Change log of AWS IAM permissions

2024-12-07

12 new actions, 1 new resource, 4 new conditions

Additions

Actions

CreateCluster
- Description: Grants permission to create new clusters
- Access: Write
- Resources:
  Name: Cluster
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  iam:CreateServiceLinkedRole
CreateMultiRegionClusters
- Description: Grants permission to create multi-Region clusters. Creating multi-Region clusters also requires CreateCluster permission in each specified Region
- Access: Write
- Resources:
  Name: Cluster
  
  Required: Yes
- Conditions:
  dsql:WitnessRegion
- Dependents:
  dsql:CreateCluster
DbConnect
- Description: Grants permission to connect to the database
- Access: Write
- Resources:
  Name: Cluster
  
  Required: Yes
DbConnectAdmin
- Description: Grants permission to connect to the database with admin role. Connecting with any other role requires DbConnect permission
- Access: Write
- Resources:
  Name: Cluster
  
  Required: Yes
DeleteCluster
- Description: Grants permission to delete a cluster and all of its data
- Access: Write
- Resources:
  Name: Cluster
  
  Required: Yes
DeleteMultiRegionClusters
- Description: Grants permission to delete multi-Region clusters. Deleting multi-Region clusters also requires DeleteCluster permission in each specified Region
- Access: Write
- Resources:
  Name: Cluster
  
  Required: Yes
- Dependents:
  dsql:DeleteCluster
GetCluster
- Description: Grants permission to get information about a cluster
- Access: Read
- Resources:
  Name: Cluster
  
  Required: Yes
ListClusters
- Description: Grants permission to retrieve a list of clusters
- Access: List
ListTagsForResource
- Description: Grants permission to list all tags on an Aurora DSQL resource
- Access: Read
- Resources:
  Name: Cluster
  
  Required: Yes
TagResource
- Description: Grants permission to add tags to Aurora DSQL resources
- Access: Tagging
- Resources:
  Name: Cluster
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to remove tags from Aurora DSQL resources
- Access: Tagging
- Resources:
  Name: Cluster
  
  Required: Yes
- Conditions:
  aws:TagKeys
UpdateCluster
- Description: Grants permission to modify cluster attributes
- Access: Write
- Resources:
  Name: Cluster
  
  Required: Yes

Resources

Cluster
- Arn: arn:${Partition}:dsql:${Region}:${Account}:cluster/${Identifier}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by a tag key and value pair that is allowed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by a list of tag keys that are allowed in the request
- Type: ArrayOfString
dsql:WitnessRegion
- Description: Filters access by the witness region of linked clusters
- Type: ArrayOfString

Amazon Aurora DSQL (dsql)

Additions