Change log of AWS IAM permissions

2024-12-07

26 new actions, 2 new resources, 3 new conditions

Additions

Actions

CreateMonitor
- Description: Grants permission to create a monitor
- Access: Write
- Resources:
  Name: monitor
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateScope
- Description: Grants permission to create a scope
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteMonitor
- Description: Grants permission to delete a monitor
- Access: Write
- Resources:
  Name: monitor
  
  Required: Yes
DeleteScope
- Description: Grants permission to delete a scope
- Access: Write
- Resources:
  Name: scope
  
  Required: Yes
GetMonitor
- Description: Grants permission to get information about a monitor
- Access: Read
- Resources:
  Name: monitor
  
  Required: Yes
GetQueryResultsMonitorTopContributors
- Description: Grants permission to get the results of a query that retrieves top contributors data for a monitor
- Access: Read
- Resources:
  Name: monitor
  
  Required: Yes
GetQueryResultsWorkloadInsightsTopContributors
- Description: Grants permission to get the results of a query that retrieves top contributors for workload insights
- Access: Read
- Resources:
  Name: scope
  
  Required: Yes
GetQueryResultsWorkloadInsightsTopContributorsData
- Description: Grants permission to get the results of a query that retrieves top contributors data points for workload insights
- Access: Read
- Resources:
  Name: scope
  
  Required: Yes
GetQueryStatusMonitorTopContributors
- Description: Grants permission to get the status of a query that retrieves top contributors data for a monitor
- Access: Read
- Resources:
  Name: monitor
  
  Required: Yes
GetQueryStatusWorkloadInsightsTopContributors
- Description: Grants permission to get the status of a query that retrieves top contributors for workload insights
- Access: Read
- Resources:
  Name: scope
  
  Required: Yes
GetQueryStatusWorkloadInsightsTopContributorsData
- Description: Grants permission to get the status of a query that retrieves top contributors data points for workload insights
- Access: Read
- Resources:
  Name: scope
  
  Required: Yes
GetScope
- Description: Grants permission to get information about a scope
- Access: Read
- Resources:
  Name: scope
  
  Required: Yes
ListMonitors
- Description: Grants permission to list all monitors in an account and their statuses
- Access: List
ListScopes
- Description: Grants permission to get all scopes for an account
- Access: List
ListTagsForResource
- Description: Grants permission to list the tags for a resource
- Access: Read
- Resources:
  Name: monitor
  
  Required: No
  
  Name: scope
  
  Required: No
Publish
- Description: Grants permission to publish a report
- Access: Write
StartQueryMonitorTopContributors
- Description: Grants permission to start a query for retrieving top contributors data for a monitor
- Access: Write
- Resources:
  Name: monitor
  
  Required: Yes
StartQueryWorkloadInsightsTopContributors
- Description: Grants permission to start a query for retrieving top contributors data for workload insights
- Access: Write
- Resources:
  Name: scope
  
  Required: Yes
StartQueryWorkloadInsightsTopContributorsData
- Description: Grants permission to start a query for retrieving top contributors data points for workload insights
- Access: Write
- Resources:
  Name: scope
  
  Required: Yes
StopQueryMonitorTopContributors
- Description: Grants permission to stop a query for retrieving top contributors data for a monitor
- Access: Write
- Resources:
  Name: monitor
  
  Required: Yes
StopQueryWorkloadInsightsTopContributors
- Description: Grants permission to stop a query for retrieving top contributors for workload insights
- Access: Write
- Resources:
  Name: scope
  
  Required: Yes
StopQueryWorkloadInsightsTopContributorsData
- Description: Grants permission to stop a query for retrieving top contributors data points for workload insights
- Access: Write
- Resources:
  Name: scope
  
  Required: Yes
TagResource
- Description: Grants permission to add tags to a resource
- Access: Tagging
- Resources:
  Name: monitor
  
  Required: No
  
  Name: scope
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to remove tags from a resource
- Access: Tagging
- Resources:
  Name: monitor
  
  Required: No
  
  Name: scope
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateMonitor
- Description: Grants permission to update a monitor
- Access: Write
- Resources:
  Name: monitor
  
  Required: Yes
UpdateScope
- Description: Grants permission to update a scope
- Access: Write
- Resources:
  Name: scope
  
  Required: Yes

Resources

monitor
- Arn: arn:${Partition}:networkflowmonitor:${Region}:${Account}:monitor/${MonitorName}
- Conditions:
  aws:ResourceTag/${TagKey}
scope
- Arn: arn:${Partition}:networkflowmonitor:${Region}:${Account}:scope/${ScopeId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tag key-value pairs attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys in the request
- Type: ArrayOfString

Network Flow Monitor (networkflowmonitor)

Additions