Change log of AWS IAM permissions

2024-12-07

19 new actions, 4 new resources, 2 new conditions | 3 updated actions

Additions

Actions

AssociateViaAWSService-EventsAndStates
- Description: Grants permission to associate a resource configuration through Amazon EventBridge and AWS Step Functions service networks
- Access: Permissions management
CreateResourceConfiguration
- Description: Grants permission to create a resource configuration
- Access: Write
- Resources:
  Name: ResourceConfiguration
  
  Required: No
  
  Name: ResourceGateway
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateResourceGateway
- Description: Grants permission to create a resource gateway
- Access: Write
- Resources:
  Name: ResourceGateway
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:VpcId
- Dependents:
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcs
CreateServiceNetworkResourceAssociation
- Description: Grants permission to create an association between a service network and a resource
- Access: Write
- Resources:
  Name: ResourceConfiguration
  
  Required: Yes
  
  Name: ServiceNetwork
  
  Required: Yes
  
  Name: ServiceNetworkResourceAssociation
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:ResourceConfigurationArn
  
  vpc-lattice:ServiceNetworkArn
CreateServiceNetworkVpcEndpointAssociation
- Description: Grants permission to create an association between a service network and VPC endpoint
- Access: Permissions management
DeleteResourceConfiguration
- Description: Grants permission to delete a resource configuration
- Access: Write
- Resources:
  Name: ResourceConfiguration
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteResourceEndpointAssociation
- Description: Grants permission to delete a resource endpoint association
- Access: Write
- Resources:
  Name: ResourceEndpointAssociation
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteResourceGateway
- Description: Grants permission to delete a resource gateway
- Access: Write
- Resources:
  Name: ResourceGateway
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteServiceNetworkResourceAssociation
- Description: Grants permission to delete the association between a service network and resource
- Access: Write
- Resources:
  Name: ServiceNetworkResourceAssociation
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetResourceConfiguration
- Description: Grants permission to get information about a resource configuration
- Access: Read
- Resources:
  Name: ResourceConfiguration
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetResourceGateway
- Description: Grants permission to get information about a resource gateway
- Access: Read
- Resources:
  Name: ResourceGateway
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetServiceNetworkResourceAssociation
- Description: Grants permission to get information about an association between a service network and resource configuration
- Access: Read
- Resources:
  Name: ServiceNetworkResourceAssociation
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListResourceConfigurations
- Description: Grants permission to list some or all resource configurations
- Access: List
ListResourceEndpointAssociations
- Description: Grants permission to list some or all associations between a resource configuration and VPC endpoint
- Access: List
- Conditions:
  vpc-lattice:ResourceConfigurationArn
  
  vpc-lattice:VpcEndpointId
ListResourceGateways
- Description: Grants permission to list some or all resource gateways
- Access: List
ListServiceNetworkResourceAssociations
- Description: Grants permission to list some or all associations between a service network and resource configuration
- Access: List
ListServiceNetworkVpcEndpointAssociations
- Description: Grants permission to list some or all associations between a service network and VPC endpoint
- Access: List
UpdateResourceConfiguration
- Description: Grants permission to update a resource configuration
- Access: Write
- Resources:
  Name: ResourceConfiguration
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
UpdateResourceGateway
- Description: Grants permission to update a resource gateway
- Access: Write
- Resources:
  Name: ResourceGateway
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  vpc-lattice:SecurityGroupIds

Resources

ResourceConfiguration
- Arn: arn:${Partition}:vpc-lattice:${Region}:${Account}:resourceconfiguration/${ResourceConfigurationId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
ResourceEndpointAssociation
- Arn: arn:${Partition}:vpc-lattice:${Region}:${Account}:resourceendpointassociation/${ResourceEndpointAssociationId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:ResourceConfigurationArn
  
  vpc-lattice:VpcEndpointId
ResourceGateway
- Arn: arn:${Partition}:vpc-lattice:${Region}:${Account}:resourcegateway/${ResourceGatewayId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:VpcId
ServiceNetworkResourceAssociation
- Arn: arn:${Partition}:vpc-lattice:${Region}:${Account}:servicenetworkresourceassociation/${ServiceNetworkResourceAssociationId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  vpc-lattice:ResourceConfigurationArn
  
  vpc-lattice:ServiceNetworkArn

Conditions

vpc-lattice:ResourceConfigurationArn
- Description: Filters access by the ARN of a resource configuration
- Type: ARN
vpc-lattice:VpcEndpointId
- Description: Filters access by the ID of a VPC endpoint
- Type: String

Updates

Actions

CreateListener
- ＋ ResourceConfiguration
- ＋ Service
- ＋ ServiceNetwork
GetAccessLogSubscription
- ＋ ResourceConfiguration
ListServiceNetworkVpcAssociations
- ＋ ResourceConfiguration

Amazon VPC Lattice (vpc-lattice)

Additions

Updates