@cloud-copilot/iam-data 0.15.202512181 → 0.15.202512201

package/data/actions/lambda.json

@@ -28,8 +28,7 @@
     ],
     "conditionKeys": [
       "lambda:Principal",
-      "lambda:FunctionUrlAuthType",
-      "lambda:InvokedViaFunctionUrl"
+      "lambda:FunctionUrlAuthType"
     ],
     "dependentActions": []
   },

package/data/actions/payment-cryptography.json

@@ -1,4 +1,25 @@
 {
+  "addkeyreplicationregions": {
+    "name": "AddKeyReplicationRegions",
+    "description": "Grants permission to add replication regions to an existing AWS Payment Cryptography key",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "alias",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
+      {
+        "name": "key",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "createalias": {
     "name": "CreateAlias",
     "description": "Grants permission to create a user-friendly name for a Key",
@@ -87,6 +108,22 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "disabledefaultkeyreplicationregions": {
+    "name": "DisableDefaultKeyReplicationRegions",
+    "description": "Grants permission to disable default key replication regions for account-level replication",
+    "accessLevel": "Write",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
+  "enabledefaultkeyreplicationregions": {
+    "name": "EnableDefaultKeyReplicationRegions",
+    "description": "Grants permission to enable default key replication regions for account-level replication",
+    "accessLevel": "Write",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "encryptdata": {
     "name": "EncryptData",
     "description": "Grants permission to encrypt plaintext data to ciphertext using symmetric, asymmetric or DUKPT data encryption key",
@@ -231,6 +268,35 @@
     ],
     "dependentActions": []
   },
+  "getcertificatesigningrequest": {
+    "name": "GetCertificateSigningRequest",
+    "description": "Grants permission to return the Certificate Signing Request for a public key from a key of class PUBLIC_KEY",
+    "accessLevel": "Read",
+    "resourceTypes": [
+      {
+        "name": "alias",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
+      {
+        "name": "key",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
+  "getdefaultkeyreplicationregions": {
+    "name": "GetDefaultKeyReplicationRegions",
+    "description": "Grants permission to retrieve the default key replication regions configured at the account level",
+    "accessLevel": "Read",
+    "resourceTypes": [],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "getkey": {
     "name": "GetKey",
     "description": "Grants permission to return the detailed information about the specified key",
@@ -342,6 +408,27 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "removekeyreplicationregions": {
+    "name": "RemoveKeyReplicationRegions",
+    "description": "Grants permission to remove replication regions from an existing AWS Payment Cryptography key",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "alias",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
+      {
+        "name": "key",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "restorekey": {
     "name": "RestoreKey",
     "description": "Grants permission to cancel a scheduled key deletion if at any point during the waiting period a Key needs to be revived",
@@ -405,6 +492,27 @@
     ],
     "dependentActions": []
   },
+  "translatekeymaterial": {
+    "name": "TranslateKeyMaterial",
+    "description": "Grants permission to translate wrapping key type for a wrapped key",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "alias",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
+      {
+        "name": "key",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "translatepindata": {
     "name": "TranslatePinData",
     "description": "Grants permission to translate encrypted PIN block from and to ISO 9564 formats 0,1,3,4",

package/data/actions/redshift.json

@@ -1124,7 +1124,14 @@
     "name": "DescribeClusters",
     "description": "Grants permission to describe properties of provisioned clusters",
     "accessLevel": "List",
-    "resourceTypes": [],
+    "resourceTypes": [
+      {
+        "name": "cluster",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
     "conditionKeys": [],
     "dependentActions": []
   },

package/data/actions/servicequotas.json

@@ -220,8 +220,8 @@
   },
   "startquotautilizationreport": {
     "name": "StartQuotaUtilizationReport",
-    "description": "Grants permission to initiate the generattion of a quota Utilization report for your account",
-    "accessLevel": "Write",
+    "description": "Grants permission to query quota utilization and create a report for your account",
+    "accessLevel": "Read",
     "resourceTypes": [],
     "conditionKeys": [],
     "dependentActions": []

