@cloud-copilot/iam-data 0.15.202510281 → 0.15.202511081

package/data/actions/s3tables.json

@@ -29,7 +29,11 @@
     "conditionKeys": [
       "s3tables:namespace",
       "s3tables:SSEAlgorithm",
-      "s3tables:KMSKeyArn"
+      "s3tables:KMSKeyArn",
+      "s3tables:TableBucketTag/${TagKey}",
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys"
     ],
     "dependentActions": []
   },
@@ -47,7 +51,11 @@
     ],
     "conditionKeys": [
       "s3tables:SSEAlgorithm",
-      "s3tables:KMSKeyArn"
+      "s3tables:KMSKeyArn",
+      "s3tables:TableBucketTag/${TagKey}",
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys"
     ],
     "dependentActions": []
   },
@@ -393,6 +401,30 @@
     ],
     "dependentActions": []
   },
+  "listtagsforresource": {
+    "name": "ListTagsForResource",
+    "description": "Grants permission to list the tag for a S3Table's resource",
+    "accessLevel": "List",
+    "resourceTypes": [
+      {
+        "name": "Table",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
+      {
+        "name": "TableBucket",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "aws:ResourceTag/${TagKey}",
+      "s3tables:TableBucketTag/${TagKey}"
+    ],
+    "dependentActions": []
+  },
   "puttablebucketencryption": {
     "name": "PutTableBucketEncryption",
     "description": "Grants permission to put or overwrite encryption configuration on a table bucket",
@@ -534,6 +566,57 @@
     ],
     "dependentActions": []
   },
+  "tagresource": {
+    "name": "TagResource",
+    "description": "Grants permission to tag a S3Table's resource",
+    "accessLevel": "Tagging",
+    "resourceTypes": [
+      {
+        "name": "Table",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
+      {
+        "name": "TableBucket",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "aws:TagKeys",
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "s3tables:TableBucketTag/${TagKey}"
+    ],
+    "dependentActions": []
+  },
+  "untagresource": {
+    "name": "UntagResource",
+    "description": "Grants permission to untag a S3Table's resource",
+    "accessLevel": "Tagging",
+    "resourceTypes": [
+      {
+        "name": "Table",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
+      {
+        "name": "TableBucket",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "aws:TagKeys",
+      "aws:ResourceTag/${TagKey}",
+      "s3tables:TableBucketTag/${TagKey}"
+    ],
+    "dependentActions": []
+  },
   "updatetablemetadatalocation": {
     "name": "UpdateTableMetadataLocation",
     "description": "Grants permission to update the metadata location of a table",

package/data/actions/sts.json

@@ -159,6 +159,14 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "getdelegatedaccesstoken": {
+    "name": "GetDelegatedAccessToken",
+    "description": "Returns temporary security credentials for accessing an AWS account after temporary delegation request approval. This API requires the tradeInToken provided upon request delegation approval and is intended to be used only by Amazon or AWS Partners",
+    "accessLevel": "Write",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "getfederationtoken": {
     "name": "GetFederationToken",
     "description": "Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user",
@@ -203,6 +211,20 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "getwebidentitytoken": {
+    "name": "GetWebIdentityToken",
+    "description": "Grants permission to obtain a short-lived, publicly verifiable JSON Web Token (JWT) that represents the calling IAM principal's identity",
+    "accessLevel": "Write",
+    "resourceTypes": [],
+    "conditionKeys": [
+      "sts:DurationSeconds",
+      "sts:IdentityTokenAudience",
+      "sts:SigningAlgorithm",
+      "aws:TagKeys",
+      "aws:RequestTag/${TagKey}"
+    ],
+    "dependentActions": []
+  },
   "setcontext": {
     "name": "SetContext",
     "isPermissionOnly": true,
@@ -252,6 +274,18 @@
     ],
     "dependentActions": []
   },
+  "taggetwebidentitytoken": {
+    "name": "TagGetWebIdentityToken",
+    "isPermissionOnly": true,
+    "description": "Grants permission to add tags to the JSON Web Token (JWT) generated by the GetWebIdentityToken API",
+    "accessLevel": "Tagging",
+    "resourceTypes": [],
+    "conditionKeys": [
+      "aws:TagKeys",
+      "aws:RequestTag/${TagKey}"
+    ],
+    "dependentActions": []
+  },
   "tagsession": {
     "name": "TagSession",
     "isPermissionOnly": true,

