Change log of AWS IAM permissions

2021-11-10

3 new conditions | 20 updated actions, 1 updated resource, 4 updated conditions

Additions

Conditions

aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
secretsmanager:AddReplicaRegions
- Description: Filters access by the list of Regions in which to replicate the secret
- Type: ArrayOfString
secretsmanager:ForceOverwriteReplicaSecret
- Description: Filters access by whether to overwrite a secret with the same name in the destination Region
- Type: Bool

Updates

Actions

CancelRotateSecret
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
CreateSecret
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:AddReplicaRegions
- ＋ secretsmanager:ForceOverwriteReplicaSecret
- － aws:RequestTag/tag-key
DeleteResourcePolicy
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
DeleteSecret
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
DescribeSecret
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
GetResourcePolicy
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
GetSecretValue
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
ListSecretVersionIds
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
PutResourcePolicy
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
PutSecretValue
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
RemoveRegionsFromReplication
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
ReplicateSecretToRegions
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
- ＋ secretsmanager:AddReplicaRegions
- ＋ secretsmanager:ForceOverwriteReplicaSecret
RestoreSecret
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
RotateSecret
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
StopReplicationToReplica
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
TagResource
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
- － aws:RequestTag/tag-key
UntagResource
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
UpdateSecret
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
UpdateSecretVersionStage
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion
ValidateResourcePolicy
- ＋ aws:ResourceTag/${TagKey}
- ＋ secretsmanager:SecretPrimaryRegion

Resources

Secret
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:ResourceTag/${TagKey}
- － aws:RequestTag/tag-key

Conditions

secretsmanager:BlockPublicPolicy
- Boolean ⟶ Bool
secretsmanager:ForceDeleteWithoutRecovery
- Boolean ⟶ Bool
secretsmanager:RecoveryWindowInDays
- Long ⟶ Numeric
aws:RequestTag/${TagKey}
- Old: Filters access by a key that is present in the request the user makes to the Secrets Manager service.
  New: Filters access by a key that is present in the request the user makes to the Secrets Manager service

AWS Secrets Manager (secretsmanager)

Additions

Updates