@cloud-copilot/iam-data 0.15.202511201 → 0.15.202511221

package/data/actions/s3.json

@@ -253,7 +253,9 @@
       "s3:x-amz-grant-read-acp",
       "s3:x-amz-grant-write",
       "s3:x-amz-grant-write-acp",
-      "s3:x-amz-object-ownership"
+      "s3:x-amz-object-ownership",
+      "aws:RequestTag/${TagKey}",
+      "aws:TagKeys"
     ],
     "dependentActions": []
   },
@@ -1284,6 +1286,28 @@
     ],
     "dependentActions": []
   },
+  "getbucketabac": {
+    "name": "GetBucketAbac",
+    "description": "Grants permission to retrieve ABAC configuration for a general purpose bucket",
+    "accessLevel": "Read",
+    "resourceTypes": [
+      {
+        "name": "bucket",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3:authType",
+      "s3:ResourceAccount",
+      "s3:signatureAge",
+      "s3:signatureversion",
+      "s3:TlsVersion",
+      "s3:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
   "getbucketacl": {
     "name": "GetBucketAcl",
     "description": "Grants permission to use the acl subresource to return the access control list (ACL) of an Amazon S3 bucket",
@@ -2724,6 +2748,12 @@
         "conditionKeys": [],
         "dependentActions": []
       },
+      {
+        "name": "bucket",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "storagelensgroup",
         "required": false,
@@ -2952,6 +2982,28 @@
     ],
     "dependentActions": []
   },
+  "putbucketabac": {
+    "name": "PutBucketAbac",
+    "description": "Grants permission to set ABAC configuration for a general purpose bucket",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "bucket",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3:authType",
+      "s3:ResourceAccount",
+      "s3:signatureAge",
+      "s3:signatureversion",
+      "s3:TlsVersion",
+      "s3:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
   "putbucketacl": {
     "name": "PutBucketAcl",
     "description": "Grants permission to set the permissions on an existing bucket using access control lists (ACLs)",
@@ -3847,6 +3899,12 @@
         "conditionKeys": [],
         "dependentActions": []
       },
+      {
+        "name": "bucket",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "storagelensgroup",
         "required": false,
@@ -3895,6 +3953,12 @@
         "conditionKeys": [],
         "dependentActions": []
       },
+      {
+        "name": "bucket",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "storagelensgroup",
         "required": false,

package/data/actions/secretsmanager.json

@@ -24,7 +24,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -50,7 +51,8 @@
       "aws:TagKeys",
       "secretsmanager:ResourceTag/tag-key",
       "secretsmanager:AddReplicaRegions",
-      "secretsmanager:ForceOverwriteReplicaSecret"
+      "secretsmanager:ForceOverwriteReplicaSecret",
+      "secretsmanager:Type"
     ],
     "dependentActions": []
   },
@@ -71,7 +73,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -94,7 +97,8 @@
       "secretsmanager:ForceDeleteWithoutRecovery",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -115,7 +119,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -144,7 +149,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -167,7 +173,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -188,7 +195,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -218,7 +226,8 @@
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
       "secretsmanager:BlockPublicPolicy",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -239,7 +248,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -260,7 +270,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -283,7 +294,8 @@
       "aws:ResourceTag/${TagKey}",
       "secretsmanager:SecretPrimaryRegion",
       "secretsmanager:AddReplicaRegions",
-      "secretsmanager:ForceOverwriteReplicaSecret"
+      "secretsmanager:ForceOverwriteReplicaSecret",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -304,7 +316,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -328,7 +341,9 @@
       "aws:ResourceTag/${TagKey}",
       "secretsmanager:SecretPrimaryRegion",
       "secretsmanager:ModifyRotationRules",
-      "secretsmanager:RotateImmediately"
+      "secretsmanager:RotateImmediately",
+      "secretsmanager:resource/Type",
+      "secretsmanager:ExternalSecretRotationRoleArn"
     ],
     "dependentActions": []
   },
@@ -349,7 +364,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -372,7 +388,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -394,7 +411,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -418,7 +436,9 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:Type",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -440,7 +460,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   },
@@ -461,7 +482,8 @@
       "secretsmanager:resource/AllowRotationLambdaArn",
       "secretsmanager:ResourceTag/tag-key",
       "aws:ResourceTag/${TagKey}",
-      "secretsmanager:SecretPrimaryRegion"
+      "secretsmanager:SecretPrimaryRegion",
+      "secretsmanager:resource/Type"
     ],
     "dependentActions": []
   }

