Change log of AWS IAM permissions

2024-12-10

20 new actions, 3 new resources, 3 new conditions | 13 updated actions, 1 updated resource

Additions

Actions

CancelDeclarativePoliciesReport
- Description: Grants permission to cancel a declarative policies report
- Access: Write
- Resources:
  Name: declarative-policies-report
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:Region
CreateVpcBlockPublicAccessExclusion
- Description: Grants permission to create an exclusion list for blocked public access on a VPC
- Access: Write
- Resources:
  Name: subnet
  
  Required: No
  
  Name: vpc
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:AvailabilityZone
  
  ec2:ResourceTag/${TagKey}
  
  ec2:SubnetID
  
  ec2:Vpc
  
  ec2:Ipv4IpamPoolId
  
  ec2:Ipv6IpamPoolId
  
  ec2:Tenancy
  
  ec2:VpcID
  
  ec2:Region
- Dependents:
  ec2:CreateTags
DeleteVpcBlockPublicAccessExclusion
- Description: Grants permission to delete an exclusion list for blocked public access on a VPC
- Access: Write
- Resources:
  Name: vpc-block-public-access-exclusion
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:Region
DescribeCapacityBlockExtensionHistory
- Description: Grants permission to describe Capacity Block extensions history
- Access: List
- Resources:
  Name: capacity-reservation
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:AvailabilityZone
  
  ec2:CapacityReservationFleet
  
  ec2:CreateDate
  
  ec2:DestinationCapacityReservationId
  
  ec2:EbsOptimized
  
  ec2:EndDate
  
  ec2:EndDateType
  
  ec2:InstanceCount
  
  ec2:InstanceMatchCriteria
  
  ec2:InstancePlatform
  
  ec2:InstanceType
  
  ec2:OutpostArn
  
  ec2:PlacementGroup
  
  ec2:ResourceTag/${TagKey}
  
  ec2:SourceCapacityReservationId
  
  ec2:Tenancy
  
  ec2:Region
DescribeCapacityBlockExtensionOfferings
- Description: Grants permission to describe Capacity Block extensions offerings
- Access: List
- Resources:
  Name: capacity-reservation
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:AvailabilityZone
  
  ec2:CapacityReservationFleet
  
  ec2:CreateDate
  
  ec2:DestinationCapacityReservationId
  
  ec2:EbsOptimized
  
  ec2:EndDate
  
  ec2:EndDateType
  
  ec2:InstanceCount
  
  ec2:InstanceMatchCriteria
  
  ec2:InstancePlatform
  
  ec2:InstanceType
  
  ec2:OutpostArn
  
  ec2:PlacementGroup
  
  ec2:ResourceTag/${TagKey}
  
  ec2:SourceCapacityReservationId
  
  ec2:Tenancy
  
  ec2:Region
DescribeDeclarativePoliciesReports
- Description: Grants permission to describe one or more declarative policies reports
- Access: List
- Conditions:
  ec2:Region
DescribeVpcBlockPublicAccessExclusions
- Description: Grants permission to describe an exclusion list for blocked public access on a VPC
- Access: List
- Resources:
  Name: vpc-block-public-access-exclusion
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:Region
DescribeVpcBlockPublicAccessOptions
- Description: Grants permission to describe options for blocked public access on a VPC
- Access: List
- Conditions:
  ec2:Region
DescribeVpcEndpointAssociations
- Description: Grants permission to describe the VPC endpoint associations
- Access: List
- Resources:
  Name: vpc-endpoint
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:VpceServiceName
  
  ec2:VpceServiceOwner
  
  ec2:Region
DisableAllowedImagesSettings
- Description: Grants permission to disable allowed images settings
- Access: Write
- Conditions:
  ec2:Region
EnableAllowedImagesSettings
- Description: Grants permission to enable allowed images settings
- Access: Write
- Conditions:
  ec2:Region
ExportVerifiedAccessInstanceClientConfiguration
- Description: Grants permission to export a verified access instance client configuration
- Access: Read
- Resources:
  Name: verified-access-instance
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:Region
GetAllowedImagesSettings
- Description: Grants permission to get the allowed settings for images
- Access: Read
- Conditions:
  ec2:Region
GetDeclarativePoliciesReportSummary
- Description: Grants permission to get the report summary of declarative policies
- Access: Read
- Resources:
  Name: declarative-policies-report
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:Region
GetVerifiedAccessEndpointTargets
- Description: Grants permission to get verified access endpoint targets
- Access: List
- Resources:
  Name: verified-access-endpoint
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:Region
ModifyVpcBlockPublicAccessExclusion
- Description: Grants permission to modify an exclusion list for blocked public access on a VPC
- Access: Write
- Resources:
  Name: vpc-block-public-access-exclusion
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:ResourceTag/${TagKey}
  
  ec2:Region
ModifyVpcBlockPublicAccessOptions
- Description: Grants permission to modify options for blocked public access on a VPC
- Access: Write
- Conditions:
  ec2:Region
PurchaseCapacityBlockExtension
- Description: Grants permission to purchase a Capacity Block extension
- Access: Write
- Resources:
  Name: capacity-reservation
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  ec2:CapacityReservationFleet
  
  ec2:Region
ReplaceImageCriteriaInAllowedImagesSettings
- Description: Grants permission to replace image criteria in allowed images settings
- Access: Write
- Conditions:
  ec2:Region
StartDeclarativePoliciesReport
- Description: Grants permission to start a declarative policies report
- Access: Read
- Conditions:
  ec2:Region

Resources

declarative-policies-report
- Arn: arn:${Partition}:ec2:${Region}:${Account}:declarative-policies-report/${DeclarativePoliciesReportId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  ec2:Region
  
  ec2:ResourceTag/${TagKey}
verified-access-endpoint-target
- Arn: arn:${Partition}:ec2:${Region}:${Account}:verified-access-endpoint-target/${VerifiedAccessEndpointTargetId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  ec2:Region
  
  ec2:ResourceTag/${TagKey}
vpc-block-public-access-exclusion
- Arn: arn:${Partition}:ec2:${Region}:${Account}:vpc-block-public-access-exclusion/${VpcBlockPublicAccessExclusionId}
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  ec2:Region
  
  ec2:ResourceTag/${TagKey}

Conditions

ec2:vpceMultiRegion
- Description: Filters access by multi region of the VPC endpoint service
- Type: String
ec2:vpceServiceRegion
- Description: Filters access by the region of the VPC endpoint service
- Type: String
ec2:vpceSupportedRegion
- Description: Filters access by the supported region of the VPC endpoint service
- Type: String

Updates

Actions

AcceptVpcEndpointConnections
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
CreateTrafficMirrorFilter
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceServiceRegion
- ＋ ec2:vpceSupportedRegion
- ＋ declarative-policies-report
- ＋ verified-access-endpoint-target
CreateVpcPeeringConnection
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceServiceRegion
CreateVpnConnection
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceServiceRegion
DeleteVpcPeeringConnection
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
DeleteVpnConnection
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
DetachNetworkInterface
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
ProvisionIpamPoolCidr
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
ProvisionPublicIpv4PoolCidr
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
PurchaseCapacityBlock
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
PurchaseHostReservation
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
ResetImageAttribute
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceSupportedRegion
DeleteTrafficMirrorFilterRule
- ＋ declarative-policies-report
- ＋ verified-access-endpoint-target

Resources

vpc
- ＋ ec2:vpceMultiRegion
- ＋ ec2:vpceServiceRegion
- ＋ ec2:vpceSupportedRegion

Amazon EC2 (ec2)

Additions

Updates