Change log of AWS IAM permissions

2021-12-04

23 new actions, 4 new resources, 8 new conditions

Additions

Actions

CreateApplication
- Description: Grants permission to create an application within an environment
- Access: Write
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateEnvironment
- Description: Grants permission to create an environment
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateRoute
- Description: Grants permission to create a route within an application
- Access: Write
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:RouteCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  refactor-spaces:SourcePath
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateService
- Description: Grants permission to create a service within an application
- Access: Write
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteApplication
- Description: Grants permission to delete an application from an environment
- Access: Write
- Resources:
  Name: application
  
  Required: Yes
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  aws:ResourceTag/${TagKey}
DeleteEnvironment
- Description: Grants permission to delete an environment
- Access: Write
- Resources:
  Name: environment
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteResourcePolicy
- Description: Grants permission to delete a resource policy
- Access: Write
DeleteRoute
- Description: Grants permission to delete a route from an application
- Access: Write
- Resources:
  Name: route
  
  Required: Yes
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:RouteCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  refactor-spaces:SourcePath
  
  aws:ResourceTag/${TagKey}
DeleteService
- Description: Grants permission to delete a service from an application
- Access: Write
- Resources:
  Name: service
  
  Required: Yes
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  aws:ResourceTag/${TagKey}
GetApplication
- Description: Grants permission to get more information about an application
- Access: Read
- Resources:
  Name: application
  
  Required: Yes
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  aws:ResourceTag/${TagKey}
GetEnvironment
- Description: Grants permission to get more information for an environment
- Access: Read
- Resources:
  Name: environment
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetResourcePolicy
- Description: Grants permission to get the details about a resource policy
- Access: Read
GetRoute
- Description: Grants permission to get more information about a route
- Access: Read
- Resources:
  Name: route
  
  Required: Yes
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:RouteCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  refactor-spaces:SourcePath
  
  aws:ResourceTag/${TagKey}
GetService
- Description: Grants permission to get more information about a service
- Access: Read
- Resources:
  Name: service
  
  Required: Yes
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  aws:ResourceTag/${TagKey}
ListApplications
- Description: Grants permission to list all the applications in an environment
- Access: Read
- Resources:
  Name: environment
  
  Required: Yes
ListEnvironmentVpcs
- Description: Grants permission to list all the VPCs for the environment
- Access: Read
- Resources:
  Name: environment
  
  Required: Yes
ListEnvironments
- Description: Grants permission to list all environments
- Access: Read
ListRoutes
- Description: Grants permission to list all the routes in an application
- Access: Read
- Resources:
  Name: environment
  
  Required: Yes
ListServices
- Description: Grants permission to list all the services in an environment
- Access: Read
- Resources:
  Name: environment
  
  Required: Yes
ListTagsForResource
- Description: Grants permission to list all the tags for a given resource
- Access: Read
PutResourcePolicy
- Description: Grants permission to add a resource policy
- Access: Write
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Resources:
  Name: application
  
  Required: No
  
  Name: environment
  
  Required: No
  
  Name: route
  
  Required: No
  
  Name: service
  
  Required: No
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:RouteCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  refactor-spaces:SourcePath
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
UntagResource
- Description: Grants permission to remove a tag from a resource
- Access: Tagging
- Resources:
  Name: application
  
  Required: No
  
  Name: environment
  
  Required: No
  
  Name: route
  
  Required: No
  
  Name: service
  
  Required: No
- Conditions:
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:RouteCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  refactor-spaces:SourcePath
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}

Resources

environment
- Arn: arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}
- Conditions:
  aws:ResourceTag/${TagKey}
application
- Arn: arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}/application/${ApplicationId}
- Conditions:
  aws:ResourceTag/${TagKey}
  
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
service
- Arn: arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}/application/${ApplicationId}/service/${ServiceId}
- Conditions:
  aws:ResourceTag/${TagKey}
  
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  refactor-spaces:ServiceCreatedByAccount
route
- Arn: arn:${Partition}:refactor-spaces:${Region}:${Account}:environment/${EnvironmentId}/application/${ApplicationId}/route/${RouteId}
- Conditions:
  aws:ResourceTag/${TagKey}
  
  refactor-spaces:ApplicationCreatedByAccount
  
  refactor-spaces:CreatedByAccountIds
  
  refactor-spaces:RouteCreatedByAccount
  
  refactor-spaces:ServiceCreatedByAccount
  
  refactor-spaces:SourcePath

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the presence of tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by tag key-value pairs attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access by the presence of tag keys in the request
- Type: String
refactor-spaces:ApplicationCreatedByAccount
- Description: Filters access by restricting the action to only those accounts that created the application within an environment
- Type: String
refactor-spaces:CreatedByAccountIds
- Description: Filters access by the accounts that created the resource
- Type: ArrayOfString
refactor-spaces:RouteCreatedByAccount
- Description: Filters access by restricting the action to only those accounts that created the route within an application
- Type: String
refactor-spaces:ServiceCreatedByAccount
- Description: Filters access by restricting the action to only those accounts that created the service within an application
- Type: String
refactor-spaces:SourcePath
- Description: Filters access by the path of the route
- Type: String

AWS Migration Hub Refactor Spaces (refactor-spaces)

Additions