Change log of AWS IAM permissions

2026-06-13

17 new actions, 1 new resource | 2 updated actions

Additions

Actions

BatchCreateSecurityRequirements
- Description: Grants permission to batch create security requirements in a customer managed pack
- Access: Write
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes
- Dependents:
  kms:Decrypt
  
  kms:GenerateDataKeyWithoutPlaintext
  
  kms:ReEncryptFrom
  
  kms:ReEncryptTo
BatchDeleteSecurityRequirements
- Description: Grants permission to batch delete security requirements from a customer managed pack
- Access: Write
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes
BatchGetSecurityRequirements
- Description: Grants permission to retrieve multiple security requirements in a single request
- Access: Read
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes
- Dependents:
  kms:Decrypt
  
  kms:GenerateDataKeyWithoutPlaintext
  
  kms:ReEncryptFrom
  
  kms:ReEncryptTo
BatchUpdateSecurityRequirements
- Description: Grants permission to batch update security requirements within a customer managed pack
- Access: Write
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes
- Dependents:
  kms:Decrypt
  
  kms:GenerateDataKeyWithoutPlaintext
  
  kms:ReEncryptFrom
  
  kms:ReEncryptTo
CreatePrivateConnection
- Description: Grants permission to create a private connection for VPC Lattice integration
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreateSecurityRequirementPack
- Description: Grants permission to create a customer managed security requirement pack
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  kms:Decrypt
  
  kms:DescribeKey
  
  kms:GenerateDataKeyWithoutPlaintext
  
  kms:ReEncryptFrom
  
  kms:ReEncryptTo
DeletePrivateConnection
- Description: Grants permission to delete a private connection
- Access: Write
- Resources:
  Name: PrivateConnection
  
  Required: Yes
DeleteSecurityRequirementPack
- Description: Grants permission to delete a customer managed security requirement pack and all its associated security requirements
- Access: Write
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes
DescribePrivateConnection
- Description: Grants permission to describe a private connection
- Access: Read
- Resources:
  Name: PrivateConnection
  
  Required: Yes
GetProviderRegistrationManifest
- Description: Grants permission to retrieve the provider registration manifest used for browser-based integration registration
- Access: Read
GetSecurityRequirementPack
- Description: Grants permission to retrieve a security requirement pack
- Access: Read
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes
HandleProviderRegistrationCallback
- Description: Grants permission to handle the provider OAuth registration callback that completes integration setup
- Access: Write
ImportSecurityRequirements
- Description: Grants permission to import security requirements from uploaded documents for a customer managed security requirement pack
- Access: Write
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes
- Dependents:
  kms:Decrypt
  
  kms:GenerateDataKeyWithoutPlaintext
  
  kms:ReEncryptFrom
  
  kms:ReEncryptTo
ListPrivateConnections
- Description: Grants permission to list private connections in the account
- Access: List
ListSecurityRequirementPacks
- Description: Grants permission to list all security requirement packs in the account
- Access: List
UpdatePrivateConnectionCertificate
- Description: Grants permission to update the certificate associated with a private connection
- Access: Write
- Resources:
  Name: PrivateConnection
  
  Required: Yes
UpdateSecurityRequirementPack
- Description: Grants permission to update a security requirement pack
- Access: Write
- Resources:
  Name: SecurityRequirementPack
  
  Required: Yes

Resources

PrivateConnection
- Arn: arn:${Partition}:securityagent:${Region}:${Account}:private-connection/${PrivateConnectionName}
- Conditions:
  aws:ResourceTag/${TagKey}

Updates

Actions

TagResource
- ＋ kms:Decrypt
- ＋ kms:GenerateDataKeyWithoutPlaintext
- ＋ kms:ReEncryptFrom
- ＋ kms:ReEncryptTo
ToggleManagedSecurityRequirement
- ＋ PrivateConnection

AWS Security Agent (securityagent)

Additions

Updates