Change log of AWS IAM permissions

2022-12-03

13 new actions, 2 new resources, 3 new conditions

Additions

Actions

CreateCluster
- Description: Grants permission to create a new Amazon DocDB-Elastic cluster
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  ec2:CreateVpcEndpoint
  
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
  
  iam:CreateServiceLinkedRole
  
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
  
  kms:GenerateDataKey
  
  secretsmanager:DescribeSecret
  
  secretsmanager:GetResourcePolicy
  
  secretsmanager:GetSecretValue
  
  secretsmanager:ListSecretVersionIds
  
  secretsmanager:ListSecrets
CreateClusterSnapshot
- Description: Grants permission to create a new Amazon DocDB-Elastic cluster snapshot
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  aws:ResourceTag/${TagKey}
- Dependents:
  ec2:CreateVpcEndpoint
  
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
  
  iam:CreateServiceLinkedRole
  
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
  
  kms:GenerateDataKey
  
  secretsmanager:DescribeSecret
  
  secretsmanager:GetResourcePolicy
  
  secretsmanager:GetSecretValue
  
  secretsmanager:ListSecretVersionIds
  
  secretsmanager:ListSecrets
DeleteCluster
- Description: Grants permission to delete a cluster
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
DeleteClusterSnapshot
- Description: Grants permission to delete a cluster snapshot
- Access: Write
- Resources:
  Name: cluster-snapshot
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
GetCluster
- Description: Grants permission to view details about a cluster
- Access: Read
- Resources:
  Name: cluster
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetClusterSnapshot
- Description: Grants permission to view details about a cluster snapshot
- Access: Read
- Resources:
  Name: cluster-snapshot
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListClusterSnapshots
- Description: Grants permission to list the cluster snapshots in your account
- Access: List
ListClusters
- Description: Grants permission to list the clusters in your account
- Access: List
ListTagsForResource
- Description: Grants permission to lists tag for an DocumentDB Elastic resource
- Access: List
- Resources:
  Name: cluster
  
  Required: No
  
  Name: cluster-snapshot
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
RestoreClusterFromSnapshot
- Description: Grants permission to restore cluster from a Amazon DocDB-Elastic cluster snapshot
- Access: Write
- Resources:
  Name: cluster-snapshot
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  aws:ResourceTag/${TagKey}
- Dependents:
  ec2:CreateVpcEndpoint
  
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
  
  iam:CreateServiceLinkedRole
  
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
  
  kms:GenerateDataKey
  
  secretsmanager:DescribeSecret
  
  secretsmanager:GetResourcePolicy
  
  secretsmanager:GetSecretValue
  
  secretsmanager:ListSecretVersionIds
  
  secretsmanager:ListSecrets
TagResource
- Description: Grants permission to tag an DocumentDB Elastic resource
- Access: Tagging
- Resources:
  Name: cluster
  
  Required: No
  
  Name: cluster-snapshot
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
UntagResource
- Description: Grants permission to untag a DocumentDB Elastic resource
- Access: Tagging
- Resources:
  Name: cluster
  
  Required: No
  
  Name: cluster-snapshot
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateCluster
- Description: Grants permission to modify a cluster
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  ec2:CreateVpcEndpoint
  
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
  
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
  
  kms:GenerateDataKey
  
  secretsmanager:DescribeSecret
  
  secretsmanager:GetResourcePolicy
  
  secretsmanager:GetSecretValue
  
  secretsmanager:ListSecretVersionIds
  
  secretsmanager:ListSecrets

Resources

cluster
- Arn: arn:${Partition}:docdb-elastic:${Region}:${Account}:cluster/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
cluster-snapshot
- Arn: arn:${Partition}:docdb-elastic:${Region}:${Account}:cluster-snapshot/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access based on the presence of tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access based on tag key-value pairs attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access based on the presence of tag keys in the request
- Type: ArrayOfString

Amazon DocumentDB Elastic Clusters (docdb-elastic)

Additions