Change log of AWS IAM permissions

2023-11-11

15 new actions, 3 new resources, 2 new conditions | 3 updated actions

Additions

Actions

CreateDelivery
- Description: Grants permission to create a delivery connecting a delivery source to a delivery destination
- Access: Write
- Resources:
  Name: delivery
  
  Required: Yes
  
  Name: delivery-destination
  
  Required: Yes
  
  Name: delivery-source
  
  Required: Yes
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
DeleteDelivery
- Description: Grants permission to delete a delivery
- Access: Write
- Resources:
  Name: delivery
  
  Required: Yes
DeleteDeliveryDestination
- Description: Grants permission to delete a delivery destination after all associated deliveries are deleted
- Access: Write
- Resources:
  Name: delivery-destination
  
  Required: Yes
DeleteDeliveryDestinationPolicy
- Description: Grants permission to delete a delivery destination policy associated with a delivery destination
- Access: Write
- Resources:
  Name: delivery-destination
  
  Required: Yes
DeleteDeliverySource
- Description: Grants permission to delete a delivery source after all associated deliveries are deleted
- Access: Write
- Resources:
  Name: delivery-destination
  
  Required: Yes
DescribeDeliveries
- Description: Grants permission to retrieve a list of deliveries an account
- Access: List
DescribeDeliveryDestinations
- Description: Grants permission to retrieve a list of delivery destinations an account
- Access: List
DescribeDeliverySources
- Description: Grants permission to retrieve a list of delivery sources in an account
- Access: List
GetDelivery
- Description: Grants permission to retrieve a single delivery
- Access: Read
- Resources:
  Name: delivery
  
  Required: Yes
GetDeliveryDestination
- Description: Grants permission to retrieve a single delivery destination
- Access: Read
- Resources:
  Name: delivery-destination
  
  Required: Yes
GetDeliveryDestinationPolicy
- Description: Grants permission to retrieve a delivery destination policy attached to a delivery destination
- Access: Read
- Resources:
  Name: delivery-destination
  
  Required: Yes
GetDeliverySource
- Description: Grants permission to retrieve a single delivery source
- Access: Read
- Resources:
  Name: delivery-source
  
  Required: Yes
PutDeliveryDestination
- Description: Grants permission to create/update a delivery destination
- Access: Write
- Resources:
  Name: delivery-destination
  
  Required: Yes
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  logs:DeliveryDestinationResourceArn
PutDeliveryDestinationPolicy
- Description: Grants permission to attach a delivery destination policy to a delivery destination
- Access: Write
- Resources:
  Name: delivery-destination
  
  Required: Yes
PutDeliverySource
- Description: Grants permission to create/update a delivery source
- Access: Write
- Resources:
  Name: delivery-source
  
  Required: Yes
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  logs:LogGeneratingResourceArns

Resources

delivery-source
- Arn: arn:${Partition}:logs:${Region}:${Account}:delivery-source:${DeliverySourceName}
- Conditions:
  aws:ResourceTag/${TagKey}
delivery
- Arn: arn:${Partition}:logs:${Region}:${Account}:delivery:${DeliveryName}
- Conditions:
  aws:ResourceTag/${TagKey}
delivery-destination
- Arn: arn:${Partition}:logs:${Region}:${Account}:delivery-destination:${DeliverySourceName}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

logs:DeliveryDestinationResourceArn
- Description: Filters access by the Log Destination ARN passed in the request
- Type: ARN
logs:LogGeneratingResourceArns
- Description: Filters access by the Log Generating Resource ARNs passed in the request
- Type: ArrayOfARN

Updates

Actions

ListTagsForResource
- ＋ delivery
- ＋ delivery-destination
- ＋ delivery-source
TagResource
- ＋ delivery
- ＋ delivery-destination
- ＋ delivery-source
UntagResource
- ＋ delivery
- ＋ delivery-destination
- ＋ delivery-source

Amazon CloudWatch Logs (logs)

Additions

Updates