Change log of AWS IAM permissions

2026-05-09

33 new actions, 3 new conditions | 12 updated actions, 1 updated resource

Additions

Actions

ArchiveAgent
- Description: Grants permission to archive a managed agent
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ArchiveEnvironment
- Description: Grants permission to archive a managed agent environment
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ArchiveMemoryStore
- Description: Grants permission to archive a memory store
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ArchiveSession
- Description: Grants permission to archive a managed agent session
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ArchiveVault
- Description: Grants permission to archive a credential vault
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
CreateAgent
- Description: Grants permission to create a managed agent in a workspace
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
CreateEnvironment
- Description: Grants permission to create a managed agent environment in a workspace
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
CreateMemoryStore
- Description: Grants permission to create a managed agent memory store in a workspace
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
CreateSession
- Description: Grants permission to create a managed agent session in a workspace
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
CreateUserProfileEnrollmentUrl
- Description: Grants permission to create an enrollment URL for a user profile
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
CreateVault
- Description: Grants permission to create a managed agent credential vault in a workspace
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteEnvironment
- Description: Grants permission to delete a managed agent environment
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteMemoryStore
- Description: Grants permission to delete a memory store
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteSession
- Description: Grants permission to delete a managed agent session
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteVault
- Description: Grants permission to delete a credential vault
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetAgent
- Description: Grants permission to retrieve details or versions of a managed agent
- Access: Read
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetEnvironment
- Description: Grants permission to retrieve details of a managed agent environment
- Access: Read
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetMemoryStore
- Description: Grants permission to retrieve details of a memory store, its memories, or its memory versions
- Access: Read
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetSession
- Description: Grants permission to retrieve details, events, or resources of a managed agent session
- Access: Read
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
GetVault
- Description: Grants permission to retrieve details of a credential vault or its credentials
- Access: Read
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListAgents
- Description: Grants permission to list managed agents in a workspace
- Access: List
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListEnvironments
- Description: Grants permission to list managed agent environments in a workspace
- Access: List
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListMemoriesStore
- Description: Grants permission to list managed agent memory stores in a workspace
- Access: List
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListSessions
- Description: Grants permission to list managed agent sessions in a workspace
- Access: List
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
ListTagsForResource
- Description: Grants permission to list tags for a resource
- Access: Read
- Resources:
  Name: workspace
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
ListVaults
- Description: Grants permission to list managed agent credential vaults in a workspace
- Access: List
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Resources:
  Name: workspace
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
UntagResource
- Description: Grants permission to untag a resource
- Access: Tagging
- Resources:
  Name: workspace
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UpdateAgent
- Description: Grants permission to update a managed agent
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
UpdateEnvironment
- Description: Grants permission to update a managed agent environment
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
UpdateMemoryStore
- Description: Grants permission to update a memory store, mutate its memories, or redact a memory version
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
UpdateSession
- Description: Grants permission to update a managed agent session, append session events, or manage its resources
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
UpdateVault
- Description: Grants permission to update a credential vault or manage its stored credentials
- Access: Write
- Resources:
  Name: workspace
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys that are passed in the request
- Type: ArrayOfString

Updates

Actions

CreateBatchInference
- ＋ aws:ResourceTag/${TagKey}
CreateSkill
- ＋ aws:ResourceTag/${TagKey}
CreateUserProfile
- ＋ aws:ResourceTag/${TagKey}
DeleteBatchInference
- ＋ aws:ResourceTag/${TagKey}
DeleteSkill
- ＋ aws:ResourceTag/${TagKey}
GetAccountStatus
- ＋ aws:ResourceTag/${TagKey}
GetModel
- ＋ aws:ResourceTag/${TagKey}
GetSkill
- ＋ aws:ResourceTag/${TagKey}
ListBatchInferences
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:TagKeys
ListFiles
- ＋ aws:ResourceTag/${TagKey}
ListSkills
- ＋ aws:ResourceTag/${TagKey}
UpdateSkill
- ＋ aws:ResourceTag/${TagKey}

Resources

workspace
- ＋ aws:ResourceTag/${TagKey}

Claude Platform on AWS (aws-external-anthropic)

Additions

Updates