package/data/actions/support-console.json

@@ -80,6 +80,24 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "getissueclassificationpredictions": {
+    "name": "GetIssueClassificationPredictions",
+    "isPermissionOnly": true,
+    "description": "Grants permission to get classification predictions of an issue",
+    "accessLevel": "Read",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
+  "getissuetextsummary": {
+    "name": "GetIssueTextSummary",
+    "isPermissionOnly": true,
+    "description": "Grants permission to get a generated text summary of an issue",
+    "accessLevel": "Read",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "getquestionnaire": {
     "name": "GetQuestionnaire",
     "isPermissionOnly": true,

package/data/actions/support.json

@@ -175,6 +175,14 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "initiatelivecontactforcase": {
+    "name": "InitiateLiveContactForCase",
+    "description": "Grants permission to initiate a live contact on AWS Support Center. This is an internally managed function",
+    "accessLevel": "Write",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "putcaseattributes": {
     "name": "PutCaseAttributes",
     "description": "Grants permission to allow secondary services to attach attributes to AWS Support cases. This is an internally managed function",

package/data/actions/user-subscriptions.json

@@ -41,6 +41,14 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "setoverageconfig": {
+    "name": "SetOverageConfig",
+    "description": "Grants permission to set a User subscription overage configuration",
+    "accessLevel": "Write",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "updateclaim": {
     "name": "UpdateClaim",
     "description": "Grants permission to update a User subscription Claim",

package/data/actions/vpc-lattice.json

@@ -81,6 +81,12 @@
     "description": "Grants permission to create a resource configuration",
     "accessLevel": "Write",
     "resourceTypes": [
+      {
+        "name": "DomainVerification",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "ResourceConfiguration",
         "required": false,
@@ -271,6 +277,8 @@
     "conditionKeys": [
       "aws:RequestTag/${TagKey}",
       "aws:TagKeys",
+      "vpc-lattice:PrivateDnsPreference",
+      "vpc-lattice:PrivateDnsSpecifiedDomains",
       "vpc-lattice:SecurityGroupIds",
       "vpc-lattice:ServiceNetworkArn",
       "vpc-lattice:VpcId"
@@ -348,6 +356,23 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "deletedomainverification": {
+    "name": "DeleteDomainVerification",
+    "description": "Grants permission to delete a domain verification",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "DomainVerification",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "aws:ResourceTag/${TagKey}"
+    ],
+    "dependentActions": []
+  },
   "deletelistener": {
     "name": "DeleteListener",
     "description": "Grants permission to delete a listener",
@@ -621,6 +646,23 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "getdomainverification": {
+    "name": "GetDomainVerification",
+    "description": "Grants permission to get information about a domain verification",
+    "accessLevel": "Read",
+    "resourceTypes": [
+      {
+        "name": "DomainVerification",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "aws:ResourceTag/${TagKey}"
+    ],
+    "dependentActions": []
+  },
   "getlistener": {
     "name": "GetListener",
     "description": "Grants permission to get information about a listener",
@@ -830,6 +872,14 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "listdomainverifications": {
+    "name": "ListDomainVerifications",
+    "description": "Grants permission to list some or all domain verifications",
+    "accessLevel": "List",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "listlisteners": {
     "name": "ListListeners",
     "description": "Grants permission to list some or all listeners",
@@ -1021,6 +1071,25 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "startdomainverification": {
+    "name": "StartDomainVerification",
+    "description": "Grants permission to start a domain verification",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "DomainVerification",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:TagKeys",
+      "vpc-lattice:DomainName"
+    ],
+    "dependentActions": []
+  },
   "tagresource": {
     "name": "TagResource",
     "description": "Grants permission to tag a vpc-lattice resource",
@@ -1032,6 +1101,12 @@
         "conditionKeys": [],
         "dependentActions": []
       },
+      {
+        "name": "DomainVerification",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "Listener",
         "required": false,
@@ -1117,6 +1192,12 @@
         "conditionKeys": [],
         "dependentActions": []
       },
+      {
+        "name": "DomainVerification",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "Listener",
         "required": false,

