diff --git a/CHANGELOG/v0.661.0.md b/CHANGELOG/v0.661.0.md
new file mode 100644
index 000000000..497082cad
--- /dev/null
+++ b/CHANGELOG/v0.661.0.md
@@ -0,0 +1,21 @@
+**New actions:**
+
+- apigateway:CreateAccessAssociation
+- apigateway:RejectAccessAssociation
+- apigateway:UpdateDomainNameManagementPolicy
+- apigateway:UpdateDomainNamePolicy
+- imagebuilder:ImportDiskImage
+- medialive:ListVersions
+
+**New resource types:**
+
+- apigateway:DomainNameAccessAssociation
+- apigateway:DomainNameAccessAssociations
+- apigateway:PrivateBasePathMapping
+- apigateway:PrivateBasePathMappings
+- apigateway:PrivateDomainName
+
+**New condition keys:**
+
+- apigateway:Request/AccessAssociationSource
+- apigateway:Request/DomainNameArn
diff --git a/README.md b/README.md
index 71852f9f0..e846ad99d 100644
--- a/README.md
+++ b/README.md
@@ -17,9 +17,9 @@ Support for:
 - 417 Services
-- 18178 Actions
-- 1948 Resource Types
-- 1897 Condition keys
+- 18184 Actions
+- 1953 Resource Types
+- 1899 Condition keys
 ![EXPERIMENTAL](https://img.shields.io/badge/stability-experimantal-orange?style=for-the-badge)**
This is an early version of the package. The API will change while I implement new features. Therefore make sure you use an exact version in your `package.json` before it reaches 1.0.0.**
diff --git a/VERSION b/VERSION
index 66c278026..fe784585c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.660.0
+0.661.0
diff --git a/docs/source/conf.py b/docs/source/conf.py
index 7ff5929e5..e01696150 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -24,7 +24,7 @@ author = 'Daniel Schroeder'
 # The full version, including alpha/beta/rc tags
-release = '0.660.0'
+release = '0.661.0'
 # -- General configuration ---------------------------------------------------
diff --git a/docs/source/index.rst b/docs/source/index.rst
index 1dc7a032d..9f9ab2432 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -31,9 +31,9 @@ AWS IAM policy statement generator with fluent interface. Support for:
 - 417 Services
-- 18178 Actions
-- 1948 Resource Types
-- 1897 Condition keys
+- 18184 Actions
+- 1953 Resource Types
+- 1899 Condition keys
 .. /stats
diff --git a/lib/generated/policy-statements/apigatewaymanagement.ts b/lib/generated/policy-statements/apigatewaymanagement.ts index 402dddc8d..9779b1ae0 100644 --- a/lib/generated/policy-statements/apigatewaymanagement.ts +++ b/lib/generated/policy-statements/apigatewaymanagement.ts @@ -29,6 +29,17 @@ export class Apigateway extends PolicyStatement { return this.to('AddCertificateToDomain'); } + /** + * Grants permission to create an access association from an access association source to a custom domain name for private APIs + * + * Access Level: Permissions management + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html + */ + public toCreateAccessAssociation() { + return this.to('CreateAccessAssociation'); + } + /** * Grants permission to delete a particular resource * 
@@ -100,6 +111,17 @@ export class Apigateway extends PolicyStatement { return this.to('PUT'); } + /** + * Grants permission to reject an existing access association owned by another account to a custom domain name for private APIs + * + * Access Level: Permissions management + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html + */ + public toRejectAccessAssociation() { + return this.to('RejectAccessAssociation'); + } + /** * Grants permission to remove certificates for mutual TLS authentication from a domain name. This is an additional authorization control for managing the DomainName resource due to the sensitive nature of mTLS * @@ -122,6 +144,28 @@ export class Apigateway extends PolicyStatement { return this.to('SetWebACL'); } + /** + * Grants permission to update the management policy of a custom domain name for private APIs + * + * Access Level: Permissions management + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html + */ + public toUpdateDomainNameManagementPolicy() { + return this.to('UpdateDomainNameManagementPolicy'); + } + + /** + * Grants permission to update the invoke policy of a custom domain name for private APIs + * + * Access Level: Permissions management + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html + */ + public toUpdateDomainNamePolicy() { + return this.to('UpdateDomainNamePolicy'); + } + /** * Grants permission to manage the IAM resource policy for an API. This is an additional authorization control for managing an API due to the sensitive nature of the resource policy * @@ -136,8 +180,12 @@ export class Apigateway extends PolicyStatement { protected accessLevelList: AccessLevelList = { 'Permissions management': [ 'AddCertificateToDomain', + 'CreateAccessAssociation', + 'RejectAccessAssociation', 'RemoveCertificateFromDomain', 'SetWebACL', + 'UpdateDomainNameManagementPolicy', + 'UpdateDomainNamePolicy', 'UpdateRestApiPolicy' ], Write: [ 
