fix: update IAM service definitions

TastefulElk · Jun 26, 2023 · 6617f04 · 6617f04
1 parent 0b25b2b
commit 6617f04
Show file tree

Hide file tree

Showing 17 changed files with 2,977 additions and 97 deletions.
diff --git a/src/data/iam-services/amazon-cloudwatch-logs.json b/src/data/iam-services/amazon-cloudwatch-logs.json
@@ -68,6 +68,15 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "DeleteAccountPolicy",
+      "documentationUrl": "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteDataProtectionPolicy.html",
+      "description": "Grants permission to delete a data protection policy attached to an account",
+      "accessLevel": "Write",
+      "resourceTypes": [],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "DeleteDataProtectionPolicy",
       "documentationUrl": "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteDataProtectionPolicy.html",
@@ -172,6 +181,15 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "DescribeAccountPolicies",
+      "documentationUrl": "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeAccountPolicies.html",
+      "description": "Grants permission to retrieve a data protection policy attached to an account",
+      "accessLevel": "List",
+      "resourceTypes": [],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "DescribeDestinations",
       "documentationUrl": "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeDestinations.html",
@@ -382,6 +400,15 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "PutAccountPolicy",
+      "documentationUrl": "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutAccountPolicy.html",
+      "description": "Grants permission to attach a data protection policy at account level to detect and redact sensitive information from log events",
+      "accessLevel": "Write",
+      "resourceTypes": [],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "PutDataProtectionPolicy",
       "documentationUrl": "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDataProtectionPolicy.html",

diff --git a/src/data/iam-services/amazon-ec2.json b/src/data/iam-services/amazon-ec2.json
@@ -1506,6 +1506,35 @@
         "ec2:CreateTags"
       ]
     },
+    {
+      "name": "CreateInstanceConnectEndpoint",
+      "documentationUrl": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceConnectEndpoint.html",
+      "description": "Grants permission to create an EC2 Instance Connect Endpoint that allows you to connect to an instance without a public IPv4 address",
+      "accessLevel": "Write",
+      "resourceTypes": [
+        "instance-connect-endpoint*",
+        "subnet*",
+        "security-group"
+      ],
+      "conditionKeys": [
+        "ec2:SubnetID",
+        "aws:ResourceTag/${TagKey}",
+        "ec2:AvailabilityZone",
+        "ec2:ResourceTag/${TagKey}",
+        "ec2:SubnetID",
+        "ec2:Vpc",
+        "aws:ResourceTag/${TagKey}",
+        "ec2:ResourceTag/${TagKey}",
+        "ec2:SecurityGroupID",
+        "ec2:Vpc",
+        "aws:RequestTag/${TagKey}",
+        "aws:TagKeys",
+        "ec2:Region"
+      ],
+      "dependentActions": [
+        "ec2:CreateTags"
+      ]
+    },
     {
       "name": "CreateInstanceEventWindow",
       "documentationUrl": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceEventWindow.html",
@@ -2369,6 +2398,7 @@
         "import-image-task",
         "import-snapshot-task",
         "instance",
+        "instance-connect-endpoint",
         "instance-event-window",
         "internet-gateway",
         "ipam",
@@ -2514,6 +2544,9 @@
         "ec2:Tenancy",
         "aws:ResourceTag/${TagKey}",
         "ec2:ResourceTag/${TagKey}",
+        "ec2:SubnetID",
+        "aws:ResourceTag/${TagKey}",
+        "ec2:ResourceTag/${TagKey}",
         "aws:ResourceTag/${TagKey}",
         "ec2:InternetGatewayID",
         "ec2:ResourceTag/${TagKey}",
@@ -3537,6 +3570,22 @@
       ],
       "dependentActions": []
     },
+    {
+      "name": "DeleteInstanceConnectEndpoint",
+      "documentationUrl": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInstanceConnectEndpoint.html",
+      "description": "Grants permission to delete an EC2 Instance Connect Endpoint",
+      "accessLevel": "Write",
+      "resourceTypes": [
+        "instance-connect-endpoint*"
+      ],
+      "conditionKeys": [
+        "aws:ResourceTag/${TagKey}",
+        "ec2:ResourceTag/${TagKey}",
+        "ec2:SubnetID",
+        "ec2:Region"
+      ],
+      "dependentActions": []
+    },
     {
       "name": "DeleteInstanceEventWindow",
       "documentationUrl": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInstanceEventWindow.html",
@@ -4119,6 +4168,7 @@
         "import-image-task",
         "import-snapshot-task",
         "instance",
+        "instance-connect-endpoint",
         "instance-event-window",
         "internet-gateway",
         "ipam",
@@ -4344,6 +4394,8 @@
         "ec2:ResourceTag/${TagKey}",
         "aws:ResourceTag/${TagKey}",
         "ec2:ResourceTag/${TagKey}",
+        "aws:ResourceTag/${TagKey}",
+        "ec2:ResourceTag/${TagKey}",
         "aws:TagKeys",
         "ec2:Region"
       ],
@@ -5502,6 +5554,17 @@
       ],
       "dependentActions": []
     },
+    {
+      "name": "DescribeInstanceConnectEndpoints",
+      "documentationUrl": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceConnectEndpoints.html",
+      "description": "Grants permission to describe EC2 Instance Connect Endpoints",
+      "accessLevel": "List",
+      "resourceTypes": [],
+      "conditionKeys": [
+        "ec2:Region"
+      ],
+      "dependentActions": []
+    },
     {
       "name": "DescribeInstanceCreditSpecifications",
       "documentationUrl": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceCreditSpecifications.html",

