2022-12-07
29 new actions, 5 new resources, 2 new conditions | 9 updated actions
Additions
Actions
-
AttachVerifiedAccessTrustProvider
-
Description:
Grants permission to attach a trust provider to a Verified Access instance
-
Access:
Write
-
Resources:
Name: verified-access-instance
Required: Yes
Name: verified-access-trust-provider
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
CreateVerifiedAccessEndpoint
-
Description:
Grants permission to create a Verified Access endpoint
-
Access:
Write
-
Resources:
Name: verified-access-endpoint
Required: Yes
Name: verified-access-group
Required: Yes
Name: network-interface
Required: No
Name: security-group
Required: No
Name: subnet
Required: No
-
Conditions:
ec2:DomainCertificateArn
ec2:LoadBalancerArn
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:AssociatePublicIpAddress
ec2:AuthorizedService
ec2:AuthorizedUser
ec2:AvailabilityZone
ec2:NetworkInterfaceID
ec2:Permission
ec2:Subnet
ec2:Vpc
ec2:SecurityGroupID
ec2:SubnetID
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
-
Dependents:
ec2:CreateTags
-
CreateVerifiedAccessGroup
-
Description:
Grants permission to create a Verified Access group
-
Access:
Write
-
Resources:
Name: verified-access-group
Required: Yes
Name: verified-access-instance
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
-
Dependents:
ec2:CreateTags
-
CreateVerifiedAccessInstance
-
Description:
Grants permission to create a Verified Access instance
-
Access:
Write
-
Resources:
Name: verified-access-instance
Required: Yes
-
Conditions:
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
-
Dependents:
ec2:CreateTags
-
CreateVerifiedAccessTrustProvider
-
Description:
Grants permission to create a verified trust provider
-
Access:
Write
-
Resources:
Name: verified-access-trust-provider
Required: Yes
-
Conditions:
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:Region
-
Dependents:
ec2:CreateTags
-
DeleteVerifiedAccessEndpoint
-
Description:
Grants permission to delete a Verified Access endpoint
-
Access:
Write
-
Resources:
Name: verified-access-endpoint
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:DomainCertificateArn
ec2:LoadBalancerArn
ec2:ResourceTag/${TagKey}
ec2:Region
-
DeleteVerifiedAccessGroup
-
Description:
Grants permission to delete a Verified Access group
-
Access:
Write
-
Resources:
Name: verified-access-group
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
DeleteVerifiedAccessInstance
-
Description:
Grants permission to delete a Verified Access instance
-
Access:
Write
-
Resources:
Name: verified-access-instance
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
DeleteVerifiedAccessTrustProvider
-
Description:
Grants permission to delete a verified trust provider
-
Access:
Write
-
Resources:
Name: verified-access-trust-provider
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
DescribeAwsNetworkPerformanceMetricSubscriptions
-
Description:
Grants permission to describe the current infrastructure performance metric subscriptions
-
Access:
List
-
Conditions:
ec2:Region
-
DescribeVerifiedAccessEndpoints
-
Description:
Grants permission to describe the specified Verified Access endpoints or all Verified Access endpoints
-
Access:
List
-
Conditions:
ec2:Region
-
DescribeVerifiedAccessGroups
-
Description:
Grants permission to describe the specified Verified Access groups or all Verified Access groups
-
Access:
List
-
Conditions:
ec2:Region
-
DescribeVerifiedAccessInstanceLoggingConfigurations
-
Description:
Grants permission to describe the current logging configuration for the Verified Access instances
-
Access:
List
-
Conditions:
ec2:Region
-
DescribeVerifiedAccessInstances
-
Description:
Grants permission to describe the specified Verified Access instances or all Verified Access instances
-
Access:
List
-
Conditions:
ec2:Region
-
DescribeVerifiedAccessTrustProviders
-
Description:
Grants permission to describe details of existing Verified Access trust providers
-
Access:
List
-
Conditions:
ec2:Region
-
DetachVerifiedAccessTrustProvider
-
Description:
Grants permission to detach a trust provider from a Verified Access instance
-
Access:
Write
-
Resources:
Name: verified-access-instance
Required: Yes
Name: verified-access-trust-provider
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
DisableAwsNetworkPerformanceMetricSubscription
-
Description:
Grants permission to disable infrastructure performance metric subscriptions
-
Access:
Write
-
Conditions:
ec2:Region
-
EnableAwsNetworkPerformanceMetricSubscription
-
Description:
Grants permission to enable infrastructure performance subscriptions
-
Access:
Write
-
Conditions:
ec2:Region
-
EnableReachabilityAnalyzerOrganizationSharing
-
Description:
Grants permission to enable organization sharing of reachability analyzer
-
Access:
Write
-
Conditions:
ec2:Region
-
GetAwsNetworkPerformanceData
-
Description:
Grants permission to get network performance data
-
Access:
Read
-
Conditions:
ec2:Region
-
GetVerifiedAccessEndpointPolicy
-
Description:
Grants permission to show the Verified Access policy associated with the endpoint
