Change log of AWS IAM permissions

2025-04-29

25 new actions, 2 new resources | 2 updated actions

Additions

Actions

AssociateDistributionTenantWebACL
- Description: Grants permission to associate a distribution tenant with an AWS WAF web ACL
- Access: Write
- Resources:
  Name: distribution-tenant
  
  Required: Yes
AssociateDistributionWebACL
- Description: Grants permission to associate a distribution with an AWS WAF web ACL
- Access: Write
- Resources:
  Name: distribution
  
  Required: Yes
CreateConnectionGroup
- Description: Grants permission to create a connection group
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateDistributionTenant
- Description: Grants permission to create a distribution tenant
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateInvalidationForDistributionTenant
- Description: Grants permission to create an invalidation for a distribution tenant
- Access: Write
- Resources:
  Name: distribution-tenant
  
  Required: Yes
DeleteConnectionGroup
- Description: Grants permission to delete a connection group
- Access: Write
- Resources:
  Name: connection-group
  
  Required: Yes
DeleteDistributionTenant
- Description: Grants permission to delete a distribution tenant
- Access: Write
- Resources:
  Name: distribution-tenant
  
  Required: Yes
DisassociateDistributionTenantWebACL
- Description: Grants permission to disassociate a distribution tenant from an AWS WAF web ACL
- Access: Write
- Resources:
  Name: distribution-tenant
  
  Required: Yes
DisassociateDistributionWebACL
- Description: Grants permission to disassociate a distribution from an AWS WAF web ACL
- Access: Write
- Resources:
  Name: distribution
  
  Required: Yes
GetConnectionGroup
- Description: Grants permission to get information about a connection group
- Access: Read
- Resources:
  Name: connection-group
  
  Required: Yes
GetConnectionGroupByRoutingEndpoint
- Description: Grants permission to get information about a connection group by the specified routing endpoint
- Access: Read
- Resources:
  Name: connection-group
  
  Required: Yes
GetDistributionTenant
- Description: Grants permission to get information about a distribution tenant
- Access: Read
- Resources:
  Name: distribution-tenant
  
  Required: Yes
GetDistributionTenantByDomain
- Description: Grants permission to get information about a distribution tenant by the associated domain
- Access: Read
- Resources:
  Name: distribution-tenant
  
  Required: Yes
GetInvalidationForDistributionTenant
- Description: Grants permission to get information about an invalidation for a distribution tenant
- Access: Read
- Resources:
  Name: distribution-tenant
  
  Required: Yes
GetManagedCertificateDetails
- Description: Grants permission to get details about a CloudFront managed certificate
- Access: Read
- Resources:
  Name: distribution-tenant
  
  Required: Yes
ListConnectionGroups
- Description: Grants permission to list the connection groups in your AWS account
- Access: List
ListDistributionTenants
- Description: Grants permission to list the distribution tenants in your AWS account
- Access: List
ListDistributionTenantsByCustomization
- Description: Grants permission to list the distribution tenants by the customization that you specify
- Access: List
ListDistributionsByConnectionMode
- Description: Grants permission to list the distributions by the specified connection mode
- Access: List
ListDomainConflicts
- Description: Grants permission to list domain conflicts for a specified domain
- Access: List
- Resources:
  Name: distribution
  
  Required: No
  
  Name: distribution-tenant
  
  Required: No
ListInvalidationsForDistributionTenant
- Description: Grants permission to list the invalidations for a distribution tenant
- Access: List
- Resources:
  Name: distribution-tenant
  
  Required: Yes
UpdateConnectionGroup
- Description: Grants permission to update a connection group
- Access: Write
- Resources:
  Name: connection-group
  
  Required: Yes
UpdateDistributionTenant
- Description: Grants permission to update a distribution tenant
- Access: Write
- Resources:
  Name: distribution-tenant
  
  Required: Yes
UpdateDomainAssociation
- Description: Grants permission to update a domain association
- Access: Write
- Resources:
  Name: distribution
  
  Required: No
  
  Name: distribution-tenant
  
  Required: No
VerifyDnsConfiguration
- Description: Grants permission to verify the DNS configuration for a specified domain
- Access: Read
- Resources:
  Name: distribution-tenant
  
  Required: No

Resources

distribution-tenant
- Arn: arn:${Partition}:cloudfront::${Account}:distribution-tenant/${Id}
- Conditions:
  aws:ResourceTag/${TagKey}
connection-group
- Arn: arn:${Partition}:cloudfront::${Account}:connection-group/${Id}
- Conditions:
  aws:ResourceTag/${TagKey}

Updates

Actions

CreateFunction
- ＋ cloudfront:CreateConnectionGroup
UpdateResponseHeadersPolicy
- ＋ connection-group
- ＋ distribution-tenant

Amazon CloudFront (cloudfront)

Additions

Updates