Change log of AWS IAM permissions

2024-09-20

17 new actions, 1 new resource, 6 new conditions

Additions

Actions

AddGroupMember
- Description: Grants permission to add a member to a group on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:MemberName
  
  ds-data:Realm
  
  ds-data:MemberRealm
  
  ds-data:Identifier
- Dependents:
  ds:AccessDSData
CreateGroup
- Description: Grants permission to create a group on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
CreateUser
- Description: Grants permission to create a user on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
DeleteGroup
- Description: Grants permission to delete a group on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
DeleteUser
- Description: Grants permission to delete a user on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
DescribeGroup
- Description: Grants permission to describe a group on a directory
- Access: Read
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
DescribeUser
- Description: Grants permission to describe a user on a directory
- Access: Read
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
DisableUser
- Description: Grants permission to disable a user on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
ListGroupMembers
- Description: Grants permission to list members in a group on a directory
- Access: List
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Realm
  
  ds-data:MemberRealm
  
  ds-data:Identifier
- Dependents:
  ds:AccessDSData
ListGroups
- Description: Grants permission to list groups on a directory
- Access: List
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:Realm
- Dependents:
  ds:AccessDSData
ListGroupsForMember
- Description: Grants permission to list the groups that a member is in on a directory
- Access: List
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Realm
  
  ds-data:MemberRealm
  
  ds-data:Identifier
- Dependents:
  ds:AccessDSData
ListUsers
- Description: Grants permission to list users on a directory
- Access: List
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:Realm
- Dependents:
  ds:AccessDSData
RemoveGroupMember
- Description: Grants permission to remove a member from a group on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:MemberName
  
  ds-data:Realm
  
  ds-data:MemberRealm
  
  ds-data:Identifier
- Dependents:
  ds:AccessDSData
SearchGroups
- Description: Grants permission to search for groups on a directory
- Access: Read
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:Realm
- Dependents:
  ds-data:DescribeGroup
  
  ds:AccessDSData
SearchUsers
- Description: Grants permission to search for users on a directory
- Access: Read
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:Realm
- Dependents:
  ds-data:DescribeUser
  
  ds:AccessDSData
UpdateGroup
- Description: Grants permission to update a group on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData
UpdateUser
- Description: Grants permission to update a user on a directory
- Access: Write
- Resources:
  Name: directory
  
  Required: Yes
- Conditions:
  ds-data:SAMAccountName
  
  ds-data:Identifier
  
  ds-data:Realm
- Dependents:
  ds:AccessDSData

Resources

directory
- Arn: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:ResourceTag/${TagKey}
- Description: Filters access by the AWS DS Resource being acted upon
- Type: String
ds-data:Identifier
- Description: Filters access by the type of identifier provided in the request (i.e. SAM Account Name)
- Type: String
ds-data:MemberName
- Description: Filters access by the directory SAM Account Name included in the MemberName input of the request
- Type: String
ds-data:MemberRealm
- Description: Filters access by the directory realm name included in the MemberRealm input of the request
- Type: String
ds-data:Realm
- Description: Filters access by the directory realm name for the request
- Type: String
ds-data:SAMAccountName
- Description: Filters access by the directory SAM Account Name included in the SAMAccountName input of the request
- Type: String

AWS Directory Service Data (ds-data)

Additions