Change log of AWS IAM permissions

2025-12-09

23 new actions, 1 new resource, 3 new conditions

Additions

Actions

AssociateAccounts
- Description: Grants permission to associate member accounts with the management account
- Access: Write
CreateAutomationRule
- Description: Grants permission to create automation rule
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteAutomationRule
- Description: Grants permission to delete automation rule
- Access: Write
- Resources:
  Name: AutomationRule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DisassociateAccounts
- Description: Grants permission to disassociate member accounts from the management account
- Access: Write
GetAutomationEvent
- Description: Grants permission to get automation event details
- Access: Read
GetAutomationRule
- Description: Grants permission to get automation rule
- Access: Read
- Resources:
  Name: AutomationRule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetEnrollmentConfiguration
- Description: Grants permission to get enrollment configuration
- Access: Read
ListAccounts
- Description: Grants permission to list the accounts in your organization that are enrolled in Compute Optimizer and whether they have enabled the Automation feature
- Access: List
ListAutomationEventSteps
- Description: Grants permission to list automation event steps
- Access: List
ListAutomationEventSummaries
- Description: Grants permission to list automation event summaries
- Access: List
ListAutomationEvents
- Description: Grants permission to list automation events
- Access: List
ListAutomationRulePreview
- Description: Grants permission to list automation rule preview results
- Access: List
- Dependents:
  ec2:DescribeVolumes
ListAutomationRulePreviewSummaries
- Description: Grants permission to list automation rule preview summaries
- Access: List
ListAutomationRules
- Description: Grants permission to list automation rules
- Access: List
ListRecommendedActionSummaries
- Description: Grants permission to list recommended action summaries
- Access: List
ListRecommendedActions
- Description: Grants permission to list recommended actions
- Access: List
- Dependents:
  ec2:DescribeVolumes
ListTagsForResource
- Description: Grants permission to list tags for automation rule
- Access: List
- Resources:
  Name: AutomationRule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
RollbackAutomationEvent
- Description: Grants permission to initiate a rollback for an automation event
- Access: Write
StartAutomationEvent
- Description: Grants permission to initiate an on-demand automation for a recommended action
- Access: Write
TagResource
- Description: Grants permission to add tags to automation rule
- Access: Tagging
- Resources:
  Name: AutomationRule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to remove tags from automation rule
- Access: Tagging
- Resources:
  Name: AutomationRule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UpdateAutomationRule
- Description: Grants permission to update automation rule
- Access: Write
- Resources:
  Name: AutomationRule
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
UpdateEnrollmentConfiguration
- Description: Grants permission to update enrollment configuration for the Compute Optimizer automation feature
- Access: Write

Resources

AutomationRule
- Arn: arn:${Partition}:compute-optimizer::${Account}:automation-rule/${RuleId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys that are passed in the request
- Type: ArrayOfString

AWS Compute Optimizer Automation (aco-automation)

Additions