Change log of AWS IAM permissions

2022-11-17

20 new actions, 2 new resources, 3 new conditions

Additions

Actions

BackupDatabase
- Description: Grants permission to perform backup operation on a specified database
- Access: Write
DeleteResourcePermission
- Description: Grants permission to delete the SSM for SAP level resource permissions associated with a SSM for SAP database resource
- Access: Write
DeregisterApplication
- Description: Grants permission to deregister an SAP application with SSM for SAP
- Access: Write
GetApplication
- Description: Grants permission to access information about an application registered with SSM for SAP by providing the application ID or application ARN
- Access: Read
GetComponent
- Description: Grants permission to access information about a component registered with SSM for SAP by providing the application ID and component ID
- Access: Read
GetDatabase
- Description: Grants permission to access information about a database registered with SSM for SAP by providing the application ID, component ID, and database ID
- Access: Read
GetOperation
- Description: Grants permission to access information about an operation by providing its operation ID
- Access: Read
GetResourcePermission
- Description: Grants permission to get the SSM for SAP level resource permissions associated with a SSM for SAP database resource
- Access: Read
ListApplications
- Description: Grants permission to retrieve a list of all applications registered with SSM for SAP under the customer AWS account
- Access: List
ListComponents
- Description: Grants permission to retrieve a list of all components in the account of customer, or a specific application
- Access: List
ListDatabases
- Description: Grants permission to retrieve a list of all databases in the account of customer, or a specific application
- Access: List
ListOperations
- Description: Grants permission to retrieve a list of all operations in the account of customer, additional filters can be applied
- Access: List
ListTagsForResource
- Description: Grants permission to list the tags on a specified resource ARN
- Access: Read
PutResourcePermission
- Description: Grants permission to add the SSM for SAP level resource permissions associated with a SSM for SAP database resource
- Access: Write
RegisterApplication
- Description: Grants permission to registers an SAP application with SSM for SAP
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
RestoreDatabase
- Description: Grants permission to restore a database from another database
- Access: Write
TagResource
- Description: Grants permission to tag a specified resource ARN
- Access: Tagging
- Resources:
  Name: application
  
  Required: No
  
  Name: database
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
UntagResource
- Description: Grants permission to remove tags from a specified resource ARN
- Access: Tagging
- Resources:
  Name: application
  
  Required: No
  
  Name: database
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateApplicationSettings
- Description: Grants permission to update settings of a registered SSM for SAP application
- Access: Write
UpdateHANABackupSettings
- Description: Grants permission to update the HANA backup settings of a specified database
- Access: Write

Resources

application
- Arn: arn:${Partition}:ssm-sap:${Region}:${Account}:${ApplicationType}/${ApplicationId}
- Conditions:
  aws:ResourceTag/${TagKey}
database
- Arn: arn:${Partition}:ssm-sap:${Region}:${Account}:${ApplicationType}/${ApplicationId}/DB/${DatabaseId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys that are passed in the request
- Type: ArrayOfString

AWS Systems Manager for SAP (ssm-sap)

Additions