@@ -440,6 +488,40 @@ export class Apigateway extends PolicyStatement { return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/domainnames`); } + /** + * Adds a resource of type DomainNameAccessAssociation to the statement + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_DomainNameAccessAssociation.html + * + * @param domainName - Identifier for the domainName. + * @param sourceType - Identifier for the sourceType. + * @param sourceId - Identifier for the sourceId. + * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. + * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region. + * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. + */ + public onDomainNameAccessAssociation(domainName: string, sourceType: string, sourceId: string, account?: string, region?: string, partition?: string) { + return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:/domainnameaccessassociations/domainname/${ domainName }/${ sourceType }/${ sourceId }`); + } + + /** + * Adds a resource of type DomainNameAccessAssociations to the statement + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_DomainNameAccessAssociation.html + * + * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. + * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region. + * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. 
+ * + * Possible conditions: + * - .ifRequestAccessAssociationSource() + * - .ifRequestDomainNameArn() + * - .ifAwsResourceTag() + */ + public onDomainNameAccessAssociations(account?: string, region?: string, partition?: string) { + return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:/domainnameaccessassociations`); + } + /** * Adds a resource of type GatewayResponse to the statement * 
@@ -584,6 +666,61 @@ export class Apigateway extends PolicyStatement { return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/restapis/${ restApiId }/models`); } + /** + * Adds a resource of type PrivateBasePathMapping to the statement + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_BasePathMapping.html + * + * @param domainName - Identifier for the domainName. + * @param domainIdentifier - Identifier for the domainIdentifier. + * @param basePath - Identifier for the basePath. + * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region. + * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. + * + * Possible conditions: + * - .ifAwsResourceTag() + */ + public onPrivateBasePathMapping(domainName: string, domainIdentifier: string, basePath: string, region?: string, partition?: string) { + return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/domainnames/${ domainName }+${ domainIdentifier }/basepathmappings/${ basePath }`); + } + + /** + * Adds a resource of type PrivateBasePathMappings to the statement + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_BasePathMapping.html + * + * @param domainName - Identifier for the domainName. + * @param domainIdentifier - Identifier for the domainIdentifier. + * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region. + * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. 
+ * + * Possible conditions: + * - .ifAwsResourceTag() + */ + public onPrivateBasePathMappings(domainName: string, domainIdentifier: string, region?: string, partition?: string) { + return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/domainnames/${ domainName }+${ domainIdentifier }/basepathmappings`); + } + + /** + * Adds a resource of type PrivateDomainName to the statement + * + * https://docs.aws.amazon.com/apigateway/latest/api/API_DomainName.html + * + * @param domainName - Identifier for the domainName. + * @param domainIdentifier - Identifier for the domainIdentifier. + * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. + * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region. + * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. + * + * Possible conditions: + * - .ifRequestEndpointType() + * - .ifResourceEndpointType() + * - .ifAwsResourceTag() + */ + public onPrivateDomainName(domainName: string, domainIdentifier: string, account?: string, region?: string, partition?: string) { + return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:/domainnames/${ domainName }+${ domainIdentifier }`); + } + /** * Adds a resource of type RequestValidator to the statement * 
