Change log of AWS IAM permissions

2023-08-29

25 new actions, 5 new resources, 3 new conditions

Additions

Actions

CreateConnector
- Description: Grants permission to create a Connector in your account
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  acm-pca:DescribeCertificateAuthority
  
  acm-pca:GetCertificate
  
  acm-pca:GetCertificateAuthorityCertificate
  
  acm-pca:IssueCertificate
  
  ec2:CreateTags
  
  ec2:CreateVpcEndpoint
  
  ec2:DescribeVpcEndpoints
CreateDirectoryRegistration
- Description: Grants permission to create a DirectoryRegistration in your account
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  ds:AuthorizeApplication
  
  ds:DescribeDirectories
CreateServicePrincipalName
- Description: Grants permission to create a ServicePrincipalName for a DirectoryRegistration
- Access: Write
- Resources:
  Name: DirectoryRegistration
  
  Required: Yes
- Dependents:
  ds:UpdateAuthorizedApplication
CreateTemplate
- Description: Grants permission to create a Template for a Connector
- Access: Write
- Resources:
  Name: Connector
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateTemplateGroupAccessControlEntry
- Description: Grants permission to create a TemplateGroupAccessControlEntry for a Template
- Access: Write
- Resources:
  Name: Template
  
  Required: Yes
DeleteConnector
- Description: Grants permission to delete a Connector in your account
- Access: Write
- Resources:
  Name: Connector
  
  Required: Yes
- Dependents:
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeVpcEndpoints
DeleteDirectoryRegistration
- Description: Grants permission to delete a DirectoryRegistration in your account
- Access: Write
- Resources:
  Name: DirectoryRegistration
  
  Required: Yes
- Dependents:
  ds:UnauthorizeApplication
  
  ds:UpdateAuthorizedApplication
DeleteServicePrincipalName
- Description: Grants permission to delete a ServicePrincipalName for a DirectoryRegistration
- Access: Write
- Resources:
  Name: DirectoryRegistration
  
  Required: Yes
- Dependents:
  ds:UpdateAuthorizedApplication
DeleteTemplate
- Description: Grants permission to delete a Template for a Connector
- Access: Write
- Resources:
  Name: Template
  
  Required: Yes
DeleteTemplateGroupAccessControlEntry
- Description: Grants permission to delete a TemplateGroupAccessControlEntry for a Template
- Access: Write
- Resources:
  Name: Template
  
  Required: Yes
GetConnector
- Description: Grants permission to get a Connector in your account
- Access: Read
- Resources:
  Name: Connector
  
  Required: Yes
GetDirectoryRegistration
- Description: Grants permission to get a DirectoryRegistration in your account
- Access: Read
- Resources:
  Name: DirectoryRegistration
  
  Required: Yes
GetServicePrincipalName
- Description: Grants permission to get a ServicePrincipalName for a DirectoryRegistration
- Access: Read
- Resources:
  Name: DirectoryRegistration
  
  Required: Yes
GetTemplate
- Description: Grants permission to get a Template for a Connector
- Access: Read
- Resources:
  Name: Template
  
  Required: Yes
GetTemplateGroupAccessControlEntry
- Description: Grants permission to get a TemplateGroupAccessControlEntry for a Template
- Access: Read
- Resources:
  Name: Template
  
  Required: Yes
ListConnectors
- Description: Grants permission to list the Connectors in your account
- Access: List
ListDirectoryRegistrations
- Description: Grants permission to list the DirectoryRegistrations in your account
- Access: List
ListServicePrincipalNames
- Description: Grants permission to list the ServicePrincipalNames for a DirectoryRegistration
- Access: List
- Resources:
  Name: DirectoryRegistration
  
  Required: Yes
ListTagsForResource
- Description: Grants permission to list the tags for a pca-connector-ad resource in your account
- Access: Read
ListTemplateGroupAccessControlEntries
- Description: Grants permission to list the TemplateGroupAccessControlEntries for a Template
- Access: List
- Resources:
  Name: Template
  
  Required: Yes
ListTemplates
- Description: Grants permission to list the Templates for a Connector
- Access: List
- Resources:
  Name: Connector
  
  Required: Yes
TagResource
- Description: Grants permission to tag a pca-connector-ad resource in your account
- Access: Tagging
- Resources:
  Name: Connector
  
  Required: No
  
  Name: DirectoryRegistration
  
  Required: No
  
  Name: Template
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to untag a pca-connector-ad resource in your account
- Access: Tagging
- Resources:
  Name: Connector
  
  Required: No
  
  Name: DirectoryRegistration
  
  Required: No
  
  Name: Template
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateTemplate
- Description: Grants permission to update a Template for a Connector
- Access: Write
- Resources:
  Name: Template
  
  Required: Yes
UpdateTemplateGroupAccessControlEntry
- Description: Grants permission to update a TemplateGroupAccessControlEntry for a Template
- Access: Write
- Resources:
  Name: Template
  
  Required: Yes

Resources

Connector
- Arn: arn:${Partition}:pca-connector-ad:${Region}:${Account}:connector/${ConnectorId}
- Conditions:
  aws:ResourceTag/${TagKey}
DirectoryRegistration
- Arn: arn:${Partition}:pca-connector-ad:${Region}:${Account}:directory-registration/${DirectoryId}
- Conditions:
  aws:ResourceTag/${TagKey}
ServicePrincipalName
- Arn: arn:${Partition}:pca-connector-ad:${Region}:${Account}:directory-registration/${DirectoryId}
Template
- Arn: arn:${Partition}:pca-connector-ad:${Region}:${Account}:connector/${ConnectorId}/template/${TemplateId}
- Conditions:
  aws:ResourceTag/${TagKey}
TemplateGroupAccessControlEntry
- Arn: arn:${Partition}:pca-connector-ad:${Region}:${Account}:connector/${ConnectorId}/template/${TemplateId}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by on the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by on the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by on the tag keys that are passed in the request
- Type: ArrayOfString

AWS Private CA Connector for Active Directory (pca-connector-ad)

Additions