Change log of AWS IAM permissions

2026-03-21

5 new actions | 34 updated actions, 3 updated resources, 3 updated conditions | 11 removed actions, 1 removed condition

Additions

Actions

GetOperatorApp
- Description: Grants permission to get operator auth config for any enabled auth flow
- Access: Read
- Resources:
  Name: agentspace
  
  Required: Yes
ListTagsForResource
- Description: Grants permission to list tags for a resource
- Access: Read
- Resources:
  Name: agentspace
  
  Required: No
  
  Name: service
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Resources:
  Name: agentspace
  
  Required: No
  
  Name: service
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to untag a resource
- Access: Tagging
- Resources:
  Name: agentspace
  
  Required: No
  
  Name: service
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
ValidateAwsAssociations
- Description: Grants permission to validate aws association
- Access: Write
- Resources:
  Name: agentspace
  
  Required: Yes

Updates

Actions

ListExecutions
- ＋ {'name': 'agentspace', 'is_required': True}
- ＋ {'name': 'associations', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- － {'name': 'AssociationResource', 'is_required': True}
ListWebhooks
- ＋ {'name': 'agentspace', 'is_required': True}
- ＋ {'name': 'associations', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- － {'name': 'AssociationResource', 'is_required': True}
AssociateService
- ＋ {'name': 'agentspace', 'is_required': True}
- ＋ {'name': 'associations', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- － {'name': 'AssociationResource', 'is_required': True}
GetAssociation
- ＋ {'name': 'service', 'is_required': True}
- － {'name': 'ServiceResource', 'is_required': True}
- ＋ aws:ResourceTag/${TagKey}
DeregisterService
- ＋ {'name': 'agentspace', 'is_required': True}
- ＋ {'name': 'associations', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- － {'name': 'AssociationResource', 'is_required': True}
DiscoverTopology
- ＋ {'name': 'agentspace', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- ＋ aws:ResourceTag/${TagKey}
DeleteKnowledgeItem
- ＋ {'name': 'agentspace', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
DescribeSupportLevel
- ＋ {'name': 'agentspace', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
CreateKnowledgeItem
- ＋ {'name': 'agentspace', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- ＋ aws:ResourceTag/${TagKey}
SendMessage
- Old: Grants permission to list knowledge items
  New: Grants permission to send chat messages
- List ⟶ Write
- New_value: [{'name': 'agentspace', 'is_required': True}]
  
  Old_value: []
CreateAgentSpace
- ＋ {'name': 'agentspace', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:ResourceTag/${TagKey}
- ＋ aws:TagKeys
EnableOperatorApp
- ＋ {'name': 'agentspace', 'is_required': True}
- ＋ {'name': 'associations', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- － {'name': 'AssociationResource', 'is_required': True}
UpdateOperatorAppIdpConfig
- Old: Grants permission to invoke an agent
  New: Grants permission to update the external Identity Provider configuration for the Operator App
- New_value: [{'name': 'agentspace', 'is_required': True}]
  
  Old_value: []
ListGoals
- ＋ {'name': 'service', 'is_required': True}
- － {'name': 'ServiceResource', 'is_required': True}
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:ResourceTag/${TagKey}
- ＋ aws:TagKeys
ListServices
- ＋ {'name': 'agentspace', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
- ＋ aws:ResourceTag/${TagKey}
CreateOneTimeLoginSession
- ＋ {'name': 'service', 'is_required': True}
- － {'name': 'ServiceResource', 'is_required': True}
- ＋ aws:ResourceTag/${TagKey}
GetOperatorAppTeams
- ＋ {'name': 'agentspace', 'is_required': True}
- － {'name': 'AgentSpaceResource', 'is_required': True}
CreateBacklogTask
- ＋ agentspace
CreateChat
- ＋ agentspace
DeleteAgentSpace
- ＋ agentspace
DisableOperatorApp
- ＋ agentspace
EndChatForCase
- ＋ agentspace
GetAgentSpace
- ＋ agentspace
GetBacklogTask
- ＋ agentspace
GetRecommendation
- ＋ agentspace
GetService
- ＋ agentspace
HandleServiceRegistrationCallback
- ＋ agentspace
InitiateChatForCase
- ＋ agentspace
InitiateServiceRegistration
- ＋ agentspace
ListAgentSpaces
- ＋ agentspace
ListAssociations
- ＋ agentspace
RegisterService
- ＋ agentspace
SearchServiceAccessibleResource
- ＋ agentspace
StreamMessage
- ＋ agentspace

Resources

associations
- New_value: []
  
  Old_value: ['aidevops:AssociationResourceAgentSpaceId', 'aidevops:AssociationResourceAssociationId']
service
- ['aidevops:ServiceResourceServiceId'] ⟶ ['aws:ResourceTag/${TagKey}']
agentspace
- ['aidevops:AgentSpaceResourceAgentSpaceId'] ⟶ ['aws:ResourceTag/${TagKey}']

Conditions

aws:RequestTag/${TagKey}
- Old: Filters access by unique identifier for an AgentSpace
  New: Filters access by the tags that are passed in the request
aws:ResourceTag/${TagKey}
- Old: Filters access by unique identifier for an AgentSpace
  New: Filters access by the tags associated with the resource
aws:TagKeys
- Old: Filters access by unique identifier for a service association within an AgentSpace
  New: Filters access by the tag keys that are passed in the request
- String ⟶ ArrayOfString

Deletions

Actions

CreateKnowledgeItem
- Description: Grants permission to create a new knowledge item
- Access: Write
CreateOneTimeLoginSession
- Description: Grants permission to generate secure one-time session for initiating off-console Application login
- Access: Write
- Resources:
  Name: AgentSpaceResource
  
  Required: Yes
DeleteKnowledgeItem
- Description: Grants permission to delete a knowledge item
- Access: Write
DiscoverTopology
- Description: Grants permission to discover topology information
- Access: Write
GetKnowledgeItem
- Description: Grants permission to get a knowledge item
- Access: Read
GetOperatorAppTeams
- Description: Grants permission to enable operator auth config for any enabled auth flow
- Access: Read
- Resources:
  Name: AgentSpaceResource
  
  Required: Yes
HandleServiceRegistrationCallback
- Description: Grants permission to handle OAuth callback from external service
- Access: Read
InitiateServiceRegistration
- Description: Grants permission to initiate OAuth flow
- Access: Read
StreamMessage
- Description: Grants permission to invoke an agent
- Access: Write
UpdateKnowledgeItem
- Description: Grants permission to update a knowledge item
- Access: Write
UpdateOperatorAppTeams
- Description: Grants permission to update the list of teams that the Operator App is enabled for
- Access: Write
- Resources:
  Name: AgentSpaceResource
  
  Required: Yes

Conditions

aidevops:ServiceResourceServiceId
- Description: Filters access by unique identifier for a registered service
- Type: String

AWS DevOps Agent Service (aidevops)

Additions

Updates

Deletions