package/data/actions/securityhub.json

@@ -944,6 +944,21 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "getfindingstrendsv2": {
+    "name": "GetFindingsTrendsV2",
+    "description": "Grants permission to retrieve findings trends",
+    "accessLevel": "Read",
+    "resourceTypes": [
+      {
+        "name": "hubv2",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "getfreetrialenddate": {
     "name": "GetFreeTrialEndDate",
     "isPermissionOnly": true,
@@ -1082,6 +1097,21 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "getresourcestrendsv2": {
+    "name": "GetResourcesTrendsV2",
+    "description": "Grants permission to retrieve resources trends",
+    "accessLevel": "Read",
+    "resourceTypes": [
+      {
+        "name": "hubv2",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "getresourcesv2": {
     "name": "GetResourcesV2",
     "description": "Grants permission to retrieve a list of resources",

package/data/actions/signin.json

@@ -1,7 +1,23 @@
 {
+  "authorizeoauth2access": {
+    "name": "AuthorizeOAuth2Access",
+    "description": "Grants permission to authenticate through a browser and obtain an OAuth 2.0 authorization code for credential exchange",
+    "accessLevel": "Read",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
+  "createoauth2token": {
+    "name": "CreateOAuth2Token",
+    "description": "Grants permission to exchange an authorization code for OAuth 2.0 access token and refresh token that can be used to access AWS services from developer tools and applications",
+    "accessLevel": "Read",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "createtrustedidentitypropagationapplicationforconsole": {
     "name": "CreateTrustedIdentityPropagationApplicationForConsole",
-    "description": "Grants permission to create an Identity Center application that represents the the console on an Identity Center organization instance",
+    "description": "Grants permission to create an Identity Center application that represents the AWS Management Console on an Identity Center organization instance",
     "accessLevel": "Write",
     "resourceTypes": [],
     "conditionKeys": [],
@@ -17,7 +33,7 @@
   },
   "listtrustedidentitypropagationapplicationsforconsole": {
     "name": "ListTrustedIdentityPropagationApplicationsForConsole",
-    "description": "Grants permission to list all Identity Center applications that represent the the console",
+    "description": "Grants permission to list all Identity Center applications that represent the AWS Management Console",
     "accessLevel": "List",
     "resourceTypes": [],
     "conditionKeys": [],

package/data/actions/ssm.json

@@ -1013,7 +1013,7 @@
   },
   "executeapi": {
     "name": "ExecuteAPI",
-    "description": "Grants permission to a Systems Manager delegated administrator to view related resource details about OpsItems across multiple AWS accounts in the the console",
+    "description": "Grants permission to a Systems Manager delegated administrator to view related resource details about OpsItems across multiple AWS accounts in the AWS Management Console",
     "accessLevel": "Read",
     "resourceTypes": [],
     "conditionKeys": [],

package/data/actions/tag.json

@@ -39,6 +39,14 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "listrequiredtags": {
+    "name": "ListRequiredTags",
+    "description": "Grants permission to list required tags for supported resource types in the calling account",
+    "accessLevel": "List",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "startreportcreation": {
     "name": "StartReportCreation",
     "description": "Grants permission to start generating a report listing all tagged resources in accounts across your organization, and whether each resource is compliant with the effective tag policy",

package/data/conditionKeys/bedrock-agentcore.json

@@ -44,6 +44,11 @@
     "description": "Filters access by the subject claim (sub) in the JWT passed in the request",
     "type": "String"
   },
+  "bedrock-agentcore:kmskeyarn": {
+    "key": "bedrock-agentcore:KmsKeyArn",
+    "description": "Filters access by KMS Key arn provided",
+    "type": "String"
+  },
   "bedrock-agentcore:actorid": {
     "key": "bedrock-agentcore:actorId",
     "description": "Filters access by Actor Id",

package/data/conditionKeys/bedrock.json

@@ -39,6 +39,11 @@
     "description": "Filters access by the specified prompt router",
     "type": "ARN"
   },
+  "bedrock:servicetier": {
+    "key": "bedrock:ServiceTier",
+    "description": "Filters access by the specified ServiceTier",
+    "type": "String"
+  },
   "bedrock:thirdpartyknowledgebasecredentialssecretarn": {
     "key": "bedrock:ThirdPartyKnowledgeBaseCredentialsSecretArn",
     "description": "Filters access by the secretArn containing the credentials of the third party platform",