@@ -883,6 +1020,21 @@ export class Apigateway extends PolicyStatement { return this.on(`arn:${ partition ?? this.defaultPartition }:apigateway:${ region ?? this.defaultRegion }::/tags/${ urlEncodedResourceARN }`); } + /** + * Filters access by access association source. Available during the CreateDomainNameAccessAssociation operation + * + * https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html + * + * Applies to resource types: + * - DomainNameAccessAssociations + * + * @param value The value(s) to check + * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` + */ + public ifRequestAccessAssociationSource(value: string | string[], operator?: Operator | string) { + return this.if(`Request/AccessAssociationSource`, value, operator ?? 'StringLike'); + } + /** * Filters access by access log destination. Available during the CreateStage and UpdateStage operations * 
@@ -998,6 +1150,21 @@ export class Apigateway extends PolicyStatement { return this.if(`Request/DisableExecuteApiEndpoint`, (typeof value !== 'undefined' ? value : true), 'Bool'); } + /** + * Filters access by domain name ARN. Available during the CreateDomainNameAccessAssociation operation + * + * https://docs.aws.amazon.com/apigateway/latest/developerguide/security_iam_service-with-iam.html + * + * Applies to resource types: + * - DomainNameAccessAssociations + * + * @param value The value(s) to check + * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike` + */ + public ifRequestDomainNameArn(value: string | string[], operator?: Operator | string) { + return this.if(`Request/DomainNameArn`, value, operator ?? 'ArnLike'); + } + /** * Filters access by endpoint type. Available during the CreateDomainName, UpdateDomainName, CreateRestApi, and UpdateRestApi operations * @@ -1006,6 +1173,7 @@ export class Apigateway extends PolicyStatement { * Applies to resource types: * - DomainName * - DomainNames + * - PrivateDomainName * - RestApi * - RestApis * @@ -1209,6 +1377,7 @@ export class Apigateway extends PolicyStatement { * * Applies to resource types: * - DomainName + * - PrivateDomainName * - RestApi * * @param value The value(s) to check @@ -1320,6 +1489,7 @@ export class Apigateway extends PolicyStatement { * - DocumentationVersions * - DomainName * - DomainNames + * - DomainNameAccessAssociations * - GatewayResponse * - GatewayResponses * - Integration @@ -1328,6 +1498,9 @@ export class Apigateway extends PolicyStatement { * - MethodResponse * - Model * - Models + * - PrivateBasePathMapping + * - PrivateBasePathMappings + * - PrivateDomainName * - RequestValidator * - RequestValidators * - Resource 
diff --git a/lib/generated/policy-statements/ec2imagebuilder.ts b/lib/generated/policy-statements/ec2imagebuilder.ts index 4b7163ab4..9b23fab10 100644 --- a/lib/generated/policy-statements/ec2imagebuilder.ts +++ b/lib/generated/policy-statements/ec2imagebuilder.ts @@ -516,6 +516,26 @@ export class Imagebuilder extends PolicyStatement { return this.to('ImportComponent'); } + /** + * Grants permission to import a disk image + * + * Access Level: Write + * + * Dependent actions: + * - iam:CreateServiceLinkedRole + * - iam:PassRole + * - imagebuilder:GetInfrastructureConfiguration + * - imagebuilder:GetWorkflow + * - imagebuilder:TagResource + * - s3:GetObject + * - s3:ListBucket + * + * https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImportDiskImage.html + */ + public toImportDiskImage() { + return this.to('ImportDiskImage'); + } + /** * Grants permission to import an image * @@ -963,6 +983,7 @@ export class Imagebuilder extends PolicyStatement { 'DeleteLifecyclePolicy', 'DeleteWorkflow', 'ImportComponent', + 'ImportDiskImage', 'ImportVmImage', 'SendWorkflowStepAction', 'StartImagePipelineExecution', @@ -1316,6 +1337,7 @@ export class Imagebuilder extends PolicyStatement { * - .toCreateLifecyclePolicy() * - .toCreateWorkflow() * - .toImportComponent() + * - .toImportDiskImage() * - .toImportVmImage() * - .toTagResource() * @@ -1378,6 +1400,7 @@ export class Imagebuilder extends PolicyStatement { * - .toCreateLifecyclePolicy() * - .toCreateWorkflow() * - .toImportComponent() + * - .toImportDiskImage() * - .toImportVmImage() * - .toTagResource() * - .toUntagResource() diff --git a/lib/generated/policy-statements/elementalmedialive.ts b/lib/generated/policy-statements/elementalmedialive.ts index cba669fd2..f7f2f34e5 100644 --- a/lib/generated/policy-statements/elementalmedialive.ts +++ b/lib/generated/policy-statements/elementalmedialive.ts 
@@ -972,6 +972,17 @@ export class Medialive extends PolicyStatement { return this.to('ListTagsForResource'); } + /** + * Grants permission to list available versions of MediaLive + * + * Access Level: List + * + * https://docs.aws.amazon.com/medialive/latest/ug/medialive-versions.html + */ + public toListVersions() { + return this.to('ListVersions'); + } + /** * Grants permission to the node to poll the cluster * @@ -1508,7 +1519,8 @@ export class Medialive extends PolicyStatement { 'ListOfferings', 'ListReservations', 'ListSignalMaps', - 'ListTagsForResource' + 'ListTagsForResource', + 'ListVersions' ] }; diff --git a/stats/actions/apigateway b/stats/actions/apigateway index 187465372..9f7c3b331 100644 --- a/stats/actions/apigateway +++ b/stats/actions/apigateway @@ -1,9 +1,13 @@ apigateway:AddCertificateToDomain;Permissions management +apigateway:CreateAccessAssociation;Permissions management apigateway:DELETE;Write apigateway:GET;Read apigateway:PATCH;Write apigateway:POST;Write apigateway:PUT;Write +apigateway:RejectAccessAssociation;Permissions management apigateway:RemoveCertificateFromDomain;Permissions management apigateway:SetWebACL;Permissions management +apigateway:UpdateDomainNameManagementPolicy;Permissions management +apigateway:UpdateDomainNamePolicy;Permissions management apigateway:UpdateRestApiPolicy;Permissions management diff --git a/stats/actions/imagebuilder b/stats/actions/imagebuilder index ef7a0a360..aa824500e 100644 --- a/stats/actions/imagebuilder +++ b/stats/actions/imagebuilder @@ -36,6 +36,7 @@ imagebuilder:GetWorkflow;Read imagebuilder:GetWorkflowExecution;Read imagebuilder:GetWorkflowStepExecution;Read imagebuilder:ImportComponent;Write +imagebuilder:ImportDiskImage;Write imagebuilder:ImportVmImage;Write imagebuilder:ListComponentBuildVersions;List imagebuilder:ListComponents;List diff --git a/stats/actions/medialive b/stats/actions/medialive index 15a6fc2ba..11a9e1581 100644 --- a/stats/actions/medialive 
+++ b/stats/actions/medialive @@ -79,6 +79,7 @@ medialive:ListOfferings;List medialive:ListReservations;List medialive:ListSignalMaps;List medialive:ListTagsForResource;List +medialive:ListVersions;List medialive:PollAnywhere;Write medialive:PurchaseOffering;Write medialive:RebootInputDevice;Write diff --git a/stats/conditions/apigateway b/stats/conditions/apigateway index c9b0f7434..190348cc2 100644 --- a/stats/conditions/apigateway +++ b/stats/conditions/apigateway @@ -1,3 +1,4 @@ +apigateway:Request/AccessAssociationSource apigateway:Request/AccessLoggingDestination apigateway:Request/AccessLoggingFormat apigateway:Request/ApiKeyRequired @@ -5,6 +6,7 @@ apigateway:Request/ApiName apigateway:Request/AuthorizerType apigateway:Request/AuthorizerUri apigateway:Request/DisableExecuteApiEndpoint +apigateway:Request/DomainNameArn apigateway:Request/EndpointType apigateway:Request/MtlsTrustStoreUri apigateway:Request/MtlsTrustStoreVersion diff --git a/stats/resources/apigateway b/stats/resources/apigateway index cf94753a1..d8c50f4cd 100644 --- a/stats/resources/apigateway +++ b/stats/resources/apigateway @@ -21,6 +21,8 @@ apigateway:DocumentationParts apigateway:DocumentationVersion apigateway:DocumentationVersions apigateway:DomainName +apigateway:DomainNameAccessAssociation +apigateway:DomainNameAccessAssociations apigateway:DomainNames apigateway:ExportedAPI apigateway:GatewayResponse @@ -34,6 +36,9 @@ apigateway:MethodResponse apigateway:Model apigateway:ModelTemplate apigateway:Models +apigateway:PrivateBasePathMapping +apigateway:PrivateBasePathMappings +apigateway:PrivateDomainName apigateway:RequestValidator apigateway:RequestValidators apigateway:Resource