package/data/conditionKeys/bedrock-agentcore.json

@@ -54,11 +54,6 @@
     "description": "Filters access by namespace",
     "type": "String"
   },
-  "bedrock-agentcore:securitygroups": {
-    "key": "bedrock-agentcore:securityGroups",
-    "description": "Filters access by the ID of security groups configured for the AgentCore runtime",
-    "type": "ArrayOfString"
-  },
   "bedrock-agentcore:sessionid": {
     "key": "bedrock-agentcore:sessionId",
     "description": "Filters access by Session Id",
@@ -69,11 +64,6 @@
     "description": "Filters access by Memory Strategy Id",
     "type": "String"
   },
-  "bedrock-agentcore:subnets": {
-    "key": "bedrock-agentcore:subnets",
-    "description": "Filters access by the ID of subnets configured for the AgentCore runtime",
-    "type": "ArrayOfString"
-  },
   "bedrock-agentcore:userid": {
     "key": "bedrock-agentcore:userid",
     "description": "Filters access by the static user ID value passed in the request",

package/data/conditionKeys/ec2.json

@@ -624,6 +624,11 @@
     "description": "Filters access by the ID of a VPC peering connection",
     "type": "String"
   },
+  "ec2:vpcemultiregion": {
+    "key": "ec2:VpceMultiRegion",
+    "description": "Filters access by multi region of the VPC endpoint service",
+    "type": "String"
+  },
   "ec2:vpceservicename": {
     "key": "ec2:VpceServiceName",
     "description": "Filters access by the name of the VPC endpoint service",
@@ -639,6 +644,16 @@
     "description": "Filters access by the private DNS name of the VPC endpoint service",
     "type": "String"
   },
+  "ec2:vpceserviceregion": {
+    "key": "ec2:VpceServiceRegion",
+    "description": "Filters access by the region of the VPC endpoint service",
+    "type": "String"
+  },
+  "ec2:vpcesupportedregion": {
+    "key": "ec2:VpceSupportedRegion",
+    "description": "Filters access by the supported region of the VPC endpoint service",
+    "type": "String"
+  },
   "ec2:transitgatewayattachmentid": {
     "key": "ec2:transitGatewayAttachmentId",
     "description": "Filters access by the ID of a transit gateway attachment",
@@ -673,20 +688,5 @@
     "key": "ec2:transitGatewayRouteTableId",
     "description": "Filters access by the ID of a transit gateway route table",
     "type": "String"
-  },
-  "ec2:vpcemultiregion": {
-    "key": "ec2:vpceMultiRegion",
-    "description": "Filters access by multi region of the VPC endpoint service",
-    "type": "String"
-  },
-  "ec2:vpceserviceregion": {
-    "key": "ec2:vpceServiceRegion",
-    "description": "Filters access by the region of the VPC endpoint service",
-    "type": "String"
-  },
-  "ec2:vpcesupportedregion": {
-    "key": "ec2:vpceSupportedRegion",
-    "description": "Filters access by the supported region of the VPC endpoint service",
-    "type": "String"
   }
 }

package/data/conditionKeys/lambda.json

@@ -34,6 +34,11 @@
     "description": "Filters access by authorization type specified in request. Available during CreateFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, GetFunctionUrlConfig, ListFunctionUrlConfig, AddPermission and RemovePermission operations",
     "type": "String"
   },
+  "lambda:invokedviafunctionurl": {
+    "key": "lambda:InvokedViaFunctionUrl",
+    "description": "Limits the scope of lambda:InvokeFunction action to Function URLs only. Available during AddPermission operation",
+    "type": "Bool"
+  },
   "lambda:layer": {
     "key": "lambda:Layer",
     "description": "Filters access by the ARN of a version of an AWS Lambda layer",