package/data/conditionKeys/dynamodb.json

@@ -24,6 +24,16 @@
     "description": "Filters access by blocking Transactions APIs calls and allow the non-Transaction APIs calls and vice-versa",
     "type": "String"
   },
+  "dynamodb:firstpartitionkeyvalues": {
+    "key": "dynamodb:FirstPartitionKeyValues",
+    "description": "Filters access by the first partition key of the table",
+    "type": "ArrayOfString"
+  },
+  "dynamodb:fourthpartitionkeyvalues": {
+    "key": "dynamodb:FourthPartitionKeyValues",
+    "description": "Filters access by the forth partition key of the table",
+    "type": "ArrayOfString"
+  },
   "dynamodb:fulltablescan": {
     "key": "dynamodb:FullTableScan",
     "description": "Filters access by blocking full table scan",
@@ -31,7 +41,7 @@
   },
   "dynamodb:leadingkeys": {
     "key": "dynamodb:LeadingKeys",
-    "description": "Filters access by the partition key of the table",
+    "description": "Filters access by the first partition key of the table",
     "type": "ArrayOfString"
   },
   "dynamodb:returnconsumedcapacity": {
@@ -44,9 +54,19 @@
     "description": "Filters access by the ReturnValues parameter of request. Contains one of the following: \"ALL_OLD\", \"UPDATED_OLD\",\"ALL_NEW\",\"UPDATED_NEW\", or \"NONE\"",
     "type": "String"
   },
+  "dynamodb:secondpartitionkeyvalues": {
+    "key": "dynamodb:SecondPartitionKeyValues",
+    "description": "Filters access by the second partition key of the table",
+    "type": "ArrayOfString"
+  },
   "dynamodb:select": {
     "key": "dynamodb:Select",
     "description": "Filters access by the Select parameter of a Query or Scan request",
     "type": "String"
+  },
+  "dynamodb:thirdpartitionkeyvalues": {
+    "key": "dynamodb:ThirdPartitionKeyValues",
+    "description": "Filters access by the third partition key of the table",
+    "type": "ArrayOfString"
   }
 }

package/data/conditionKeys/glue.json

@@ -26,7 +26,7 @@
   },
   "glue:federatedauthorizationsource": {
     "key": "glue:FederatedAuthorizationSource",
-    "description": "Filters access by whether the resource belongs to federarted authorization",
+    "description": "Filters access by whether the resource belongs to federated authorization",
     "type": "String"
   },
   "glue:lakeformationpermissions": {

package/data/conditionKeys/iam.json

@@ -24,6 +24,16 @@
     "description": "Filters access by the resource that the role will be used on behalf of",
     "type": "ARN"
   },
+  "iam:delegationduration": {
+    "key": "iam:DelegationDuration",
+    "description": "Filters access based on the requested delegation duration",
+    "type": "String"
+  },
+  "iam:delegationrequestowner": {
+    "key": "iam:DelegationRequestOwner",
+    "description": "Filters access based on the delegation request owner",
+    "type": "ARN"
+  },
   "iam:fido-fips-140-2-certification": {
     "key": "iam:FIDO-FIPS-140-2-certification",
     "description": "Filters access by the MFA device FIPS-140-2 validation certification level at the time of registration of a FIDO security key",
@@ -39,6 +49,11 @@
     "description": "Filters access by the MFA device FIDO certification level at the time of registration of a FIDO security key",
     "type": "String"
   },
+  "iam:notificationchannel": {
+    "key": "iam:NotificationChannel",
+    "description": "Filters access based on the requested notification channel",
+    "type": "String"
+  },
   "iam:organizationspolicyid": {
     "key": "iam:OrganizationsPolicyId",
     "description": "Filters access by the ID of an AWS Organizations policy",
@@ -78,5 +93,10 @@
     "key": "iam:ServiceSpecificCredentialServiceName",
     "description": "Filters access by the service associated with the credential",
     "type": "String"
+  },
+  "iam:templatearn": {
+    "key": "iam:TemplateArn",
+    "description": "Filters access based on the requested template ARN",
+    "type": "ARN"
   }
 }

package/data/conditionKeys/identitystore.json

@@ -1,7 +1,32 @@
 {
+  "identitystore:groupexternalidissuers": {
+    "key": "identitystore:GroupExternalIdIssuers",
+    "description": "Filters access by Issuer present in ExternalIds for Group resources",
+    "type": "ArrayOfARN"
+  },
+  "identitystore:identitystorearn": {
+    "key": "identitystore:IdentityStoreArn",
+    "description": "Filters access by Identity Store ARN",
+    "type": "ARN"
+  },
+  "identitystore:primaryregion": {
+    "key": "identitystore:PrimaryRegion",
+    "description": "Filters access by Primary Region of Identity Store",
+    "type": "String"
+  },
+  "identitystore:reserveduserid": {
+    "key": "identitystore:ReservedUserId",
+    "description": "Filters access by a previously reserved User ID for CreateUser operation",
+    "type": "String"
+  },
+  "identitystore:userexternalidissuers": {
+    "key": "identitystore:UserExternalIdIssuers",
+    "description": "Filters access by Issuer present in ExternalIds for User resources",
+    "type": "ArrayOfARN"
+  },
   "identitystore:userid": {
     "key": "identitystore:UserId",
-    "description": "Filters access by IAM Identity Center User ID",
+    "description": "Filters access by Identity Store User ID",
     "type": "String"
   }
 }

