Merge pull request #768 from udondan/iam-updates
udondan authored Jun 16, 2024
2 parents 72e4b3d + ee6e73b commit 1ed2e98
Showing 90 changed files with 3,707 additions and 117 deletions.
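--- a/CHANGELOG/v0.644.0.md
+++ b/CHANGELOG/v0.644.0.md
@@ -0,0 +1,143 @@
+**New services:**
+
+- application-signals
+- apptest
+- pca-connector-scep
+- supportrecommendations
+
+**New actions:**
+
+- access-analyzer:CheckNoPublicAccess
+- access-analyzer:GenerateFindingRecommendation
+- access-analyzer:GetFindingRecommendation
+- account:AcceptPrimaryEmailUpdate
+- account:GetPrimaryEmail
+- account:StartPrimaryEmailUpdate
+- batch:GetJobQueueSnapshot
+- chatbot:ListTagsForResource
+- chatbot:TagResource
+- chatbot:UntagResource
+- cloudtrail:GenerateQuery
+- connect:SearchContactFlowModules
+- connect:SearchContactFlows
+- controltower:ListControlOperations
+- datazone:AssociateEnvironmentRole
+- datazone:CreateEnvironmentAction
+- datazone:DeleteEnvironmentAction
+- datazone:DisassociateEnvironmentRole
+- datazone:GetEnvironmentAction
+- datazone:ListEnvironmentActions
+- datazone:UpdateEnvironmentAction
+- ec2:DisableImageDeregistrationProtection
+- ec2:EnableImageDeregistrationProtection
+- ec2:GetInstanceTpmEkPub
+- emr-serverless:AccessLivyEndpoints
+- emr-serverless:ListJobRunAttempts
+- entityresolution:BatchDeleteUniqueId
+- geo:ForecastGeofenceEvents
+- geo:VerifyDevicePosition
+- glue:BatchPutDataQualityStatisticAnnotation
+- glue:DescribeConnectionType
+- glue:DescribeEntity
+- glue:GetDataQualityModel
+- glue:GetDataQualityModelResult
+- glue:ListConnectionTypes
+- glue:ListDataQualityStatisticAnnotations
+- glue:ListDataQualityStatistics
+- glue:ListEntities
+- glue:PutDataQualityProfileAnnotation
+- glue:RefreshOAuth2Tokens
+- guardduty:CreateMalwareProtectionPlan
+- guardduty:DeleteMalwareProtectionPlan
+- guardduty:GetMalwareProtectionPlan
+- guardduty:ListMalwareProtectionPlans
+- guardduty:UpdateMalwareProtectionPlan
+- lakeformation:GetDataLakePrincipal
+- launchwizard:GetWorkloadDeploymentPattern
+- launchwizard:ListTagsForResource
+- launchwizard:TagResource
+- launchwizard:UntagResource
+- payments:ListPaymentInstruments
+- payments:ListTagsForResource
+- payments:TagResource
+- payments:UntagResource
+- payments:UpdatePaymentInstrument
+- s3:PauseReplication
+- ses:CreateAddonInstance
+- ses:CreateAddonSubscription
+- ses:CreateArchive
+- ses:CreateIngressPoint
+- ses:CreateRelay
+- ses:CreateRuleSet
+- ses:CreateTrafficPolicy
+- ses:DeleteAddonInstance
+- ses:DeleteAddonSubscription
+- ses:DeleteArchive
+- ses:DeleteIngressPoint
+- ses:DeleteRelay
+- ses:DeleteRuleSet
+- ses:DeleteTrafficPolicy
+- ses:GetAddonInstance
+- ses:GetAddonSubscription
+- ses:GetArchive
+- ses:GetArchiveExport
+- ses:GetArchiveMessage
+- ses:GetArchiveMessageContent
+- ses:GetArchiveSearch
+- ses:GetArchiveSearchResults
+- ses:GetIngressPoint
+- ses:GetRelay
+- ses:GetRuleSet
+- ses:GetTrafficPolicy
+- ses:ListAddonInstances
+- ses:ListAddonSubscriptions
+- ses:ListArchiveExports
+- ses:ListArchiveSearches
+- ses:ListArchives
+- ses:ListIngressPoints
+- ses:ListRelays
+- ses:ListRuleSets
+- ses:ListTrafficPolicies
+- ses:StartArchiveExport
+- ses:StartArchiveSearch
+- ses:StopArchiveExport
+- ses:StopArchiveSearch
+- ses:UpdateArchive
+- ses:UpdateIngressPoint
+- ses:UpdateRelay
+- ses:UpdateRuleSet
+- ses:UpdateTrafficPolicy
+- swf:DeleteActivityType
+- swf:DeleteWorkflowType
+- tax:BatchDeleteTaxRegistration
+
+**New resource types:**
+
+- guardduty:malwareprotectionplan
+- launchwizard:deployment
+- payments:payment-instrument
+- ses:addon-instance
+- ses:addon-subscription
+- ses:mailmanager-archive
+- ses:mailmanager-ingress-point
+- ses:mailmanager-rule-set
+- ses:mailmanager-smtp-relay
+- ses:mailmanager-traffic-policy
+
+**New condition keys:**
+
+- account:EmailTargetDomain
+- ecs:fargate-ephemeral-storage-kms-key
+- launchwizard:RequestTag/${TagKey}
+- launchwizard:ResourceTag/${TagKey}
+- launchwizard:TagKeys
+- payments:RequestTag/${TagKey}
+- payments:ResourceTag/${TagKey}
+- payments:TagKeys
+- pi:Dimensions
+- s3:destinationRegion
+- s3:isReplicationPauseRequest
+- ses:AddonSubscriptionArn
+- ses:MailManagerIngressPointType
+- ses:MailManagerRuleSetArn
+- ses:MailManagerTrafficPolicyArn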
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -16,10 +16,10 @@
<!-- stats -->
Support for:

- 394 Services
- 16676 Actions
- 1788 Resource Types
- 1739 Condition keys
- 398 Services
- 16832 Actions
- 1805 Resource Types
- 1763 Condition keys
<!-- /stats -->

![EXPERIMENTAL](https://img.shields.io/badge/stability-experimantal-orange?style=for-the-badge)**<br>This is an early version of the package. The API will change while I implement new features. Therefore make sure you use an exact version in your `package.json` before it reaches 1.0.0.**
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
0.643.0
0.644.0
2 changes: 1 addition & 1 deletion docs/source/conf.py
Expand Up @@ -24,7 +24,7 @@
author = 'Daniel Schroeder'

# The full version, including alpha/beta/rc tags
release = '0.643.0'
release = '0.644.0'

# -- General configuration ---------------------------------------------------

8 changes: 4 additions & 4 deletions docs/source/index.rst
Expand Up @@ -30,10 +30,10 @@ AWS IAM policy statement generator with fluent interface.
Support for:

- 394 Services
- 16676 Actions
- 1788 Resource Types
- 1739 Condition keys
- 398 Services
- 16832 Actions
- 1805 Resource Types
- 1763 Condition keys

..
/stats
1 change: 1 addition & 0 deletions examples/access-levels-write/access-levels-write.result
Expand Up @@ -26,6 +26,7 @@
"s3:DeleteStorageLensGroup",
"s3:DissociateAccessGrantsIdentityCenter",
"s3:InitiateReplication",
"s3:PauseReplication",
"s3:PutAccelerateConfiguration",
"s3:PutAccessGrantsInstanceResourcePolicy",
"s3:PutAccessPointConfigurationForObjectLambda",
4 changes: 3 additions & 1 deletion examples/full-cdk-policy/full-cdk-policy.result
Expand Up @@ -23,13 +23,15 @@
},
{
"Action": [
"account:AcceptPrimaryEmailUpdate",
"account:CloseAccount",
"account:DeleteAlternateContact",
"account:DisableRegion",
"account:EnableRegion",
"account:PutAlternateContact",
"account:PutChallengeQuestions",
"account:PutContactInformation"
"account:PutContactInformation",
"account:StartPrimaryEmailUpdate"
],
"Resource": "*",
"Effect": "Deny"
Expand Up @@ -192,6 +192,7 @@
"ec2:GetHostReservationPurchasePreview",
"ec2:GetImageBlockPublicAccessState",
"ec2:GetInstanceMetadataDefaults",
"ec2:GetInstanceTpmEkPub",
"ec2:GetInstanceTypesFromInstanceRequirements",
"ec2:GetInstanceUefiData",
"ec2:GetIpamAddressHistory",
Expand Down
7 changes: 6 additions & 1 deletion lib/generated/index.ts
Expand Up @@ -15,6 +15,7 @@ export { CloudfrontKeyvaluestore } from './policy-statements/cloudfrontkeyvalues
export { Cloudsearch } from './policy-statements/cloudsearch';
export { Cloudwatch } from './policy-statements/cloudwatch';
export { Applicationinsights } from './policy-statements/cloudwatchapplicationinsights';
export { ApplicationSignals } from './policy-statements/cloudwatchapplicationsignals';
export { Evidently } from './policy-statements/cloudwatchevidently';
export { Internetmonitor } from './policy-statements/cloudwatchinternetmonitor';
export { Logs } from './policy-statements/cloudwatchlogs';
Expand Down Expand Up @@ -158,6 +159,7 @@ export { SagemakerGroundtruthSynthetic } from './policy-statements/sagemakergrou
export { Securitylake } from './policy-statements/securitylake';
export { Ses } from './policy-statements/ses';
export { Sdb } from './policy-statements/simpledb';
export { SesMailmanager } from './policy-statements/simpleemailservice-mailmanager';
export { SesV2 } from './policy-statements/simpleemailservicev2';
export { Swf } from './policy-statements/simpleworkflowservice';
export { Sns } from './policy-statements/sns';
Expand All @@ -176,8 +178,8 @@ export { Workmail } from './policy-statements/workmail';
export { Workmailmessageflow } from './policy-statements/workmailmessageflow';
export { Workspaces } from './policy-statements/workspaces';
export { Wam } from './policy-statements/workspacesapplicationmanager';
export { WorkspacesWeb } from './policy-statements/workspacessecurebrowser';
export { Thinclient } from './policy-statements/workspacesthinclient';
export { WorkspacesWeb } from './policy-statements/workspacesweb';
export { KafkaCluster } from './policy-statements/apachekafkaapisforamazonmskclusters';
export { Arsenal } from './policy-statements/applicationdiscoveryarsenal';
export { Account } from './policy-statements/accountmanagement';
Expand Down Expand Up @@ -320,6 +322,7 @@ export { Launchwizard } from './policy-statements/launchwizard';
export { LicenseManager } from './policy-statements/licensemanager';
export { LicenseManagerLinuxSubscriptions } from './policy-statements/licensemanagerlinuxsubscriptionsmanager';
export { LicenseManagerUserSubscriptions } from './policy-statements/licensemanagerusersubscriptions';
export { Apptest } from './policy-statements/mainframemodernizationapplicationtestingprovidestoolsandresourcesforautomatedfunctionalequivalencetestingforyourmigrationprojects-';
export { M2 } from './policy-statements/mainframemodernizationservice';
export { AwsMarketplace } from './policy-statements/marketplace';
export { AwsMarketplaceCatalog } from './policy-statements/marketplacecatalog';
Expand Down Expand Up @@ -354,6 +357,7 @@ export { Payments } from './policy-statements/payments';
export { Pi } from './policy-statements/performanceinsights';
export { Pricing } from './policy-statements/pricelist';
export { PcaConnectorAd } from './policy-statements/privatecaconnectorforactivedirectory';
export { PcaConnectorScep } from './policy-statements/privatecaconnectorforscep';
export { AcmPca } from './policy-statements/privatecertificateauthority';
export { Proton } from './policy-statements/proton';
export { PurchaseOrders } from './policy-statements/purchaseordersconsole';
Expand Down Expand Up @@ -385,6 +389,7 @@ export { Scn } from './policy-statements/supplychain';
export { Support } from './policy-statements/support';
export { Supportapp } from './policy-statements/supportappinslack';
export { Supportplans } from './policy-statements/supportplans';
export { Supportrecommendations } from './policy-statements/supportrecommendations';
export { Sustainability } from './policy-statements/sustainability';
export { Ssm } from './policy-statements/systemsmanager';
export { SsmSap } from './policy-statements/systemsmanagerforsap';
60 changes: 59 additions & 1 deletion lib/generated/policy-statements/accountmanagement.ts
Expand Up @@ -18,6 +18,20 @@ export class Account extends PolicyStatement {
super(sid);
}

/**
* Grants permission to accept the process to update the primary email address of an account
*
* Access Level: Write
*
* Possible conditions:
* - .ifEmailTargetDomain()
*
* https://docs.aws.amazon.com/accounts/latest/reference/API_AcceptPrimaryEmailUpdate.html
*/
public toAcceptPrimaryEmailUpdate() {
return this.to('AcceptPrimaryEmailUpdate');
}

/**
* Grants permission to close an account
*
Expand Down Expand Up @@ -118,6 +132,17 @@ export class Account extends PolicyStatement {
return this.to('GetContactInformation');
}

/**
* Grants permission to retrieve the primary email address of an account
*
* Access Level: Read
*
* https://docs.aws.amazon.com/accounts/latest/reference/API_GetPrimaryEmail.html
*/
public toGetPrimaryEmail() {
return this.to('GetPrimaryEmail');
}

/**
* Grants permission to get the opt-in status of a Region
*
Expand Down Expand Up @@ -179,21 +204,38 @@ export class Account extends PolicyStatement {
return this.to('PutContactInformation');
}

/**
* Grants permission to start the process to update the primary email address of an account
*
* Access Level: Write
*
* Possible conditions:
* - .ifEmailTargetDomain()
*
* https://docs.aws.amazon.com/accounts/latest/reference/API_StartPrimaryEmailUpdate.html
*/
public toStartPrimaryEmailUpdate() {
return this.to('StartPrimaryEmailUpdate');
}

protected accessLevelList: AccessLevelList = {
Write: [
'AcceptPrimaryEmailUpdate',
'CloseAccount',
'DeleteAlternateContact',
'DisableRegion',
'EnableRegion',
'PutAlternateContact',
'PutChallengeQuestions',
'PutContactInformation'
'PutContactInformation',
'StartPrimaryEmailUpdate'
],
Read: [
'GetAccountInformation',
'GetAlternateContact',
'GetChallengeQuestions',
'GetContactInformation',
'GetPrimaryEmail',
'GetRegionOptStatus'
],
List: [
Expand Down Expand Up @@ -269,6 +311,22 @@ export class Account extends PolicyStatement {
return this.if(`AlternateContactTypes`, value, operator ?? 'StringLike');
}

/**
* Filters access by email domain of the target email address
*
* https://docs.aws.amazon.com/accounts/latest/reference/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys
*
* Applies to actions:
* - .toAcceptPrimaryEmailUpdate()
* - .toStartPrimaryEmailUpdate()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
public ifEmailTargetDomain(value: string | string[], operator?: Operator | string) {
return this.if(`EmailTargetDomain`, value, operator ?? 'StringLike');
}

/**
* Filters access by a list of Regions. Enables or disables all the Regions specified here
*
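--- a/lib/generated/policy-statements/batch.ts
+++ b/lib/generated/policy-statements/batch.ts
@@ -173,6 +173,17 @@ export class Batch extends PolicyStatement {
 return this.to('DescribeSchedulingPolicies');
 }
 
+/**
+* Grants permission to get a snapshot of an AWS Batch job queue in your account
+*
+* Access Level: Read
+*
+* https://docs.aws.amazon.com/batch/latest/APIReference/API_GetJobQueueSnapshot.html
+*/
+public toGetJobQueueSnapshot() {
+return this.to('GetJobQueueSnapshot');
+}
+
 /**
 * Grants permission to list jobs for a specified AWS Batch job queue in your account
 *
@@ -347,6 +358,7 @@ export class Batch extends PolicyStatement {
 'DescribeJobQueues',
 'DescribeJobs',
 'DescribeSchedulingPolicies',
+'GetJobQueueSnapshot',
 'ListSchedulingPolicies',
 'ListTagsForResource'
 ],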