diff --git a/src/data/iam-services/amazon-kendra.json b/src/data/iam-services/amazon-kendra.json
@@ -619,6 +619,17 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "Retrieve",
+      "documentationUrl": "https://docs.aws.amazon.com/kendra/latest/dg/API_Retrieve.html",
+      "description": "Grants permission to retrieve relevant content from an index",
+      "accessLevel": "Read",
+      "resourceTypes": [
+        "index*"
+      ],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "StartDataSourceSyncJob",
       "documentationUrl": "https://docs.aws.amazon.com/kendra/latest/dg/API_StartDataSourceSyncJob.html",

diff --git a/src/data/iam-services/aws-appconfig.json b/src/data/iam-services/aws-appconfig.json
@@ -400,7 +400,9 @@
         "configurationprofile",
         "deployment",
         "deploymentstrategy",
-        "environment"
+        "environment",
+        "extension",
+        "extensionassociation"
       ],
       "conditionKeys": [
         "aws:ResourceTag/${TagKey}"

diff --git a/src/data/iam-services/aws-application-discovery-service.json b/src/data/iam-services/aws-application-discovery-service.json
@@ -54,13 +54,15 @@
       "description": "Grants permission to DeleteTags API. DeleteTags deletes the association between configuration items and one or more tags. This API accepts a list of multiple configuration items",
       "accessLevel": "Tagging",
       "resourceTypes": [],
-      "conditionKeys": [],
+      "conditionKeys": [
+        "aws:TagKeys"
+      ],
       "dependentActions": []
     },
     {
       "name": "DescribeAgents",
       "documentationUrl": "https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeAgents.html",
-      "description": "Grants permission to DescribeAgents API. DescribeAgents lists agents or the Connector by ID or lists all agents/Connectors associated with your user account if you did not specify an ID",
+      "description": "Grants permission to DescribeAgents API. DescribeAgents lists agents or the Connector by ID or lists all agents/Connectors associated with your user if you did not specify an ID",
       "accessLevel": "Read",
       "resourceTypes": [],
       "conditionKeys": [],
@@ -78,7 +80,7 @@
     {
       "name": "DescribeContinuousExports",
       "documentationUrl": "https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeContinuousExports.html",
-      "description": "Grants permission to DescribeContinuousExports API. DescribeContinuousExports lists exports as specified by ID. All continuous exports associated with your user account can be listed if you call DescribeContinuousExports as is without passing any parameters",
+      "description": "Grants permission to DescribeContinuousExports API. DescribeContinuousExports lists exports as specified by ID. All continuous exports associated with your user can be listed if you call DescribeContinuousExports as is without passing any parameters",
       "accessLevel": "Read",
       "resourceTypes": [],
       "conditionKeys": [],
@@ -105,7 +107,7 @@
     {
       "name": "DescribeImportTasks",
       "documentationUrl": "https://docs.aws.amazon.com/application-discovery/latest/APIReference/API_DescribeImportTasks.html",
-      "description": "Grants permission to DescribeImportTasks API. DescribeImportTasks returns an array of import tasks for your account, including status information, times, IDs, the Amazon S3 Object URL for the import file, and more",
+      "description": "Grants permission to DescribeImportTasks API. DescribeImportTasks returns an array of import tasks for your user, including status information, times, IDs, the Amazon S3 Object URL for the import file, and more",
       "accessLevel": "List",
       "resourceTypes": [],
       "conditionKeys": [],
@@ -217,7 +219,9 @@
         "discovery:AssociateConfigurationItemsToApplication",
         "discovery:CreateApplication",
         "discovery:CreateTags",
-        "discovery:ListConfigurations"
+        "discovery:GetDiscoverySummary",
+        "discovery:ListConfigurations",
+        "s3:GetObject"
       ]
     },
     {

