Change log of AWS IAM permissions

2022-12-03

15 new actions, 2 new resources, 4 new conditions

Additions

Actions

CreateLink
- Description: Grants permission to create a link between a monitoring account and a source account for cross-account monitoring
- Access: Write
- Resources:
  Name: Sink
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  oam:ResourceTypes
- Dependents:
  oam:TagResource
CreateSink
- Description: Grants permission to create a sink in an account so that it can be used as a monitoring account for cross-account monitoring
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  oam:TagResource
DeleteLink
- Description: Grants permission to delete a link between a monitoring account and a source account for cross-account monitoring
- Access: Write
- Resources:
  Name: Link
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteSink
- Description: Grants permission to delete a cross-account monitoring sink in a monitoring account
- Access: Write
- Resources:
  Name: Sink
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetLink
- Description: Grants permission to retrieve complete information about one cross-account monitoring link
- Access: Read
- Resources:
  Name: Link
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetSink
- Description: Grants permission to retrieve complete information about one cross-account monitoring sink
- Access: Read
- Resources:
  Name: Sink
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetSinkPolicy
- Description: Grants permission to retrieve information for the IAM policy for a cross-account monitoring sink
- Access: Read
- Resources:
  Name: Sink
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListAttachedLinks
- Description: Grants permission to retrieve a list of links that are linked for a cross-account monitoring sink
- Access: Read
- Resources:
  Name: Sink
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListLinks
- Description: Grants permission to retrieve the ARNs of cross-account monitoring links in this account
- Access: Read
ListSinks
- Description: Grants permission to retrieve the ARNs of cross-account monitoring sinks in this account
- Access: Read
ListTagsForResource
- Description: Grants permission to list the tags for a resource
- Access: Read
- Resources:
  Name: Link
  
  Required: No
  
  Name: Sink
  
  Required: No
PutSinkPolicy
- Description: Grants permission to create or update the IAM policy for a cross-account monitoring sink
- Access: Write
- Resources:
  Name: Sink
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Resources:
  Name: Link
  
  Required: No
  
  Name: Sink
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to untag a resource
- Access: Tagging
- Resources:
  Name: Link
  
  Required: No
  
  Name: Sink
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateLink
- Description: Grants permission to update an existing link between a monitoring account and a source account
- Access: Write
- Resources:
  Name: Link
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  oam:ResourceTypes

Resources

Link
- Arn: arn:${Partition}:oam:${Region}:${Account}:link/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
Sink
- Arn: arn:${Partition}:oam:${Region}:${Account}:sink/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the presence of tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by tag key-value pairs attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access by the presence of tag keys in the request
- Type: ArrayOfString
oam:ResourceTypes
- Description: Filters access by the presence of resource types in the request
- Type: ArrayOfString

Amazon CloudWatch Observability Access Manager (oam)

Additions