Change log of AWS IAM permissions

2025-06-19

24 new actions, 3 new resources, 5 new conditions

Additions

Actions

CancelSession
- Description: Grants permission to cancel an approval session
- Access: Write
- Resources:
  Name: session
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  mpa:RequestedOperation
  
  mpa:ProtectedResourceAccount
CreateApprovalTeam
- Description: Grants permission to create an approval team
- Access: Write
- Resources:
  Name: approval-team
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
CreateIdentitySource
- Description: Grants permission to create an identity source
- Access: Write
- Resources:
  Name: identity-source
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
DeleteIdentitySource
- Description: Grants permission to delete an identity source
- Access: Write
- Resources:
  Name: identity-source
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteInactiveApprovalTeamVersion
- Description: Grants permission to delete an inactive approval team
- Access: Write
- Resources:
  Name: approval-team
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteResourcePolicy
- Description: Grants permission to delete a resource policy
- Access: Permissions management
GetApprovalTeam
- Description: Grants permission to retrieve details for an approval team
- Access: Read
- Resources:
  Name: approval-team
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetIdentitySource
- Description: Grants permission to retrieve details for an identity source
- Access: Read
- Resources:
  Name: identity-source
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetPolicyVersion
- Description: Grants permission to retrieve details for a policy
- Access: Read
GetResourcePolicy
- Description: Grants permission to retrieve details for a specific resource
- Access: Read
GetSession
- Description: Grants permission to retrieve details for an approval session
- Access: Read
- Resources:
  Name: session
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  mpa:RequestedOperation
  
  mpa:ProtectedResourceAccount
ListApprovalTeams
- Description: Grants permission to list approval teams
- Access: List
ListIdentitySources
- Description: Grants permission to list identity sources
- Access: List
ListPolicies
- Description: Grants permission to list policies
- Access: List
ListPolicyVersions
- Description: Grants permission to list the versions for policies
- Access: List
ListResourcePolicies
- Description: Grants permission to list policies for a resource
- Access: List
ListSessions
- Description: Grants permission to list approval sessions
- Access: List
ListTagsForResource
- Description: Grants permission to list tags for a resource
- Access: List
PutResourcePolicy
- Description: Grants permission to create or update policies for a resource
- Access: Permissions management
StartActiveApprovalTeamDeletion
- Description: Grants permission to start the deletion process for an active approval team
- Access: Write
- Resources:
  Name: approval-team
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
StartSession
- Description: Grants permission to start an approval session
- Access: Write
- Resources:
  Name: session
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  mpa:RequestedOperation
  
  mpa:ProtectedResourceAccount
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to untag a resource
- Access: Tagging
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UpdateApprovalTeam
- Description: Grants permission to update approval team
- Access: Write
- Resources:
  Name: approval-team
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}

Resources

approval-team
- Arn: arn:${Partition}:mpa:${Region}:${Account}:approval-team/${Arn}
- Conditions:
  aws:ResourceTag/${TagKey}
identity-source
- Arn: arn:${Partition}:mpa:${Region}:${Account}:identity-source/${IdentitySourceArn}
- Conditions:
  aws:ResourceTag/${TagKey}
session
- Arn: arn:${Partition}:mpa:${Region}:${Account}:session/${SessionArn}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by a tag key and value pair that is allowed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by a tag key and value pair of a resource
- Type: String
aws:TagKeys
- Description: Filters access by a list of tag keys that are allowed in the request
- Type: ArrayOfString
mpa:ProtectedResourceAccount
- Description: Filters access by the account that owns the resource that is the target of the operation that requires approval
- Type: String
mpa:RequestedOperation
- Description: Filters access by a requested operation that requires team approval before it can be executed
- Type: String

Multi-party approval (mpa)

Additions