package/data/conditionKeys/organizations.json

@@ -23,5 +23,15 @@
     "key": "organizations:ServicePrincipal",
     "description": "Filters access by the specified service principal names",
     "type": "String"
+  },
+  "organizations:transferdirection": {
+    "key": "organizations:TransferDirection",
+    "description": "Filters access by the specified responsibility transfer by the direction",
+    "type": "String"
+  },
+  "organizations:transfertype": {
+    "key": "organizations:TransferType",
+    "description": "Filters access by the specified responsibility transfer type names",
+    "type": "String"
   }
 }

package/data/conditionKeys/partnercentral.json

@@ -16,12 +16,17 @@
   },
   "partnercentral:catalog": {
     "key": "partnercentral:Catalog",
-    "description": "Filters access by a specific Catalog. Accepted values: [AWS, Sandbox]",
+    "description": "Filters access by a specific Catalog",
+    "type": "String"
+  },
+  "partnercentral:channelhandshaketype": {
+    "key": "partnercentral:ChannelHandshakeType",
+    "description": "Filters access by channel handshake types",
     "type": "String"
   },
   "partnercentral:relatedentitytype": {
     "key": "partnercentral:RelatedEntityType",
-    "description": "Filters access by entity types for Opportunity association. Accepted values: [Solutions, AwsProducts, AwsMarketplaceOffers]",
+    "description": "Filters access by entity types for Opportunity association",
     "type": "String"
   }
 }

package/data/conditionKeys/pricingplanmanager.json

@@ -0,0 +1 @@
+{}

package/data/conditionKeys/s3.json

@@ -39,6 +39,11 @@
     "description": "Filters access by existing access point tag key and value",
     "type": "String"
   },
+  "s3:buckettag/${tagkey}": {
+    "key": "s3:BucketTag/${TagKey}",
+    "description": "Filters access by the tags associated with the bucket",
+    "type": "String"
+  },
   "s3:dataaccesspointaccount": {
     "key": "s3:DataAccessPointAccount",
     "description": "Filters access by the AWS Account ID that owns the access point",

package/data/conditionKeys/secretsmanager.json

@@ -29,6 +29,11 @@
     "description": "Filters access by the description text in the request",
     "type": "String"
   },
+  "secretsmanager:externalsecretrotationrolearn": {
+    "key": "secretsmanager:ExternalSecretRotationRoleArn",
+    "description": "Filters access by the managed external secret rotation role ARN in the request",
+    "type": "ARN"
+  },
   "secretsmanager:forcedeletewithoutrecovery": {
     "key": "secretsmanager:ForceDeleteWithoutRecovery",
     "description": "Filters access by whether the secret is to be deleted immediately without any recovery window",
@@ -89,6 +94,11 @@
     "description": "Filters access by primary region in which the secret is created if the secret is a multi-Region secret",
     "type": "String"
   },
+  "secretsmanager:type": {
+    "key": "secretsmanager:Type",
+    "description": "Filters access by the managed external secret type in the request",
+    "type": "String"
+  },
   "secretsmanager:versionid": {
     "key": "secretsmanager:VersionId",
     "description": "Filters access by the unique identifier of the version of the secret in the request",
@@ -103,5 +113,10 @@
     "key": "secretsmanager:resource/AllowRotationLambdaArn",
     "description": "Filters access by the ARN of the rotation Lambda function associated with the secret",
     "type": "ARN"
+  },
+  "secretsmanager:resource/type": {
+    "key": "secretsmanager:resource/Type",
+    "description": "Filters access by the managed external secret type associated with the secret",
+    "type": "String"
   }
 }

package/data/conditionPatterns.json

@@ -125,6 +125,7 @@
   },
   "s3": {
     "s3:AccessPointTag/.+?": "s3:AccessPointTag/${TagKey}",
+    "s3:BucketTag/.+?": "s3:BucketTag/${TagKey}",
     "s3:ExistingObjectTag/.+?": "s3:ExistingObjectTag/<key>",
     "s3:RequestObjectTag/.+?": "s3:RequestObjectTag/<key>"
   },