package/data/conditionKeys/mediaconnect.json

@@ -1 +1,17 @@
-{}
+{
+  "aws:requesttag/${tagkey}": {
+    "key": "aws:RequestTag/${TagKey}",
+    "description": "Filters access by tags that are passed in the request",
+    "type": "String"
+  },
+  "aws:resourcetag/${tagkey}": {
+    "key": "aws:ResourceTag/${TagKey}",
+    "description": "Filters access by tags associated with the resource",
+    "type": "String"
+  },
+  "aws:tagkeys": {
+    "key": "aws:TagKeys",
+    "description": "Filters access by tag keys that are passed in the request",
+    "type": "ArrayOfString"
+  }
+}

package/data/conditionKeys/s3tables.json

@@ -1,4 +1,19 @@
 {
+  "aws:requesttag/${tagkey}": {
+    "key": "aws:RequestTag/${TagKey}",
+    "description": "Filters access by the tags that are passed in the request",
+    "type": "String"
+  },
+  "aws:resourcetag/${tagkey}": {
+    "key": "aws:ResourceTag/${TagKey}",
+    "description": "Filters access by the tags associated with the resource",
+    "type": "String"
+  },
+  "aws:tagkeys": {
+    "key": "aws:TagKeys",
+    "description": "Filters access by the tag keys that are passed in the request",
+    "type": "ArrayOfString"
+  },
   "s3tables:kmskeyarn": {
     "key": "s3tables:KMSKeyArn",
     "description": "Filters access by the AWS KMS key ARN for the key used to encrypt a table",
@@ -9,6 +24,11 @@
     "description": "Filters access by the server-side encryption algorithm used to encrypt a table",
     "type": "String"
   },
+  "s3tables:tablebuckettag/${tagkey}": {
+    "key": "s3tables:TableBucketTag/${TagKey}",
+    "description": "Filters access by the tags associated with the table bucket",
+    "type": "String"
+  },
   "s3tables:namespace": {
     "key": "s3tables:namespace",
     "description": "Filters access by the namespaces created in the table bucket",

package/data/conditionKeys/sts.json

@@ -234,6 +234,11 @@
     "description": "Filters access by the unique identifier required when you assume a role in another account",
     "type": "String"
   },
+  "sts:identitytokenaudience": {
+    "key": "sts:IdentityTokenAudience",
+    "description": "Filters access by the audience that is passed in the request",
+    "type": "String"
+  },
   "sts:requestcontext/${contextkey}": {
     "key": "sts:RequestContext/${ContextKey}",
     "description": "Filters access by the session context key-value pairs embedded in the signed context assertion retrieved from a trusted context provider",
@@ -249,6 +254,11 @@
     "description": "Filters access by the role session name required when you assume a role",
     "type": "String"
   },
+  "sts:signingalgorithm": {
+    "key": "sts:SigningAlgorithm",
+    "description": "Filters access by the signing algorithm that is passed in the request",
+    "type": "String"
+  },
   "sts:sourceidentity": {
     "key": "sts:SourceIdentity",
     "description": "Filters access by the source identity that is passed in the request",

package/data/conditionKeys/vpc-lattice.json

@@ -19,6 +19,21 @@
     "description": "Filters access by the auth type specified in the request",
     "type": "String"
   },
+  "vpc-lattice:domainname": {
+    "key": "vpc-lattice:DomainName",
+    "description": "Filters access by the domain name",
+    "type": "String"
+  },
+  "vpc-lattice:privatednspreference": {
+    "key": "vpc-lattice:PrivateDnsPreference",
+    "description": "Filters access by the private dns preference",
+    "type": "String"
+  },
+  "vpc-lattice:privatednsspecifieddomains": {
+    "key": "vpc-lattice:PrivateDnsSpecifiedDomains",
+    "description": "Filters access by the private dns domains",
+    "type": "ArrayOfString"
+  },
   "vpc-lattice:protocol": {
     "key": "vpc-lattice:Protocol",
     "description": "Filters access by the protocol specified in the request",

package/data/conditionPatterns.json

@@ -113,6 +113,9 @@
     "s3express:AccessPointTag/.+?": "s3express:AccessPointTag/${TagKey}",
     "s3express:BucketTag/.+?": "s3express:BucketTag/${TagKey}"
   },
+  "s3tables": {
+    "s3tables:TableBucketTag/.+?": "s3tables:TableBucketTag/${TagKey}"
+  },
   "s3-outposts": {
     "s3-outposts:ExistingObjectTag/.+?": "s3-outposts:ExistingObjectTag/<key>",
     "s3-outposts:RequestObjectTag/.+?": "s3-outposts:RequestObjectTag/<key>"

package/data/resourceTypes/aps.json

@@ -17,6 +17,15 @@
       "aws:TagKeys"
     ]
   },
+  "anomalydetector": {
+    "key": "anomalydetector",
+    "arn": "arn:${Partition}:aps:${Region}:${Account}:anomalydetector/${WorkspaceId}/${AnomalyDetectorId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys"
+    ]
+  },
   "scraper": {
     "key": "scraper",
     "arn": "arn:${Partition}:aps:${Region}:${Account}:scraper/${ScraperId}",

package/data/resourceTypes/bedrock.json

@@ -3,6 +3,10 @@
     "key": "foundation-model",
     "arn": "arn:${Partition}:bedrock:${Region}::foundation-model/${ResourceId}"
   },
+  "system-tool": {
+    "key": "system-tool",
+    "arn": "arn:${Partition}:bedrock::${Account}:system-tool/${ResourceId}"
+  },
   "async-invoke": {
     "key": "async-invoke",
     "arn": "arn:${Partition}:bedrock:${Region}:${Account}:async-invoke/${ResourceId}",

package/data/resourceTypes/ec2.json

@@ -28,6 +28,19 @@
       "ec2:ResourceTag/${TagKey}"
     ]
   },
+  "capacity-manager-data-export": {
+    "key": "capacity-manager-data-export",
+    "arn": "arn:${Partition}:ec2:${Region}:${Account}:capacity-manager-data-export/${CapacityManagerDataExportId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys",
+      "ec2:Attribute",
+      "ec2:Attribute/${AttributeName}",
+      "ec2:Region",
+      "ec2:ResourceTag/${TagKey}"
+    ]
+  },
   "capacity-reservation-fleet": {
     "key": "capacity-reservation-fleet",
     "arn": "arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation-fleet/${CapacityReservationFleetId}",
@@ -1163,6 +1176,7 @@
       "ec2:LaunchTemplate",
       "ec2:ManagedResourceOperator",
       "ec2:ParentSnapshot",
+      "ec2:ParentVolume",
       "ec2:Region",
       "ec2:ResourceTag/${TagKey}",
       "ec2:VolumeID",
@@ -1208,10 +1222,10 @@
       "ec2:Attribute/${AttributeName}",
       "ec2:Region",
       "ec2:ResourceTag/${TagKey}",
+      "ec2:VpceMultiRegion",
       "ec2:VpceServiceName",
       "ec2:VpceServiceOwner",
-      "ec2:vpceMultiRegion",
-      "ec2:vpceServiceRegion"
+      "ec2:VpceServiceRegion"
     ]
   },
   "vpc-endpoint-service": {
@@ -1225,10 +1239,10 @@
       "ec2:Attribute/${AttributeName}",
       "ec2:Region",
       "ec2:ResourceTag/${TagKey}",
+      "ec2:VpceMultiRegion",
       "ec2:VpceServicePrivateDnsName",
-      "ec2:vpceMultiRegion",
-      "ec2:vpceServiceRegion",
-      "ec2:vpceSupportedRegion"
+      "ec2:VpceServiceRegion",
+      "ec2:VpceSupportedRegion"
     ]
   },
   "vpc-endpoint-service-permission": {

package/data/resourceTypes/guardduty.json

@@ -43,7 +43,10 @@
   },
   "publishingdestination": {
     "key": "publishingDestination",
-    "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/publishingDestination/${PublishingDestinationId}"
+    "arn": "arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/publishingdestination/${PublishingDestinationId}",
+    "conditionKeys": [
+      "aws:ResourceTag/${TagKey}"
+    ]
   },
   "malwareprotectionplan": {
     "key": "malwareprotectionplan",