From 0f1ee02f709426a64cd209794131dc2e1060dc4c Mon Sep 17 00:00:00 2001
From: TobiLG
Date: Fri, 10 Jan 2025 04:09:36 +0000
Subject: [PATCH] [no ci] Data update on 2025-01-10T04:09:36
---
 .../v2/policy.json | 198 ++++
 .../v2/policy.json | 252 +++++++
 .../v2/policy.json | 40 ++
 .../v3/policy.json | 48 ++
 package-lock.json | 4 +-
 package.json | 2 +-
 src/managedPolicies.json | 640 ++++++++++++++++--
 7 files changed, 1136 insertions(+), 48 deletions(-)
 create mode 100644 data/json/AmazonDataZoneSageMakerProvisioningRolePolicy/v2/policy.json
 create mode 100644 data/json/AmazonEKSLoadBalancingPolicy/v2/policy.json
 create mode 100644 data/json/AmazonWorkSpacesThinClientFullAccess/v2/policy.json
 create mode 100644 data/json/AmazonWorkSpacesThinClientReadOnlyAccess/v3/policy.json
diff --git a/data/json/AmazonDataZoneSageMakerProvisioningRolePolicy/v2/policy.json b/data/json/AmazonDataZoneSageMakerProvisioningRolePolicy/v2/policy.json
new file mode 100644
index 00000000..62c4507b
--- /dev/null
+++ b/data/json/AmazonDataZoneSageMakerProvisioningRolePolicy/v2/policy.json
@@ -0,0 +1,198 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CreateSageMakerStudio", + "Effect": "Allow", + "Action": [ + "sagemaker:CreateDomain" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + }, + "ForAnyValue:StringEquals": { + "aws:TagKeys": [ + "AmazonDataZoneEnvironment" + ] + }, + "Null": { + "aws:TagKeys": "false", + "aws:ResourceTag/AmazonDataZoneEnvironment": "false", + "aws:RequestTag/AmazonDataZoneEnvironment": "false" + } + } + }, + { + "Sid": "DeleteSageMakerStudio", + "Effect": "Allow", + "Action": [ + "sagemaker:DeleteDomain" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + }, + "ForAnyValue:StringLike": { + "aws:TagKeys": [ + "AmazonDataZoneEnvironment" + ] + }, + "Null": { + "aws:TagKeys": "false", + "aws:ResourceTag/AmazonDataZoneEnvironment": "false" + } + } + }, + { + "Sid": "AmazonDataZoneEnvironmentSageMakerDescribePermissions", + "Effect": "Allow", + "Action": [ + "sagemaker:DescribeDomain" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "IamPassRolePermissions", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::*:role/sm-provisioning/datazone_usr*" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "glue.amazonaws.com", + "lakeformation.amazonaws.com", + "sagemaker.amazonaws.com" + ], + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "AmazonDataZonePermissionsToCreateEnvironmentRole", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:DetachRolePolicy", + "iam:DeleteRolePolicy", + "iam:AttachRolePolicy", + "iam:PutRolePolicy" + ], + "Resource": [ + "arn:aws:iam::*:role/sm-provisioning/datazone_usr*" + ], + "Condition": { + "StringEquals": { + 
"aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ], + "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary" + } + } + }, + { + "Sid": "AmazonDataZonePermissionsToManageEnvironmentRole", + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:GetRolePolicy", + "iam:DeleteRole" + ], + "Resource": [ + "arn:aws:iam::*:role/sm-provisioning/datazone_usr*" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "AmazonDataZonePermissionsToCreateSageMakerServiceRole", + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": [ + "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "AmazonDataZoneEnvironmentParameterValidation", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "sagemaker:ListDomains" + ], + "Resource": "*" + }, + { + "Sid": "AmazonDataZoneEnvironmentKMSKeyValidation", + "Effect": "Allow", + "Action": [ + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:*:*:key/*", + "Condition": { + "Null": { + "aws:ResourceTag/AmazonDataZoneEnvironment": "false" + } + } + }, + { + "Sid": "AmazonDataZoneEnvironmentGluePermissions", + "Effect": "Allow", + "Action": [ + "glue:CreateConnection", + "glue:DeleteConnection", + "glue:GetConnection" + ], + "Resource": [ + "arn:aws:glue:*:*:connection/dz-sm-athena-glue-connection-*", + "arn:aws:glue:*:*:connection/dz-sm-redshift-cluster-connection-*", + "arn:aws:glue:*:*:connection/dz-sm-redshift-serverless-connection-*", + "arn:aws:glue:*:*:catalog" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + } + ] +} \ No newline at end of file 
diff --git a/data/json/AmazonEKSLoadBalancingPolicy/v2/policy.json b/data/json/AmazonEKSLoadBalancingPolicy/v2/policy.json
new file mode 100644
index 00000000..c0453b5f
--- /dev/null
+++ b/data/json/AmazonEKSLoadBalancingPolicy/v2/policy.json
@@ -0,0 +1,252 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateRule", + "ec2:CreateSecurityGroup" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "ingress.eks.amazonaws.com/stack", + "ingress.eks.amazonaws.com/resource", + "service.eks.amazonaws.com/stack", + "service.eks.amazonaws.com/resource" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup" + ], + "Resource": "arn:aws:ec2:*:*:vpc/*" + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:RegisterTargets" + ], + "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress" + ], + "Resource": "arn:aws:ec2:*:*:security-group-rule/*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "StringLike": { + "aws:ResourceTag/Name": "eks-cluster-sg*" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + 
"elasticloadbalancing:AddTags" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "elasticloadbalancing:CreateAction": [ + "CreateLoadBalancer", + "CreateTargetGroup", + "CreateListener", + "CreateRule" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateSecurityGroup", + "AuthorizeSecurityGroupIngress" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:AddListenerCertificates", + "elasticloadbalancing:ModifyListenerAttributes", + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:ModifyRule" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "wafv2:AssociateWebACL", + "wafv2:DisassociateWebACL" + ], + "Resource": [ + "arn:aws:wafv2:*:*:*/webacl/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "shield:CreateProtection" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "ingress.eks.amazonaws.com/stack", + "ingress.eks.amazonaws.com/resource", + "service.eks.amazonaws.com/stack", + "service.eks.amazonaws.com/resource" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "shield:DeleteProtection" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + 
"aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "shield:TagResource" + ], + "Resource": "arn:aws:shield::*:protection/*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "ingress.eks.amazonaws.com/stack", + "ingress.eks.amazonaws.com/resource", + "service.eks.amazonaws.com/stack", + "service.eks.amazonaws.com/resource" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "cognito-idp:DescribeUserPoolClient", + "acm:ListCertificates", + "acm:DescribeCertificate", + "wafv2:GetWebACL", + "wafv2:GetWebACLForResource", + "elasticloadbalancing:SetWebAcl", + "elasticloadbalancing:DescribeTargetGroups" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeAddresses", + "ec2:DescribeInternetGateways", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:DescribeVpcClassicLink", + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeClassicLinkInstances", + "ec2:DescribeRouteTables", + "ec2:DescribeCoipPools", + "ec2:GetCoipPoolUsage", + "ec2:GetSecurityGroupsForVpc", + "ec2:DescribeVpcPeeringConnections" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" + } + } + } + ] +} \ No newline at end of file diff --git a/data/json/AmazonWorkSpacesThinClientFullAccess/v2/policy.json b/data/json/AmazonWorkSpacesThinClientFullAccess/v2/policy.json new file mode 100644 index 00000000..a94ddbfb --- /dev/null 
+++ b/data/json/AmazonWorkSpacesThinClientFullAccess/v2/policy.json @@ -0,0 +1,40 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowThinClientFullAccess", + "Effect": "Allow", + "Action": [ + "thinclient:*" + ], + "Resource": "*" + }, + { + "Sid": "AllowWorkSpacesAccess", + "Effect": "Allow", + "Action": [ + "workspaces:DescribeConnectionAliases", + "workspaces:DescribeWorkspaceDirectories" + ], + "Resource": "*" + }, + { + "Sid": "AllowWorkSpacesSecureBrowserAccess", + "Effect": "Allow", + "Action": [ + "workspaces-web:GetPortal", + "workspaces-web:GetUserSettings", + "workspaces-web:ListPortals" + ], + "Resource": "*" + }, + { + "Sid": "AllowAppStreamAccess", + "Effect": "Allow", + "Action": [ + "appstream:DescribeStacks" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/data/json/AmazonWorkSpacesThinClientReadOnlyAccess/v3/policy.json b/data/json/AmazonWorkSpacesThinClientReadOnlyAccess/v3/policy.json new file mode 100644 index 00000000..9865b512 --- /dev/null +++ b/data/json/AmazonWorkSpacesThinClientReadOnlyAccess/v3/policy.json 
@@ -0,0 +1,48 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowThinClientReadAccess", + "Effect": "Allow", + "Action": [ + "thinclient:GetDevice", + "thinclient:GetDeviceDetails", + "thinclient:GetEnvironment", + "thinclient:GetSoftwareSet", + "thinclient:ListDevices", + "thinclient:ListDeviceSessions", + "thinclient:ListEnvironments", + "thinclient:ListSoftwareSets", + "thinclient:ListTagsForResource" + ], + "Resource": "*" + }, + { + "Sid": "AllowWorkSpacesAccess", + "Effect": "Allow", + "Action": [ + "workspaces:DescribeConnectionAliases", + "workspaces:DescribeWorkspaceDirectories" + ], + "Resource": "*" + }, + { + "Sid": "AllowWorkSpacesSecureBrowserAccess", + "Effect": "Allow", + "Action": [ + "workspaces-web:GetPortal", + "workspaces-web:GetUserSettings", + "workspaces-web:ListPortals" + ], + "Resource": "*" + }, + { + "Sid": "AllowAppStreamAccess", + "Effect": "Allow", + "Action": [ + "appstream:DescribeStacks" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index a0f48f11..ea982ac8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "aws-iam-managed-policies", - "version": "0.0.298", + "version": "0.0.299", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "aws-iam-managed-policies", - "version": "0.0.298", + "version": "0.0.299", "license": "MIT", "dependencies": { "deep-object-diff": "^1.1.9" diff --git a/package.json b/package.json index f2c7d316..f661b6f6 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "aws-iam-managed-policies", - "version": "0.0.298", + "version": "0.0.299", "description": "Provides AWS IAM Managed Policies historical data as a convenient npm package that can be used in other OSS projects.", "main": "./dist/index.js", "types": "./dist/index.d.ts", diff --git a/src/managedPolicies.json b/src/managedPolicies.json index 83f87852..405fc590 100644 --- a/src/managedPolicies.json 
+++ b/src/managedPolicies.json @@ -644350,8 +644350,8 @@ }, "AmazonDataZoneSageMakerProvisioningRolePolicy": { "arn": "arn:aws:iam::aws:policy/AmazonDataZoneSageMakerProvisioningRolePolicy", - "latestVersionId": "v1", - "versionsCount": 1, + "latestVersionId": "v2", + "versionsCount": 2, "versions": { "v1": { "createdDate": "2024-04-23T23:32:28.000Z", 
@@ -644552,10 +644552,211 @@ } ] } + }, + "v2": { + "createdDate": "2024-04-23T23:32:28.000Z", + "document": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "CreateSageMakerStudio", + "Effect": "Allow", + "Action": [ + "sagemaker:CreateDomain" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + }, + "ForAnyValue:StringEquals": { + "aws:TagKeys": [ + "AmazonDataZoneEnvironment" + ] + }, + "Null": { + "aws:TagKeys": "false", + "aws:ResourceTag/AmazonDataZoneEnvironment": "false", + "aws:RequestTag/AmazonDataZoneEnvironment": "false" + } + } + }, + { + "Sid": "DeleteSageMakerStudio", + "Effect": "Allow", + "Action": [ + "sagemaker:DeleteDomain" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + }, + "ForAnyValue:StringLike": { + "aws:TagKeys": [ + "AmazonDataZoneEnvironment" + ] + }, + "Null": { + "aws:TagKeys": "false", + "aws:ResourceTag/AmazonDataZoneEnvironment": "false" + } + } + }, + { + "Sid": "AmazonDataZoneEnvironmentSageMakerDescribePermissions", + "Effect": "Allow", + "Action": [ + "sagemaker:DescribeDomain" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "IamPassRolePermissions", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::*:role/sm-provisioning/datazone_usr*" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "glue.amazonaws.com", + "lakeformation.amazonaws.com", + "sagemaker.amazonaws.com" + ], + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "AmazonDataZonePermissionsToCreateEnvironmentRole", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:DetachRolePolicy", + "iam:DeleteRolePolicy", + "iam:AttachRolePolicy", + "iam:PutRolePolicy" + ], + "Resource": [ + 
"arn:aws:iam::*:role/sm-provisioning/datazone_usr*" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ], + "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary" + } + } + }, + { + "Sid": "AmazonDataZonePermissionsToManageEnvironmentRole", + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:GetRolePolicy", + "iam:DeleteRole" + ], + "Resource": [ + "arn:aws:iam::*:role/sm-provisioning/datazone_usr*" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "AmazonDataZonePermissionsToCreateSageMakerServiceRole", + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": [ + "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] + } + } + }, + { + "Sid": "AmazonDataZoneEnvironmentParameterValidation", + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "sagemaker:ListDomains" + ], + "Resource": "*" + }, + { + "Sid": "AmazonDataZoneEnvironmentKMSKeyValidation", + "Effect": "Allow", + "Action": [ + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:*:*:key/*", + "Condition": { + "Null": { + "aws:ResourceTag/AmazonDataZoneEnvironment": "false" + } + } + }, + { + "Sid": "AmazonDataZoneEnvironmentGluePermissions", + "Effect": "Allow", + "Action": [ + "glue:CreateConnection", + "glue:DeleteConnection", + "glue:GetConnection" + ], + "Resource": [ + "arn:aws:glue:*:*:connection/dz-sm-athena-glue-connection-*", + "arn:aws:glue:*:*:connection/dz-sm-redshift-cluster-connection-*", + "arn:aws:glue:*:*:connection/dz-sm-redshift-serverless-connection-*", + "arn:aws:glue:*:*:catalog" + ], + "Condition": { + "StringEquals": { + "aws:CalledViaFirst": [ + "cloudformation.amazonaws.com" + ] 
+ } + } + } + ] + } } }, "createdDate": "2024-04-23T23:32:28.000Z", - "lastUpdatedDate": "2024-04-23T23:32:28.000Z" + "lastUpdatedDate": "2025-01-09T20:52:06.000Z" }, "AmazonDataZoneSageMakerManageAccessRolePolicy": { "arn": "arn:aws:iam::aws:policy/AmazonDataZoneSageMakerManageAccessRolePolicy", @@ -648633,8 +648834,8 @@ }, "AmazonWorkSpacesThinClientReadOnlyAccess": { "arn": "arn:aws:iam::aws:policy/AmazonWorkSpacesThinClientReadOnlyAccess", - "latestVersionId": "v2", - "versionsCount": 2, + "latestVersionId": "v3", + "versionsCount": 3, "versions": { "v1": { "createdDate": "2024-07-19T08:50:52.000Z", 
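Review bot: The new `v2` entry's `createdDate` (`"2024-04-23T23:32:28.000Z"`) is identical to `v1`'s and to the policy-level `createdDate`, while the policy-level `lastUpdatedDate` moves to `2025-01-09T20:52:06.000Z`; if the per-version field is meant to record when that version was created, it looks like the generator copies the policy's creation date into every version instead of the version's own timestamp (presumably the `CreateDate` that IAM returns per policy version). The same pattern appears in the hunks for `AmazonWorkSpacesThinClientReadOnlyAccess` `v3` (`2024-07-19T08:50:52.000Z` vs. `2025-01-09T16:52:05.000Z`), `AmazonWorkSpacesThinClientFullAccess` `v2` (`2024-08-09T07:25:24.000Z` vs. `2025-01-09T16:52:06.000Z`) and `AmazonEKSLoadBalancingPolicy` `v2` (`2024-10-30T20:18:06.000Z` vs. `2025-01-09T22:37:06.000Z`). This matters for consumers who rely on the version dates to detect when a managed policy's grants changed, since every version would appear to date from the policy's first publication and the moment new permissions were introduced is lost. If the upstream data really only exposes the policy-level date, that limitation should be documented next to the field; otherwise each version entry should carry its own timestamp, e.g. `"createdDate": "<version-CreateDate-placeholder>"`.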
@@ -648707,50 +648908,101 @@ } ] } - } - }, - "createdDate": "2024-07-19T08:50:52.000Z", - "lastUpdatedDate": "2024-08-09T07:11:12.000Z" - }, - "AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy": { - "arn": "arn:aws:iam::aws:policy/AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy", - "latestVersionId": "v1", - "versionsCount": 1, - "versions": { - "v1": { - "createdDate": "2024-07-27T00:35:42.000Z", + }, + "v3": { + "createdDate": "2024-07-19T08:50:52.000Z", "document": { "Version": "2012-10-17", "Statement": [ { - "Sid": "S3Operations", + "Sid": "AllowThinClientReadAccess", "Effect": "Allow", "Action": [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:GetBucketCors", - "s3:GetBucketLocation", - "s3:AbortMultipartUpload" - ], - "Resource": [ - "arn:aws:s3:::*SageMaker*", - "arn:aws:s3:::*sagemaker*" + "thinclient:GetDevice", + "thinclient:GetDeviceDetails", + "thinclient:GetEnvironment", + "thinclient:GetSoftwareSet", + "thinclient:ListDevices", + "thinclient:ListDeviceSessions", + "thinclient:ListEnvironments", + "thinclient:ListSoftwareSets", + "thinclient:ListTagsForResource" ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } + "Resource": "*" }, { - "Sid": "S3GetObjectOperation", + "Sid": "AllowWorkSpacesAccess", "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::*", - "Condition": { - "StringEqualsIgnoreCase": { - "s3:ExistingObjectTag/SageMaker": "true" + "Action": [ + "workspaces:DescribeConnectionAliases", + "workspaces:DescribeWorkspaceDirectories" + ], + "Resource": "*" + }, + { + "Sid": "AllowWorkSpacesSecureBrowserAccess", + "Effect": "Allow", + "Action": [ + "workspaces-web:GetPortal", + "workspaces-web:GetUserSettings", + "workspaces-web:ListPortals" + ], + "Resource": "*" + }, + { + "Sid": "AllowAppStreamAccess", + "Effect": "Allow", + "Action": [ + "appstream:DescribeStacks" + ], + "Resource": "*" + } + ] + } + } + }, + "createdDate": 
"2024-07-19T08:50:52.000Z", + "lastUpdatedDate": "2025-01-09T16:52:05.000Z" + }, + "AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy": { + "arn": "arn:aws:iam::aws:policy/AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy", + "latestVersionId": "v1", + "versionsCount": 1, + "versions": { + "v1": { + "createdDate": "2024-07-27T00:35:42.000Z", + "document": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "S3Operations", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:GetBucketCors", + "s3:GetBucketLocation", + "s3:AbortMultipartUpload" + ], + "Resource": [ + "arn:aws:s3:::*SageMaker*", + "arn:aws:s3:::*sagemaker*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "S3GetObjectOperation", + "Effect": "Allow", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::*", + "Condition": { + "StringEqualsIgnoreCase": { + "s3:ExistingObjectTag/SageMaker": "true" }, "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" @@ -648965,8 +649217,8 @@ }, "AmazonWorkSpacesThinClientFullAccess": { "arn": "arn:aws:iam::aws:policy/AmazonWorkSpacesThinClientFullAccess", - "latestVersionId": "v1", - "versionsCount": 1, + "latestVersionId": "v2", + "versionsCount": 2, "versions": { "v1": { "createdDate": "2024-08-09T07:25:24.000Z", 
@@ -649009,10 +649261,53 @@ } ] } + }, + "v2": { + "createdDate": "2024-08-09T07:25:24.000Z", + "document": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowThinClientFullAccess", + "Effect": "Allow", + "Action": [ + "thinclient:*" + ], + "Resource": "*" + }, + { + "Sid": "AllowWorkSpacesAccess", + "Effect": "Allow", + "Action": [ + "workspaces:DescribeConnectionAliases", + "workspaces:DescribeWorkspaceDirectories" + ], + "Resource": "*" + }, + { + "Sid": "AllowWorkSpacesSecureBrowserAccess", + "Effect": "Allow", + "Action": [ + "workspaces-web:GetPortal", + "workspaces-web:GetUserSettings", + "workspaces-web:ListPortals" + ], + "Resource": "*" + }, + { + "Sid": "AllowAppStreamAccess", + "Effect": "Allow", + "Action": [ + "appstream:DescribeStacks" + ], + "Resource": "*" + } + ] + } } }, "createdDate": "2024-08-09T07:25:24.000Z", - "lastUpdatedDate": "2024-08-09T07:25:24.000Z" + "lastUpdatedDate": "2025-01-09T16:52:06.000Z" }, "AWSCompromisedKeyQuarantineV3": { "arn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3", @@ -651059,8 +651354,8 @@ }, "AmazonEKSLoadBalancingPolicy": { "arn": "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy", - "latestVersionId": "v1", - "versionsCount": 1, + "latestVersionId": "v2", + "versionsCount": 2, "versions": { "v1": { "createdDate": "2024-10-30T20:18:06.000Z", 
@@ -651295,10 +651590,265 @@ } ] } + }, + "v2": { + "createdDate": "2024-10-30T20:18:06.000Z", + "document": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateRule", + "ec2:CreateSecurityGroup" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "ingress.eks.amazonaws.com/stack", + "ingress.eks.amazonaws.com/resource", + "service.eks.amazonaws.com/stack", + "service.eks.amazonaws.com/resource" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup" + ], + "Resource": "arn:aws:ec2:*:*:vpc/*" + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:RegisterTargets" + ], + "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress" + ], + "Resource": "arn:aws:ec2:*:*:security-group-rule/*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "StringLike": { + "aws:ResourceTag/Name": "eks-cluster-sg*" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": 
"${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddTags" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "elasticloadbalancing:CreateAction": [ + "CreateLoadBalancer", + "CreateTargetGroup", + "CreateListener", + "CreateRule" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateSecurityGroup", + "AuthorizeSecurityGroupIngress" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:AddListenerCertificates", + "elasticloadbalancing:ModifyListenerAttributes", + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:ModifyRule" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "wafv2:AssociateWebACL", + "wafv2:DisassociateWebACL" + ], + "Resource": [ + "arn:aws:wafv2:*:*:*/webacl/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "shield:CreateProtection" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "ingress.eks.amazonaws.com/stack", + "ingress.eks.amazonaws.com/resource", + "service.eks.amazonaws.com/stack", + "service.eks.amazonaws.com/resource" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + 
"shield:DeleteProtection" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "shield:TagResource" + ], + "Resource": "arn:aws:shield::*:protection/*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "ingress.eks.amazonaws.com/stack", + "ingress.eks.amazonaws.com/resource", + "service.eks.amazonaws.com/stack", + "service.eks.amazonaws.com/resource" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "cognito-idp:DescribeUserPoolClient", + "acm:ListCertificates", + "acm:DescribeCertificate", + "wafv2:GetWebACL", + "wafv2:GetWebACLForResource", + "elasticloadbalancing:SetWebAcl", + "elasticloadbalancing:DescribeTargetGroups" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeAddresses", + "ec2:DescribeInternetGateways", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:DescribeVpcClassicLink", + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeClassicLinkInstances", + "ec2:DescribeRouteTables", + "ec2:DescribeCoipPools", + "ec2:GetCoipPoolUsage", + "ec2:GetSecurityGroupsForVpc", + "ec2:DescribeVpcPeeringConnections" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" + } + } + } + ] + } } }, "createdDate": "2024-10-30T20:18:06.000Z", - "lastUpdatedDate": "2024-10-30T20:18:06.000Z" + "lastUpdatedDate": "2025-01-09T22:37:06.000Z" }, "AmazonEKSBlockStoragePolicy": { 
"arn": "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy",