Change log of AWS IAM permissions

2025-12-06

48 new actions, 5 new resources, 3 new conditions

Additions

Actions

AllowVendedLogDeliveryForResource
- Description: Grants permission to deliver logs for a global resolver
- Access: Permissions management
- Resources:
  Name: global-resolver
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
AssociateHostedZone
- Description: Grants permission to associate a resource to a hosted zone
- Access: Write
BatchCreateFirewallRule
- Description: Grants permission to create multiple firewall rules
- Access: Write
BatchDeleteFirewallRule
- Description: Grants permission to delete multiple firewall rules
- Access: Write
BatchUpdateFirewallRule
- Description: Grants permission to update multiple firewall rules
- Access: Write
CreateAccessSource
- Description: Grants permission to create an access source
- Access: Write
- Resources:
  Name: dns-view
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateAccessToken
- Description: Grants permission to create an access token
- Access: Write
- Resources:
  Name: access-token
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateDNSView
- Description: Grants permission to create a dns view
- Access: Write
- Resources:
  Name: dns-view
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateFirewallDomainList
- Description: Grants permission to create a firewall domain list
- Access: Write
- Resources:
  Name: firewall-domain-list
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateFirewallRule
- Description: Grants permission to create a firewall rule
- Access: Write
- Resources:
  Name: dns-view
  
  Required: Yes
  
  Name: firewall-domain-list
  
  Required: No
CreateGlobalResolver
- Description: Grants permission to create a global resolver
- Access: Write
- Resources:
  Name: global-resolver
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteAccessSource
- Description: Grants permission to delete an access source
- Access: Write
- Resources:
  Name: access-source
  
  Required: Yes
DeleteAccessToken
- Description: Grants permission to delete an access token
- Access: Write
- Resources:
  Name: access-token
  
  Required: Yes
DeleteDNSView
- Description: Grants permission to delete a dns view
- Access: Write
- Resources:
  Name: dns-view
  
  Required: Yes
DeleteFirewallDomainList
- Description: Grants permission to delete a firewall domain list
- Access: Write
- Resources:
  Name: firewall-domain-list
  
  Required: Yes
DeleteFirewallRule
- Description: Grants permission to delete a firewall rule
- Access: Write
DeleteGlobalResolver
- Description: Grants permission to delete a global resolver
- Access: Write
- Resources:
  Name: global-resolver
  
  Required: Yes
DisableDNSView
- Description: Grants permission to disable a dns view
- Access: Write
- Resources:
  Name: dns-view
  
  Required: Yes
DisassociateHostedZone
- Description: Grants permission to disassociate a hosted zone from a resource
- Access: Write
EnableDNSView
- Description: Grants permission to enable a dns view
- Access: Write
- Resources:
  Name: dns-view
  
  Required: Yes
GetAccessSource
- Description: Grants permission to get an access source
- Access: Read
- Resources:
  Name: access-source
  
  Required: Yes
GetAccessToken
- Description: Grants permission to get an access token
- Access: Read
- Resources:
  Name: access-token
  
  Required: Yes
GetDNSView
- Description: Grants permission to get a dns view
- Access: Read
- Resources:
  Name: dns-view
  
  Required: Yes
GetFirewallDomainList
- Description: Grants permission to get a firewall domain list
- Access: Read
- Resources:
  Name: firewall-domain-list
  
  Required: Yes
GetFirewallRule
- Description: Grants permission to get a firewall rule
- Access: Read
GetGlobalResolver
- Description: Grants permission to get a global resolver
- Access: Read
- Resources:
  Name: global-resolver
  
  Required: Yes
GetHostedZoneAssociation
- Description: Grants permission to get a hosted zone association
- Access: Read
GetManagedFirewallDomainList
- Description: Grants permission to get a managed firewall domain list
- Access: Read
ImportFirewallDomains
- Description: Grants permission to import firewall domains from an S3 bucket
- Access: Write
- Resources:
  Name: firewall-domain-list
  