package/data/conditionKeys/apigateway.json

@@ -29,6 +29,11 @@
     "description": "Filters access by URI of a Lambda authorizer function. Available during CreateAuthorizer and UpdateAuthorizer. Also available during import and reimport as an ArrayOfString",
     "type": "ArrayOfString"
   },
+  "apigateway:request/cognitouserpoolarn": {
+    "key": "apigateway:Request/CognitoUserPoolArn",
+    "description": "Filters access by a Portal's CognitoUserPoolArn that is passed in the request",
+    "type": "ARN"
+  },
   "apigateway:request/conditionbasepaths": {
     "key": "apigateway:Request/ConditionBasePaths",
     "description": "Filters access by base paths defined on the condition of a routing rule. Available during the CreateRoutingRule and UpdateRoutingRule operations",
@@ -44,6 +49,11 @@
     "description": "Filters access by endpoint type. Available during the CreateDomainName, UpdateDomainName, CreateRestApi, and UpdateRestApi operations",
     "type": "ArrayOfString"
   },
+  "apigateway:request/method": {
+    "key": "apigateway:Request/Method",
+    "description": "Filters access by a ProductRestEndpointPage's HTTP Method that is passed in the request",
+    "type": "String"
+  },
   "apigateway:request/mtlstruststoreuri": {
     "key": "apigateway:Request/MtlsTrustStoreUri",
     "description": "Filters access by URI of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations",
@@ -54,11 +64,41 @@
     "description": "Filters access by version of the truststore used for mutual TLS authentication. Available during the CreateDomainName and UpdateDomainName operations",
     "type": "String"
   },
+  "apigateway:request/portaldisplayname": {
+    "key": "apigateway:Request/PortalDisplayName",
+    "description": "Filters access by a Portal's Display Name that is passed in the request",
+    "type": "String"
+  },
+  "apigateway:request/portaldomainname": {
+    "key": "apigateway:Request/PortalDomainName",
+    "description": "Filters access by a Portal's vanity domain name that is passed in the request",
+    "type": "String"
+  },
+  "apigateway:request/portalproductdisplayname": {
+    "key": "apigateway:Request/PortalProductDisplayName",
+    "description": "Filters access by a PortalProduct's Display Name that is passed in the request",
+    "type": "String"
+  },
   "apigateway:request/priority": {
     "key": "apigateway:Request/Priority",
     "description": "Filters access by priority of the routing rule. Available during the CreateRoutingRule and UpdateRoutingRule operations",
     "type": "Numeric"
   },
+  "apigateway:request/productpagetitle": {
+    "key": "apigateway:Request/ProductPageTitle",
+    "description": "Filters access by a ProductPage's Title that is passed in the request",
+    "type": "String"
+  },
+  "apigateway:request/productrestendpointpageendpointprefix": {
+    "key": "apigateway:Request/ProductRestEndpointPageEndpointPrefix",
+    "description": "Filters access by a ProductRestEndpointPage's EndpointPrefix that is passed in the request",
+    "type": "String"
+  },
+  "apigateway:request/restapiid": {
+    "key": "apigateway:Request/RestApiId",
+    "description": "Filters access by a ProductRestEndpointPage's Amazon API Gateway API ID that is passed in the request",
+    "type": "String"
+  },
   "apigateway:request/routeauthorizationtype": {
     "key": "apigateway:Request/RouteAuthorizationType",
     "description": "Filters access by authorization type, for example NONE, AWS_IAM, CUSTOM, JWT, COGNITO_USER_POOLS. Available during the CreateMethod and PutMethod operations Also available as a collection during import",
@@ -74,6 +114,11 @@
     "description": "Filters access by TLS version. Available during the CreateDomain and UpdateDomain operations",
     "type": "ArrayOfString"
   },
+  "apigateway:request/stage": {
+    "key": "apigateway:Request/Stage",
+    "description": "Filters access by a ProductRestEndpointPage's Amazon API Gateway Stage Name that is passed in the request",
+    "type": "String"
+  },
   "apigateway:request/stagename": {
     "key": "apigateway:Request/StageName",
     "description": "Filters access by stage name of the deployment that you attempt to create. Available during the CreateDeployment operation",
@@ -109,6 +154,11 @@
     "description": "Filters access by URI of a Lambda authorizer function. Available during UpdateAuthorizer and DeleteAuthorizer operations. Also available during reimport as an ArrayOfString",