-
Access:
List
-
Resources:
Name: verified-access-endpoint
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:DomainCertificateArn
ec2:LoadBalancerArn
ec2:ResourceTag/${TagKey}
ec2:Region
-
GetVerifiedAccessGroupPolicy
-
Description:
Grants permission to show the contents of the Verified Access policy associated with the group
-
Access:
List
-
Resources:
Name: verified-access-group
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
ModifyVerifiedAccessEndpoint
-
Description:
Grants permission to modify the configuration of a Verified Access endpoint
-
Access:
Write
-
Resources:
Name: verified-access-endpoint
Required: Yes
Name: subnet
Required: No
Name: verified-access-group
Required: No
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:DomainCertificateArn
ec2:LoadBalancerArn
ec2:ResourceTag/${TagKey}
ec2:AvailabilityZone
ec2:SubnetID
ec2:Vpc
ec2:Region
-
ModifyVerifiedAccessEndpointPolicy
-
Description:
Grants permission to modify the specified Verified Access endpoint policy
-
Access:
Write
-
Resources:
Name: verified-access-endpoint
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:DomainCertificateArn
ec2:LoadBalancerArn
ec2:ResourceTag/${TagKey}
ec2:Region
-
ModifyVerifiedAccessGroup
-
Description:
Grants permission to modify the specified Verified Access Group configuration
-
Access:
Write
-
Resources:
Name: verified-access-group
Required: Yes
Name: verified-access-instance
Required: No
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
ModifyVerifiedAccessGroupPolicy
-
Description:
Grants permission to modify the specified Verified Access group policy
-
Access:
Write
-
Resources:
Name: verified-access-group
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
ModifyVerifiedAccessInstance
-
Description:
Grants permission to modify the configuration of the specified Verified Access instance
-
Access:
Write
-
Resources:
Name: verified-access-instance
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
ModifyVerifiedAccessInstanceLoggingConfiguration
-
Description:
Grants permission to modify the logging configuration for the specified Verified Access instance
-
Access:
Write
-
Resources:
Name: verified-access-instance
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
-
ModifyVerifiedAccessTrustProvider
-
Description:
Grants permission to modify the configuration of the specified Verified Access trust provider
-
Access:
Write
-
Resources:
Name: verified-access-trust-provider
Required: Yes
-
Conditions:
aws:ResourceTag/${TagKey}
ec2:ResourceTag/${TagKey}
ec2:Region
Resources
-
verified-access-endpoint
-
Arn:
arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint/${VerifiedAccessEndpointId}
-
Conditions:
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
ec2:DomainCertificateArn
ec2:LoadBalancerArn
ec2:Region
ec2:ResourceTag/${TagKey}
-
verified-access-group
-
Arn:
arn:${Partition}:ec2:${Region}:${Account}:verified-access-group/${VerifiedAccessGroupId}
-
Conditions:
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
ec2:Region
ec2:ResourceTag/${TagKey}
-
verified-access-instance
-
Arn:
arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}
-
Conditions:
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
ec2:Region
ec2:ResourceTag/${TagKey}
-
verified-access-policy
-
Arn:
arn:${Partition}:ec2:${Region}:${Account}:verified-access-policy/${VerifiedAccessPolicyId}
-
Conditions:
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
ec2:Region
ec2:ResourceTag/${TagKey}
-
verified-access-trust-provider
-
Arn:
arn:${Partition}:ec2:${Region}:${Account}:verified-access-trust-provider/${VerifiedAccessTrustProviderId}
-
Conditions:
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys
ec2:Region
ec2:ResourceTag/${TagKey}
Conditions
-
ec2:DomainCertificateArn
-
Description:
Filters access by the ARN of an Amazon Certificate Manager certificate
-
Type:
ARN
-
ec2:LoadBalancerArn
-
Description:
Filters access by the ARN of an Elastic Load Balancer
-
Type:
ARN
Updates
Actions
-
CreateLocalGatewayRoute
Conditions
-
+ ec2:AvailabilityZone
-
+ ec2:NetworkInterfaceID
-
+ ec2:Subnet
-
+ ec2:Vpc
Resources
-
+ network-interface
-
CreateTags
Conditions
-
+ ec2:DomainCertificateArn
-
+ ec2:LoadBalancerArn
Resources
-
+ verified-access-endpoint
-
+ verified-access-group
-
+ verified-access-instance
-
+ verified-access-policy
-
+ verified-access-trust-provider
-
GetTransitGatewayMulticastDomainAssociations
Conditions
-
+ aws:ResourceTag/${TagKey}
-
+ ec2:ResourceTag/${TagKey}
-
SearchTransitGatewayMulticastGroups
Conditions
-
+ aws:ResourceTag/${TagKey}
-
+ ec2:ResourceTag/${TagKey}
-
CreatePublicIpv4Pool
Resources
-
+ ipv4pool-ec2 (Required: Yes)
-
- network-insights-access-scope (Required: Yes)
-
DeleteResourcePolicy
Resources
-
+ verified-access-group
-
DeleteTags
Resources
-
+ verified-access-endpoint
-
+ verified-access-group
-
+ verified-access-instance
-
+ verified-access-policy
-
+ verified-access-trust-provider
-
GetResourcePolicy
Resources
-
+ verified-access-group
-
PutResourcePolicy
Resources
-
+ verified-access-group