Change log of AWS IAM permissions

2024-12-07

22 new actions, 2 new resources, 3 new conditions

Additions

Actions

BatchGetMemberAccountDetails
- Description: Grants permission to get member account details in batch
- Access: Read
- Resources:
  Name: membership
  
  Required: Yes
CancelMembership
- Description: Grants permission to cancel a membership
- Access: Write
- Resources:
  Name: membership
  
  Required: Yes
CloseCase
- Description: Grants permission to close a case
- Access: Write
- Resources:
  Name: case
  
  Required: Yes
CreateCase
- Description: Grants permission to create a case
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateCaseComment
- Description: Grants permission to create a case comment
- Access: Write
- Resources:
  Name: case
  
  Required: Yes
CreateMembership
- Description: Grants permission to create a membership
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  iam:CreateServiceLinkedRole
  
  organizations:DescribeOrganization
  
  organizations:ListDelegatedAdministrators
GetCase
- Description: Grants permission to get a case
- Access: Read
- Resources:
  Name: case
  
  Required: Yes
GetCaseAttachmentDownloadUrl
- Description: Grants permission to get a case attachment download URL
- Access: Read
- Resources:
  Name: case
  
  Required: Yes
GetCaseAttachmentUploadUrl
- Description: Grants permission to get a case attachment upload URL
- Access: Write
- Resources:
  Name: case
  
  Required: Yes
GetMembership
- Description: Grants permission to get a membership
- Access: Read
- Resources:
  Name: membership
  
  Required: Yes
ListCaseEdits
- Description: Grants permission to list case edits
- Access: Read
- Resources:
  Name: case
  
  Required: Yes
ListCases
- Description: Grants permission to list cases
- Access: List
ListComments
- Description: Grants permission to list case comments
- Access: Read
- Resources:
  Name: case
  
  Required: Yes
ListMemberships
- Description: Grants permission to list memberships
- Access: List
ListTagsForResource
- Description: Grants permission to list the tags attached to the specified resource
- Access: Read
- Resources:
  Name: case
  
  Required: No
  
  Name: membership
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
TagResource
- Description: Grants permission to add tags to the specified resource
- Access: Tagging
- Resources:
  Name: case
  
  Required: No
  
  Name: membership
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to remove tags from the specified resource
- Access: Tagging
- Resources:
  Name: case
  
  Required: No
  
  Name: membership
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UpdateCase
- Description: Grants permission to update a case
- Access: Write
- Resources:
  Name: case
  
  Required: Yes
UpdateCaseComment
- Description: Grants permission to update a case comment
- Access: Write
- Resources:
  Name: case
  
  Required: Yes
UpdateCaseStatus
- Description: Grants permission to update a case status
- Access: Write
- Resources:
  Name: case
  
  Required: Yes
UpdateMembership
- Description: Grants permission to update memberships
- Access: Write
- Resources:
  Name: membership
  
  Required: Yes
- Dependents:
  iam:CreateServiceLinkedRole
UpdateResolverType
- Description: Grants permission to update case resolver type
- Access: Write
- Resources:
  Name: case
  
  Required: Yes

Resources

case
- Arn: arn:${Partition}:security-ir:${Region}:${Account}:case/${CaseId}
- Conditions:
  aws:ResourceTag/${TagKey}
membership
- Arn: arn:${Partition}:security-ir:${Region}:${Account}:membership/${MembershipId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys that are passed in the request
- Type: ArrayOfString

AWS Security Incident Response (security-ir)

Additions