diff --git a/src/data/iam-services/aws-application-migration-service.json b/src/data/iam-services/aws-application-migration-service.json
@@ -517,6 +517,15 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "ListManagedAccounts",
+      "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_ListManagedAccounts.html",
+      "description": "Grants permission to list managed accounts",
+      "accessLevel": "List",
+      "resourceTypes": [],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "ListSourceServerActions",
       "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_ListSourceServerActions.html",
@@ -623,6 +632,17 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "PauseReplication",
+      "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_PauseReplication.html",
+      "description": "Grants permission to pause replication",
+      "accessLevel": "Write",
+      "resourceTypes": [
+        "SourceServerResource*"
+      ],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "PutSourceServerAction",
       "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_PutSourceServerAction.html",
@@ -679,6 +699,17 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "ResumeReplication",
+      "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_ResumeReplication.html",
+      "description": "Grants permission to resume replication",
+      "accessLevel": "Write",
+      "resourceTypes": [
+        "SourceServerResource*"
+      ],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "RetryDataReplication",
       "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_RetryDataReplication.html",
@@ -921,6 +952,17 @@
         "mgn:ListTagsForResource"
       ]
     },
+    {
+      "name": "StopReplication",
+      "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_StopReplication.html",
+      "description": "Grants permission to stop replication",
+      "accessLevel": "Write",
+      "resourceTypes": [
+        "SourceServerResource*"
+      ],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "TagResource",
       "documentationUrl": "https://docs.aws.amazon.com/mgn/latest/APIReference/API_TagResource.html",

diff --git a/src/data/iam-services/aws-audit-manager.json b/src/data/iam-services/aws-audit-manager.json
@@ -302,6 +302,15 @@
       "conditionKeys": [],
       "dependentActions": []
     },
+    {
+      "name": "GetEvidenceFileUploadUrl",
+      "documentationUrl": "https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetEvidenceFileUploadUrl.html",
+      "description": "Grants permission to get a presigned Amazon S3 URL that can be used to upload a file as manual evidence",
+      "accessLevel": "Read",
+      "resourceTypes": [],
+      "conditionKeys": [],
+      "dependentActions": []
+    },
     {
       "name": "GetEvidenceFolder",
       "documentationUrl": "https://docs.aws.amazon.com/audit-manager/latest/APIReference/API_GetEvidenceFolder.html",

diff --git a/src/data/iam-services/aws-backup.json b/src/data/iam-services/aws-backup.json
@@ -612,6 +612,7 @@
         "backupPlan",
         "backupVault",
         "framework",
+        "legalHold",
         "recoveryPoint",
         "reportPlan"
       ],
@@ -661,10 +662,7 @@
       "resourceTypes": [
         "backupVault*"
       ],
-      "conditionKeys": [
-        "aws:RequestTag/${TagKey}",
-        "aws:TagKeys"
-      ],
+      "conditionKeys": [],
       "dependentActions": [
         "iam:PassRole"
       ]
@@ -760,10 +758,7 @@
       "resourceTypes": [
         "backupPlan*"
       ],
-      "conditionKeys": [
-        "aws:RequestTag/${TagKey}",
-        "aws:TagKeys"
-      ],
+      "conditionKeys": [],
       "dependentActions": []
     },
     {
@@ -774,10 +769,7 @@
       "resourceTypes": [
         "framework*"
       ],
-      "conditionKeys": [
-        "aws:RequestTag/${TagKey}",
-        "aws:TagKeys"
-      ],
+      "conditionKeys": [],
       "dependentActions": []
     },
     {