Change log of AWS IAM permissions

2021-08-13

13 new actions, 2 new resources, 3 new conditions

Additions

Actions

CancelTask
- Description: Grants permission to cancel tasks on remote devices
- Access: Write
- Resources:
  Name: task
  
  Required: Yes
CreateTask
- Description: Grants permission to create tasks on remote devices
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DescribeDevice
- Description: Grants permission to describe a remotely-managed device
- Access: Read
- Resources:
  Name: managed-device
  
  Required: Yes
DescribeDeviceEc2Instances
- Description: Grants permission to describe a remotely-managed device's EC2 instances
- Access: Read
- Resources:
  Name: managed-device
  
  Required: Yes
DescribeExecution
- Description: Grants permission to describe task executions
- Access: Read
DescribeTask
- Description: Grants permission to describe a task
- Access: Read
- Resources:
  Name: task
  
  Required: Yes
ListDeviceResources
- Description: Grants permission to list a remotely-managed device's resources
- Access: List
- Resources:
  Name: managed-device
  
  Required: Yes
ListDevices
- Description: Grants permission to list remotely-managed devices
- Access: List
ListExecutions
- Description: Grants permission to list task executions
- Access: List
ListTagsForResource
- Description: Grants permission to list the tags for a resource (device or task)
- Access: Read
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
ListTasks
- Description: Grants permission to list tasks
- Access: List
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Resources:
  Name: managed-device
  
  Required: No
  
  Name: task
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to untag a resource
- Access: Tagging
- Resources:
  Name: managed-device
  
  Required: No
  
  Name: task
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys

Resources

managed-device
- Arn: arn:${Partition}:snow-device-management:${Region}:${Account}:managed-device/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
task
- Arn: arn:${Partition}:snow-device-management:${Region}:${Account}:task/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access based on the presence of tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access based on tag key-value pairs attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access based on the presence of tag keys in the request
- Type: String

AWS Snow Device Management (snow-device-management)

Additions