Change log of AWS IAM permissions

2022-07-08

37 new actions, 5 new resources, 8 new conditions

Additions

Actions

ConvertRecoveryPointToSnapshot
- Description: Grants permission to convert a recovery point to a snapshot
- Access: Write
- Resources:
  Name: recoveryPoint
  
  Required: Yes
  
  Name: snapshot
  
  Required: Yes
CreateEndpointAccess
- Description: Grants permission to create an Amazon Redshift Serverless managed VPC endpoint
- Access: Write
- Resources:
  Name: endpointAccess
  
  Required: Yes
CreateNamespace
- Description: Grants permission to create an Amazon Redshift Serverless namespace
- Access: Write
- Resources:
  Name: namespace
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateSnapshot
- Description: Grants permission to create a snapshot of all databases in a namespace
- Access: Write
- Resources:
  Name: snapshot
  
  Required: Yes
CreateUsageLimit
- Description: Grants permission to create a usage limit for a specified Amazon Redshift Serverless usage type
- Access: Write
CreateWorkgroup
- Description: Grants permission to create a workgroup in Amazon Redshift Serverless
- Access: Write
- Resources:
  Name: workgroup
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteEndpointAccess
- Description: Grants permission to delete an Amazon Redshift Serverless managed VPC endpoint
- Access: Write
- Resources:
  Name: endpointAccess
  
  Required: Yes
DeleteNamespace
- Description: Grants permission to delete a namespace from Amazon Redshift Serverless
- Access: Write
- Resources:
  Name: namespace
  
  Required: Yes
DeleteResourcePolicy
- Description: Grants permission to delete the specified resource policy
- Access: Write
DeleteSnapshot
- Description: Grants permission to delete a snapshot from Amazon Redshift Serverless
- Access: Write
- Resources:
  Name: snapshot
  
  Required: Yes
DeleteUsageLimit
- Description: Grants permission to delete a usage limit from Amazon Redshift Serverless
- Access: Write
DeleteWorkgroup
- Description: Grants permission to delete a workgroup
- Access: Write
- Resources:
  Name: workgroup
  
  Required: Yes
GetCredentials
- Description: Grants permission to get a database user name and temporary password with temporary authorization to log on to Amazon Redshift Serverless
- Access: Write
- Resources:
  Name: workgroup
  
  Required: Yes
GetEndpointAccess
- Description: Grants permission to create an Amazon Redshift Serverless managed VPC endpoint
- Access: Read
- Resources:
  Name: endpointAccess
  
  Required: Yes
GetNamespace
- Description: Grants permission to get information about a namespace in Amazon Redshift Serverless
- Access: Read
- Resources:
  Name: namespace
  
  Required: Yes
GetRecoveryPoint
- Description: Grants permission to get information about a recovery point
- Access: Read
- Resources:
  Name: recoveryPoint
  
  Required: Yes
GetResourcePolicy
- Description: Grants permission to get a resource policy
- Access: Read
GetSnapshot
- Description: Grants permission to get information about a specific snapshot
- Access: Read
- Resources:
  Name: snapshot
  
  Required: Yes
GetUsageLimit
- Description: Grants permission to get information about a usage limit in Amazon Redshift Serverless
- Access: Read
GetWorkgroup
- Description: Grants permission to get information about a specific workgroup
- Access: Read
- Resources:
  Name: workgroup
  
  Required: Yes
ListEndpointAccess
- Description: Grants permission to list EndpointAccess objects and relevant information
- Access: List
- Resources:
  Name: endpointAccess
  
  Required: Yes
ListNamespaces
- Description: Grants permission to list namespaces in Amazon Redshift Serverless
- Access: List
ListRecoveryPoints
- Description: Grants permission to list an array of recovery points
- Access: List
- Resources:
  Name: namespace
  
  Required: No
ListSnapshots
- Description: Grants permission to list snapshots
- Access: List
- Resources:
  Name: snapshot
  
  Required: Yes
ListTagsForResource
- Description: Grants permission to list the tags assigned to a resource
- Access: List
- Resources:
  Name: namespace
  
  Required: No
  
  Name: workgroup
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
ListUsageLimits
- Description: Grants permission to list all usage limits within Amazon Redshift Serverless
- Access: List
ListWorkgroups
- Description: Grants permission to list workgroups in Amazon Redshift Serverless
- Access: List
PutResourcePolicy
- Description: Grants permission to create or update a resource policy
- Access: Write
RestoreFromRecoveryPoint
- Description: Grants permission to restore the data from a recovery point
- Access: Write
- Resources:
  Name: recoveryPoint
  
  Required: Yes
RestoreFromSnapshot
- Description: Grants permission to restore a namespace from a snapshot
- Access: Write
- Resources:
  Name: snapshot
  
  Required: Yes
TagResource
- Description: Grants permission to assign one or more tags to a resource
- Access: Tagging
- Resources:
  Name: namespace
  
  Required: No
  
  Name: workgroup
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
UntagResource
- Description: Grants permission to remove a tag or set of tags from a resource
- Access: Tagging
- Resources:
  Name: namespace
  
  Required: No
  
  Name: workgroup
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateEndpointAccess
- Description: Grants permission to update an Amazon Redshift Serverless managed VPC endpoint
- Access: Write
- Resources:
  Name: endpointAccess
  
  Required: Yes
UpdateNamespace
- Description: Grants permission to update a namespace with the specified configuration settings
- Access: Write
- Resources:
  Name: namespace
  
  Required: Yes
UpdateSnapshot
- Description: Grants permission to update a snapshot
- Access: Write
- Resources:
  Name: snapshot
  
  Required: Yes
UpdateUsageLimit
- Description: Grants permission to update a usage limit in Amazon Redshift Serverless
- Access: Write
UpdateWorkgroup
- Description: Grants permission to update an Amazon Redshift Serverless workgroup with the specified configuration settings
- Access: Write
- Resources:
  Name: workgroup
  
  Required: Yes

Resources

namespace
- Arn: arn:${Partition}:redshift-serverless:${Region}:${Account}:namespace/${NamespaceId}
- Conditions:
  aws:ResourceTag/${TagKey}
snapshot
- Arn: arn:${Partition}:redshift-serverless:${Region}:${Account}:snapshot/${SnapshotId}
workgroup
- Arn: arn:${Partition}:redshift-serverless:${Region}:${Account}:workgroup/${WorkgroupId}
- Conditions:
  aws:ResourceTag/${TagKey}
recoveryPoint
- Arn: arn:${Partition}:redshift-serverless:${Region}:${Account}:recovery-point/${RecoveryPointId}
endpointAccess
- Arn: arn:${Partition}:redshift-serverless:${Region}:${Account}:managedvpcendpoint/${EndpointAccessId}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys that are passed in the request
- Type: ArrayOfString
redshift-serverless:endpointAccessId
- Description: Filters access by the endpoint access identifier
- Type: String
redshift-serverless:namespaceId
- Description: Filters access by the namespace identifier
- Type: String
redshift-serverless:recoveryPointId
- Description: Filters access by the recovery point identifier
- Type: String
redshift-serverless:snapshotId
- Description: Filters access by the snapshot identifier
- Type: String
redshift-serverless:workgroupId
- Description: Filters access by the workgroup identifier
- Type: String

Amazon Redshift Serverless (redshift-serverless)

Additions