     "type": "ArrayOfString"
   },
+  "apigateway:resource/cognitouserpoolarn": {
+    "key": "apigateway:Resource/CognitoUserPoolArn",
+    "description": "Filters access by a Portal's CognitoUserPoolArn associated with the resource",
+    "type": "ARN"
+  },
   "apigateway:resource/conditionbasepaths": {
     "key": "apigateway:Resource/ConditionBasePaths",
     "description": "Filters access by base paths defined on the condition of the existing routing rule. Available during the UpdateRoutingRule and DeleteRoutingRule operations",
@@ -124,6 +174,11 @@
     "description": "Filters access by endpoint type. Available during the UpdateDomainName, DeleteDomainName, UpdateRestApi, and DeleteRestApi operations",
     "type": "ArrayOfString"
   },
+  "apigateway:resource/method": {
+    "key": "apigateway:Resource/Method",
+    "description": "Filters access by a ProductRestEndpointPage's HTTP Method associated with the resource",
+    "type": "String"
+  },
   "apigateway:resource/mtlstruststoreuri": {
     "key": "apigateway:Resource/MtlsTrustStoreUri",
     "description": "Filters access by URI of the truststore used for mutual TLS authentication. Available during UpdateDomainName and DeleteDomainName operations",
@@ -134,11 +189,46 @@
     "description": "Filters access by version of the truststore used for mutual TLS authentication. Available during UpdateDomainName and DeleteDomainName operations",
     "type": "String"
   },
+  "apigateway:resource/portaldisplayname": {
+    "key": "apigateway:Resource/PortalDisplayName",
+    "description": "Filters access by a Portal's Display Name associated with the resource",
+    "type": "String"
+  },
+  "apigateway:resource/portaldomainname": {
+    "key": "apigateway:Resource/PortalDomainName",
+    "description": "Filters access by a Portal's vanity domain name associated with the resource",
+    "type": "String"
+  },
+  "apigateway:resource/portalproductdisplayname": {
+    "key": "apigateway:Resource/PortalProductDisplayName",
+    "description": "Filters access by a PortalProduct's Display Name associated with the resource",
+    "type": "String"
+  },
+  "apigateway:resource/portalpublishstatus": {
+    "key": "apigateway:Resource/PortalPublishStatus",
+    "description": "Filters access by a Portal's published status associated with the resource",
+    "type": "String"
+  },
   "apigateway:resource/priority": {
     "key": "apigateway:Resource/Priority",
     "description": "Filters access by priority of the existing routing rule. Available during the UpdateRoutingRule and DeleteRoutingRule operations",
     "type": "Numeric"
   },
+  "apigateway:resource/productpagetitle": {
+    "key": "apigateway:Resource/ProductPageTitle",
+    "description": "Filters access by a ProductPage's Title associated with the resource",
+    "type": "String"
+  },
+  "apigateway:resource/productrestendpointpageendpointprefix": {
+    "key": "apigateway:Resource/ProductRestEndpointPageEndpointPrefix",
+    "description": "Filters access by a ProductRestEndpointPage's EndpointPrefix associated with the resource",
+    "type": "String"
+  },
+  "apigateway:resource/restapiid": {
+    "key": "apigateway:Resource/RestApiId",
+    "description": "Filters access by a ProductRestEndpointPage's Amazon API Gateway API ID associated with the resource",
+    "type": "String"
+  },
   "apigateway:resource/routeauthorizationtype": {
     "key": "apigateway:Resource/RouteAuthorizationType",
     "description": "Filters access by authorization type of the existing Method resource, for example NONE, AWS_IAM, CUSTOM, JWT, COGNITO_USER_POOLS. Available during the PutMethod and DeleteMethod operations. Also available as a collection during reimport",
@@ -154,6 +244,11 @@
     "description": "Filters access by TLS version. Available during UpdateDomain and DeleteDomain operations",
     "type": "ArrayOfString"
   },
+  "apigateway:resource/stage": {
+    "key": "apigateway:Resource/Stage",
+    "description": "Filters access by a ProductRestEndpointPage's Amazon API Gateway Stage Name associated with the resource",
+    "type": "String"
+  },
   "aws:requesttag/${tagkey}": {
     "key": "aws:RequestTag/${TagKey}",
     "description": "Filters access by the tag key-value pairs in the request",

