Change log of AWS IAM permissions

2023-12-02

34 new actions, 3 new resources, 1 new condition | 4 updated actions, 1 updated resource

Additions

Actions

CreateApplication
- Description: Grants permission to create an application
- Access: Write
- Resources:
  Name: ApplicationProvider
  
  Required: Yes
  
  Name: Instance
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateApplicationAssignment
- Description: Grants permission to create an application assignment
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
CreateInstance
- Description: Grants permission to create an identity center instance
- Access: Write
- Resources:
  Name: Instance
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  iam:CreateServiceLinkedRole
  
  organizations:DescribeOrganization
CreateTrustedTokenIssuer
- Description: Grants permission to create a trusted token issuer for an instance
- Access: Write
- Resources:
  Name: Instance
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteApplication
- Description: Grants permission to delete an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
DeleteApplicationAccessScope
- Description: Grants permission to delete an access scope to an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
DeleteApplicationAssignment
- Description: Grants permission to delete an application assignment
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
DeleteApplicationAuthenticationMethod
- Description: Grants permission to delete an authentication method to an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
DeleteApplicationGrant
- Description: Grants permission to delete a grant from an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
DeleteInstance
- Description: Grants permission to delete an identity center instance
- Access: Write
- Resources:
  Name: Instance
  
  Required: Yes
DeleteTrustedTokenIssuer
- Description: Grants permission to delete a trusted token issuer for an instance
- Access: Write
- Resources:
  Name: TrustedTokenIssuer
  
  Required: Yes
DescribeApplication
- Description: Grants permission to obtain information about an application
- Access: Read
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
DescribeApplicationAssignment
- Description: Grants permission to retrieve an application assignment
- Access: Read
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
DescribeApplicationProvider
- Description: Grants permission to describe an application provider
- Access: Read
- Resources:
  Name: ApplicationProvider
  
  Required: Yes
DescribeInstance
- Description: Grants permission to obtain information about an identity center instance
- Access: Read
- Resources:
  Name: Instance
  
  Required: Yes
DescribeTrustedTokenIssuer
- Description: Grants permission to describe a trusted token issuer for an instance
- Access: Read
- Resources:
  Name: TrustedTokenIssuer
  
  Required: Yes
GetApplicationAccessScope
- Description: Grants permission to get an access scope to an application
- Access: Read
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
GetApplicationAssignmentConfiguration
- Description: Grants permission to read assignment configurations for an application
- Access: Read
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
GetApplicationAuthenticationMethod
- Description: Grants permission to get an authentication method to an application
- Access: Read
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
GetApplicationGrant
- Description: Grants permission to obtain details about a grant belonging to an application
- Access: Read
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
ListAccountAssignmentsForPrincipal
- Description: Grants permission to list accounts assigned to user or group
- Access: List
- Resources:
  Name: Instance
  
  Required: Yes
ListApplicationAccessScopes
- Description: Grants permission to list access scopes to an application
- Access: List
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
ListApplicationAssignments
- Description: Grants permission to list application assignments
- Access: List
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
ListApplicationAssignmentsForPrincipal
- Description: Grants permission to list applications assigned to user or group
- Access: List
- Resources:
  Name: Instance
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
ListApplicationAuthenticationMethods
- Description: Grants permission to list authentication methods to an application
- Access: List
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
ListApplicationGrants
- Description: Grants permission to list grants from an application
- Access: List
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
ListApplicationProviders
- Description: Grants permission to list application providers
- Access: List
- Resources:
  Name: ApplicationProvider
  
  Required: Yes
ListTrustedTokenIssuers
- Description: Grants permission to list trusted token issuers for an instance
- Access: List
- Resources:
  Name: Instance
  
  Required: Yes
PutApplicationAccessScope
- Description: Grants permission to create/update an access scope to an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
PutApplicationAuthenticationMethod
- Description: Grants permission to create/update an authentication method to an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
PutApplicationGrant
- Description: Grants permission to create/update a grant to an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
UpdateApplication
- Description: Grants permission to update an application
- Access: Write
- Resources:
  Name: Application
  
  Required: Yes
- Conditions:
  sso:ApplicationAccount
UpdateInstance
- Description: Grants permission to update an identity center instance
- Access: Write
- Resources:
  Name: Instance
  
  Required: Yes
UpdateTrustedTokenIssuer
- Description: Grants permission to update a trusted token issuer for an instance
- Access: Write
- Resources:
  Name: TrustedTokenIssuer
  
  Required: Yes

Resources

Application
- Arn: arn:${Partition}:sso::${AccountId}:application/${InstanceId}/${ApplicationId}
- Conditions:
  aws:ResourceTag/${TagKey}
  
  sso:ApplicationAccount
TrustedTokenIssuer
- Arn: arn:${Partition}:sso::${AccountId}:trustedTokenIssuer/${InstanceId}/${TrustedTokenIssuerId}
- Conditions:
  aws:ResourceTag/${TagKey}
ApplicationProvider
- Arn: arn:${Partition}:sso::aws:applicationProvider/${ApplicationProviderId}

Conditions

sso:ApplicationAccount
- Description: Filters access by the account which creates the application
- Type: String

Updates

Actions

ListTagsForResource
- New_value: No
  
  Old_value: Yes
- ＋ Application
- ＋ TrustedTokenIssuer
PutApplicationAssignmentConfiguration
- ＋ Application
- ＋ sso:ApplicationAccount
TagResource
- New_value: No
  
  Old_value: Yes
- ＋ Application
- ＋ TrustedTokenIssuer
UntagResource
- New_value: No
  
  Old_value: Yes
- ＋ Application
- ＋ TrustedTokenIssuer
- － aws:RequestTag/${TagKey}

Resources

Instance
- ＋ aws:ResourceTag/${TagKey}

AWS IAM Identity Center (successor to AWS Single Sign-On) (sso)

Additions

Updates