  Required: Yes
- Dependents:
  s3:GetObject
  
  s3:ListBucket
ListAccessSources
- Description: Grants permission to list access sources
- Access: List
ListAccessTokens
- Description: Grants permission to list access tokens
- Access: List
ListDNSViews
- Description: Grants permission to list dns views
- Access: List
ListFirewallDomainLists
- Description: Grants permission to list firewall domain lists
- Access: List
ListFirewallDomains
- Description: Grants permission to list firewall domains
- Access: Read
- Resources:
  Name: firewall-domain-list
  
  Required: Yes
ListFirewallRules
- Description: Grants permission to list firewall rules
- Access: List
- Resources:
  Name: dns-view
  
  Required: Yes
ListGlobalResolvers
- Description: Grants permission to list global resolvers
- Access: List
ListHostedZoneAssociations
- Description: Grants permission to list hosted zone associations
- Access: List
ListManagedFirewallDomainLists
- Description: Grants permission to list managed firewall domain lists
- Access: List
ListTagsForResource
- Description: Grants permission to list tags for a resource
- Access: Write
- Resources:
  Name: access-source
  
  Required: No
  
  Name: access-token
  
  Required: No
  
  Name: dns-view
  
  Required: No
  
  Name: firewall-domain-list
  
  Required: No
  
  Name: global-resolver
  
  Required: No
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Resources:
  Name: access-source
  
  Required: No
  
  Name: access-token
  
  Required: No
  
  Name: dns-view
  
  Required: No
  
  Name: firewall-domain-list
  
  Required: No
  
  Name: global-resolver
  
  Required: No
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to untag a resource
- Access: Tagging
- Resources:
  Name: access-source
  
  Required: No
  
  Name: access-token
  
  Required: No
  
  Name: dns-view
  
  Required: No
  
  Name: firewall-domain-list
  
  Required: No
  
  Name: global-resolver
  
  Required: No
- Conditions:
  aws:TagKeys
UpdateAccessSource
- Description: Grants permission to update an access source
- Access: Write
- Resources:
  Name: access-source
  
  Required: Yes
UpdateAccessToken
- Description: Grants permission to update an access token
- Access: Write
- Resources:
  Name: access-token
  
  Required: Yes
UpdateDNSView
- Description: Grants permission to update a dns view
- Access: Write
- Resources:
  Name: dns-view
  
  Required: Yes
UpdateFirewallDomains
- Description: Grants permission to update firewall domains
- Access: Write
- Resources:
  Name: firewall-domain-list
  
  Required: Yes
UpdateFirewallRule
- Description: Grants permission to update an firewall rule
- Access: Write
UpdateGlobalResolver
- Description: Grants permission to update a global resolver
- Access: Write
- Resources:
  Name: global-resolver
  
  Required: Yes
UpdateHostedZoneAssociation
- Description: Grants permission to update a hosted zone association
- Access: Write

Resources

access-source
- Arn: arn:${Partition}:route53globalresolver::${Account}:access-source/${Id}
- Conditions:
  aws:ResourceTag/${TagKey}
access-token
- Arn: arn:${Partition}:route53globalresolver::${Account}:access-token/${Id}
- Conditions:
  aws:ResourceTag/${TagKey}
dns-view
- Arn: arn:${Partition}:route53globalresolver::${Account}:dns-view/${Id}
- Conditions:
  aws:ResourceTag/${TagKey}
firewall-domain-list
- Arn: arn:${Partition}:route53globalresolver::${Account}:firewall-domain-list/${Id}
- Conditions:
  aws:ResourceTag/${TagKey}
global-resolver
- Arn: arn:${Partition}:route53globalresolver::${Account}:global-resolver/${Id}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by a tag key and value pair that is allowed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by a tag key and value pair of a resource
- Type: String
aws:TagKeys
- Description: Filters access by a list of tag keys that are allowed in the request
- Type: ArrayOfString

AWS Route53 Global Resolver (route53globalresolver)

Additions