Change log of AWS IAM permissions

2023-12-02

25 new actions, 4 new resources, 4 new conditions

Additions

Actions

CreateAudienceModel
- Description: Grants permission to create an audience model
- Access: Write
- Resources:
  Name: trainingdataset
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateConfiguredAudienceModel
- Description: Grants permission to create a configured audience model
- Access: Write
- Resources:
  Name: audiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateTrainingDataset
- Description: Grants permission to create a training dataset, or seed audience. In Clean Rooms ML, the TrainingDataset is metadata that points to a Glue table, which is read only during AudienceModel creation
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteAudienceGenerationJob
- Description: Grants permission to delete the specified audience generation job, and removes all data associated with the job
- Access: Write
- Resources:
  Name: audiencegenerationjob
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteAudienceModel
- Description: Grants permission to delete the specified audience generation job, and removes all data associated with the job
- Access: Write
- Resources:
  Name: audiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteConfiguredAudienceModel
- Description: Grants permission to delete the specified configured audience model
- Access: Write
- Resources:
  Name: configuredaudiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteConfiguredAudienceModelPolicy
- Description: Grants permission to delete the specified configured audience model policy
- Access: Write
- Resources:
  Name: configuredaudiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteTrainingDataset
- Description: Grants permission to delete a training dataset
- Access: Write
- Resources:
  Name: trainingdataset
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
GetAudienceGenerationJob
- Description: Grants permission to return information about an audience generation job
- Access: Read
- Resources:
  Name: audiencegenerationjob
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
GetAudienceModel
- Description: Grants permission to return information about an audience model
- Access: Read
- Resources:
  Name: audiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
GetConfiguredAudienceModel
- Description: Grants permission to return information about a configured audience model
- Access: Read
- Resources:
  Name: configuredaudiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
GetConfiguredAudienceModelPolicy
- Description: Grants permission to return information about a configured audience model policy
- Access: Read
- Resources:
  Name: configuredaudiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
GetTrainingDataset
- Description: Grants permission to return information about a training dataset
- Access: Read
- Resources:
  Name: trainingdataset
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
ListAudienceExportJobs
- Description: Grants permission to return a list of the audience export jobs
- Access: List
- Resources:
  Name: audiencegenerationjob
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
ListAudienceGenerationJobs
- Description: Grants permission to return a list of audience generation jobs
- Access: List
- Resources:
  Name: configuredaudiencemodel
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
ListAudienceModels
- Description: Grants permission to return a list of audience models
- Access: List
ListConfiguredAudienceModels
- Description: Grants permission to return a list of configured audience models
- Access: List
ListTagsForResource
- Description: Grants permission to return a list of tags for a provided resource
- Access: List
- Resources:
  Name: audiencegenerationjob
  
  Required: No
  
  Name: audiencemodel
  
  Required: No
  
  Name: configuredaudiencemodel
  
  Required: No
  
  Name: trainingdataset
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:ResourceTag/${TagKey}
ListTrainingDatasets
- Description: Grants permission to return a list of training datasets
- Access: List
PutConfiguredAudienceModelPolicy
- Description: Grants permission to create or update the resource policy for a configured audience model
- Access: Permissions management
- Resources:
  Name: configuredaudiencemodel
  
  Required: Yes
StartAudienceExportJob
- Description: Grants permission to export an audience of a specified size after you have generated an audience
- Access: Write
- Resources:
  Name: audiencegenerationjob
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
StartAudienceGenerationJob
- Description: Grants permission to start the audience generation job
- Access: Write
- Resources:
  Name: configuredaudiencemodel
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  cleanrooms-ml:CollaborationId
TagResource
- Description: Grants permission to tag a specific resource
- Access: Tagging
- Resources:
  Name: audiencegenerationjob
  
  Required: No
  
  Name: audiencemodel
  
  Required: No
  
  Name: configuredaudiencemodel
  
  Required: No
  
  Name: trainingdataset
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:RequestTag/${TagKey}
  
  aws:ResourceTag/${TagKey}
UnTagResource
- Description: Grants permission to untag a specific resource
- Access: Tagging
- Resources:
  Name: audiencegenerationjob
  
  Required: No
  
  Name: audiencemodel
  
  Required: No
  
  Name: configuredaudiencemodel
  
  Required: No
  
  Name: trainingdataset
  
  Required: No
- Conditions:
  aws:TagKeys
  
  aws:ResourceTag/${TagKey}
UpdateConfiguredAudienceModel
- Description: Grants permission to update a configured audience model.
- Access: Write
- Resources:
  Name: configuredaudiencemodel
  
  Required: Yes
  
  Name: audiencemodel
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys

Resources

trainingdataset
- Arn: arn:${Partition}:cleanrooms-ml:${Region}:${Account}:training-dataset/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
audiencemodel
- Arn: arn:${Partition}:cleanrooms-ml:${Region}:${Account}:audience-model/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
configuredaudiencemodel
- Arn: arn:${Partition}:cleanrooms-ml:${Region}:${Account}:configured-audience-model/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
audiencegenerationjob
- Arn: arn:${Partition}:cleanrooms-ml:${Region}:${Account}:audience-generation-job/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the presence of tag key-value pairs in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by tag key-value pairs attached to the resource
- Type: String
aws:TagKeys
- Description: Filters access by the presence of tag keys in the request
- Type: ArrayOfString
cleanrooms-ml:CollaborationId
- Description: Filters access by clean rooms collaboration id
- Type: String

AWS Clean Rooms ML (cleanrooms-ml)

Additions