow device.", + "privilege": "ListCompatibleImages", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Returns an array of JobListEntry objects of the specified length.", @@ -133830,6 +164390,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list LongTermPricingListEntry objects for the account making the request", + "privilege": "ListLongTermPricing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "While a cluster's ClusterState value is in the AwaitingQuorum state, you can update some of the information associated with a cluster.", 
@@ -133853,6 +164425,30 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Updates the state when a the shipment states changes to a different state.", + "privilege": "UpdateJobShipmentState", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a specific upfront billing contract for a job", + "privilege": "UpdateLongTermPricing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [], @@ -133862,22 +164458,22 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Tags from request", + "description": "Filters access baded on tags from request", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Tag keys from request", + "description": "Filters access baded on tag keys from request", "type": "String" }, { "condition": "sns:Endpoint", - "description": "The URL, email address, or ARN from a Subscribe request or a previously confirmed subscription.", + "description": "Filters access based on the URL, email address, or ARN from a Subscribe request or a previously confirmed subscription", "type": "String" }, { "condition": "sns:Protocol", - "description": "The protocol value from a Subscribe request or a previously confirmed subscription.", + "description": "Filters access based on the protocol value from a Subscribe request or a previously confirmed subscription", "type": "String" } ], 
@@ -133885,7 +164481,7 @@ "privileges": [ { "access_level": "Permissions management", - "description": "Adds a statement to a topic's access control policy, granting access for the specified AWS accounts to the specified actions.", + "description": "Grants permission to add a statement to a topic's access control policy, granting access for the specified AWS accounts to the specified actions", "privilege": "AddPermission", "resource_types": [ { @@ -133897,7 +164493,7 @@ }, { "access_level": "Read", - "description": "Accepts a phone number and indicates whether the phone holder has opted out of receiving SMS messages from your account.", + "description": "Grants permission to accept a phone number and indicate whether the phone holder has opted out of receiving SMS messages from your account", "privilege": "CheckIfPhoneNumberIsOptedOut", "resource_types": [ { @@ -133909,7 +164505,7 @@ }, { "access_level": "Write", - "description": "Verifies an endpoint owner's intent to receive messages by validating the token sent to the endpoint by an earlier Subscribe action.", + "description": "Grants permission to verify an endpoint owner's intent to receive messages by validating the token sent to the endpoint by an earlier Subscribe action", "privilege": "ConfirmSubscription", "resource_types": [ { @@ -133921,7 +164517,7 @@ }, { "access_level": "Write", - "description": "Creates a platform application object for one of the supported push notification services, such as APNS and GCM, to which devices and mobile apps may register.", + "description": "Grants permission to create a platform application object for one of the supported push notification services, such as APNS and GCM, to which devices and mobile apps may register", "privilege": "CreatePlatformApplication", "resource_types": [ { 
@@ -133935,7 +164531,7 @@ }, { "access_level": "Write", - "description": "Creates an endpoint for a device and mobile app on one of the supported push notification services, such as GCM and APNS.", + "description": "Grants permission to create an endpoint for a device and mobile app on one of the supported push notification services, such as GCM and APNS", "privilege": "CreatePlatformEndpoint", "resource_types": [ { @@ -133947,7 +164543,19 @@ }, { "access_level": "Write", - "description": "Creates a topic to which notifications can be published.", + "description": "Grants permission to add a destination phone number and send a one-time password (OTP) to that phone number for an AWS account", + "privilege": "CreateSMSSandboxPhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a topic to which notifications can be published", "privilege": "CreateTopic", "resource_types": [ { @@ -133961,7 +164569,7 @@ }, { "access_level": "Write", - "description": "Deletes the endpoint for a device and mobile app from Amazon SNS.", + "description": "Grants permission to delete the endpoint for a device and mobile app from Amazon SNS", "privilege": "DeleteEndpoint", "resource_types": [ { @@ -133973,7 +164581,7 @@ }, { "access_level": "Write", - "description": "Deletes a platform application object for one of the supported push notification services, such as APNS and GCM.", + "description": "Grants permission to delete a platform application object for one of the supported push notification services, such as APNS and GCM", "privilege": "DeletePlatformApplication", "resource_types": [ { 
@@ -133985,7 +164593,19 @@ }, { "access_level": "Write", - "description": "Deletes a topic and all its subscriptions.", + "description": "Grants permission to delete an AWS account's verified or pending phone number", + "privilege": "DeleteSMSSandboxPhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a topic and all its subscriptions", "privilege": "DeleteTopic", "resource_types": [ { @@ -133997,7 +164617,7 @@ }, { "access_level": "Read", - "description": "Retrieves the endpoint attributes for a device on one of the supported push notification services, such as GCM and APNS.", + "description": "Grants permission to retrieve the endpoint attributes for a device on one of the supported push notification services, such as GCM and APNS", "privilege": "GetEndpointAttributes", "resource_types": [ { @@ -134009,7 +164629,7 @@ }, { "access_level": "Read", - "description": "Retrieves the attributes of the platform application object for the supported push notification services, such as APNS and GCM.", + "description": "Grants permission to retrieve the attributes of the platform application object for the supported push notification services, such as APNS and GCM", "privilege": "GetPlatformApplicationAttributes", "resource_types": [ { @@ -134021,7 +164641,7 @@ }, { "access_level": "Read", - "description": "Returns the settings for sending SMS messages from your account.", + "description": "Grants permission to return the settings for sending SMS messages from your account", "privilege": "GetSMSAttributes", "resource_types": [ { 
@@ -134033,7 +164653,19 @@ }, { "access_level": "Read", - "description": "Returns all of the properties of a subscription.", + "description": "Grants permission to retrieve the sandbox status for the calling account in the target region", + "privilege": "GetSMSSandboxAccountStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return all of the properties of a subscription", "privilege": "GetSubscriptionAttributes", "resource_types": [ { @@ -134045,7 +164677,7 @@ }, { "access_level": "Read", - "description": "Returns all of the properties of a topic. Topic properties returned might differ based on the authorization of the user.", + "description": "Grants permission to return all of the properties of a topic", "privilege": "GetTopicAttributes", "resource_types": [ { @@ -134057,7 +164689,7 @@ }, { "access_level": "List", - "description": "Lists the endpoints and endpoint attributes for devices in a supported push notification service, such as GCM and APNS.", + "description": "Grants permission to list the endpoints and endpoint attributes for devices in a supported push notification service, such as GCM and APNS", "privilege": "ListEndpointsByPlatformApplication", "resource_types": [ { @@ -134067,9 +164699,21 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list all origination numbers, and their metadata", + "privilege": "ListOriginationNumbers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Returns a list of phone numbers that are opted out, meaning you cannot send SMS messages to them.", + "description": "Grants permission to return a list of phone numbers that are opted out, meaning you cannot send SMS messages to them", "privilege": "ListPhoneNumbersOptedOut", "resource_types": [ { 
@@ -134081,7 +164725,7 @@ }, { "access_level": "List", - "description": "Lists the platform application objects for the supported push notification services, such as APNS and GCM.", + "description": "Grants permission to list the platform application objects for the supported push notification services, such as APNS and GCM", "privilege": "ListPlatformApplications", "resource_types": [ { @@ -134093,7 +164737,19 @@ }, { "access_level": "List", - "description": "Returns a list of the requester's subscriptions.", + "description": "Grants permission to list the calling account's current pending and verified destination phone numbers", + "privilege": "ListSMSSandboxPhoneNumbers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of the requester's subscriptions", "privilege": "ListSubscriptions", "resource_types": [ { @@ -134105,7 +164761,7 @@ }, { "access_level": "List", - "description": "Returns a list of the subscriptions to a specific topic.", + "description": "Grants permission to return a list of the subscriptions to a specific topic", "privilege": "ListSubscriptionsByTopic", "resource_types": [ { @@ -134117,7 +164773,7 @@ }, { "access_level": "Read", - "description": "List all tags added to the specified Amazon SNS topic.", + "description": "Grants permission to list all tags added to the specified Amazon SNS topic", "privilege": "ListTagsForResource", "resource_types": [ { @@ -134129,7 +164785,7 @@ }, { "access_level": "List", - "description": "Returns a list of the requester's topics. Each call returns a limited list of topics, up to 100.", + "description": "Grants permission to return a list of the requester's topics", "privilege": "ListTopics", "resource_types": [ { 
@@ -134141,7 +164797,7 @@ }, { "access_level": "Write", - "description": "Opts in a phone number that is currently opted out, which enables you to resume sending SMS messages to the number.", + "description": "Grants permission to opt in a phone number that is currently opted out, which enables you to resume sending SMS messages to the number", "privilege": "OptInPhoneNumber", "resource_types": [ { @@ -134153,7 +164809,7 @@ }, { "access_level": "Write", - "description": "Sends a message to all of a topic's subscribed endpoints.", + "description": "Grants permission to send a message to all of a topic's subscribed endpoints", "privilege": "Publish", "resource_types": [ { @@ -134165,7 +164821,7 @@ }, { "access_level": "Permissions management", - "description": "Removes a statement from a topic's access control policy.", + "description": "Grants permission to remove a statement from a topic's access control policy", "privilege": "RemovePermission", "resource_types": [ { @@ -134177,7 +164833,7 @@ }, { "access_level": "Write", - "description": "Sets the attributes for an endpoint for a device on one of the supported push notification services, such as GCM and APNS.", + "description": "Grants permission to set the attributes for an endpoint for a device on one of the supported push notification services, such as GCM and APNS", "privilege": "SetEndpointAttributes", "resource_types": [ { @@ -134189,7 +164845,7 @@ }, { "access_level": "Write", - "description": "Sets the attributes of the platform application object for the supported push notification services, such as APNS and GCM.", + "description": "Grants permission to set the attributes of the platform application object for the supported push notification services, such as APNS and GCM", "privilege": "SetPlatformApplicationAttributes", "resource_types": [ { 
@@ -134203,7 +164859,7 @@ }, { "access_level": "Write", - "description": "Set the default settings for sending SMS messages and receiving daily SMS usage reports.", + "description": "Grants permission to set the default settings for sending SMS messages and receiving daily SMS usage reports", "privilege": "SetSMSAttributes", "resource_types": [ { @@ -134215,7 +164871,7 @@ }, { "access_level": "Write", - "description": "Allows a subscription owner to set an attribute of the topic to a new value.", + "description": "Grants permission to allow a subscription owner to set an attribute of the topic to a new value", "privilege": "SetSubscriptionAttributes", "resource_types": [ { @@ -134227,7 +164883,7 @@ }, { "access_level": "Write", - "description": "Allows a topic owner to set an attribute of the topic to a new value.", + "description": "Grants permission to allow a topic owner to set an attribute of the topic to a new value", "privilege": "SetTopicAttributes", "resource_types": [ { @@ -134241,7 +164897,7 @@ }, { "access_level": "Write", - "description": "Prepares to subscribe an endpoint by sending the endpoint a confirmation message.", + "description": "Grants permission to prepare to subscribe an endpoint by sending the endpoint a confirmation message", "privilege": "Subscribe", "resource_types": [ { @@ -134261,7 +164917,7 @@ }, { "access_level": "Tagging", - "description": "Add tags to the specified Amazon SNS topic.", + "description": "Grants permission to add tags to the specified Amazon SNS topic", "privilege": "TagResource", "resource_types": [ { @@ -134281,7 +164937,7 @@ }, { "access_level": "Write", - "description": "Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required.", + "description": "Grants permission to delete a subscription", "privilege": "Unsubscribe", "resource_types": [ { 
@@ -134293,7 +164949,7 @@ }, { "access_level": "Tagging", - "description": "Remove tags from the specified Amazon SNS topic.", + "description": "Grants permission to remove tags from the specified Amazon SNS topic", "privilege": "UntagResource", "resource_types": [ { @@ -134310,6 +164966,18 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to verify a destination phone number with a one-time password (OTP) for an AWS account", + "privilege": "VerifySMSSandboxPhoneNumber", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ 
@@ -134322,37 +164990,667 @@ "service_name": "Amazon SNS" }, { - "conditions": [], - "prefix": "sqs", + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "sqlworkbench", "privileges": [ { - "access_level": "Permissions management", - "description": "Adds a permission to a queue for a specific principal.", - "privilege": "AddPermission", + "access_level": "Write", + "description": "", + "privilege": "AssociateConnectionWithChart", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "queue*" + "resource_type": "chart*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" } ] }, { "access_level": "Write", - "description": "Changes the visibility timeout of a specified message in a queue to a new value.", - "privilege": "ChangeMessageVisibility", + "description": "", + "privilege": "AssociateConnectionWithTab", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "queue*" + "resource_type": "connection*" + } + ] + }, + { + "access_level": "Write", + "description": "", + "privilege": "AssociateQueryWithTab", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete folders on your account", + "privilege": "BatchDeleteFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants 
permission to create SQLWorkbench account", + "privilege": "CreateAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create new saved chart on your account", + "privilege": "CreateChart", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new connection on your account", + "privilege": "CreateConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create folder on your account", + "privilege": "CreateFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new saved query on your account", + "privilege": "CreateSavedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove charts on your account", + "privilege": "DeleteChart", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove connections on your account", + "privilege": 
"DeleteConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove saved queries on your account", + "privilege": "DeleteSavedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a tab on your account", + "privilege": "DeleteTab", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to execute a query in your redshift cluster", + "privilege": "DriverExecute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to generate a new session on your account", + "privilege": "GenerateSession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get account info", + "privilege": "GetAccountInfo", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get charts on your account", + "privilege": "GetChart", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get connections on your account", + "privilege": "GetConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe KMS Keys", + 
"privilege": "GetKMSKey", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get saved query on your account", + "privilege": "GetSavedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get user info", + "privilege": "GetUserInfo", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get workspace settings on your account", + "privilege": "GetUserWorkspaceSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list buckets", + "privilege": "ListBuckets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the connections on your account", + "privilege": "ListConnections", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list databases of your redshift cluster", + "privilege": "ListDatabases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list files and folders", + "privilege": "ListFiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list KMS Key Aliases", + "privilege": "ListKMSKeyAliases", + "resource_types": 
[ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list KMS Keys", + "privilege": "ListKMSKeys", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list redshift clusters on your account", + "privilege": "ListRedshiftClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list sample databases", + "privilege": "ListSampleDatabases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list versions of saved query on your account", + "privilege": "ListSavedQueryVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tabs on your account", + "privilege": "ListTabs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags of an sqlworkbench resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create or update a tab on your account", + "privilege": "PutTab", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update workspace settings on your account", + "privilege": "PutUserWorkspaceSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag an sqlworkbench resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag an sqlworkbench resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a chart on your account", + "privilege": "UpdateChart", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Changes the visibility timeout of multiple messages.", - "privilege": "ChangeMessageVisibilityBatch", + "description": "Grants permission to update a 
connection on your account", + "privilege": "UpdateConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to move files on your account", + "privilege": "UpdateFileFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "chart" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a folder's name and details on your account", + "privilege": "UpdateFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a saved query on your account", + "privilege": "UpdateSavedQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "query*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:sqlworkbench:${Region}:${Account}:connection/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connection" + }, + { + "arn": "arn:${Partition}:sqlworkbench:${Region}:${Account}:query/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "query" + }, + { + "arn": "arn:${Partition}:sqlworkbench:${Region}:${Account}:chart/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "chart" + } + ], + "service_name": "AWS SQL Workbench" + }, + { + "conditions": [], + "prefix": "sqs", + "privileges": [ + { + "access_level": 
"Permissions management", + "description": "Grants permission to a queue for a specific principal", + "privilege": "AddPermission", "resource_types": [ { "condition_keys": [], @@ -134363,8 +165661,8 @@ }, { "access_level": "Write", - "description": "Creates a new queue, or returns the URL of an existing one.", - "privilege": "CreateQueue", + "description": "Grants permission to change the visibility timeout of a specified message in a queue to a new value", + "privilege": "ChangeMessageVisibility", "resource_types": [ { "condition_keys": [], @@ -134375,8 +165673,8 @@ }, { "access_level": "Write", - "description": "Deletes the specified message from the specified queue.", - "privilege": "DeleteMessage", + "description": "Grants permission to create a new queue, or returns the URL of an existing one", + "privilege": "CreateQueue", "resource_types": [ { "condition_keys": [], @@ -134387,8 +165685,8 @@ }, { "access_level": "Write", - "description": "Deletes up to ten messages from the specified queue.", - "privilege": "DeleteMessageBatch", + "description": "Grants permission to delete the specified message from the specified queue", + "privilege": "DeleteMessage", "resource_types": [ { "condition_keys": [], @@ -134399,7 +165697,7 @@ }, { "access_level": "Write", - "description": "Deletes the queue specified by the queue URL, regardless of whether the queue is empty.", + "description": "Grants permission to delete the queue specified by the queue URL, regardless of whether the queue is empty", "privilege": "DeleteQueue", "resource_types": [ { @@ -134411,7 +165709,7 @@ }, { "access_level": "Read", - "description": "Gets attributes for the specified queue.", + "description": "Grants permission to get attributes for the specified queue", "privilege": "GetQueueAttributes", "resource_types": [ { 
@@ -134423,7 +165721,7 @@ }, { "access_level": "Read", - "description": "Returns the URL of an existing queue.", + "description": "Grants permission to return the URL of an existing queue", "privilege": "GetQueueUrl", "resource_types": [ { @@ -134435,7 +165733,7 @@ }, { "access_level": "Read", - "description": "Returns a list of your queues that have the RedrivePolicy queue attribute configured with a dead letter queue.", + "description": "Grants permission to return a list of your queues that have the RedrivePolicy queue attribute configured with a dead letter queue", "privilege": "ListDeadLetterSourceQueues", "resource_types": [ { @@ -134447,7 +165745,7 @@ }, { "access_level": "Read", - "description": "Lists tags added to an SQS queue.", + "description": "Grants permission to list tags added to an SQS queue", "privilege": "ListQueueTags", "resource_types": [ { @@ -134458,8 +165756,8 @@ ] }, { - "access_level": "List", - "description": "Returns a list of your queues.", + "access_level": "Read", + "description": "Grants permission to return a list of your queues", "privilege": "ListQueues", "resource_types": [ { @@ -134471,7 +165769,7 @@ }, { "access_level": "Write", - "description": "Deletes the messages in a queue specified by the queue URL.", + "description": "Grants permission to delete the messages in a queue specified by the queue URL", "privilege": "PurgeQueue", "resource_types": [ { @@ -134483,7 +165781,7 @@ }, { "access_level": "Read", - "description": "Retrieves one or more messages, with a maximum limit of 10 messages, from the specified queue.", + "description": "Grants permission to retrieve one or more messages, with a maximum limit of 10 messages, from the specified queue", "privilege": "ReceiveMessage", "resource_types": [ { 
@@ -134495,7 +165793,7 @@ }, { "access_level": "Permissions management", - "description": "Revokes any permissions in the queue policy that matches the specified Label parameter.", + "description": "Grants permission to revoke any permissions in the queue policy that matches the specified Label parameter", "privilege": "RemovePermission", "resource_types": [ { @@ -134507,7 +165805,7 @@ }, { "access_level": "Write", - "description": "Delivers a message to the specified queue.", + "description": "Grants permission to deliver a message to the specified queue", "privilege": "SendMessage", "resource_types": [ { @@ -134519,19 +165817,7 @@ }, { "access_level": "Write", - "description": "Delivers up to ten messages to the specified queue.", - "privilege": "SendMessageBatch", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "queue*" - } - ] - }, - { - "access_level": "Write", - "description": "Sets the value of one or more queue attributes.", + "description": "Grants permission to set the value of one or more queue attributes", "privilege": "SetQueueAttributes", "resource_types": [ { @@ -134543,7 +165829,7 @@ }, { "access_level": "Tagging", - "description": "Add tags to the specified SQS queue.", + "description": "Grants permission to add tags to the specified SQS queue", "privilege": "TagQueue", "resource_types": [ { @@ -134555,7 +165841,7 @@ }, { "access_level": "Tagging", - "description": "Remove tags from the specified SQS queue.", + "description": "Grants permission to remove tags from the specified SQS queue", "privilege": "UntagQueue", "resource_types": [ { 
@@ -134594,17 +165880,17 @@ }, { "condition": "ssm:Overwrite", - "description": "Filters access by controlling whether the values for specified resources can be overwritten.", + "description": "Filters access by controlling whether the values for specified resources can be overwritten", "type": "String" }, { "condition": "ssm:Recursive", - "description": "Filters access for resources created in a hierarchical structure.", + "description": "Filters access for resources created in a hierarchical structure", "type": "String" }, { "condition": "ssm:SessionDocumentAccessCheck", - "description": "Filters access by verifying that a user has permission to access either the default Session Manager configuration document or the custom configuration document specified in a request.", + "description": "Filters access by verifying that a user has permission to access either the default Session Manager configuration document or the custom configuration document specified in a request", "type": "Boolean" }, { @@ -134640,6 +165926,16 @@ "dependent_actions": [], "resource_type": "managed-instance" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsitem" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsmetadata" + }, { "condition_keys": [], "dependent_actions": [], @@ -134652,6 +165948,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to associate RelatedItem to an OpsItem", + "privilege": "AssociateOpsItemRelatedItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsitem*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to cancel a specified Run Command command", @@ -134775,7 +166083,10 @@ "privilege": "CreateOpsItem", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } 
@@ -134787,7 +166098,10 @@ "privilege": "CreateOpsMetadata", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -134923,13 +166237,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "parameter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -134942,13 +166249,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "parameter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -135464,6 +166764,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate RelatedItem from an OpsItem", + "privilege": "DisassociateOpsItemRelatedItem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsitem*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view details of a specified Automation execution", @@ -135652,7 +166964,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "opsitem*" } ] }, @@ -135689,13 +167001,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "parameter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -135708,13 +167013,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "parameter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, @@ -135727,13 +167025,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "parameter*" - }, - { - "condition_keys": [ - "aws:RequestTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "" } ] }, 
@@ -135946,6 +167237,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view details about OpsItem RelatedItems", + "privilege": "ListOpsItemRelatedItems", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to view a list of OpsMetadata objects", @@ -136004,6 +167307,16 @@ "dependent_actions": [], "resource_type": "managed-instance" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsitem" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsmetadata" + }, { "condition_keys": [], "dependent_actions": [], @@ -136157,6 +167470,16 @@ "dependent_actions": [], "resource_type": "managed-instance" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsitem" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsmetadata" + }, { "condition_keys": [], "dependent_actions": [], @@ -136284,12 +167607,17 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "instance*" + "resource_type": "document" }, { "condition_keys": [], "dependent_actions": [], - "resource_type": "document" + "resource_type": "instance" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "task" }, { "condition_keys": [ @@ -136314,7 +167642,7 @@ }, { "access_level": "Write", - "description": "Grants permission to permanently end a Session Manager connection to an instance.", + "description": "Grants permission to permanently end a Session Manager connection to an instance", "privilege": "TerminateSession", "resource_types": [ { @@ -136499,7 +167827,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "opsitem*" } ] }, 
@@ -136571,7 +167899,7 @@ "resource": "automation-execution" }, { - "arn": "arn:${Partition}:ssm:${Region}:${Account}:automation-definition/${AutomationDefinitionName:VersionId}", + "arn": "arn:${Partition}:ssm:${Region}:${Account}:automation-definition/${AutomationDefinitionName}:${VersionId}", "condition_keys": [], "resource": "automation-definition" }, @@ -136605,7 +167933,7 @@ "resource": "maintenancewindow" }, { - "arn": "arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${ManagedInstanceName}", + "arn": "arn:${Partition}:ssm:${Region}:${Account}:managed-instance/${InstanceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}", "ssm:resourceTag/tag-key" @@ -136619,16 +167947,21 @@ }, { "arn": "arn:${Partition}:ssm:${Region}:${Account}:opsitem/${ResourceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "opsitem" }, { "arn": "arn:${Partition}:ssm:${Region}:${Account}:opsmetadata/${ResourceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ssm:resourceTag/tag-key" + ], "resource": "opsmetadata" }, { - "arn": "arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName}", + "arn": "arn:${Partition}:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}", "condition_keys": [ "aws:ResourceTag/${TagKey}", "ssm:resourceTag/tag-key" 
@@ -136667,17 +168000,787 @@ "arn": "arn:${Partition}:ssm:${Region}:${Account}:windowtask/${WindowTaskId}", "condition_keys": [], "resource": "windowtask" + }, + { + "arn": "arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "task" } ], "service_name": "AWS Systems Manager" }, + { + "conditions": [], + "prefix": "ssm-contacts", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to accept a page", + "privilege": "AcceptPage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "page*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to activate a contact's contact channel", + "privilege": "ActivateContactChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contactchannel*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to use a contact in an escalation plan", + "privilege": "AssociateContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a contact", + "privilege": "CreateContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ssm-contacts:AssociateContact" + ], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a contact channel for a contact", + "privilege": "CreateContactChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deactivate a contact's contact channel", + "privilege": "DeactivateContactChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "contactchannel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a contact", + "privilege": "DeleteContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a contact's contact channel", + "privilege": "DeleteContactChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contactchannel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a contact's resource policy", + "privilege": "DeleteContactPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an engagement", + "privilege": "DescribeEngagement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "engagement*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a page", + "privilege": "DescribePage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "page*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a contact", + "privilege": "GetContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a contact's contact channel", + "privilege": "GetContactChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contactchannel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all of a contact's contact channels", + "privilege": "ListContactChannels", + "resource_types": [ + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all contacts", + "privilege": "ListContacts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all engagements", + "privilege": "ListEngagements", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all receipts of a page", + "privilege": "ListPageReceipts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "page*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all pages sent to a contact", + "privilege": "ListPagesByContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all pages created in an engagement", + "privilege": "ListPagesByEngagement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "engagement*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a resource policy to a contact", + "privilege": "PutContactPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send the activation code of a contact's contact channel", + "privilege": "SendActivationCode", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contactchannel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start an engagement", + 
"privilege": "StartEngagement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop an engagement", + "privilege": "StopEngagement", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "engagement*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a contact", + "privilege": "UpdateContact", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ssm-contacts:AssociateContact" + ], + "resource_type": "contact*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a contact's contact channel", + "privilege": "UpdateContactChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contactchannel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a contact's resource policy", + "privilege": "UpdateContactPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:contact/${ContactAlias}", + "condition_keys": [], + "resource": "contact" + }, + { + "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:contactchannel/${ContactAlias}/${ContactChannelId}", + "condition_keys": [], + "resource": "contactchannel" + }, + { + "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:engagement/${EngagementId}", + "condition_keys": [], + "resource": "engagement" + }, + { + "arn": "arn:${Partition}:ssm-contacts:${Region}:${Account}:page/${ContactAlias}/${pageId}", + "condition_keys": [], + "resource": "page" + } + ], + "service_name": "AWS Systems Manager Incident Manager Contacts" + }, + { + "conditions": [], + "prefix": "ssm-incidents", + "privileges": 
[ + { + "access_level": "Write", + "description": "Grants permission to create a replication set", + "privilege": "CreateReplicationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:CreateServiceLinkedRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a response plan", + "privilege": "CreateResponsePlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a timeline event for an incident record", + "privilege": "CreateTimelineEvent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an incident record", + "privilege": "DeleteIncidentRecord", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a replication set", + "privilege": "DeleteReplicationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "replication-set*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to delete resource policy from a response plan", + "privilege": "DeleteResourcePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a response plan", + "privilege": "DeleteResponsePlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a timeline event", + "privilege": "DeleteTimelineEvent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the contents of an incident record", + "privilege": "GetIncidentRecord", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the replication set", + "privilege": "GetReplicationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "replication-set*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view resource policies of a response plan", + "privilege": "GetResourcePolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view the contents of a specified response plan", + "privilege": "GetResponsePlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view a timeline event", + "privilege": "GetTimelineEvent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the contents of all incident records", + "privilege": "ListIncidentRecords", + 
"resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list related items of an incident records", + "privilege": "ListRelatedItems", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all replication sets", + "privilege": "ListReplicationSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all response plans", + "privilege": "ListResponsePlans", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to view a list of resource tags for a specified resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all timeline events for an incident record", + "privilege": "ListTimelineEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to put resource policy on a response plan", + "privilege": "PutResourcePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission 
to start a new incident using a response plan", + "privilege": "StartIncident", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a response plan", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a response plan", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update replication set deletion protection", + "privilege": "UpdateDeletionProtection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "replication-set*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the contents of an incident record", + "privilege": "UpdateIncidentRecord", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update related items of an incident record", + "privilege": "UpdateRelatedItems", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a replication set", + "privilege": "UpdateReplicationSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"replication-set*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the contents of a response plan", + "privilege": "UpdateResponsePlan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "response-plan*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a timeline event", + "privilege": "UpdateTimelineEvent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "incident-record*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "response-plan*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:ssm-incidents::${Account}:response-plan/${ResponsePlan}", + "condition_keys": [], + "resource": "response-plan" + }, + { + "arn": "arn:${Partition}:ssm-incidents::${Account}:incident-record/${ResponsePlan}/${IncidentRecord}", + "condition_keys": [], + "resource": "incident-record" + }, + { + "arn": "arn:${Partition}:ssm-incidents::${Account}:replication-set/${ReplicationSet}", + "condition_keys": [], + "resource": "replication-set" + } + ], + "service_name": "AWS Systems Manager Incident Manager" + }, { "conditions": [], "prefix": "ssmmessages", "privileges": [ { "access_level": "Write", - "description": "Registers a control channel for an instance to send control messages to Systems Manager service.", + "description": "Grants permission to register a control channel for an instance to send control messages to Systems Manager service", "privilege": "CreateControlChannel", "resource_types": [ { @@ -136689,7 +168792,7 @@ }, { "access_level": "Write", - "description": "Registers a data channel for an instance to send data messages to Systems Manager service.", + "description": "Grants permission to register a data channel for an instance to send data messages to Systems Manager service", "privilege": "CreateDataChannel", "resource_types": [ { 
@@ -136701,7 +168804,7 @@ }, { "access_level": "Write", - "description": "Opens a websocket connection for a registered control channel stream from an instance to Systems Manager service.", + "description": "Grants permission to open a websocket connection for a registered control channel stream from an instance to Systems Manager service", "privilege": "OpenControlChannel", "resource_types": [ { @@ -136713,7 +168816,7 @@ }, { "access_level": "Write", - "description": "Opens a websocket connection for a registered data channel stream from an instance to Systems Manager service.", + "description": "Grants permission to open a websocket connection for a registered data channel stream from an instance to Systems Manager service", "privilege": "OpenDataChannel", "resource_types": [ { @@ -136731,17 +168834,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" } ], @@ -136749,7 +168852,7 @@ "privileges": [ { "access_level": "Write", - "description": "Connect a directory to be used by AWS Single Sign-On", + "description": "Grants permission to connect a directory to be used by AWS Single Sign-On", "privilege": "AssociateDirectory", "resource_types": [ { @@ -136763,7 +168866,7 @@ }, { "access_level": "Write", - "description": "Create an association between a directory user or group and a profile", + "description": "Grants permission to create an association between a directory user or group and a profile", "privilege": "AssociateProfile", "resource_types": [ { 
@@ -136774,8 +168877,8 @@ ] }, { - "access_level": "Write", - "description": "Attaches an AWS managed policy to a permission set.", + "access_level": "Permissions management", + "description": "Grants permission to attach an AWS managed policy to a permission set.", "privilege": "AttachManagedPolicyToPermissionSet", "resource_types": [ { @@ -136792,7 +168895,7 @@ }, { "access_level": "Write", - "description": "Assigns access to a Principal for a specified AWS account using a specified permission set.", + "description": "Grants permission to assign access to a Principal for a specified AWS account using a specified permission set.", "privilege": "CreateAccountAssignment", "resource_types": [ { @@ -136814,7 +168917,7 @@ }, { "access_level": "Write", - "description": "Add an application instance to AWS Single Sign-On", + "description": "Grants permission to add an application instance to AWS Single Sign-On", "privilege": "CreateApplicationInstance", "resource_types": [ { @@ -136826,7 +168929,7 @@ }, { "access_level": "Write", - "description": "Add a new certificate for an application instance", + "description": "Grants permission to add a new certificate for an application instance", "privilege": "CreateApplicationInstanceCertificate", "resource_types": [ { @@ -136850,7 +168953,7 @@ }, { "access_level": "Write", - "description": "Add a managed application instance to AWS Single Sign-On", + "description": "Grants permission to add a managed application instance to AWS Single Sign-On", "privilege": "CreateManagedApplicationInstance", "resource_types": [ { 
@@ -136862,19 +168965,27 @@ }, { "access_level": "Write", - "description": "Create a permission set", + "description": "Grants permission to create a permission set", "privilege": "CreatePermissionSet", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "Instance*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" } ] }, { "access_level": "Write", - "description": "Create a profile for an application instance", + "description": "Grants permission to create a profile for an application instance", "privilege": "CreateProfile", "resource_types": [ { @@ -136886,7 +168997,7 @@ }, { "access_level": "Write", - "description": "Create a federation trust in a target account", + "description": "Grants permission to create a federation trust in a target account", "privilege": "CreateTrust", "resource_types": [ { @@ -136898,7 +169009,7 @@ }, { "access_level": "Write", - "description": "Deletes a Principal's access from a specified AWS account using a specified permission set.", + "description": "Grants permission to delete a Principal's access from a specified AWS account using a specified permission set.", "privilege": "DeleteAccountAssignment", "resource_types": [ { @@ -136920,7 +169031,7 @@ }, { "access_level": "Write", - "description": "Delete the application instance", + "description": "Grants permission to delete the application instance", "privilege": "DeleteApplicationInstance", "resource_types": [ { @@ -136932,7 +169043,7 @@ }, { "access_level": "Write", - "description": "Delete an inactive or expired certificate from the application instance", + "description": "Grants permission to delete an inactive or expired certificate from the application instance", "privilege": "DeleteApplicationInstanceCertificate", "resource_types": [ { 
@@ -136944,7 +169055,7 @@ }, { "access_level": "Write", - "description": "Deletes the inline policy from a specified permission set.", + "description": "Grants permission to delete the inline policy from a specified permission set.", "privilege": "DeleteInlinePolicyFromPermissionSet", "resource_types": [ { @@ -136973,7 +169084,7 @@ }, { "access_level": "Write", - "description": "Delete the managed application instance", + "description": "Grants permission to delete the managed application instance", "privilege": "DeleteManagedApplicationInstance", "resource_types": [ { @@ -136985,7 +169096,7 @@ }, { "access_level": "Write", - "description": "Delete a permission set", + "description": "Grants permission to delete a permission set", "privilege": "DeletePermissionSet", "resource_types": [ { @@ -137001,8 +169112,8 @@ ] }, { - "access_level": "Write", - "description": "Delete the permission policy associated with a permission set", + "access_level": "Permissions management", + "description": "Grants permission to delete the permission policy associated with a permission set", "privilege": "DeletePermissionsPolicy", "resource_types": [ { @@ -137014,7 +169125,7 @@ }, { "access_level": "Write", - "description": "Delete the profile for an application instance", + "description": "Grants permission to delete the profile for an application instance", "privilege": "DeleteProfile", "resource_types": [ { @@ -137026,7 +169137,7 @@ }, { "access_level": "Read", - "description": "Describes the status of the assignment creation request.", + "description": "Grants permission to describe the status of the assignment creation request.", "privilege": "DescribeAccountAssignmentCreationStatus", "resource_types": [ { 
@@ -137038,7 +169149,7 @@ }, { "access_level": "Read", - "description": "Describes the status of an assignment deletion request.", + "description": "Grants permission to describe the status of an assignment deletion request.", "privilege": "DescribeAccountAssignmentDeletionStatus", "resource_types": [ { @@ -137062,7 +169173,7 @@ }, { "access_level": "Read", - "description": "Describes a permission set", + "description": "Grants permission to describe a permission set", "privilege": "DescribePermissionSet", "resource_types": [ { @@ -137079,7 +169190,7 @@ }, { "access_level": "Read", - "description": "Describes the status for the given Permission Set Provisioning request.", + "description": "Grants permission to describe the status for the given Permission Set Provisioning request.", "privilege": "DescribePermissionSetProvisioningStatus", "resource_types": [ { @@ -137091,7 +169202,7 @@ }, { "access_level": "Read", - "description": "Retrieve all the permissions policies associated with a permission set", + "description": "Grants permission to retrieve all the permissions policies associated with a permission set", "privilege": "DescribePermissionsPolicies", "resource_types": [ { @@ -137103,7 +169214,7 @@ }, { "access_level": "Read", - "description": "Obtains the regions where your organization has enabled AWS Single Sign-on", + "description": "Grants permission to obtain the regions where your organization has enabled AWS Single Sign-on", "privilege": "DescribeRegisteredRegions", "resource_types": [ { @@ -137114,8 +169225,8 @@ ] }, { - "access_level": "Write", - "description": "Detaches the attached AWS managed policy from the specified permission set.", + "access_level": "Permissions management", + "description": "Grants permission to detach the attached AWS managed policy from the specified permission set.", "privilege": "DetachManagedPolicyFromPermissionSet", "resource_types": [ { 
@@ -137132,7 +169243,7 @@ }, { "access_level": "Write", - "description": "Disassociate a directory to be used by AWS Single Sign-On", + "description": "Grants permission to disassociate a directory to be used by AWS Single Sign-On", "privilege": "DisassociateDirectory", "resource_types": [ { @@ -137146,7 +169257,7 @@ }, { "access_level": "Write", - "description": "Disassociate a directory user or group from a profile", + "description": "Grants permission to disassociate a directory user or group from a profile", "privilege": "DisassociateProfile", "resource_types": [ { @@ -137158,7 +169269,7 @@ }, { "access_level": "Read", - "description": "Retrieve details for an application instance", + "description": "Grants permission to retrieve details for an application instance", "privilege": "GetApplicationInstance", "resource_types": [ { @@ -137170,7 +169281,7 @@ }, { "access_level": "Read", - "description": "Retrieve application template details", + "description": "Grants permission to retrieve application template details", "privilege": "GetApplicationTemplate", "resource_types": [ { @@ -137182,7 +169293,7 @@ }, { "access_level": "Read", - "description": "Obtains the inline policy assigned to the permission set.", + "description": "Grants permission to obtain the inline policy assigned to the permission set.", "privilege": "GetInlinePolicyForPermissionSet", "resource_types": [ { @@ -137199,7 +169310,7 @@ }, { "access_level": "Read", - "description": "Retrieve details for an application instance", + "description": "Grants permission to retrieve details for an application instance", "privilege": "GetManagedApplicationInstance", "resource_types": [ { @@ -137211,7 +169322,7 @@ }, { "access_level": "Read", - "description": "Retrieve Mfa Device Management settings for the directory", + "description": "Grants permission to retrieve Mfa Device Management settings for the directory", "privilege": "GetMfaDeviceManagementForDirectory", "resource_types": [ { 
@@ -137223,7 +169334,7 @@ }, { "access_level": "Read", - "description": "Retrieve details of a permission set", + "description": "Grants permission to retrieve details of a permission set", "privilege": "GetPermissionSet", "resource_types": [ { @@ -137235,7 +169346,7 @@ }, { "access_level": "Read", - "description": "Retrieve all permission policies associated with a permission set", + "description": "Grants permission to retrieve all permission policies associated with a permission set", "privilege": "GetPermissionsPolicy", "resource_types": [ { @@ -137249,7 +169360,7 @@ }, { "access_level": "Read", - "description": "Retrieve a profile for an application instance", + "description": "Grants permission to retrieve a profile for an application instance", "privilege": "GetProfile", "resource_types": [ { @@ -137261,7 +169372,7 @@ }, { "access_level": "Read", - "description": "Check if AWS Single Sign-On is enabled", + "description": "Grants permission to check if AWS Single Sign-On is enabled", "privilege": "GetSSOStatus", "resource_types": [ { @@ -137273,7 +169384,7 @@ }, { "access_level": "Read", - "description": "Retrieve shared configuration for the current SSO instance", + "description": "Grants permission to retrieve shared configuration for the current SSO instance", "privilege": "GetSharedSsoConfiguration", "resource_types": [ { @@ -137285,7 +169396,7 @@ }, { "access_level": "Read", - "description": "Retrieve configuration for the current SSO instance", + "description": "Grants permission to retrieve configuration for the current SSO instance", "privilege": "GetSsoConfiguration", "resource_types": [ { @@ -137297,7 +169408,7 @@ }, { "access_level": "Read", - "description": "Retrieve the federation trust in a target account", + "description": "Grants permission to retrieve the federation trust in a target account", "privilege": "GetTrust", "resource_types": [ { 
@@ -137309,7 +169420,7 @@ }, { "access_level": "Write", - "description": "Update the application instance by uploading an application SAML metadata file provided by the service provider", + "description": "Grants permission to update the application instance by uploading an application SAML metadata file provided by the service provider", "privilege": "ImportApplicationInstanceServiceProviderMetadata", "resource_types": [ { @@ -137321,7 +169432,7 @@ }, { "access_level": "List", - "description": "Lists the status of the AWS account assignment creation requests for a specified SSO instance.", + "description": "Grants permission to list the status of the AWS account assignment creation requests for a specified SSO instance.", "privilege": "ListAccountAssignmentCreationStatus", "resource_types": [ { @@ -137333,7 +169444,7 @@ }, { "access_level": "List", - "description": "Lists the status of the AWS account assignment deletion requests for a specified SSO instance.", + "description": "Grants permission to list the status of the AWS account assignment deletion requests for a specified SSO instance.", "privilege": "ListAccountAssignmentDeletionStatus", "resource_types": [ { @@ -137345,7 +169456,7 @@ }, { "access_level": "List", - "description": "Lists the assignee of the specified AWS account with the specified permission set.", + "description": "Grants permission to list the assignee of the specified AWS account with the specified permission set.", "privilege": "ListAccountAssignments", "resource_types": [ { @@ -137367,7 +169478,7 @@ }, { "access_level": "List", - "description": "Lists all the AWS accounts where the specified permission set is provisioned.", + "description": "Grants permission to list all the AWS accounts where the specified permission set is provisioned.", "privilege": "ListAccountsForProvisionedPermissionSet", "resource_types": [ { 
@@ -137383,8 +169494,8 @@ ] }, { - "access_level": "List", - "description": "Retrieve all of the certificates for a given application instance", + "access_level": "Read", + "description": "Grants permission to retrieve all of the certificates for a given application instance", "privilege": "ListApplicationInstanceCertificates", "resource_types": [ { @@ -137396,7 +169507,7 @@ }, { "access_level": "List", - "description": "Retrieve all application instances", + "description": "Grants permission to retrieve all application instances", "privilege": "ListApplicationInstances", "resource_types": [ { @@ -137410,7 +169521,7 @@ }, { "access_level": "List", - "description": "Retrieve all supported application templates", + "description": "Grants permission to retrieve all supported application templates", "privilege": "ListApplicationTemplates", "resource_types": [ { @@ -137424,7 +169535,7 @@ }, { "access_level": "List", - "description": "Retrieve all supported applications", + "description": "Grants permission to retrieve all supported applications", "privilege": "ListApplications", "resource_types": [ { @@ -137435,8 +169546,8 @@ ] }, { - "access_level": "List", - "description": "Retrieve details about the directory connected to AWS Single Sign-On", + "access_level": "Read", + "description": "Grants permission to retrieve details about the directory connected to AWS Single Sign-On", "privilege": "ListDirectoryAssociations", "resource_types": [ { @@ -137448,7 +169559,7 @@ }, { "access_level": "List", - "description": "Lists the SSO Instances that the caller has access to.", + "description": "Grants permission to list the SSO Instances that the caller has access to.", "privilege": "ListInstances", "resource_types": [ { 
@@ -137460,7 +169571,7 @@ }, { "access_level": "List", - "description": "Lists the AWS managed policies that are attached to a specified permission set.", + "description": "Grants permission to list the AWS managed policies that are attached to a specified permission set.", "privilege": "ListManagedPoliciesInPermissionSet", "resource_types": [ { @@ -137477,7 +169588,7 @@ }, { "access_level": "List", - "description": "Lists the status of the Permission Set Provisioning requests for a specified SSO instance.", + "description": "Grants permission to list the status of the Permission Set Provisioning requests for a specified SSO instance.", "privilege": "ListPermissionSetProvisioningStatus", "resource_types": [ { @@ -137489,7 +169600,7 @@ }, { "access_level": "List", - "description": "Retrieve all permission sets", + "description": "Grants permission to retrieve all permission sets", "privilege": "ListPermissionSets", "resource_types": [ { @@ -137501,7 +169612,7 @@ }, { "access_level": "List", - "description": "Lists all the permission sets that are provisioned to a specified AWS account.", + "description": "Grants permission to list all the permission sets that are provisioned to a specified AWS account.", "privilege": "ListPermissionSetsProvisionedToAccount", "resource_types": [ { @@ -137517,8 +169628,8 @@ ] }, { - "access_level": "List", - "description": "Retrieve the directory user or group associated with the profile", + "access_level": "Read", + "description": "Grants permission to retrieve the directory user or group associated with the profile", "privilege": "ListProfileAssociations", "resource_types": [ { @@ -137530,7 +169641,7 @@ }, { "access_level": "List", - "description": "Retrieve all profiles for an application instance", + "description": "Grants permission to retrieve all profiles for an application instance", "privilege": "ListProfiles", "resource_types": [ { 
@@ -137543,8 +169654,8 @@ ] }, { - "access_level": "List", - "description": "Lists the tags that are attached to a specified resource.", + "access_level": "Read", + "description": "Grants permission to list the tags that are attached to a specified resource.", "privilege": "ListTagsForResource", "resource_types": [ { @@ -137561,7 +169672,7 @@ }, { "access_level": "Write", - "description": "The process by which a specified permission set is provisioned to the specified target.", + "description": "Grants permission to provision a specified permission set to the specified target.", "privilege": "ProvisionPermissionSet", "resource_types": [ { @@ -137583,7 +169694,7 @@ }, { "access_level": "Write", - "description": "Attaches an IAM inline policy to a permission set.", + "description": "Grants permission to attach an IAM inline policy to a permission set.", "privilege": "PutInlinePolicyToPermissionSet", "resource_types": [ { @@ -137600,7 +169711,7 @@ }, { "access_level": "Write", - "description": "Put Mfa Device Management settings for the directory", + "description": "Grants permission to put Mfa Device Management settings for the directory", "privilege": "PutMfaDeviceManagementForDirectory", "resource_types": [ { @@ -137611,8 +169722,8 @@ ] }, { - "access_level": "Write", - "description": "Add a policy to a permission set", + "access_level": "Permissions management", + "description": "Grants permission to add a policy to a permission set", "privilege": "PutPermissionsPolicy", "resource_types": [ { @@ -137624,7 +169735,7 @@ }, { "access_level": "Read", - "description": "Search for groups within the associated directory", + "description": "Grants permission to search for groups within the associated directory", "privilege": "SearchGroups", "resource_types": [ { 
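Review bot: `PutInlinePolicyToPermissionSet` keeps `"access_level": "Write"` in the `@@ -137583,7` hunk, while `PutPermissionsPolicy` in the `@@ -137611,8` hunk is reclassified from Write to Permissions management, even though its description ("attach an IAM inline policy to a permission set") names the same kind of operation ("add a policy to a permission set"). Any consumer that selects permission-changing actions by `access_level` will treat the two differently, and the inline-policy action is the one left out. If the classification is meant to be consistent, that entry should read `"access_level": "Permissions management",`. If this file is regenerated from upstream documentation (an assumption, the page does not say), the correction belongs in a post-generation override so it survives the next refresh. `UpdatePermissionSet` in the `@@ -137836,8` hunk already receives the same reclassification.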
@@ -137638,7 +169749,7 @@ }, { "access_level": "Read", - "description": "Search for users within the associated directory", + "description": "Grants permission to search for users within the associated directory", "privilege": "SearchUsers", "resource_types": [ { @@ -137652,13 +169763,13 @@ }, { "access_level": "Write", - "description": "Initialize AWS Single Sign-On", + "description": "Grants permission to initialize AWS Single Sign-On", "privilege": "StartSSO", "resource_types": [ { "condition_keys": [], "dependent_actions": [ - "organization:DescribeOrganization", + "organizations:DescribeOrganization", "organizations:EnableAWSServiceAccess" ], "resource_type": "" @@ -137667,7 +169778,7 @@ }, { "access_level": "Tagging", - "description": "Associates a set of tags with a specified resource.", + "description": "Grants permission to associate a set of tags with a specified resource.", "privilege": "TagResource", "resource_types": [ { @@ -137692,7 +169803,7 @@ }, { "access_level": "Tagging", - "description": "Disassociates a set of tags from a specified resource.", + "description": "Grants permission to disassociate a set of tags from a specified resource.", "privilege": "UntagResource", "resource_types": [ { @@ -137717,7 +169828,7 @@ }, { "access_level": "Write", - "description": "Set a certificate as the active one for this application instance", + "description": "Grants permission to set a certificate as the active one for this application instance", "privilege": "UpdateApplicationInstanceActiveCertificate", "resource_types": [ { @@ -137729,7 +169840,7 @@ }, { "access_level": "Write", - "description": "Update display data of an application instance", + "description": "Grants permission to update display data of an application instance", "privilege": "UpdateApplicationInstanceDisplayData", "resource_types": [ { 
@@ -137741,7 +169852,7 @@ }, { "access_level": "Write", - "description": "Update federation response configuration for the application instance", + "description": "Grants permission to update federation response configuration for the application instance", "privilege": "UpdateApplicationInstanceResponseConfiguration", "resource_types": [ { @@ -137753,7 +169864,7 @@ }, { "access_level": "Write", - "description": "Update federation response schema configuration for the application instance", + "description": "Grants permission to update federation response schema configuration for the application instance", "privilege": "UpdateApplicationInstanceResponseSchemaConfiguration", "resource_types": [ { @@ -137765,7 +169876,7 @@ }, { "access_level": "Write", - "description": "Update security details for the application instance", + "description": "Grants permission to update security details for the application instance", "privilege": "UpdateApplicationInstanceSecurityConfiguration", "resource_types": [ { @@ -137777,7 +169888,7 @@ }, { "access_level": "Write", - "description": "Update service provider related configuration for the application instance", + "description": "Grants permission to update service provider related configuration for the application instance", "privilege": "UpdateApplicationInstanceServiceProviderConfiguration", "resource_types": [ { @@ -137789,7 +169900,7 @@ }, { "access_level": "Write", - "description": "Update the status of an application instance", + "description": "Grants permission to update the status of an application instance", "privilege": "UpdateApplicationInstanceStatus", "resource_types": [ { @@ -137801,7 +169912,7 @@ }, { "access_level": "Write", - "description": "Update the user attribute mappings for your connected directory", + "description": "Grants permission to update the user attribute mappings for your connected directory", "privilege": "UpdateDirectoryAssociation", "resource_types": [ { 
@@ -137825,7 +169936,7 @@ }, { "access_level": "Write", - "description": "Update the status of a managed application instance", + "description": "Grants permission to update the status of a managed application instance", "privilege": "UpdateManagedApplicationInstanceStatus", "resource_types": [ { @@ -137836,8 +169947,8 @@ ] }, { - "access_level": "Write", - "description": "Update the permission set.", + "access_level": "Permissions management", + "description": "Grants permission to update the permission set.", "privilege": "UpdatePermissionSet", "resource_types": [ { @@ -137854,7 +169965,7 @@ }, { "access_level": "Write", - "description": "Update the profile for an application instance", + "description": "Grants permission to update the profile for an application instance", "privilege": "UpdateProfile", "resource_types": [ { @@ -137866,7 +169977,7 @@ }, { "access_level": "Write", - "description": "Update the configuration for the current SSO instance", + "description": "Grants permission to update the configuration for the current SSO instance", "privilege": "UpdateSSOConfiguration", "resource_types": [ { @@ -137878,7 +169989,7 @@ }, { "access_level": "Write", - "description": "Update the federation trust in a target account", + "description": "Grants permission to update the federation trust in a target account", "privilege": "UpdateTrust", "resource_types": [ { 
@@ -138119,8 +170230,20 @@ ] }, { - "access_level": "List", - "description": "Grants permission to retrieve information about a group from the directory that AWS SSO provides by default", + "access_level": "Read", + "description": "Grants permission to query the group data, not including user and group members", + "privilege": "DescribeGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about groups from the directory that AWS SSO provides by default", "privilege": "DescribeGroups", "resource_types": [ { @@ -138130,6 +170253,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describes the provisioning tenant", + "privilege": "DescribeProvisioningTenant", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve information about a user from the directory that AWS SSO provides by default", @@ -138143,7 +170278,19 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to describe user with a valid unique attribute represented for the user", + "privilege": "DescribeUserByUniqueAttribute", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to retrieve information about user from the directory that AWS SSO provides by default", "privilege": "DescribeUsers", "resource_types": [ 
@@ -138214,6 +170361,18 @@ } ] }, + { + "access_level": "Read", + "description": "(Deprecated) Grants permission to get UserPool Info", + "privilege": "GetUserPoolInfo", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to import the IdP certificate used for verifying external IdP responses", @@ -138239,7 +170398,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list bearer tokens for a given provisioning tenant", "privilege": "ListBearerTokens", "resource_types": [ @@ -138251,7 +170410,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list the external IdP certificates of a given directory and IdP", "privilege": "ListExternalIdPCertificates", "resource_types": [ @@ -138263,7 +170422,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all the External Identity Provider configurations created for the directory", "privilege": "ListExternalIdPConfigurationsForDirectory", "resource_types": [ @@ -138275,7 +170434,19 @@ ] }, { - "access_level": "List", + "access_level": "Read", + "description": "Grants permission to list groups of the target member", + "privilege": "ListGroupsForMember", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", "description": "Grants permission to list groups for a user from the directory that AWS SSO provides by default", "privilege": "ListGroupsForUser", "resource_types": [ @@ -138287,7 +170458,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to retrieve all members that are part of a group in the directory that AWS SSO provides by default", "privilege": "ListMembersInGroup", "resource_types": [ 
@@ -138299,7 +170470,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list all active MFA devices and their MFA device metadata for a user", "privilege": "ListMfaDevicesForUser", "resource_types": [ @@ -138311,7 +170482,7 @@ ] }, { - "access_level": "List", + "access_level": "Read", "description": "Grants permission to list provisioning tenants for a given directory", "privilege": "ListProvisioningTenants", "resource_types": [ @@ -138406,6 +170577,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update group display name update group display name response", + "privilege": "UpdateGroupDisplayName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update MFA device information", @@ -138442,6 +170625,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update user name update user name response", + "privilege": "UpdateUserName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to verify an email address of an User", @@ -138955,6 +171150,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to associate an Amazon FSx file system with the Amazon FSx file gateway", + "privilege": "AssociateFileSystem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to connect a volume to an iSCSI connection and then attaches the volume to the specified gateway", 
@@ -139317,6 +171532,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the information about the most recent high availability monitoring test that was performed on the gateway", + "privilege": "DescribeAvailabilityMonitorTest", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get the bandwidth rate limits of a gateway", @@ -139329,6 +171556,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the bandwidth rate limit schedule of a gateway", + "privilege": "DescribeBandwidthRateLimitSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get information about the cache of a gateway. This operation is supported only for the gateway-cached volume architecture", @@ -139365,6 +171604,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get a description for one or more file system associations", + "privilege": "DescribeFileSystemAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fs-association*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get metadata about a gateway such as its name, network interfaces, configured time zone, and the state (whether the gateway is running or not)", 
@@ -139545,6 +171796,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an Amazon FSx file system from an Amazon FSx file gateway", + "privilege": "DisassociateFileSystem", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fs-association*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to enable you to join an Active Directory Domain", @@ -139581,6 +171844,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to get a list of the file system associations for the specified gateway", + "privilege": "ListFileSystemAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list gateways owned by an AWS account in a region specified in the request. The returned list is ordered by gateway Amazon Resource Name (ARN)", @@ -139832,6 +172107,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to start a test that verifies that the specified gateway is configured for High Availability monitoring in your host environment", + "privilege": "StartAvailabilityMonitorTest", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to start a gateway that you previously shut down", 
@@ -139873,6 +172160,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the bandwidth rate limit schedule of a gateway", + "privilege": "UpdateBandwidthRateLimitSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target", @@ -139885,6 +172184,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a file system association", + "privilege": "UpdateFileSystemAssociation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fs-association*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a gateway's metadata, which includes the gateway's name and time zone", @@ -139945,6 +172256,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update whether the shares on a gateway are visible in a net view or browse list", + "privilege": "UpdateSMBFileShareVisibility", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the SMB security strategy on a file gateway", + "privilege": "UpdateSMBSecurityStrategy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "gateway*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a snapshot schedule configured for a gateway volume", 
@@ -139976,6 +172311,13 @@ "condition_keys": [], "resource": "device" }, + { + "arn": "arn:${Partition}:storagegateway:${Region}:${Account}:fs-association/${FsaId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "fs-association" + }, { "arn": "arn:${Partition}:storagegateway:${Region}:${Account}:gateway/${GatewayId}", "condition_keys": [ @@ -140056,6 +172398,11 @@ "description": "Filters actions based on the tags associated with the resource", "type": "String" }, + { + "condition": "aws:SourceIdentity", + "description": "Filters actions based on the source identity that is set on the caller", + "type": "String" + }, { "condition": "aws:TagKeys", "description": "Filters actions based on the tag keys that are passed in the request", @@ -140261,6 +172608,11 @@ "description": "Filters actions based on the role session name required when you assume a role", "type": "String" }, + { + "condition": "sts:SourceIdentity", + "description": "Filters actions based on the source identity that is passed in the request", + "type": "String" + }, { "condition": "sts:TransitiveTagKeys", "description": "Filters actions based on the transitive tag keys that are passed in the request", @@ -140297,7 +172649,9 @@ "sts:TransitiveTagKeys", "sts:ExternalId", "sts:RoleSessionName", - "iam:ResourceTag/${TagKey}" + "iam:ResourceTag/${TagKey}", + "sts:SourceIdentity", + "aws:SourceIdentity" ], "dependent_actions": [], "resource_type": "" @@ -140351,7 +172705,9 @@ "aws:TagKeys", "aws:PrincipalTag/${TagKey}", "aws:RequestTag/${TagKey}", - "sts:TransitiveTagKeys" + "sts:TransitiveTagKeys", + "sts:SourceIdentity", + "sts:RoleSessionName" ], "dependent_actions": [], "resource_type": "" @@ -140383,7 +172739,9 @@ "aws:TagKeys", "aws:PrincipalTag/${TagKey}", "aws:RequestTag/${TagKey}", - "sts:TransitiveTagKeys" + "sts:TransitiveTagKeys", + "sts:SourceIdentity", + "sts:RoleSessionName" ], "dependent_actions": [], "resource_type": "" 
@@ -140471,6 +172829,31 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to set a source identity on a STS session", + "privilege": "SetSourceIdentity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "role" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [ + "sts:SourceIdentity", + "aws:SourceIdentity" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "Grants permission to add tags to a STS session", @@ -141625,6 +174008,58 @@ } ] }, + { + "access_level": "Write", + "description": "Undeprecates a previously deprecated activity type.", + "privilege": "UndeprecateActivityType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + }, + { + "condition_keys": [ + "swf:activityType.name", + "swf:activityType.version" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Undeprecates a previously deprecated domain.", + "privilege": "UndeprecateDomain", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + } + ] + }, + { + "access_level": "Write", + "description": "Undeprecates a previously deprecated workflow type.", + "privilege": "UndeprecateWorkflowType", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "domain*" + }, + { + "condition_keys": [ + "swf:workflowType.name", + "swf:workflowType.version" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", "description": "This action removes a tag from an AWS SWF resource.", 
@@ -141647,7 +174082,7 @@ ], "resources": [ { - "arn": "arn:${Partition}:swf::${Account}:domain/${DomainName}", + "arn": "arn:${Partition}:swf::${Account}:/domain/${DomainName}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], @@ -141657,12 +174092,18 @@ "service_name": "Amazon Simple Workflow Service" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + } + ], "prefix": "synthetics", "privileges": [ { "access_level": "Write", - "description": "Create a canary.", + "description": "Grants permission to create a canary", "privilege": "CreateCanary", "resource_types": [ { @@ -141674,7 +174115,7 @@ }, { "access_level": "Write", - "description": "Deletes a canary. Amazon Synthetics deletes all the resources except for the Lambda function and the CloudWatch Alarms if you created one.", + "description": "Grants permission to delete a canary. Amazon Synthetics deletes all the resources except for the Lambda function and the CloudWatch Alarms if you created one", "privilege": "DeleteCanary", "resource_types": [ { @@ -141686,7 +174127,7 @@ }, { "access_level": "Read", - "description": "Returns information of all canaries.", + "description": "Grants permission to list information of all canaries", "privilege": "DescribeCanaries", "resource_types": [ { @@ -141698,7 +174139,7 @@ }, { "access_level": "Read", - "description": "Returns information about the last test run associated with all canaries.", + "description": "Grants permission to list information about the last test run associated with all canaries", "privilege": "DescribeCanariesLastRun", "resource_types": [ { 
@@ -141710,7 +174151,31 @@ }, { "access_level": "Read", - "description": "Returns information about all the test runs associated with a canary.", + "description": "Grants permission to list information about Synthetics canary runtime versions", + "privilege": "DescribeRuntimeVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a canary details", + "privilege": "GetCanary", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "canary*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list information about all the test runs associated with a canary", "privilege": "GetCanaryRuns", "resource_types": [ { @@ -141722,7 +174187,7 @@ }, { "access_level": "Read", - "description": "Returns a list of all tags and values associated with a canary.", + "description": "Grants permission to list all tags and values associated with a canary", "privilege": "ListTagsForResource", "resource_types": [ { @@ -141734,7 +174199,7 @@ }, { "access_level": "Write", - "description": "Starts a canary, so that Amazon Synthetics starts monitoring a website.", + "description": "Grants permission to start a canary, so that Amazon CloudWatch Synthetics starts monitoring a website", "privilege": "StartCanary", "resource_types": [ { @@ -141746,7 +174211,7 @@ }, { "access_level": "Write", - "description": "Stops a canary.", + "description": "Grants permission to stop a canary", "privilege": "StopCanary", "resource_types": [ { @@ -141757,8 +174222,8 @@ ] }, { - "access_level": "Write", - "description": "Adds one or more tags to a canary.", + "access_level": "Tagging", + "description": "Grants permission to add one or more tags to a canary", "privilege": "TagResource", "resource_types": [ { 
@@ -141769,8 +174234,8 @@ ] }, { - "access_level": "Write", - "description": "Removes one or more tags from a canary.", + "access_level": "Tagging", + "description": "Grants permission to remove one or more tags from a canary", "privilege": "UntagResource", "resource_types": [ { @@ -141782,7 +174247,7 @@ }, { "access_level": "Write", - "description": "Updates a canary.", + "description": "Grants permission to update a canary", "privilege": "UpdateCanary", "resource_types": [ { @@ -141795,8 +174260,10 @@ ], "resources": [ { - "arn": "arn:${Partition}:synthetics::${Account}:canary:${CanaryName}", - "condition_keys": [], + "arn": "arn:${Partition}:synthetics:${Region}:${Account}:canary:${CanaryName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "canary" } ], @@ -141808,7 +174275,7 @@ "privileges": [ { "access_level": "Read", - "description": "Describe the status of the StartReportCreation operation.", + "description": "Grants permission to describe the status of the StartReportCreation operation", "privilege": "DescribeReportCreation", "resource_types": [ { @@ -141820,7 +174287,7 @@ }, { "access_level": "Read", - "description": "Get a table that shows counts of resources that are noncompliant with their effective tag policies.", + "description": "Grants permission to retrieve a summary of how many resources are noncompliant with their effective tag policies", "privilege": "GetComplianceSummary", "resource_types": [ { @@ -141832,7 +174299,7 @@ }, { "access_level": "Read", - "description": "Get tagged AWS resources that match the given tag filters", + "description": "Grants permission to return tagged or previously tagged resources in the specified AWS Region for the calling account", "privilege": "GetResources", "resource_types": [ { 
@@ -141844,7 +174311,7 @@ }, { "access_level": "Read", - "description": "Get all tagKeys for the account in the specific region", + "description": "Grants permission to returns tag keys currently in use in the specified AWS Region for the calling account", "privilege": "GetTagKeys", "resource_types": [ { @@ -141856,7 +174323,7 @@ }, { "access_level": "Read", - "description": "Get all tagValues for the account in the specific region", + "description": "Grants permission to return tag values for the specified key that are used in the specified AWS Region for the calling account", "privilege": "GetTagValues", "resource_types": [ { @@ -141868,7 +174335,7 @@ }, { "access_level": "Write", - "description": "Generate a report that lists all tagged resources in accounts across your organization, and whether each resource is compliant with the effective tag policy.", + "description": "Grants permission to start generating a report listing all tagged resources in accounts across your organization, and whether each resource is compliant with the effective tag policy", "privilege": "StartReportCreation", "resource_types": [ { @@ -141880,7 +174347,7 @@ }, { "access_level": "Tagging", - "description": "Add tags to AWS resources", + "description": "Grants permission to apply one or more tags to the specified resources", "privilege": "TagResources", "resource_types": [ { @@ -141892,7 +174359,7 @@ }, { "access_level": "Tagging", - "description": "Remove tags from AWS resources", + "description": "Grants permission to remove the specified tags from the specified resources", "privilege": "UntagResources", "resource_types": [ { @@ -141912,7 +174379,7 @@ "privileges": [ { "access_level": "Read", - "description": "Detects instances of real-world document entities within an image provided as input.", + "description": "Grants permission to detect instances of real-world document entities within an image provided as input", "privilege": "AnalyzeDocument", "resource_types": [ { 
@@ -141926,7 +174393,21 @@ }, { "access_level": "Read", - "description": "Detects text in document images.", + "description": "Grants permission to detect instances of real-world document entities within an image provided as input", + "privilege": "AnalyzeExpense", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:GetObject" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to detect text in document images", "privilege": "DetectDocumentText", "resource_types": [ { @@ -141940,7 +174421,7 @@ }, { "access_level": "Read", - "description": "Returns information about a document analysis job.", + "description": "Grants permission to return information about a document analysis job", "privilege": "GetDocumentAnalysis", "resource_types": [ { @@ -141952,7 +174433,7 @@ }, { "access_level": "Read", - "description": "Returns information about a document text detection job.", + "description": "Grants permission to return information about a document text detection job", "privilege": "GetDocumentTextDetection", "resource_types": [ { @@ -141964,7 +174445,7 @@ }, { "access_level": "Write", - "description": "Starts an asynchronous job to detect instances of real-world document entities within an image or pdf provided as input.", + "description": "Grants permission to start an asynchronous job to detect instances of real-world document entities within an image or pdf provided as input", "privilege": "StartDocumentAnalysis", "resource_types": [ { @@ -141978,7 +174459,7 @@ }, { "access_level": "Write", - "description": "Starts an asynchronous job to detect text in document images or pdfs.", + "description": "Grants permission to start an asynchronous job to detect text in document images or pdfs", "privilege": "StartDocumentTextDetection", "resource_types": [ { 
@@ -142620,21 +175101,65 @@ ], "service_name": "Amazon Timestream" }, + { + "conditions": [], + "prefix": "tiros", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a VPC reachability query", + "privilege": "CreateQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get VPC reachability query answers", + "privilege": "GetQueryAnswer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get VPC reachability query explanations", + "privilege": "GetQueryExplanation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Tiros" + }, { "conditions": [ { "condition": "transcribe:OutputBucketName", - "description": "Enables you to control access based on the output bucket name included in the request", + "description": "Filters access based on the output bucket name included in the request", "type": "String" }, { "condition": "transcribe:OutputEncryptionKMSKeyId", - "description": "Enables you to control access based on the KMS key id included in the request", + "description": "Filters access based on the KMS key id included in the request", "type": "String" }, { "condition": "transcribe:OutputKey", - "description": "Enables you to control access based on the output key included in the request", + "description": "Filters access based on the output key included in the request", "type": "String" } ], 
@@ -142642,7 +175167,19 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to create a new custom language model.", + "description": "Grants permission to create an analytics category. Amazon Transcribe applies the conditions specified by your analytics categories to your call analytics jobs", + "privilege": "CreateCallAnalyticsCategory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new custom language model", "privilege": "CreateLanguageModel", "resource_types": [ { @@ -142657,7 +175194,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new custom vocabulary that you can use to change the way Amazon Transcribe Medical handles transcription of an audio file.", + "description": "Grants permission to create a new custom vocabulary that you can use to change the way Amazon Transcribe Medical handles transcription of an audio file", "privilege": "CreateMedicalVocabulary", "resource_types": [ { @@ -142671,7 +175208,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new custom vocabulary that you can use to change the way Amazon Transcribe handles transcription of an audio file.", + "description": "Grants permission to create a new custom vocabulary that you can use to change the way Amazon Transcribe handles transcription of an audio file", "privilege": "CreateVocabulary", "resource_types": [ { 
@@ -142699,7 +175236,31 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a previously created custom language model.", + "description": "Grants permission to delete a call analytics category using its name from Amazon Transcribe", + "privilege": "DeleteCallAnalyticsCategory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a previously submitted call analytics job along with any other generated results such as the transcription, models, and so on", + "privilege": "DeleteCallAnalyticsJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a previously created custom language model", "privilege": "DeleteLanguageModel", "resource_types": [ { @@ -142711,7 +175272,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a previously submitted medical transcription job.", + "description": "Grants permission to delete a previously submitted medical transcription job", "privilege": "DeleteMedicalTranscriptionJob", "resource_types": [ { @@ -142723,7 +175284,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a medical vocabulary from Amazon Transcribe.", + "description": "Grants permission to delete a medical vocabulary from Amazon Transcribe", "privilege": "DeleteMedicalVocabulary", "resource_types": [ { 
@@ -142735,7 +175296,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a previously submitted transcription job along with any other generated results such as the transcription, models, and so on.", + "description": "Grants permission to delete a previously submitted transcription job along with any other generated results such as the transcription, models, and so on", "privilege": "DeleteTranscriptionJob", "resource_types": [ { @@ -142747,7 +175308,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a vocabulary from Amazon Transcribe.", + "description": "Grants permission to delete a vocabulary from Amazon Transcribe", "privilege": "DeleteVocabulary", "resource_types": [ { @@ -142759,7 +175320,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a vocabulary filter from Amazon Transcribe.", + "description": "Grants permission to delete a vocabulary filter from Amazon Transcribe", "privilege": "DeleteVocabularyFilter", "resource_types": [ { @@ -142771,7 +175332,7 @@ }, { "access_level": "Read", - "description": "Grants permission to return information about a custom language model.", + "description": "Grants permission to return information about a custom language model", "privilege": "DescribeLanguageModel", "resource_types": [ { 
@@ -142783,7 +175344,31 @@ }, { "access_level": "Read", - "description": "Grants permission to return information about a medical transcription job.", + "description": "Grants permission to retrieve information about a call analytics category", + "privilege": "GetCallAnalyticsCategory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a call analytics job", + "privilege": "GetCallAnalyticsJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a medical transcription job", "privilege": "GetMedicalTranscriptionJob", "resource_types": [ { @@ -142795,7 +175380,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get information about a medical vocabulary.", + "description": "Grants permission to get information about a medical vocabulary", "privilege": "GetMedicalVocabulary", "resource_types": [ { @@ -142807,7 +175392,7 @@ }, { "access_level": "Read", - "description": "Grants permission to return information about a transcription job.", + "description": "Grants permission to return information about a transcription job", "privilege": "GetTranscriptionJob", "resource_types": [ { @@ -142819,7 +175404,7 @@ }, { "access_level": "Read", - "description": "Grants permission to to get information about a vocabulary.", + "description": "Grants permission to to get information about a vocabulary", "privilege": "GetVocabulary", "resource_types": [ { @@ -142831,7 +175416,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get information about a vocabulary filter.", + "description": "Grants permission to get information about a vocabulary filter", "privilege": "GetVocabularyFilter", "resource_types": [ { 
@@ -142843,7 +175428,31 @@ }, { "access_level": "List", - "description": "Grants permission to list custom language models.", + "description": "Grants permission to list call analytics categories that has been created", + "privilege": "ListCallAnalyticsCategories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list call analytics jobs with the specified status", + "privilege": "ListCallAnalyticsJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list custom language models", "privilege": "ListLanguageModels", "resource_types": [ { @@ -142855,7 +175464,7 @@ }, { "access_level": "List", - "description": "Grants permission to list medical transcription jobs with the specified status.", + "description": "Grants permission to list medical transcription jobs with the specified status", "privilege": "ListMedicalTranscriptionJobs", "resource_types": [ { @@ -142867,7 +175476,7 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of medical vocabularies that match the specified criteria. If no criteria are specified, returns the entire list of vocabularies.", + "description": "Grants permission to return a list of medical vocabularies that match the specified criteria. If no criteria are specified, returns the entire list of vocabularies", "privilege": "ListMedicalVocabularies", "resource_types": [ { @@ -142879,7 +175488,7 @@ }, { "access_level": "List", - "description": "Grants permission to list transcription jobs with the specified status.", + "description": "Grants permission to list transcription jobs with the specified status", "privilege": "ListTranscriptionJobs", "resource_types": [ { 
@@ -142891,7 +175500,7 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of vocabularies that match the specified criteria. If no criteria are specified, returns the entire list of vocabularies.", + "description": "Grants permission to return a list of vocabularies that match the specified criteria. If no criteria are specified, returns the entire list of vocabularies", "privilege": "ListVocabularies", "resource_types": [ { @@ -142903,7 +175512,7 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of vocabulary filters that match the specified criteria. If no criteria are specified, returns the at most 5 vocabulary filters.", + "description": "Grants permission to return a list of vocabulary filters that match the specified criteria. If no criteria are specified, returns the at most 5 vocabulary filters", "privilege": "ListVocabularyFilters", "resource_types": [ { @@ -142915,7 +175524,21 @@ }, { "access_level": "Write", - "description": "Grants permission to start a protocol where audio is streamed to Transcribe Medical and the transcription results are streamed to your application.", + "description": "Grants permission to start an asynchronous analytics job that not only transcribes the audio recording of a caller and agent, but also returns additional insights", + "privilege": "StartCallAnalyticsJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "s3:GetObject" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a protocol where audio is streamed to Transcribe Medical and the transcription results are streamed to your application", "privilege": "StartMedicalStreamTranscription", "resource_types": [ { 
@@ -142927,7 +175550,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start a WebSocket where audio is streamed to Transcribe Medical and the transcription results are streamed to your application.", + "description": "Grants permission to start a WebSocket where audio is streamed to Transcribe Medical and the transcription results are streamed to your application", "privilege": "StartMedicalStreamTranscriptionWebSocket", "resource_types": [ { @@ -142939,7 +175562,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start an asynchronous job to transcribe medical speech to text.", + "description": "Grants permission to start an asynchronous job to transcribe medical speech to text", "privilege": "StartMedicalTranscriptionJob", "resource_types": [ { @@ -142953,7 +175576,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start a bidirectional HTTP2 stream to transcribe speech to text in real time.", + "description": "Grants permission to start a bidirectional HTTP2 stream to transcribe speech to text in real time", "privilege": "StartStreamTranscription", "resource_types": [ { @@ -142965,7 +175588,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start a websocket stream to transcribe speech to text in real time.", + "description": "Grants permission to start a websocket stream to transcribe speech to text in real time", "privilege": "StartStreamTranscriptionWebSocket", "resource_types": [ { @@ -142977,7 +175600,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start an asynchronous job to transcribe speech to text.", + "description": "Grants permission to start an asynchronous job to transcribe speech to text", "privilege": "StartTranscriptionJob", "resource_types": [ { 
@@ -142995,7 +175618,19 @@ }, { "access_level": "Write", - "description": "Grants permission to update an existing medical vocabulary with new values. The UpdateMedicalVocabulary operation overwrites all of the existing information with the values that you provide in the request.", + "description": "Grants permission to update the call analytics category with new values. The UpdateCallAnalyticsCategory operation overwrites all of the existing information with the values that you provide in the request", + "privilege": "UpdateCallAnalyticsCategory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an existing medical vocabulary with new values. The UpdateMedicalVocabulary operation overwrites all of the existing information with the values that you provide in the request", "privilege": "UpdateMedicalVocabulary", "resource_types": [ { @@ -143009,7 +175644,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an existing vocabulary with new values. The UpdateVocabulary operation overwrites all of the existing information with the values that you provide in the request.", + "description": "Grants permission to update an existing vocabulary with new values. The UpdateVocabulary operation overwrites all of the existing information with the values that you provide in the request", "privilege": "UpdateVocabulary", "resource_types": [ { 
@@ -143023,7 +175658,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update an existing vocabulary filter with new values. The UpdateVocabularyFilter operation overwrites all of the existing information with the values that you provide in the request.", + "description": "Grants permission to update an existing vocabulary filter with new values. The UpdateVocabularyFilter operation overwrites all of the existing information with the values that you provide in the request", "privilege": "UpdateVocabularyFilter", "resource_types": [ { @@ -143818,7 +176453,7 @@ }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", + "description": "Filters actions based on tag-value associated with the resource", "type": "String" }, { @@ -143831,7 +176466,7 @@ "privileges": [ { "access_level": "Write", - "description": "Creates a ByteMatchSet.", + "description": "Grants permission to create a ByteMatchSet", "privilege": "CreateByteMatchSet", "resource_types": [ { @@ -143843,7 +176478,7 @@ }, { "access_level": "Write", - "description": "Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate from.", + "description": "Grants permission to create a GeoMatchSet", "privilege": "CreateGeoMatchSet", "resource_types": [ { @@ -143855,7 +176490,7 @@ }, { "access_level": "Write", - "description": "Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate from.", + "description": "Grants permission to create an IPSet", "privilege": "CreateIPSet", "resource_types": [ { 
@@ -143867,7 +176502,7 @@ }, { "access_level": "Write", - "description": "Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period.", + "description": "Grants permission to create a RateBasedRule for limiting the volume of requests from a single IP address", "privilege": "CreateRateBasedRule", "resource_types": [ { @@ -143887,7 +176522,7 @@ }, { "access_level": "Write", - "description": "Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a RegexPatternSet.", + "description": "Grants permission to create a RegexMatchSet", "privilege": "CreateRegexMatchSet", "resource_types": [ { @@ -143899,7 +176534,7 @@ }, { "access_level": "Write", - "description": "Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for.", + "description": "Grants permission to create a RegexPatternSet", "privilege": "CreateRegexPatternSet", "resource_types": [ { @@ -143911,7 +176546,7 @@ }, { "access_level": "Write", - "description": "Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block.", + "description": "Grants permission to create a Rule for filtering web requests", "privilege": "CreateRule", "resource_types": [ { @@ -143931,7 +176566,7 @@ }, { "access_level": "Write", - "description": "Creates a RuleGroup. A rule group is a collection of predefined rules that you add to a WebACL.", + "description": "Grants permission to create a RuleGroup, which is a collection of predefined rules that you can use in a WebACL", "privilege": "CreateRuleGroup", "resource_types": [ { 
@@ -143951,7 +176586,7 @@ }, { "access_level": "Write", - "description": "Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length.", + "description": "Grants permission to create a SizeConstraintSet", "privilege": "CreateSizeConstraintSet", "resource_types": [ { @@ -143963,7 +176598,7 @@ }, { "access_level": "Write", - "description": "Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web requests.", + "description": "Grants permission to create an SqlInjectionMatchSet", "privilege": "CreateSqlInjectionMatchSet", "resource_types": [ { @@ -143975,7 +176610,7 @@ }, { "access_level": "Permissions management", - "description": "Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count.", + "description": "Grants permission to create a WebACL, which contains rules for filtering web requests", "privilege": "CreateWebACL", "resource_types": [ { @@ -143995,7 +176630,7 @@ }, { "access_level": "Write", - "description": "Create and store a CloudFormation tempalte that creates an equivalent WAF v2 WebACL from the given WAF Classic WebACL in the given S3 bucket.", + "description": "Grants permission to create a CloudFormation web ACL template in an S3 bucket for the purposes of migrating the web ACL from AWS WAF Classic to AWS WAF v2", "privilege": "CreateWebACLMigrationStack", "resource_types": [ { @@ -144009,7 +176644,7 @@ }, { "access_level": "Write", - "description": "Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests.", + "description": "Grants permission to create an XssMatchSet, which you use to detect requests that contain cross-site scripting attacks", "privilege": "CreateXssMatchSet", "resource_types": [ { 
@@ -144021,7 +176656,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a ByteMatchSet.", + "description": "Grants permission to delete a ByteMatchSet", "privilege": "DeleteByteMatchSet", "resource_types": [ { @@ -144033,7 +176668,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an GeoMatchSet.", + "description": "Grants permission to delete a GeoMatchSet", "privilege": "DeleteGeoMatchSet", "resource_types": [ { @@ -144045,7 +176680,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an IPSet.", + "description": "Grants permission to delete an IPSet", "privilege": "DeleteIPSet", "resource_types": [ { @@ -144057,7 +176692,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes the LoggingConfiguration from the specified web ACL.", + "description": "Grants permission to delete the LoggingConfiguration from a web ACL", "privilege": "DeleteLoggingConfiguration", "resource_types": [ { @@ -144069,7 +176704,7 @@ }, { "access_level": "Permissions management", - "description": "Permanently deletes an IAM policy from the specified RuleGroup.", + "description": "Grants permission to delete an IAM policy from a rule group", "privilege": "DeletePermissionPolicy", "resource_types": [ { @@ -144081,7 +176716,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a RateBasedRule.", + "description": "Grants permission to delete a RateBasedRule", "privilege": "DeleteRateBasedRule", "resource_types": [ { @@ -144093,7 +176728,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an RegexMatchSet.", + "description": "Grants permission to delete a RegexMatchSet", "privilege": "DeleteRegexMatchSet", "resource_types": [ { @@ -144105,7 +176740,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an RegexPatternSet.", + "description": "Grants permission to delete a RegexPatternSet", "privilege": "DeleteRegexPatternSet", "resource_types": [ { 
@@ -144117,7 +176752,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a Rule.", + "description": "Grants permission to delete a Rule", "privilege": "DeleteRule", "resource_types": [ { @@ -144129,7 +176764,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a RuleGroup.", + "description": "Grants permission to delete a RuleGroup", "privilege": "DeleteRuleGroup", "resource_types": [ { @@ -144141,7 +176776,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a SizeConstraintSet.", + "description": "Grants permission to delete a SizeConstraintSet", "privilege": "DeleteSizeConstraintSet", "resource_types": [ { @@ -144153,7 +176788,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a SqlInjectionMatchSet.", + "description": "Grants permission to delete an SqlInjectionMatchSet", "privilege": "DeleteSqlInjectionMatchSet", "resource_types": [ { @@ -144165,7 +176800,7 @@ }, { "access_level": "Permissions management", - "description": "Permanently deletes a WebACL.", + "description": "Grants permission to delete a WebACL", "privilege": "DeleteWebACL", "resource_types": [ { @@ -144177,7 +176812,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an XssMatchSet.", + "description": "Grants permission to delete an XssMatchSet", "privilege": "DeleteXssMatchSet", "resource_types": [ { @@ -144189,7 +176824,7 @@ }, { "access_level": "Read", - "description": "Returns the ByteMatchSet specified by ByteMatchSetId.", + "description": "Grants permission to retrieve a ByteMatchSet", "privilege": "GetByteMatchSet", "resource_types": [ { 
@@ -144201,7 +176836,7 @@ }, { "access_level": "Read", - "description": "When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete request.", + "description": "Grants permission to retrieve a change token to use in create, update, and delete requests", "privilege": "GetChangeToken", "resource_types": [ { @@ -144213,7 +176848,7 @@ }, { "access_level": "Read", - "description": "Returns the status of a ChangeToken that you got by calling GetChangeToken.", + "description": "Grants permission to retrieve the status of a change token", "privilege": "GetChangeTokenStatus", "resource_types": [ { @@ -144225,7 +176860,7 @@ }, { "access_level": "Read", - "description": "Returns the GeoMatchSet specified by GeoMatchSetId.", + "description": "Grants permission to retrieve a GeoMatchSet", "privilege": "GetGeoMatchSet", "resource_types": [ { @@ -144237,7 +176872,7 @@ }, { "access_level": "Read", - "description": "Returns the IPSet that is specified by IPSetId.", + "description": "Grants permission to retrieve an IPSet", "privilege": "GetIPSet", "resource_types": [ { @@ -144249,7 +176884,7 @@ }, { "access_level": "Read", - "description": "Returns the LoggingConfiguration for the specified web ACL.", + "description": "Grants permission to retrieve a LoggingConfiguration for a web ACL", "privilege": "GetLoggingConfiguration", "resource_types": [ { @@ -144261,7 +176896,7 @@ }, { "access_level": "Read", - "description": "Returns the IAM policy attached to the RuleGroup.", + "description": "Grants permission to retrieve an IAM policy for a rule group", "privilege": "GetPermissionPolicy", "resource_types": [ { 
@@ -144273,7 +176908,7 @@ }, { "access_level": "Read", - "description": "Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request.", + "description": "Grants permission to retrieve a RateBasedRule", "privilege": "GetRateBasedRule", "resource_types": [ { @@ -144285,7 +176920,7 @@ }, { "access_level": "Read", - "description": "Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId.", + "description": "Grants permission to retrieve the array of IP addresses that are currently being blocked by a RateBasedRule", "privilege": "GetRateBasedRuleManagedKeys", "resource_types": [ { @@ -144297,7 +176932,7 @@ }, { "access_level": "Read", - "description": "Returns the RegexMatchSet specified by RegexMatchSetId.", + "description": "Grants permission to retrieve a RegexMatchSet", "privilege": "GetRegexMatchSet", "resource_types": [ { @@ -144309,7 +176944,7 @@ }, { "access_level": "Read", - "description": "Returns the RegexPatternSet specified by RegexPatternSetId.", + "description": "Grants permission to retrieve a RegexPatternSet", "privilege": "GetRegexPatternSet", "resource_types": [ { @@ -144321,7 +176956,7 @@ }, { "access_level": "Read", - "description": "Returns the Rule that is specified by the RuleId that you included in the GetRule request.", + "description": "Grants permission to retrieve a Rule", "privilege": "GetRule", "resource_types": [ { @@ -144333,7 +176968,7 @@ }, { "access_level": "Read", - "description": "Returns the RuleGroup that is specified by the RuleGroupId that you included in the GetRuleGroup request.", + "description": "Grants permission to retrieve a RuleGroup", "privilege": "GetRuleGroup", "resource_types": [ { 
@@ -144345,7 +176980,7 @@ }, { "access_level": "Read", - "description": "Gets detailed information about a specified number of requests--a sample--that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose.", + "description": "Grants permission to retrieve detailed information about a sample set of web requests", "privilege": "GetSampledRequests", "resource_types": [ { @@ -144362,7 +176997,7 @@ }, { "access_level": "Read", - "description": "Returns the SizeConstraintSet specified by SizeConstraintSetId.", + "description": "Grants permission to retrieve a SizeConstraintSet", "privilege": "GetSizeConstraintSet", "resource_types": [ { @@ -144374,7 +177009,7 @@ }, { "access_level": "Read", - "description": "Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId.", + "description": "Grants permission to retrieve an SqlInjectionMatchSet", "privilege": "GetSqlInjectionMatchSet", "resource_types": [ { @@ -144386,7 +177021,7 @@ }, { "access_level": "Read", - "description": "Returns the WebACL that is specified by WebACLId.", + "description": "Grants permission to retrieve a WebACL", "privilege": "GetWebACL", "resource_types": [ { @@ -144398,7 +177033,7 @@ }, { "access_level": "Read", - "description": "Returns the XssMatchSet that is specified by XssMatchSetId.", + "description": "Grants permission to retrieve an XssMatchSet", "privilege": "GetXssMatchSet", "resource_types": [ { @@ -144410,7 +177045,7 @@ }, { "access_level": "List", - "description": "Returns an array of ActivatedRule objects.", + "description": "Grants permission to retrieve an array of ActivatedRule objects", "privilege": "ListActivatedRulesInRuleGroup", "resource_types": [ { 
@@ -144422,7 +177057,7 @@ }, { "access_level": "List", - "description": "Returns an array of ByteMatchSetSummary objects.", + "description": "Grants permission to retrieve an array of ByteMatchSetSummary objects", "privilege": "ListByteMatchSets", "resource_types": [ { @@ -144434,7 +177069,7 @@ }, { "access_level": "List", - "description": "Returns an array of GeoMatchSetSummary objects.", + "description": "Grants permission to retrieve an array of GeoMatchSetSummary objects", "privilege": "ListGeoMatchSets", "resource_types": [ { @@ -144446,7 +177081,7 @@ }, { "access_level": "List", - "description": "Returns an array of IPSetSummary objects in the response.", + "description": "Grants permission to retrieve an array of IPSetSummary objects", "privilege": "ListIPSets", "resource_types": [ { @@ -144458,7 +177093,7 @@ }, { "access_level": "List", - "description": "Returns an array of LoggingConfiguration objects.", + "description": "Grants permission to retrieve an array of LoggingConfiguration objects", "privilege": "ListLoggingConfigurations", "resource_types": [ { @@ -144470,7 +177105,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleSummary objects.", + "description": "Grants permission to retrieve an array of RuleSummary objects", "privilege": "ListRateBasedRules", "resource_types": [ { @@ -144482,7 +177117,7 @@ }, { "access_level": "List", - "description": "Returns an array of RegexMatchSetSummary objects.", + "description": "Grants permission to retrieve an array of RegexMatchSetSummary objects", "privilege": "ListRegexMatchSets", "resource_types": [ { @@ -144494,7 +177129,7 @@ }, { "access_level": "List", - "description": "Returns an array of RegexPatternSetSummary objects.", + "description": "Grants permission to retrieve an array of RegexPatternSetSummary objects", "privilege": "ListRegexPatternSets", "resource_types": [ { 
@@ -144506,7 +177141,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleGroup objects.", + "description": "Grants permission to retrieve an array of RuleGroup objects", "privilege": "ListRuleGroups", "resource_types": [ { @@ -144518,7 +177153,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleSummary objects.", + "description": "Grants permission to retrieve an array of RuleSummary objects", "privilege": "ListRules", "resource_types": [ { @@ -144530,7 +177165,7 @@ }, { "access_level": "List", - "description": "Returns an array of SizeConstraintSetSummary objects.", + "description": "Grants permission to retrieve an array of SizeConstraintSetSummary objects", "privilege": "ListSizeConstraintSets", "resource_types": [ { @@ -144542,7 +177177,7 @@ }, { "access_level": "List", - "description": "Returns an array of SqlInjectionMatchSet objects.", + "description": "Grants permission to retrieve an array of SqlInjectionMatchSet objects", "privilege": "ListSqlInjectionMatchSets", "resource_types": [ { @@ -144554,7 +177189,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleGroup objects that you are subscribed to.", + "description": "Grants permission to retrieve an array of RuleGroup objects that you are subscribed to", "privilege": "ListSubscribedRuleGroups", "resource_types": [ { @@ -144566,7 +177201,7 @@ }, { "access_level": "Read", - "description": "Lists the Tags for a given resource.", + "description": "Grants permission to retrieve the tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -144593,7 +177228,7 @@ }, { "access_level": "List", - "description": "Returns an array of WebACLSummary objects in the response.", + "description": "Grants permission to retrieve an array of WebACLSummary objects", "privilege": "ListWebACLs", "resource_types": [ { 
@@ -144605,7 +177240,7 @@ }, { "access_level": "List", - "description": "Returns an array of XssMatchSet objects.", + "description": "Grants permission to retrieve an array of XssMatchSet objects", "privilege": "ListXssMatchSets", "resource_types": [ { @@ -144617,7 +177252,7 @@ }, { "access_level": "Write", - "description": "Associates a LoggingConfiguration with a specified web ACL.", + "description": "Grants permission to associate a LoggingConfiguration with a specified web ACL", "privilege": "PutLoggingConfiguration", "resource_types": [ { @@ -144631,7 +177266,7 @@ }, { "access_level": "Permissions management", - "description": "Attaches a IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts.", + "description": "Grants permission to attach an IAM policy to a rule group, to share the rule group between accounts", "privilege": "PutPermissionPolicy", "resource_types": [ { @@ -144643,7 +177278,7 @@ }, { "access_level": "Tagging", - "description": "Adds a Tag to a given resource.", + "description": "Grants permission to add a Tag to a resource", "privilege": "TagResource", "resource_types": [ { @@ -144678,7 +177313,7 @@ }, { "access_level": "Tagging", - "description": "Removes a Tag from a given resource.", + "description": "Grants permission to remove a Tag from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -144712,7 +177347,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet.", + "description": "Grants permission to insert or delete ByteMatchTuple objects in a ByteMatchSet", "privilege": "UpdateByteMatchSet", "resource_types": [ { 
@@ -144724,7 +177359,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet.", + "description": "Grants permission to insert or delete GeoMatchConstraint objects in a GeoMatchSet", "privilege": "UpdateGeoMatchSet", "resource_types": [ { @@ -144736,7 +177371,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes IPSetDescriptor objects in an IPSet.", + "description": "Grants permission to insert or delete IPSetDescriptor objects in an IPSet", "privilege": "UpdateIPSet", "resource_types": [ { @@ -144748,7 +177383,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule.", + "description": "Grants permission to modify a rate based rule", "privilege": "UpdateRateBasedRule", "resource_types": [ { @@ -144760,7 +177395,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet.", + "description": "Grants permission to insert or delete RegexMatchTuple objects in a RegexMatchSet", "privilege": "UpdateRegexMatchSet", "resource_types": [ { @@ -144772,7 +177407,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes RegexPatternStrings in a RegexPatternSet.", + "description": "Grants permission to insert or delete RegexPatternStrings in a RegexPatternSet", "privilege": "UpdateRegexPatternSet", "resource_types": [ { @@ -144784,7 +177419,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes Predicate objects in a Rule.", + "description": "Grants permission to modify a Rule", "privilege": "UpdateRule", "resource_types": [ { @@ -144796,7 +177431,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes ActivatedRule objects in a RuleGroup.", + "description": "Grants permission to insert or delete ActivatedRule objects in a RuleGroup", "privilege": "UpdateRuleGroup", "resource_types": [ { 
@@ -144808,7 +177443,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet.", + "description": "Grants permission to insert or delete SizeConstraint objects in a SizeConstraintSet", "privilege": "UpdateSizeConstraintSet", "resource_types": [ { @@ -144820,7 +177455,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet.", + "description": "Grants permission to insert or delete SqlInjectionMatchTuple objects in an SqlInjectionMatchSet", "privilege": "UpdateSqlInjectionMatchSet", "resource_types": [ { @@ -144832,7 +177467,7 @@ }, { "access_level": "Permissions management", - "description": "Inserts or deletes ActivatedRule objects in a WebACL.", + "description": "Grants permission to insert or delete ActivatedRule objects in a WebACL", "privilege": "UpdateWebACL", "resource_types": [ { @@ -144844,7 +177479,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet.", + "description": "Grants permission to insert or delete XssMatchTuple objects in an XssMatchSet", "privilege": "UpdateXssMatchSet", "resource_types": [ { @@ -144949,7 +177584,7 @@ "privileges": [ { "access_level": "Write", - "description": "Associates a WebACL with a resource.", + "description": "Grants permission to associate a web ACL with a resource", "privilege": "AssociateWebACL", "resource_types": [ { @@ -144966,7 +177601,7 @@ }, { "access_level": "Write", - "description": "Creates a ByteMatchSet.", + "description": "Grants permission to create a ByteMatchSet", "privilege": "CreateByteMatchSet", "resource_types": [ { 
@@ -144978,7 +177613,7 @@ }, { "access_level": "Write", - "description": "Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate rom.", + "description": "Grants permission to create a GeoMatchSet", "privilege": "CreateGeoMatchSet", "resource_types": [ { @@ -144990,7 +177625,7 @@ }, { "access_level": "Write", - "description": "Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate rom.", + "description": "Grants permission to create an IPSet", "privilege": "CreateIPSet", "resource_types": [ { @@ -145002,7 +177637,7 @@ }, { "access_level": "Write", - "description": "Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address n a five-minute period.", + "description": "Grants permission to create a RateBasedRule", "privilege": "CreateRateBasedRule", "resource_types": [ { @@ -145022,7 +177657,7 @@ }, { "access_level": "Write", - "description": "Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a egexPatternSet.", + "description": "Grants permission to create a RegexMatchSet", "privilege": "CreateRegexMatchSet", "resource_types": [ { @@ -145034,7 +177669,7 @@ }, { "access_level": "Write", - "description": "Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for.", + "description": "Grants permission to create a RegexPatternSet", "privilege": "CreateRegexPatternSet", "resource_types": [ { 
@@ -145046,7 +177681,7 @@ }, { "access_level": "Write", - "description": "Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to lock.", + "description": "Grants permission to create a Rule", "privilege": "CreateRule", "resource_types": [ { @@ -145066,7 +177701,7 @@ }, { "access_level": "Write", - "description": "Creates a RuleGroup. A rule group is a collection of predefined rules that you add to a WebACL.", + "description": "Grants permission to create a RuleGroup", "privilege": "CreateRuleGroup", "resource_types": [ { @@ -145086,7 +177721,7 @@ }, { "access_level": "Write", - "description": "Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length.", + "description": "Grants permission to create a SizeConstraintSet", "privilege": "CreateSizeConstraintSet", "resource_types": [ { @@ -145098,7 +177733,7 @@ }, { "access_level": "Write", - "description": "Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web equests.", + "description": "Grants permission to create an SqlInjectionMatchSet", "privilege": "CreateSqlInjectionMatchSet", "resource_types": [ { @@ -145110,7 +177745,7 @@ }, { "access_level": "Permissions management", - "description": "Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count.", + "description": "Grants permission to create a WebACL", "privilege": "CreateWebACL", "resource_types": [ { 
@@ -145130,7 +177765,7 @@ }, { "access_level": "Write", - "description": "Create and store a CloudFormation tempalte that creates an equivalent WAF v2 WebACL from the given WAF Classic WebACL in the given S3 bucket.", + "description": "Grants permission to create a CloudFormation web ACL template in an S3 bucket for the purposes of migrating the web ACL from AWS WAF Classic to AWS WAF v2", "privilege": "CreateWebACLMigrationStack", "resource_types": [ { @@ -145144,7 +177779,7 @@ }, { "access_level": "Write", - "description": "Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web equests.", + "description": "Grants permission to create an XssMatchSet", "privilege": "CreateXssMatchSet", "resource_types": [ { @@ -145156,7 +177791,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a ByteMatchSet.", + "description": "Grants permission to delete a ByteMatchSet", "privilege": "DeleteByteMatchSet", "resource_types": [ { @@ -145168,7 +177803,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an GeoMatchSet.", + "description": "Grants permission to delete a GeoMatchSet", "privilege": "DeleteGeoMatchSet", "resource_types": [ { @@ -145180,7 +177815,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an IPSet.", + "description": "Grants permission to delete an IPSet", "privilege": "DeleteIPSet", "resource_types": [ { @@ -145192,7 +177827,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes the LoggingConfiguration from the specified web ACL.", + "description": "Grants permission to delete a LoggingConfiguration from a web ACL", "privilege": "DeleteLoggingConfiguration", "resource_types": [ { 
@@ -145204,7 +177839,7 @@ }, { "access_level": "Permissions management", - "description": "Permanently deletes an IAM policy from the specified RuleGroup.", + "description": "Grants permission to delete an IAM policy from a rule group", "privilege": "DeletePermissionPolicy", "resource_types": [ { @@ -145216,7 +177851,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a RateBasedRule.", + "description": "Grants permission to delete a RateBasedRule", "privilege": "DeleteRateBasedRule", "resource_types": [ { @@ -145228,7 +177863,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an RegexMatchSet.", + "description": "Grants permission to delete a RegexMatchSet", "privilege": "DeleteRegexMatchSet", "resource_types": [ { @@ -145240,7 +177875,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an RegexPatternSet.", + "description": "Grants permission to delete a RegexPatternSet", "privilege": "DeleteRegexPatternSet", "resource_types": [ { @@ -145252,7 +177887,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a Rule.", + "description": "Grants permission to delete a Rule", "privilege": "DeleteRule", "resource_types": [ { @@ -145264,7 +177899,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a RuleGroup.", + "description": "Grants permission to delete a RuleGroup", "privilege": "DeleteRuleGroup", "resource_types": [ { @@ -145276,7 +177911,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a SizeConstraintSet.", + "description": "Grants permission to delete a SizeConstraintSet", "privilege": "DeleteSizeConstraintSet", "resource_types": [ { @@ -145288,7 +177923,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes a SqlInjectionMatchSet.", + "description": "Grants permission to delete an SqlInjectionMatchSet", "privilege": "DeleteSqlInjectionMatchSet", "resource_types": [ { 
@@ -145300,7 +177935,7 @@ }, { "access_level": "Permissions management", - "description": "Permanently deletes a WebACL.", + "description": "Grants permission to delete a WebACL", "privilege": "DeleteWebACL", "resource_types": [ { @@ -145312,7 +177947,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an XssMatchSet.", + "description": "Grants permission to delete an XssMatchSet", "privilege": "DeleteXssMatchSet", "resource_types": [ { @@ -145324,7 +177959,7 @@ }, { "access_level": "Write", - "description": "Removes a WebACL from the specified resource.", + "description": "Grants permission to delete an association between a web ACL and a resource", "privilege": "DisassociateWebACL", "resource_types": [ { @@ -145336,7 +177971,7 @@ }, { "access_level": "Read", - "description": "Returns the ByteMatchSet specified by ByteMatchSetId.", + "description": "Grants permission to retrieve a ByteMatchSet", "privilege": "GetByteMatchSet", "resource_types": [ { @@ -145348,7 +177983,7 @@ }, { "access_level": "Read", - "description": "When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete equest.", + "description": "Grants permission to retrieve a change token to use in create, update, and delete requests", "privilege": "GetChangeToken", "resource_types": [ { @@ -145360,7 +177995,7 @@ }, { "access_level": "Read", - "description": "Returns the status of a ChangeToken that you got by calling GetChangeToken.", + "description": "Grants permission to retrieve the status of a change token", "privilege": "GetChangeTokenStatus", "resource_types": [ { @@ -145372,7 +178007,7 @@ }, { "access_level": "Read", - "description": "Returns the GeoMatchSet specified by GeoMatchSetId.", + "description": "Grants permission to retrieve a GeoMatchSet", "privilege": "GetGeoMatchSet", "resource_types": [ { 
@@ -145384,7 +178019,7 @@ }, { "access_level": "Read", - "description": "Returns the IPSet that is specified by IPSetId.", + "description": "Grants permission to retrieve an IPSet", "privilege": "GetIPSet", "resource_types": [ { @@ -145396,7 +178031,7 @@ }, { "access_level": "Read", - "description": "Returns the LoggingConfiguration for the specified web ACL.", + "description": "Grants permission to retrieve a LoggingConfiguration", "privilege": "GetLoggingConfiguration", "resource_types": [ { @@ -145408,7 +178043,7 @@ }, { "access_level": "Read", - "description": "Returns the IAM policy attached to the RuleGroup.", + "description": "Grants permission to retrieve an IAM policy attached to a RuleGroup", "privilege": "GetPermissionPolicy", "resource_types": [ { @@ -145420,7 +178055,7 @@ }, { "access_level": "Read", - "description": "Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request.", + "description": "Grants permission to retrieve a RateBasedRule", "privilege": "GetRateBasedRule", "resource_types": [ { @@ -145432,7 +178067,7 @@ }, { "access_level": "Read", - "description": "Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId.", + "description": "Grants permission to retrieve the array of IP addresses that are currently being blocked by a RateBasedRule", "privilege": "GetRateBasedRuleManagedKeys", "resource_types": [ { @@ -145444,7 +178079,7 @@ }, { "access_level": "Read", - "description": "Returns the RegexMatchSet specified by RegexMatchSetId.", + "description": "Grants permission to retrieve a RegexMatchSet", "privilege": "GetRegexMatchSet", "resource_types": [ { @@ -145456,7 +178091,7 @@ }, { "access_level": "Read", - "description": "Returns the RegexPatternSet specified by RegexPatternSetId.", + "description": "Grants permission to retrieve a RegexPatternSet", "privilege": "GetRegexPatternSet", "resource_types": [ { 
@@ -145468,7 +178103,7 @@ }, { "access_level": "Read", - "description": "Returns the Rule that is specified by the RuleId that you included in the GetRule request.", + "description": "Grants permission to retrieve a Rule", "privilege": "GetRule", "resource_types": [ { @@ -145480,7 +178115,7 @@ }, { "access_level": "Read", - "description": "Returns the RuleGroup that is specified by the RuleGroupId that you included in the GetRuleGroup request.", + "description": "Grants permission to retrieve a RuleGroup", "privilege": "GetRuleGroup", "resource_types": [ { @@ -145492,7 +178127,7 @@ }, { "access_level": "Read", - "description": "Gets detailed information about a specified number of requests--a sample--that AWS WAF randomly selects from among the first 5,000 requests hat your AWS resource received during a time range that you choose.", + "description": "Grants permission to retrieve detailed information for a sample set of web requests", "privilege": "GetSampledRequests", "resource_types": [ { @@ -145509,7 +178144,7 @@ }, { "access_level": "Read", - "description": "Returns the SizeConstraintSet specified by SizeConstraintSetId.", + "description": "Grants permission to retrieve a SizeConstraintSet", "privilege": "GetSizeConstraintSet", "resource_types": [ { @@ -145521,7 +178156,7 @@ }, { "access_level": "Read", - "description": "Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId.", + "description": "Grants permission to retrieve an SqlInjectionMatchSet", "privilege": "GetSqlInjectionMatchSet", "resource_types": [ { @@ -145533,7 +178168,7 @@ }, { "access_level": "Read", - "description": "Returns the WebACL that is specified by WebACLId.", + "description": "Grants permission to retrieve a WebACL", "privilege": "GetWebACL", "resource_types": [ { 
@@ -145545,7 +178180,7 @@ }, { "access_level": "Read", - "description": "Returns the WebACL for the specified resource.", + "description": "Grants permission to retrieve a WebACL that's associated with a specified resource", "privilege": "GetWebACLForResource", "resource_types": [ { @@ -145557,7 +178192,7 @@ }, { "access_level": "Read", - "description": "Returns the XssMatchSet that is specified by XssMatchSetId.", + "description": "Grants permission to retrieve an XssMatchSet", "privilege": "GetXssMatchSet", "resource_types": [ { @@ -145569,7 +178204,7 @@ }, { "access_level": "List", - "description": "Returns an array of ActivatedRule objects.", + "description": "Grants permission to retrieve an array of ActivatedRule objects", "privilege": "ListActivatedRulesInRuleGroup", "resource_types": [ { @@ -145581,7 +178216,7 @@ }, { "access_level": "List", - "description": "Returns an array of ByteMatchSetSummary objects.", + "description": "Grants permission to retrieve an array of ByteMatchSetSummary objects", "privilege": "ListByteMatchSets", "resource_types": [ { @@ -145593,7 +178228,7 @@ }, { "access_level": "List", - "description": "Returns an array of GeoMatchSetSummary objects.", + "description": "Grants permission to retrieve an array of GeoMatchSetSummary objects", "privilege": "ListGeoMatchSets", "resource_types": [ { @@ -145605,7 +178240,7 @@ }, { "access_level": "List", - "description": "Returns an array of IPSetSummary objects in the response.", + "description": "Grants permission to retrieve an array of IPSetSummary objects", "privilege": "ListIPSets", "resource_types": [ { @@ -145617,7 +178252,7 @@ }, { "access_level": "List", - "description": "Returns an array of LoggingConfiguration objects.", + "description": "Grants permission to retrieve an array of LoggingConfiguration objects", "privilege": "ListLoggingConfigurations", "resource_types": [ { 
@@ -145629,7 +178264,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleSummary objects.", + "description": "Grants permission to retrieve an array of RuleSummary objects", "privilege": "ListRateBasedRules", "resource_types": [ { @@ -145641,7 +178276,7 @@ }, { "access_level": "List", - "description": "Returns an array of RegexMatchSetSummary objects.", + "description": "Grants permission to retrieve an array of RegexMatchSetSummary objects", "privilege": "ListRegexMatchSets", "resource_types": [ { @@ -145653,7 +178288,7 @@ }, { "access_level": "List", - "description": "Returns an array of RegexPatternSetSummary objects.", + "description": "Grants permission to retrieve an array of RegexPatternSetSummary objects", "privilege": "ListRegexPatternSets", "resource_types": [ { @@ -145665,7 +178300,7 @@ }, { "access_level": "List", - "description": "Returns an array of resources associated with the specified WebACL.", + "description": "Grants permission to retrieve an array of resources associated with a specified WebACL", "privilege": "ListResourcesForWebACL", "resource_types": [ { @@ -145677,7 +178312,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleGroup objects.", + "description": "Grants permission to retrieve an array of RuleGroup objects", "privilege": "ListRuleGroups", "resource_types": [ { @@ -145689,7 +178324,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleSummary objects.", + "description": "Grants permission to retrieve an array of RuleSummary objects", "privilege": "ListRules", "resource_types": [ { @@ -145701,7 +178336,7 @@ }, { "access_level": "List", - "description": "Returns an array of SizeConstraintSetSummary objects.", + "description": "Grants permission to retrieve an array of SizeConstraintSetSummary objects", "privilege": "ListSizeConstraintSets", "resource_types": [ { 
@@ -145713,7 +178348,7 @@ }, { "access_level": "List", - "description": "Returns an array of SqlInjectionMatchSet objects.", + "description": "Grants permission to retrieve an array of SqlInjectionMatchSet objects", "privilege": "ListSqlInjectionMatchSets", "resource_types": [ { @@ -145725,7 +178360,7 @@ }, { "access_level": "List", - "description": "Returns an array of RuleGroup objects that you are subscribed to.", + "description": "Grants permission to retrieve an array of RuleGroup objects that you are subscribed to", "privilege": "ListSubscribedRuleGroups", "resource_types": [ { @@ -145737,7 +178372,7 @@ }, { "access_level": "Read", - "description": "Lists the Tags for a given resource.", + "description": "Grants permission to lists the Tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -145764,7 +178399,7 @@ }, { "access_level": "List", - "description": "Returns an array of WebACLSummary objects in the response.", + "description": "Grants permission to retrieve an array of WebACLSummary objects", "privilege": "ListWebACLs", "resource_types": [ { @@ -145776,7 +178411,7 @@ }, { "access_level": "List", - "description": "Returns an array of XssMatchSet objects.", + "description": "Grants permission to retrieve an array of XssMatchSet objects", "privilege": "ListXssMatchSets", "resource_types": [ { @@ -145788,7 +178423,7 @@ }, { "access_level": "Write", - "description": "Associates a LoggingConfiguration with a specified web ACL.", + "description": "Grants permission to associates a LoggingConfiguration with a web ACL", "privilege": "PutLoggingConfiguration", "resource_types": [ { 
@@ -145802,7 +178437,7 @@ }, { "access_level": "Permissions management", - "description": "Attaches a IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts.", + "description": "Grants permission to attach an IAM policy to a specified rule group, to support rule group sharing between accounts", "privilege": "PutPermissionPolicy", "resource_types": [ { @@ -145814,7 +178449,7 @@ }, { "access_level": "Tagging", - "description": "Adds a Tag to a given resource.", + "description": "Grants permission to add a Tag to a resource", "privilege": "TagResource", "resource_types": [ { @@ -145849,7 +178484,7 @@ }, { "access_level": "Tagging", - "description": "Removes a Tag from a given resource.", + "description": "Grants permission to remove a Tag from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -145883,7 +178518,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet.", + "description": "Grants permission to insert or delete ByteMatchTuple objects in a ByteMatchSet", "privilege": "UpdateByteMatchSet", "resource_types": [ { @@ -145895,7 +178530,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet.", + "description": "Grants permission to insert or delete GeoMatchConstraint objects in a GeoMatchSet", "privilege": "UpdateGeoMatchSet", "resource_types": [ { @@ -145907,7 +178542,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes IPSetDescriptor objects in an IPSet.", + "description": "Grants permission to insert or delete IPSetDescriptor objects in an IPSet", "privilege": "UpdateIPSet", "resource_types": [ { 
@@ -145919,7 +178554,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule.", + "description": "Grants permission to insert or delete predicate objects in a rate based rule and update the RateLimit in the rule", "privilege": "UpdateRateBasedRule", "resource_types": [ { @@ -145931,7 +178566,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet.", + "description": "Grants permission to insert or delete RegexMatchTuple objects in a RegexMatchSet", "privilege": "UpdateRegexMatchSet", "resource_types": [ { @@ -145943,7 +178578,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes RegexPatternStrings in a RegexPatternSet.", + "description": "Grants permission to insert or delete RegexPatternStrings in a RegexPatternSet", "privilege": "UpdateRegexPatternSet", "resource_types": [ { @@ -145955,7 +178590,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes Predicate objects in a Rule.", + "description": "Grants permission to insert or delete predicate objects in a Rule", "privilege": "UpdateRule", "resource_types": [ { @@ -145967,7 +178602,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes ActivatedRule objects in a RuleGroup.", + "description": "Grants permission to insert or delete ActivatedRule objects in a RuleGroup", "privilege": "UpdateRuleGroup", "resource_types": [ { @@ -145979,7 +178614,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet.", + "description": "Grants permission to insert or delete SizeConstraint objects in a SizeConstraintSet", "privilege": "UpdateSizeConstraintSet", "resource_types": [ { 
@@ -145991,7 +178626,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet.", + "description": "Grants permission to insert or delete SqlInjectionMatchTuple objects in an SqlInjectionMatchSet", "privilege": "UpdateSqlInjectionMatchSet", "resource_types": [ { @@ -146003,7 +178638,7 @@ }, { "access_level": "Permissions management", - "description": "Inserts or deletes ActivatedRule objects in a WebACL.", + "description": "Grants permission to insert or delete ActivatedRule objects in a WebACL", "privilege": "UpdateWebACL", "resource_types": [ { @@ -146015,7 +178650,7 @@ }, { "access_level": "Write", - "description": "Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet.", + "description": "Grants permission to insert or delete XssMatchTuple objects in an XssMatchSet", "privilege": "UpdateXssMatchSet", "resource_types": [ { @@ -146112,7 +178747,7 @@ }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag-value assoicated with the resource", + "description": "Filters actions based on tag-value associated with the resource", "type": "String" }, { @@ -146125,7 +178760,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate a WebACL with a resource.", + "description": "Grants permission to associate a WebACL with a resource", "privilege": "AssociateWebACL", "resource_types": [ { @@ -146152,7 +178787,7 @@ }, { "access_level": "Read", - "description": "Grants permission to calculate web ACL capacity unit (WCU) requirements for a specified scope and set of rules.", + "description": "Grants permission to calculate web ACL capacity unit (WCU) requirements for a specified scope and set of rules", "privilege": "CheckCapacity", "resource_types": [ { 
@@ -146164,7 +178799,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create an IPSet.", + "description": "Grants permission to create an IPSet", "privilege": "CreateIPSet", "resource_types": [ { @@ -146184,7 +178819,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a RegexPatternSet.", + "description": "Grants permission to create a RegexPatternSet", "privilege": "CreateRegexPatternSet", "resource_types": [ { @@ -146204,7 +178839,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a RuleGroup.", + "description": "Grants permission to create a RuleGroup", "privilege": "CreateRuleGroup", "resource_types": [ { @@ -146224,7 +178859,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to create a WebACL.", + "description": "Grants permission to create a WebACL", "privilege": "CreateWebACL", "resource_types": [ { @@ -146244,7 +178879,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete specified FirewallManagedRulesGroups from the specified WebACL if not managed by Firewall Manager anymore.", + "description": "Grants permission to delete FirewallManagedRulesGroups from a WebACL if not managed by Firewall Manager anymore", "privilege": "DeleteFirewallManagerRuleGroups", "resource_types": [ { @@ -146256,7 +178891,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the specified IPSet.", + "description": "Grants permission to delete an IPSet", "privilege": "DeleteIPSet", "resource_types": [ { @@ -146268,7 +178903,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the LoggingConfiguration from the specified WebACL.", + "description": "Grants permission to delete the LoggingConfiguration from a WebACL", "privilege": "DeleteLoggingConfiguration", "resource_types": [ { 
@@ -146280,7 +178915,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to delete the PermissionPolicy on the specified RuleGroup.", + "description": "Grants permission to delete the PermissionPolicy on a RuleGroup", "privilege": "DeletePermissionPolicy", "resource_types": [ { @@ -146292,7 +178927,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the specified RegexPatternSet.", + "description": "Grants permission to delete a RegexPatternSet", "privilege": "DeleteRegexPatternSet", "resource_types": [ { @@ -146304,7 +178939,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the specified RuleGroup.", + "description": "Grants permission to delete a RuleGroup", "privilege": "DeleteRuleGroup", "resource_types": [ { @@ -146316,7 +178951,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to delete the specified WebACL.", + "description": "Grants permission to delete a WebACL", "privilege": "DeleteWebACL", "resource_types": [ { @@ -146328,7 +178963,7 @@ }, { "access_level": "List", - "description": "Grants permission to view high-level information for a managed rule group.", + "description": "Grants permission to retrieve high-level information for a managed rule group", "privilege": "DescribeManagedRuleGroup", "resource_types": [ { @@ -146340,7 +178975,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate Firewall Manager from the specified WebACL.", + "description": "Grants permission to disassociate Firewall Manager from a WebACL", "privilege": "DisassociateFirewallManager", "resource_types": [ { @@ -146352,7 +178987,7 @@ }, { "access_level": "Write", - "description": "Grants permission disassociate a WebACL from an application resource.", + "description": "Grants permission disassociate a WebACL from an application resource", "privilege": "DisassociateWebACL", "resource_types": [ { 
@@ -146374,7 +179009,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view details about the specified IPSet.", + "description": "Grants permission to retrieve details about an IPSet", "privilege": "GetIPSet", "resource_types": [ { @@ -146393,7 +179028,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view LoggingConfiguration about the specified WebACL.", + "description": "Grants permission to retrieve LoggingConfiguration for a WebACL", "privilege": "GetLoggingConfiguration", "resource_types": [ { @@ -146412,7 +179047,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view PermissionPolicy on the specified RuleGroup.", + "description": "Grants permission to retrieve a PermissionPolicy for a RuleGroup", "privilege": "GetPermissionPolicy", "resource_types": [ { @@ -146424,7 +179059,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view the keys that are currently blocked by a rate-based rule.", + "description": "Grants permission to retrieve the keys that are currently blocked by a rate-based rule", "privilege": "GetRateBasedStatementManagedKeys", "resource_types": [ { @@ -146443,7 +179078,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view details about the specified RegexPatternSet.", + "description": "Grants permission to retrieve details about a RegexPatternSet", "privilege": "GetRegexPatternSet", "resource_types": [ { @@ -146462,7 +179097,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view details about the specified RuleGroup.", + "description": "Grants permission to retrieve details about a RuleGroup", "privilege": "GetRuleGroup", "resource_types": [ { 
@@ -146481,7 +179116,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view detailed information about a specified number of requests--a sample--that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose.", + "description": "Grants permission to retrieve detailed information about a sampling of web requests", "privilege": "GetSampledRequests", "resource_types": [ { @@ -146493,7 +179128,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view details about the specified GetWebACL.", + "description": "Grants permission to retrieve details about a WebACL", "privilege": "GetWebACL", "resource_types": [ { @@ -146512,7 +179147,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view the WebACL for the specified resource.", + "description": "Grants permission to retrieve the WebACL that's associated with a resource", "privilege": "GetWebACLForResource", "resource_types": [ { @@ -146534,7 +179169,7 @@ }, { "access_level": "List", - "description": "Grants permission to view an array of managed rule groups that are available for you to use.", + "description": "Grants permission to retrieve an array of managed rule groups that are available for you to use", "privilege": "ListAvailableManagedRuleGroups", "resource_types": [ { @@ -146546,7 +179181,7 @@ }, { "access_level": "List", - "description": "Grants permission to view an array of IPSetSummary objects for the IP sets that you manage.", + "description": "Grants permission to retrieve an array of IPSetSummary objects for the IP sets that you manage", "privilege": "ListIPSets", "resource_types": [ { 
@@ -146558,7 +179193,7 @@ }, { "access_level": "List", - "description": "Grants permission to view an array of your LoggingConfiguration objects.", + "description": "Grants permission to retrieve an array of your LoggingConfiguration objects", "privilege": "ListLoggingConfigurations", "resource_types": [ { @@ -146570,7 +179205,7 @@ }, { "access_level": "List", - "description": "Grants permission to view an array of RegexPatternSetSummary objects for the regex pattern sets that you manage.", + "description": "Grants permission to retrieve an array of RegexPatternSetSummary objects for the regex pattern sets that you manage", "privilege": "ListRegexPatternSets", "resource_types": [ { @@ -146582,7 +179217,7 @@ }, { "access_level": "List", - "description": "Grants permission to view an array of the Amazon Resource Names (ARNs) for the resources that are associated with the specified web ACL.", + "description": "Grants permission to retrieve an array of the Amazon Resource Names (ARNs) for the resources that are associated with a web ACL", "privilege": "ListResourcesForWebACL", "resource_types": [ { @@ -146594,7 +179229,7 @@ }, { "access_level": "List", - "description": "Grants permission to view an array of RuleGroupSummary objects for the rule groups that you manage.", + "description": "Grants permission to retrieve an array of RuleGroupSummary objects for the rule groups that you manage", "privilege": "ListRuleGroups", "resource_types": [ { @@ -146606,7 +179241,7 @@ }, { "access_level": "Read", - "description": "Grants permission to lists tag for the specified resource.", + "description": "Grants permission to list tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { 
@@ -146640,7 +179275,7 @@ }, { "access_level": "List", - "description": "Grants permission to view an array of WebACLSummary objects for the web ACLs that you manage.", + "description": "Grants permission to retrieve an array of WebACLSummary objects for the web ACLs that you manage", "privilege": "ListWebACLs", "resource_types": [ { @@ -146652,7 +179287,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create FirewallManagedRulesGroups in the specified WebACL.", + "description": "Grants permission to create FirewallManagedRulesGroups in a WebACL", "privilege": "PutFirewallManagerRuleGroups", "resource_types": [ { @@ -146664,7 +179299,7 @@ }, { "access_level": "Write", - "description": "Grants permission to enables the specified LoggingConfiguration, to start logging from a web ACL.", + "description": "Grants permission to enable a LoggingConfiguration, to start logging for a web ACL", "privilege": "PutLoggingConfiguration", "resource_types": [ { @@ -146678,7 +179313,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to attach the specified IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts.", + "description": "Grants permission to attach an IAM policy to a resource, used to share rule groups between accounts", "privilege": "PutPermissionPolicy", "resource_types": [ { @@ -146690,7 +179325,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to associates tags with the specified AWS resource.", + "description": "Grants permission to associate tags with a AWS resource", "privilege": "TagResource", "resource_types": [ { @@ -146726,7 +179361,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to disassociates tags from an AWS resource.", + "description": "Grants permission to disassociate tags from an AWS resource", "privilege": "UntagResource", "resource_types": [ { 
@@ -146760,7 +179395,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update the specified IPSet.", + "description": "Grants permission to update an IPSet", "privilege": "UpdateIPSet", "resource_types": [ { @@ -146779,7 +179414,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update the specified RegexPatternSet.", + "description": "Grants permission to update a RegexPatternSet", "privilege": "UpdateRegexPatternSet", "resource_types": [ { @@ -146798,7 +179433,7 @@ }, { "access_level": "Write", - "description": "Grants permission to update the specified RuleGroup.", + "description": "Grants permission to update a RuleGroup", "privilege": "UpdateRuleGroup", "resource_types": [ { @@ -146817,7 +179452,7 @@ }, { "access_level": "Permissions management", - "description": "Grants permission to update the specified WebACL.", + "description": "Grants permission to update a WebACL", "privilege": "UpdateWebACL", "resource_types": [ { @@ -146903,7 +179538,23 @@ "service_name": "Amazon WorkSpaces Application Manager" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the presence of tag keys in the request", + "type": "String" + } + ], "prefix": "wellarchitected", "privileges": [ { @@ -146936,7 +179587,10 @@ "privilege": "CreateWorkload", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } 
@@ -147059,6 +179713,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "workload*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" } ] }, @@ -147146,6 +179807,25 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to list tags for a Well-Architected resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the workload shares of the specified workload", @@ -147170,6 +179850,45 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a Well-Architected resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a Well-Architected resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update properties of the specified answer", @@ -147246,7 +179965,9 @@ "resources": [ { "arn": "arn:${Partition}:wellarchitected:${Region}:${Account}:workload/${ResourceId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "workload" } ], 
@@ -147748,6 +180469,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve details for the specified group.", + "privilege": "GetGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get a collection of resources.", @@ -148368,7 +181101,7 @@ "privileges": [ { "access_level": "Write", - "description": "Adds a list of members (users or groups) to a group.", + "description": "Grants permission to add a list of members (users or groups) to a group", "privilege": "AddMembersToGroup", "resource_types": [ { @@ -148380,7 +181113,7 @@ }, { "access_level": "Write", - "description": "Adds a member (user or group) to the resource's set of delegates.", + "description": "Grants permission to add a member (user or group) to the resource's set of delegates", "privilege": "AssociateDelegateToResource", "resource_types": [ { @@ -148392,7 +181125,7 @@ }, { "access_level": "Write", - "description": "Adds a member (user or group) to the group's set.", + "description": "Grants permission to add a member (user or group) to the group's set", "privilege": "AssociateMemberToGroup", "resource_types": [ { @@ -148404,7 +181137,7 @@ }, { "access_level": "Write", - "description": "Cancels a currently running mailbox export job.", + "description": "Grants permission to cancel a currently running mailbox export job", "privilege": "CancelMailboxExportJob", "resource_types": [ { @@ -148416,7 +181149,7 @@ }, { "access_level": "Write", - "description": "Adds an alias to the set of a given member (user or group) of WorkMail.", + "description": "Grants permission to add an alias to the set of a given member (user or group) of WorkMail", "privilege": "CreateAlias", "resource_types": [ { 
@@ -148428,7 +181161,7 @@ }, { "access_level": "Write", - "description": "Creates a group that can be used in WorkMail by calling the RegisterToWorkMail operation.", + "description": "Grants permission to create a group that can be used in WorkMail by calling the RegisterToWorkMail operation", "privilege": "CreateGroup", "resource_types": [ { @@ -148440,7 +181173,7 @@ }, { "access_level": "Write", - "description": "Create an inbound email flow rule which will apply to all email sent to an organization", + "description": "Grants permission to create an inbound email flow rule which will apply to all email sent to an organization", "privilege": "CreateInboundMailFlowRule", "resource_types": [ { @@ -148452,7 +181185,7 @@ }, { "access_level": "Write", - "description": "Creates a mail domain.", + "description": "Grants permission to create a mail domain", "privilege": "CreateMailDomain", "resource_types": [ { @@ -148464,7 +181197,7 @@ }, { "access_level": "Write", - "description": "Creates a user in the directory and the WorkMail storage but does not enable the user for mail.", + "description": "Grants permission to create a user in the directory", "privilege": "CreateMailUser", "resource_types": [ { @@ -148476,7 +181209,19 @@ }, { "access_level": "Write", - "description": "Creates a new Amazon WorkMail organization.", + "description": "Grants permission to create a new mobile device access rule", + "privilege": "CreateMobileDeviceAccessRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new Amazon WorkMail organization", "privilege": "CreateOrganization", "resource_types": [ { 
@@ -148488,7 +181233,7 @@ }, { "access_level": "Write", - "description": "Create an outbound email flow rule which will apply to all email sent from an organization", + "description": "Grants permission to create an outbound email flow rule which will apply to all email sent from an organization", "privilege": "CreateOutboundMailFlowRule", "resource_types": [ { @@ -148500,7 +181245,7 @@ }, { "access_level": "Write", - "description": "Creates a new WorkMail resource.", + "description": "Grants permission to create a new WorkMail resource", "privilege": "CreateResource", "resource_types": [ { @@ -148512,7 +181257,7 @@ }, { "access_level": "Write", - "description": "Register an SMTP device against a WorkMail organization", + "description": "Grants permission to register an SMTP gateway to a WorkMail organization", "privilege": "CreateSmtpGateway", "resource_types": [ { @@ -148524,7 +181269,7 @@ }, { "access_level": "Write", - "description": "Creates a user who can be used in WorkMail by calling the RegisterToWorkMail operation.", + "description": "Grants permission to create a user, which can be enabled afterwards by calling the RegisterToWorkMail operation", "privilege": "CreateUser", "resource_types": [ { @@ -148536,7 +181281,7 @@ }, { "access_level": "Write", - "description": "Deletes an access control rule for the specified WorkMail organization.", + "description": "Grants permission to delete an access control rule", "privilege": "DeleteAccessControlRule", "resource_types": [ { @@ -148548,7 +181293,7 @@ }, { "access_level": "Write", - "description": "Remove one or more specified aliases from a set of aliases for a given user.", + "description": "Grants permission to remove one or more specified aliases from a set of aliases for a given user", "privilege": "DeleteAlias", "resource_types": [ { 
@@ -148560,7 +181305,7 @@ }, { "access_level": "Write", - "description": "Deletes a group from WorkMail.", + "description": "Grants permission to delete a group from WorkMail", "privilege": "DeleteGroup", "resource_types": [ { @@ -148572,7 +181317,7 @@ }, { "access_level": "Write", - "description": "Remove an inbound email flow rule to no longer apply to emails sent to an organization", + "description": "Grants permission to remove an inbound email flow rule to no longer apply to emails sent to an organization", "privilege": "DeleteInboundMailFlowRule", "resource_types": [ { @@ -148584,7 +181329,7 @@ }, { "access_level": "Write", - "description": "Removes an unused mail domain from an organization", + "description": "Grants permission to remove an unused mail domain from an organization", "privilege": "DeleteMailDomain", "resource_types": [ { @@ -148596,7 +181341,7 @@ }, { "access_level": "Write", - "description": "Deletes permissions granted to a member (user or group).", + "description": "Grants permission to delete permissions granted to a member (user or group)", "privilege": "DeleteMailboxPermissions", "resource_types": [ { @@ -148608,7 +181353,7 @@ }, { "access_level": "Write", - "description": "Removes a mobile device from a user", + "description": "Grants permission to remove a mobile device from a user", "privilege": "DeleteMobileDevice", "resource_types": [ { 
@@ -148620,7 +181365,19 @@ }, { "access_level": "Write", - "description": "Deletes an Amazon WorkMail organization and all underlying AWS resources managed by Amazon WorkMail as part of the organization.", + "description": "Grants permission to delete a mobile device access rule", + "privilege": "DeleteMobileDeviceAccessRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an Amazon WorkMail organization and all underlying AWS resources managed by Amazon WorkMail as part of the organization", "privilege": "DeleteOrganization", "resource_types": [ { @@ -148632,7 +181389,7 @@ }, { "access_level": "Write", - "description": "Remove an outbound email flow rule to no longer apply to emails sent from an organization", + "description": "Grants permission to remove an outbound email flow rule so that it no longer applies to emails sent from an organization", "privilege": "DeleteOutboundMailFlowRule", "resource_types": [ { @@ -148644,7 +181401,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified resource.", + "description": "Grants permission to delete the specified resource", "privilege": "DeleteResource", "resource_types": [ { @@ -148656,7 +181413,7 @@ }, { "access_level": "Write", - "description": "Deletes the retention policy based on the supplied organization and policy identifiers.", + "description": "Grants permission to delete the retention policy based on the supplied organization and policy identifiers", "privilege": "DeleteRetentionPolicy", "resource_types": [ { @@ -148668,7 +181425,7 @@ }, { "access_level": "Write", - "description": "Remove an SMTP device from an organization", + "description": "Grants permission to remove an SMTP gateway from an organization", "privilege": "DeleteSmtpGateway", "resource_types": [ { 
@@ -148680,7 +181437,7 @@ }, { "access_level": "Write", - "description": "Deletes a user from WorkMail and all subsequent systems. The action cannot be undone.", + "description": "Grants permission to delete a user from WorkMail and all subsequent systems", "privilege": "DeleteUser", "resource_types": [ { @@ -148692,7 +181449,7 @@ }, { "access_level": "Write", - "description": "Mark a user, group, or resource as no longer used in WorkMail.", + "description": "Grants permission to mark a user, group, or resource as no longer used in WorkMail", "privilege": "DeregisterFromWorkMail", "resource_types": [ { @@ -148704,7 +181461,7 @@ }, { "access_level": "List", - "description": "Shows a list of directories available for use in creating an organization", + "description": "Grants permission to show a list of directories available for use in creating an organization", "privilege": "DescribeDirectories", "resource_types": [ { @@ -148716,7 +181473,7 @@ }, { "access_level": "List", - "description": "Returns the data available for the group.", + "description": "Grants permission to read the details for a group", "privilege": "DescribeGroup", "resource_types": [ { @@ -148728,7 +181485,7 @@ }, { "access_level": "Read", - "description": "Returns the details of an inbound mail flow rule configured for an organization", + "description": "Grants permission to read the details of an inbound mail flow rule configured for an organization", "privilege": "DescribeInboundMailFlowRule", "resource_types": [ { @@ -148740,7 +181497,7 @@ }, { "access_level": "List", - "description": "Shows a list of KMS Keys available for use in creating an organization", + "description": "Grants permission to show a list of KMS Keys available for use in creating an organization", "privilege": "DescribeKmsKeys", "resource_types": [ { 
@@ -148752,7 +181509,7 @@ }, { "access_level": "List", - "description": "Shows the details of all mail domains associated with the organization", + "description": "Grants permission to show the details of all mail domains associated with the organization", "privilege": "DescribeMailDomains", "resource_types": [ { @@ -148764,7 +181521,7 @@ }, { "access_level": "List", - "description": "Shows the details of all groups associated with the organization", + "description": "Grants permission to show the details of all groups associated with the organization", "privilege": "DescribeMailGroups", "resource_types": [ { @@ -148776,7 +181533,7 @@ }, { "access_level": "List", - "description": "Shows the details of all users associated with the orgaization", + "description": "Grants permission to show the details of all users associated with the organization", "privilege": "DescribeMailUsers", "resource_types": [ { @@ -148788,7 +181545,7 @@ }, { "access_level": "Read", - "description": "Retrieve details of a mailbox export job.", + "description": "Grants permission to retrieve details of a mailbox export job", "privilege": "DescribeMailboxExportJob", "resource_types": [ { @@ -148800,7 +181557,7 @@ }, { "access_level": "List", - "description": "Provides more information regarding a given organization based on its identifier.", + "description": "Grants permission to read details of an organization", "privilege": "DescribeOrganization", "resource_types": [ { @@ -148812,7 +181569,7 @@ }, { "access_level": "List", - "description": "Shows a summary of all organizations associated with the account", + "description": "Grants permission to show a summary of all organizations associated with the account", "privilege": "DescribeOrganizations", "resource_types": [ { 
@@ -148824,7 +181581,7 @@ }, { "access_level": "Read", - "description": "Returns the details of an outbound mail flow rule configured for an organization", + "description": "Grants permission to read the details of an outbound mail flow rule configured for an organization", "privilege": "DescribeOutboundMailFlowRule", "resource_types": [ { @@ -148836,7 +181593,7 @@ }, { "access_level": "List", - "description": "Returns the data available for the resource.", + "description": "Grants permission to read the details for a resource", "privilege": "DescribeResource", "resource_types": [ { @@ -148848,7 +181605,7 @@ }, { "access_level": "Read", - "description": "Returns the details of an SMTP device registered against an organization", + "description": "Grants permission to read the details of an SMTP gateway registered to an organization", "privilege": "DescribeSmtpGateway", "resource_types": [ { @@ -148860,7 +181617,7 @@ }, { "access_level": "List", - "description": "Provides information regarding the user.", + "description": "Grants permission to read details for a user", "privilege": "DescribeUser", "resource_types": [ { @@ -148872,7 +181629,7 @@ }, { "access_level": "Write", - "description": "Disable a mail group when it is not being used and, to allow it to be deleted", + "description": "Grants permission to disable a mail group when it is not being used, in order to allow it to be deleted", "privilege": "DisableMailGroups", "resource_types": [ { @@ -148884,7 +181641,7 @@ }, { "access_level": "Write", - "description": "Disable a user mailbox when it is no longer being used, and to allow it to be deleted", + "description": "Grants permission to disable a user mailbox when it is no longer being used, in order to allow it to be deleted", "privilege": "DisableMailUsers", "resource_types": [ { 
@@ -148896,7 +181653,7 @@ }, { "access_level": "Write", - "description": "Removes a member from the resource's set of delegates.", + "description": "Grants permission to remove a member from the resource's set of delegates", "privilege": "DisassociateDelegateFromResource", "resource_types": [ { @@ -148908,7 +181665,7 @@ }, { "access_level": "Write", - "description": "Removes a member from a group.", + "description": "Grants permission to remove a member from a group", "privilege": "DisassociateMemberFromGroup", "resource_types": [ { @@ -148920,7 +181677,7 @@ }, { "access_level": "Write", - "description": "Enable a mail domain in the organization", + "description": "Grants permission to enable a mail domain in the organization", "privilege": "EnableMailDomain", "resource_types": [ { @@ -148932,7 +181689,7 @@ }, { "access_level": "Write", - "description": "Enable a mail group after it has been created to allow it to receive mail", + "description": "Grants permission to enable a mail group after it has been created to allow it to receive mail", "privilege": "EnableMailGroups", "resource_types": [ { @@ -148944,7 +181701,7 @@ }, { "access_level": "Write", - "description": "Enable a user's mailbox after it has been created to allow it to receive mail", + "description": "Grants permission to enable a user's mailbox after it has been created to allow it to receive mail", "privilege": "EnableMailUsers", "resource_types": [ { @@ -148956,7 +181713,7 @@ }, { "access_level": "Read", - "description": "Gets the effects of an organization's access control rules as they apply to a specified IPv4 address, access protocol action, or user ID.", + "description": "Grants permission to get the effects of access control rules as they apply to a specified IPv4 address, access protocol action, or user ID", "privilege": "GetAccessControlEffect", "resource_types": [ { 
@@ -148968,7 +181725,7 @@ }, { "access_level": "Read", - "description": "Retrieves the retention policy associated at an organizational level.", + "description": "Grants permission to retrieve the retention policy associated at an organizational level", "privilege": "GetDefaultRetentionPolicy", "resource_types": [ { @@ -148980,7 +181737,7 @@ }, { "access_level": "Read", - "description": "Returns journaling and fallback email addresses configured for email journaling", + "description": "Grants permission to read the configured journaling and fallback email addresses for email journaling", "privilege": "GetJournalingRules", "resource_types": [ { @@ -148992,7 +181749,7 @@ }, { "access_level": "Read", - "description": "Get the details of the mail domain", + "description": "Grants permission to get the details of the mail domain", "privilege": "GetMailDomainDetails", "resource_types": [ { @@ -149004,7 +181761,7 @@ }, { "access_level": "Read", - "description": "Get the details of the mail group", + "description": "Grants permission to get the details of the mail group", "privilege": "GetMailGroupDetails", "resource_types": [ { @@ -149016,7 +181773,7 @@ }, { "access_level": "Read", - "description": "Get the details of the user's mailbox and account", + "description": "Grants permission to get the details of the user's mailbox and account", "privilege": "GetMailUserDetails", "resource_types": [ { @@ -149028,7 +181785,7 @@ }, { "access_level": "Read", - "description": "Returns the details of the user's mailbox.", + "description": "Grants permission to read the details of the user's mailbox", "privilege": "GetMailboxDetails", "resource_types": [ { 
@@ -149040,7 +181797,19 @@ }, { "access_level": "Read", - "description": "Get the details of the mobile device", + "description": "Grants permission to simulate the effect of the mobile device access rules for the given attributes of a sample access event", + "privilege": "GetMobileDeviceAccessEffect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the details of the mobile device", "privilege": "GetMobileDeviceDetails", "resource_types": [ { @@ -149052,7 +181821,7 @@ }, { "access_level": "Read", - "description": "Get a list of the mobile devices associated with the user", + "description": "Grants permission to get a list of the mobile devices associated with the user", "privilege": "GetMobileDevicesForUser", "resource_types": [ { @@ -149064,7 +181833,7 @@ }, { "access_level": "Read", - "description": "Get the details of the mobile device policy associated with the organization", + "description": "Grants permission to get the details of the mobile device policy associated with the organization", "privilege": "GetMobilePolicyDetails", "resource_types": [ { @@ -149076,7 +181845,7 @@ }, { "access_level": "List", - "description": "Lists the access control rules for the specified organization.", + "description": "Grants permission to list the access control rules", "privilege": "ListAccessControlRules", "resource_types": [ { @@ -149088,7 +181857,7 @@ }, { "access_level": "List", - "description": "Creates a paginated call to list the aliases associated with a given entity.", + "description": "Grants permission to list the aliases associated with a given entity", "privilege": "ListAliases", "resource_types": [ { 
@@ -149100,7 +181869,7 @@ }, { "access_level": "List", - "description": "Returns an overview of the members of a group. Users and groups can be members of a group.", + "description": "Grants permission to read an overview of the members of a group. Users and groups can be members of a group", "privilege": "ListGroupMembers", "resource_types": [ { @@ -149112,7 +181881,7 @@ }, { "access_level": "List", - "description": "Returns summaries of the organization's groups.", + "description": "Grants permission to list summaries of the organization's groups", "privilege": "ListGroups", "resource_types": [ { @@ -149124,7 +181893,7 @@ }, { "access_level": "List", - "description": "Returns a list of inbound mail flow rules configured for an organization", + "description": "Grants permission to list inbound mail flow rules configured for an organization", "privilege": "ListInboundMailFlowRules", "resource_types": [ { @@ -149136,7 +181905,7 @@ }, { "access_level": "List", - "description": "List mailbox export jobs.", + "description": "Grants permission to list mailbox export jobs", "privilege": "ListMailboxExportJobs", "resource_types": [ { @@ -149148,7 +181917,7 @@ }, { "access_level": "List", - "description": "Lists the mailbox permissions associated with a user, group, or resource mailbox.", + "description": "Grants permission to list the mailbox permissions associated with a user, group, or resource mailbox", "privilege": "ListMailboxPermissions", "resource_types": [ { @@ -149160,7 +181929,7 @@ }, { "access_level": "Read", - "description": "Get a list of all the members in a mail group", + "description": "Grants permission to get a list of all the members in a mail group", "privilege": "ListMembersInMailGroup", "resource_types": [ { 
@@ -149172,7 +181941,19 @@ }, { "access_level": "List", - "description": "Returns summaries of the customer's non-deleted organizations.", + "description": "Grants permission to list the mobile device access rules", + "privilege": "ListMobileDeviceAccessRules", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the non-deleted organizations", "privilege": "ListOrganizations", "resource_types": [ { @@ -149184,7 +181965,7 @@ }, { "access_level": "List", - "description": "Returns a list of outbound mail flow rules configured for an organization", + "description": "Grants permission to list outbound mail flow rules configured for an organization", "privilege": "ListOutboundMailFlowRules", "resource_types": [ { @@ -149196,7 +181977,7 @@ }, { "access_level": "List", - "description": "Lists the delegates associated with a resource.", + "description": "Grants permission to list the delegates associated with a resource", "privilege": "ListResourceDelegates", "resource_types": [ { @@ -149208,7 +181989,7 @@ }, { "access_level": "List", - "description": "Returns summaries of the organization's resources.", + "description": "Grants permission to list the organization's resources", "privilege": "ListResources", "resource_types": [ { @@ -149220,7 +182001,7 @@ }, { "access_level": "List", - "description": "Returns a list of SMTP devices registered against the organization", + "description": "Grants permission to list SMTP gateways registered to the organization", "privilege": "ListSmtpGateways", "resource_types": [ { 
@@ -149232,7 +182013,7 @@ }, { "access_level": "List", - "description": "Grants permission to list the tags applied to an Amazon WorkMail organization resource.", + "description": "Grants permission to list the tags applied to an Amazon WorkMail organization resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -149244,7 +182025,7 @@ }, { "access_level": "List", - "description": "Returns summaries of the organization's users.", + "description": "Grants permission to list the organization's users", "privilege": "ListUsers", "resource_types": [ { @@ -149256,7 +182037,7 @@ }, { "access_level": "Write", - "description": "Adds a new access control rule for the specified organization. The rule allows or denies access to the organization for the specified IPv4 addresses, access protocol actions, and user IDs. Adding a new rule with the same name as an existing rule replaces the older rule.", + "description": "Grants permission to add a new access control rule", "privilege": "PutAccessControlRule", "resource_types": [ { @@ -149268,7 +182049,7 @@ }, { "access_level": "Write", - "description": "Sets permissions for a user, group, or resource. This replaces any pre-existing permissions.", + "description": "Grants permission to set permissions for a user, group, or resource, replacing any existing permissions", "privilege": "PutMailboxPermissions", "resource_types": [ { @@ -149280,7 +182061,7 @@ }, { "access_level": "Write", - "description": "Adds or updates the retention policy for the specified organization.", + "description": "Grants permission to add or update the retention policy", "privilege": "PutRetentionPolicy", "resource_types": [ { 
@@ -149292,7 +182073,7 @@ }, { "access_level": "Write", - "description": "Registers an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities.", + "description": "Grants permission to register an existing and disabled user, group, or resource for use by associating a mailbox and calendaring capabilities", "privilege": "RegisterToWorkMail", "resource_types": [ { @@ -149304,7 +182085,7 @@ }, { "access_level": "Write", - "description": "Remove members from a mail group", + "description": "Grants permission to remove members from a mail group", "privilege": "RemoveMembersFromGroup", "resource_types": [ { @@ -149316,7 +182097,7 @@ }, { "access_level": "Write", - "description": "Allows the administrator to reset the password for a user.", + "description": "Grants permission to allow the administrator to reset the password for a user", "privilege": "ResetPassword", "resource_types": [ { @@ -149328,7 +182109,7 @@ }, { "access_level": "Write", - "description": "Reset the password for a user's account", + "description": "Grants permission to reset the password for a user's account", "privilege": "ResetUserPassword", "resource_types": [ { @@ -149340,7 +182121,7 @@ }, { "access_level": "Read", - "description": "Prefix search to find a specific user in a mail group", + "description": "Grants permission to perform a prefix search to find a specific user in a mail group", "privilege": "SearchMembers", "resource_types": [ { @@ -149352,7 +182133,7 @@ }, { "access_level": "Write", - "description": "Mark a user as being an administrator", + "description": "Grants permission to mark a user as being an administrator", "privilege": "SetAdmin", "resource_types": [ { @@ -149364,7 +182145,7 @@ }, { "access_level": "Write", - "description": "Set the default mail domain for the organization", + "description": "Grants permission to set the default mail domain for the organization", "privilege": "SetDefaultMailDomain", "resource_types": [ { 
@@ -149376,7 +182157,7 @@ }, { "access_level": "Write", - "description": "Set journaling and fallback email addresses for email journaling", + "description": "Grants permission to set journaling and fallback email addresses for email journaling", "privilege": "SetJournalingRules", "resource_types": [ { @@ -149388,7 +182169,7 @@ }, { "access_level": "Write", - "description": "Set the details of the mail group which has just been created", + "description": "Grants permission to set the details of the mail group which has just been created", "privilege": "SetMailGroupDetails", "resource_types": [ { @@ -149400,7 +182181,7 @@ }, { "access_level": "Write", - "description": "Set the details for the user account which has just been created", + "description": "Grants permission to set the details for the user account which has just been created", "privilege": "SetMailUserDetails", "resource_types": [ { @@ -149412,7 +182193,7 @@ }, { "access_level": "Write", - "description": "Set the details of a mobile policy associated with the organization", + "description": "Grants permission to set the details of a mobile policy associated with the organization", "privilege": "SetMobilePolicyDetails", "resource_types": [ { @@ -149424,7 +182205,7 @@ }, { "access_level": "Write", - "description": "Start a new mailbox export job.", + "description": "Grants permission to start a new mailbox export job", "privilege": "StartMailboxExportJob", "resource_types": [ { @@ -149436,7 +182217,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to tag the specified Amazon WorkMail organization resource.", + "description": "Grants permission to tag the specified Amazon WorkMail organization resource", "privilege": "TagResource", "resource_types": [ { 
@@ -149448,7 +182229,7 @@ }, { "access_level": "Write", - "description": "Test what inbound rules will apply to an email with a given sender and recipient", + "description": "Grants permission to test what inbound rules will apply to an email with a given sender and recipient", "privilege": "TestInboundMailFlowRules", "resource_types": [ { @@ -149460,7 +182241,7 @@ }, { "access_level": "Write", - "description": "Test what outbound rules will apply to an email with a given sender and recipient", + "description": "Grants permission to test what outbound rules will apply to an email with a given sender and recipient", "privilege": "TestOutboundMailFlowRules", "resource_types": [ { @@ -149472,7 +182253,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag the specified Amazon WorkMail organization resource.", + "description": "Grants permission to untag the specified Amazon WorkMail organization resource", "privilege": "UntagResource", "resource_types": [ { @@ -149484,7 +182265,7 @@ }, { "access_level": "Write", - "description": "Update the details of an inbound email flow rule which will apply to all email sent to an organization", + "description": "Grants permission to update the details of an inbound email flow rule which will apply to all email sent to an organization", "privilege": "UpdateInboundMailFlowRule", "resource_types": [ { @@ -149496,7 +182277,7 @@ }, { "access_level": "Write", - "description": "Updates the maximum size (in MB) of the user's mailbox.", + "description": "Grants permission to update the maximum size (in MB) of the user's mailbox", "privilege": "UpdateMailboxQuota", "resource_types": [ { 
@@ -149508,7 +182289,19 @@ }, { "access_level": "Write", - "description": "Update the details of an outbound email flow rule which will apply to all email sent from an organization", + "description": "Grants permission to update an mobile device access rule", + "privilege": "UpdateMobileDeviceAccessRule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "organization*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the details of an outbound email flow rule which will apply to all email sent from an organization", "privilege": "UpdateOutboundMailFlowRule", "resource_types": [ { @@ -149520,7 +182313,7 @@ }, { "access_level": "Write", - "description": "Updates the primary email for a user, group, or resource.", + "description": "Grants permission to update the primary email for a user, group, or resource", "privilege": "UpdatePrimaryEmailAddress", "resource_types": [ { @@ -149532,7 +182325,7 @@ }, { "access_level": "Write", - "description": "Updates data for the resource. To retrieve the latest information, it must be preceded by a DescribeResource call.", + "description": "Grants permission to update details for the resource", "privilege": "UpdateResource", "resource_types": [ { @@ -149544,7 +182337,7 @@ }, { "access_level": "Write", - "description": "Update the details of an existing SMTP device registered against an organization", + "description": "Grants permission to update the details of an existing SMTP gateway registered to an organization", "privilege": "UpdateSmtpGateway", "resource_types": [ { @@ -149556,7 +182349,7 @@ }, { "access_level": "Write", - "description": "Remotely wipe the mobile device associated with a user's account", + "description": "Grants permission to remotely wipe the mobile device associated with a user's account", "privilege": "WipeMobileDevice", "resource_types": [ { 
@@ -149593,6 +182386,18 @@ "resource_type": "RawMessage*" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the content of email messages with the specified message ID", + "privilege": "PutRawMessageContent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "RawMessage*" + } + ] } ], "resources": [ 
@@ -149605,24 +182410,62 @@ "service_name": "Amazon WorkMail Message Flow" }, { - "conditions": [], + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters access based on the tag keys that are passed in the request", + "type": "String" + } + ], "prefix": "workspaces", "privileges": [ { "access_level": "Write", - "description": "Associates the specified IP access control group with the specified directory.", + "description": "Grants permission to associate connection aliases with directories", + "privilege": "AssociateConnectionAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connectionalias*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate IP access control groups with directories", "privilege": "AssociateIpGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directoryid*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceipgroup*" } ] }, { "access_level": "Write", - "description": "Adds one or more rules to the specified IP access control group.", + "description": "Grants permission to add rules to IP access control groups", "privilege": "AuthorizeIpRules", "resource_types": [ { 
@@ -149634,11 +182477,51 @@ }, { "access_level": "Write", - "description": "Creates an IP access control group.", - "privilege": "CreateIpGroup", + "description": "Grants permission to copy a WorkSpace image", + "privilege": "CopyWorkspaceImage", "resource_types": [ { "condition_keys": [], + "dependent_actions": [ + "workspaces:DescribeWorkspaceImages" + ], + "resource_type": "workspaceimage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create connection aliases for use with cross-Region redirection", + "privilege": "CreateConnectionAlias", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create IP access control groups", + "privilege": "CreateIpGroup", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], "dependent_actions": [], "resource_type": "" } @@ -149646,7 +182529,7 @@ }, { "access_level": "Tagging", - "description": "Creates tags for a WorkSpace.", + "description": "Grants permission to create tags for WorkSpaces resources", "privilege": "CreateTags", "resource_types": [ { 
@@ -149658,7 +182541,29 @@ }, { "access_level": "Write", - "description": "Creates one or more WorkSpaces.", + "description": "Grants permission to create a WorkSpace bundle", + "privilege": "CreateWorkspaceBundle", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "workspaces:CreateTags" + ], + "resource_type": "workspaceimage*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create one or more WorkSpaces", "privilege": "CreateWorkspaces", "resource_types": [ { @@ -149670,12 +182575,32 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "workspacebundle*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete connection aliases", + "privilege": "DeleteConnectionAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connectionalias*" } ] }, { "access_level": "Write", - "description": "Deletes the specified IP access control group.", + "description": "Grants permission to delete IP access control groups", "privilege": "DeleteIpGroup", "resource_types": [ { @@ -149686,8 +182611,8 @@ ] }, { - "access_level": "Write", - "description": "Deletes tags from a Workspace.", + "access_level": "Tagging", + "description": "Grants permission to delete tags from WorkSpaces resources", "privilege": "DeleteTags", "resource_types": [ { 
@@ -149699,19 +182624,43 @@ }, { "access_level": "Write", - "description": "Deletes the specified workspace image.", + "description": "Grants permission to delete WorkSpace bundles", + "privilege": "DeleteWorkspaceBundle", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspacebundle*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete WorkSpace images", "privilege": "DeleteWorkspaceImage", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "workspaceimage*" } ] }, { - "access_level": "List", - "description": "Retrieves a list that describes the configuration of bring your own license (BYOL) for the specified account.", + "access_level": "Write", + "description": "Grants permission to deregister directories from use with Amazon WorkSpaces", + "privilege": "DeregisterWorkspaceDirectory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the configuration of Bring Your Own License (BYOL) for WorkSpaces accounts", "privilege": "DescribeAccount", "resource_types": [ { @@ -149722,8 +182671,8 @@ ] }, { - "access_level": "List", - "description": "Retrieves a list that describes modifications to the configuration of bring your own license (BYOL) for the specified account.", + "access_level": "Read", + "description": "Grants permission to retrieve modifications to the configuration of Bring Your Own License (BYOL) for WorkSpaces accounts", "privilege": "DescribeAccountModifications", "resource_types": [ { 
@@ -149735,7 +182684,7 @@ }, { "access_level": "List", - "description": "Describe client properties about the specified resources.", + "description": "Grants permission to retrieve information about WorkSpaces clients", "privilege": "DescribeClientProperties", "resource_types": [ { @@ -149746,8 +182695,32 @@ ] }, { - "access_level": "List", - "description": "Retrieves information about the IP access control groups of your account in the region.", + "access_level": "Read", + "description": "Grants permission to retrieve the permissions that the owners of connection aliases have granted to other AWS accounts for connection aliases", + "privilege": "DescribeConnectionAliasPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connectionalias*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list that describes the connection aliases used for cross-Region redirection", + "privilege": "DescribeConnectionAliases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about IP access control groups", "privilege": "DescribeIpGroups", "resource_types": [ { @@ -149759,7 +182732,7 @@ }, { "access_level": "List", - "description": "Describes tags for a WorkSpace.", + "description": "Grants permission to describe the tags for WorkSpaces resources", "privilege": "DescribeTags", "resource_types": [ { 
@@ -149771,19 +182744,19 @@ }, { "access_level": "List", - "description": "Obtains information about the WorkSpace bundles that are available to your account in the specified region.", + "description": "Grants permission to obtain information about WorkSpace bundles", "privilege": "DescribeWorkspaceBundles", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "workspacebundle*" + "resource_type": "" } ] }, { - "access_level": "List", - "description": "Retrieves information about the AWS Directory Service directories in the region that are registered with Amazon WorkSpaces and are available to your account.", + "access_level": "Read", + "description": "Grants permission to retrieve information about directories that are registered with WorkSpaces", "privilege": "DescribeWorkspaceDirectories", "resource_types": [ { @@ -149793,9 +182766,21 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about WorkSpace image permissions", + "privilege": "DescribeWorkspaceImagePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceimage*" + } + ] + }, { "access_level": "List", - "description": "Retrieves a list that describes one or more specified images.", + "description": "Grants permission to retrieve information about WorkSpace images", "privilege": "DescribeWorkspaceImages", "resource_types": [ { 
@@ -149807,7 +182792,19 @@ }, { "access_level": "List", - "description": "Obtains information about the specified WorkSpaces.", + "description": "Grants permission to retrieve information about WorkSpace snapshots", + "privilege": "DescribeWorkspaceSnapshots", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceid*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to obtain information about WorkSpaces", "privilege": "DescribeWorkspaces", "resource_types": [ { @@ -149819,7 +182816,7 @@ }, { "access_level": "Read", - "description": "Describes the connection status of a specified WorkSpace.", + "description": "Grants permission to obtain the connection status of WorkSpaces", "privilege": "DescribeWorkspacesConnectionStatus", "resource_types": [ { 
@@ -149831,31 +182828,51 @@ }, { "access_level": "Write", - "description": "Disassociates the specified IP access control group from the specified directory.", + "description": "Grants permission to disassociate connection aliases from directories", + "privilege": "DisassociateConnectionAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connectionalias*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate IP access control groups from directories", "privilege": "DisassociateIpGroups", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "directoryid*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceipgroup*" } ] }, { "access_level": "Write", - "description": "Import a licensed EC2 image to into Amazon WorkSpaces.", + "description": "Grants permission to import Bring Your Own License (BYOL) images into Amazon WorkSpaces", "privilege": "ImportWorkspaceImage", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "ec2:DescribeImages", + "ec2:ModifyImageAttribute" + ], "resource_type": "" } ] }, { "access_level": "List", - "description": "List available CIDR ranges for a CIDR range constraint.", + "description": "Grants permission to list the available CIDR ranges for enabling Bring Your Own License (BYOL) for WorkSpaces accounts", "privilege": "ListAvailableManagementCidrRanges", "resource_types": [ { 
@@ -149867,7 +182884,24 @@ }, { "access_level": "Write", - "description": "Modify the configuration of bring your own license (BYOL) for the specified account.", + "description": "Grants permission to migrate WorkSpaces", + "privilege": "MigrateWorkspace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspacebundle*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceid*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the configuration of Bring Your Own License (BYOL) for WorkSpaces accounts", "privilege": "ModifyAccount", "resource_types": [ { @@ -149879,7 +182913,7 @@ }, { "access_level": "Write", - "description": "Modify the client properties of a specified resource.", + "description": "Grants permission to modify the properties of WorkSpaces clients", "privilege": "ModifyClientProperties", "resource_types": [ { 
@@ -149889,9 +182923,45 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to modify the self-service WorkSpace management capabilities for your users", + "privilege": "ModifySelfservicePermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, { "access_level": "Write", - "description": "Modifies the WorkSpace properties, including the running mode and AutoStop time.", + "description": "Grants permission to specify which devices and operating systems users can use to access their WorkSpaces", + "privilege": "ModifyWorkspaceAccessProperties", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the default properties used to create WorkSpaces", + "privilege": "ModifyWorkspaceCreationProperties", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify WorkSpace properties, including the running mode and the AutoStop period", "privilege": "ModifyWorkspaceProperties", "resource_types": [ { @@ -149903,7 +182973,7 @@ }, { "access_level": "Write", - "description": "Modify the state of specified WorkSpaces.", + "description": "Grants permission to modify the state of WorkSpaces", "privilege": "ModifyWorkspaceState", "resource_types": [ { @@ -149915,7 +182985,7 @@ }, { "access_level": "Write", - "description": "Reboots the specified WorkSpaces.", + "description": "Grants permission to reboot WorkSpaces", "privilege": "RebootWorkspaces", "resource_types": [ { 
@@ -149927,7 +182997,7 @@ }, { "access_level": "Write", - "description": "Rebuilds the specified WorkSpaces.", + "description": "Grants permission to rebuild WorkSpaces", "privilege": "RebuildWorkspaces", "resource_types": [ { @@ -149939,7 +183009,39 @@ }, { "access_level": "Write", - "description": "Removes one or more rules from the specified IP access control group.", + "description": "Grants permission to register directories for use with Amazon WorkSpaces", + "privilege": "RegisterWorkspaceDirectory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "directoryid*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to restore WorkSpaces", + "privilege": "RestoreWorkspace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceid*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove rules from IP access control groups", "privilege": "RevokeIpRules", "resource_types": [ { @@ -149951,7 +183053,7 @@ }, { "access_level": "Write", - "description": "Starts the specified WorkSpaces.", + "description": "Grants permission to start AutoStop WorkSpaces", "privilege": "StartWorkspaces", "resource_types": [ { @@ -149963,7 +183065,7 @@ }, { "access_level": "Write", - "description": "Stops the specified WorkSpaces.", + "description": "Grants permission to stop AutoStop WorkSpaces", "privilege": "StopWorkspaces", "resource_types": [ { @@ -149975,7 +183077,7 @@ }, { "access_level": "Write", - "description": "Terminates the specified WorkSpaces.", + "description": "Grants permission to terminate WorkSpaces", "privilege": "TerminateWorkspaces", "resource_types": [ { 
@@ -149985,9 +183087,21 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Grants permission to share or unshare connection aliases with other accounts", + "privilege": "UpdateConnectionAliasPermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connectionalias*" + } + ] + }, { "access_level": "Write", - "description": "Replaces the current rules of the specified IP access control group with the specified rules.", + "description": "Grants permission to replace rules for IP access control groups", "privilege": "UpdateRulesOfIpGroup", "resource_types": [ { 
@@ -149996,28 +183110,79 @@ "resource_type": "workspaceipgroup*" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the WorkSpace images used in WorkSpace bundles", + "privilege": "UpdateWorkspaceBundle", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspacebundle*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceimage*" + } + ] + }, + { + "access_level": "Permissions management", + "description": "Grants permission to share or unshare WorkSpace images with other accounts by specifying whether other accounts have permission to copy the image", + "privilege": "UpdateWorkspaceImagePermission", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspaceimage*" + } + ] } ], "resources": [ + { + "arn": "arn:${Partition}:workspaces:${Region}:${Account}:directory/${DirectoryId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "directoryid" + }, { "arn": "arn:${Partition}:workspaces:${Region}:${Account}:workspacebundle/${BundleId}", - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "resource": "workspacebundle" }, { - "arn": "arn:${Partition}:workspaces:${Region}:${Account}:workspaceipgroup/${GroupId}", - "condition_keys": [], - "resource": "workspaceipgroup" + "arn": "arn:${Partition}:workspaces:${Region}:${Account}:workspace/${WorkspaceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "workspaceid" }, { - "arn": "arn:${Partition}:workspaces:${Region}:${Account}:directory/${DirectoryId}", - "condition_keys": [], - "resource": "directoryid" + "arn": "arn:${Partition}:workspaces:${Region}:${Account}:workspaceimage/${ImageId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "workspaceimage" }, { - "arn": "arn:${Partition}:workspaces:${Region}:${Account}:workspace/${WorkspaceId}", - 
"condition_keys": [], - "resource": "workspaceid" + "arn": "arn:${Partition}:workspaces:${Region}:${Account}:workspaceipgroup/${GroupId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "workspaceipgroup" + }, + { + "arn": "arn:${Partition}:workspaces:${Region}:${Account}:connectionalias/${ConnectionAliasId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connectionalias" } ], "service_name": "Amazon WorkSpaces"