Change log of AWS IAM permissions

2023-12-02

31 new actions, 3 new resources, 3 new conditions

Additions

Actions

CancelImportTask
- Description: Grants permission to cancel an ongoing import task
- Access: Write
- Resources:
  Name: import-task
  
  Required: Yes
CancelQuery
- Description: Grants permission to cancel a query
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
CreateGraph
- Description: Grants permission to create a new graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  iam:CreateServiceLinkedRole
  
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
CreateGraphSnapshot
- Description: Grants permission to create a new snapshot from an existing graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
CreateGraphUsingImportTask
- Description: Grants permission to create a new graph while importing data into the new graph
- Access: Write
- Resources:
  Name: import-task
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  iam:CreateServiceLinkedRole
  
  iam:PassRole
  
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
CreatePrivateGraphEndpoint
- Description: Grants permission to create a new private graph endpoint to access the graph from within a vpc
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  ec2:CreateVpcEndpoint
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
  
  route53:AssociateVPCWithHostedZone
DeleteDataViaQuery
- Description: Grants permission to delete data via query APIs on the graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteGraph
- Description: Grants permission to delete a graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
DeleteGraphSnapshot
- Description: Grants permission to delete a snapshot
- Access: Write
- Resources:
  Name: graph-snapshot
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeletePrivateGraphEndpoint
- Description: Grants permission to delete a private graph endpoint of a graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
- Dependents:
  ec2:DeleteVpcEndpoints
  
  ec2:DescribeAvailabilityZones
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcAttribute
  
  ec2:DescribeVpcEndpoints
  
  ec2:DescribeVpcs
  
  ec2:ModifyVpcEndpoint
  
  route53:DisassociateVPCFromHostedZone
GetEngineStatus
- Description: Grants permission to get the engine status of the graph
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetGraph
- Description: Grants permission to get details about a graph
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetGraphSnapshot
- Description: Grants permission to get details about a snapshot
- Access: Read
- Resources:
  Name: graph-snapshot
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetGraphSummary
- Description: Grants permission to get the summary for the data in the graph
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetImportTask
- Description: Grants permission to get details about an import task
- Access: Read
- Resources:
  Name: import-task
  
  Required: Yes
GetPrivateGraphEndpoint
- Description: Grants permission to get details about a private graph endpoint of a graph
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetQueryStatus
- Description: Grants permission to check the status of a given query
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetStatisticsStatus
- Description: Grants permission to get the statistics for the data in the graph
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListGraphSnapshots
- Description: Grants permission to list the snapshots in your account
- Access: Read
- Resources:
  Name: graph-snapshot
  
  Required: Yes
ListGraphs
- Description: Grants permission to list the graphs in your account
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
ListImportTasks
- Description: Grants permission to list the import tasks in your account
- Access: Read
- Resources:
  Name: import-task
  
  Required: Yes
ListPrivateGraphEndpoints
- Description: Grants permission to list the private graph endpoints for a given graph
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListQueries
- Description: Grants permission to check the status of all active queries
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListTagsForResource
- Description: Grants permission to lists tag for a Neptune Analytics resource
- Access: Read
- Resources:
  Name: graph
  
  Required: No
  
  Name: graph-snapshot
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
ReadDataViaQuery
- Description: Grants permission to read data via query APIs on the graph
- Access: Read
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ResetGraph
- Description: Grants permission to reset a graph which deletes all data within the graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
RestoreGraphFromSnapshot
- Description: Grants permission to create a new graph from an existing snapshot
- Access: Write
- Resources:
  Name: graph-snapshot
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  kms:CreateGrant
  
  kms:Decrypt
  
  kms:DescribeKey
TagResource
- Description: Grants permission to tag a Neptune Analytics resource
- Access: Tagging
- Resources:
  Name: graph
  
  Required: No
  
  Name: graph-snapshot
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
UntagResource
- Description: Grants permission to untag a Neptune Analytics resource
- Access: Tagging
- Resources:
  Name: graph
  
  Required: No
  
  Name: graph-snapshot
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateGraph
- Description: Grants permission to modify a graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
WriteDataViaQuery
- Description: Grants permission to write data via query APIs on the graph
- Access: Write
- Resources:
  Name: graph
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}

Resources

graph
- Arn: arn:${Partition}:neptune-graph:${Region}:${Account}:graph/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
graph-snapshot
- Arn: arn:${Partition}:neptune-graph:${Region}:${Account}:graph-snapshot/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
import-task
- Arn: arn:${Partition}:neptune-graph:${Region}:${Account}:import-task/${ResourceId}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by a tag's key and value in a request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the presence of tag key-value pairs in the request
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys in a request
- Type: ArrayOfString

Amazon Neptune Analytics (neptune-graph)

Additions