package/data/conditionKeys/ec2.json

@@ -99,6 +99,11 @@
     "description": "Filters access by the ARN of the CloudWatch Logs log stream",
     "type": "ARN"
   },
+  "ec2:commitmentduration": {
+    "key": "ec2:CommitmentDuration",
+    "description": "Filters access by commitment duration of the Capacity Reservation",
+    "type": "Numeric"
+  },
   "ec2:cpuoptionsamdsevsnp": {
     "key": "ec2:CpuOptionsAmdSevSnp",
     "description": "Filters access by the state of AMD SEV-SNP CPU Options. Currently, only US East (Ohio) and Europe (Ireland) are supported",
@@ -269,6 +274,21 @@
     "description": "Filters access by the ID of an internet gateway",
     "type": "String"
   },
+  "ec2:interruptiblecapacityreservationid": {
+    "key": "ec2:InterruptibleCapacityReservationId",
+    "description": "Filters access by the ID of an interruptible Capacity Reservation",
+    "type": "String"
+  },
+  "ec2:interruptiontype": {
+    "key": "ec2:InterruptionType",
+    "description": "Filters access by the type of interruption",
+    "type": "String"
+  },
+  "ec2:ipamprefixlistresolvertargetid": {
+    "key": "ec2:IpamPrefixListResolverTargetId",
+    "description": "Filters access by the IPAM prefix list resolver target ID that is syncing CIDRs to a managed prefix list",
+    "type": "String"
+  },
   "ec2:ipv4ipampoolid": {
     "key": "ec2:Ipv4IpamPoolId",
     "description": "Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation",
@@ -279,6 +299,11 @@
     "description": "Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation",
     "type": "String"
   },
+  "ec2:isinterruptible": {
+    "key": "ec2:IsInterruptible",
+    "description": "Filters access by whether Capacity Reservations are interruptible",
+    "type": "Bool"
+  },
   "ec2:islaunchtemplateresource": {
     "key": "ec2:IsLaunchTemplateResource",
     "description": "Filters access by whether users are able to override resources that are specified in the launch template",
@@ -574,6 +599,11 @@
     "description": "Filters access by the ID of a subnet",
     "type": "String"
   },
+  "ec2:targetinstancecount": {
+    "key": "ec2:TargetInstanceCount",
+    "description": "Filters access by the number of instances the interruptible Capacity Reservation is assigned",
+    "type": "Numeric"
+  },
   "ec2:tenancy": {
     "key": "ec2:Tenancy",
     "description": "Filters access by the tenancy of the VPC or instance (default, dedicated, or host)",
@@ -629,6 +659,16 @@
     "description": "Filters access by multi region of the VPC endpoint service",
     "type": "String"
   },
+  "ec2:vpceprivatednspreference": {
+    "key": "ec2:VpcePrivateDnsPreference",
+    "description": "Filters access by the private DNS preference",
+    "type": "String"
+  },
+  "ec2:vpceprivatednsspecifieddomains": {
+    "key": "ec2:VpcePrivateDnsSpecifiedDomains",
+    "description": "Filters access by the private DNS domains",
+    "type": "ArrayOfString"
+  },
   "ec2:vpceservicename": {
     "key": "ec2:VpceServiceName",
     "description": "Filters access by the name of the VPC endpoint service",
@@ -669,6 +709,11 @@
     "description": "Filters access by the ID of a transit gateway",
     "type": "String"
   },
+  "ec2:transitgatewaymeteringpolicyid": {
+    "key": "ec2:transitGatewayMeteringPolicyId",
+    "description": "Filters access by the ID of a metering policy id",
+    "type": "String"
+  },
   "ec2:transitgatewaymulticastdomainid": {
     "key": "ec2:transitGatewayMulticastDomainId",
     "description": "Filters access by the ID of a transit gateway multicast domain",

package/data/resourceTypes/apigateway.json

@@ -254,6 +254,44 @@
       "aws:ResourceTag/${TagKey}"
     ]
   },
+  "portal": {
+    "key": "Portal",
+    "arn": "arn:${Partition}:apigateway:${Region}:${Account}:/portals/${PortalId}",
+    "conditionKeys": [
+      "apigateway:Resource/CognitoUserPoolArn",
+      "apigateway:Resource/PortalDisplayName",
+      "apigateway:Resource/PortalDomainName",
+      "apigateway:Resource/PortalPublishStatus",
+      "aws:ResourceTag/${TagKey}"
+    ]
+  },
+  "portalproduct": {
+    "key": "PortalProduct",
+    "arn": "arn:${Partition}:apigateway:${Region}:${Account}:/portalproducts/${PortalProductId}",
+    "conditionKeys": [
+      "apigateway:Resource/PortalProductDisplayName",
+      "aws:ResourceTag/${TagKey}"
+    ]
+  },
+  "productpage": {
+    "key": "ProductPage",
+    "arn": "arn:${Partition}:apigateway:${Region}:${Account}:/portalproducts/${PortalProductId}/productpages/${ProductPageId}",
+    "conditionKeys": [
+      "apigateway:Resource/ProductPageTitle",
+      "aws:ResourceTag/${TagKey}"
+    ]
+  },
+  "productrestendpointpage": {
+    "key": "ProductRestEndpointPage",
+    "arn": "arn:${Partition}:apigateway:${Region}:${Account}:/portalproducts/${PortalProductId}/productrestendpointpages/${ProductRestEndpointPageId}",
+    "conditionKeys": [
+      "apigateway:Resource/Method",
+      "apigateway:Resource/ProductRestEndpointPageEndpointPrefix",
+      "apigateway:Resource/RestApiId",
+      "apigateway:Resource/Stage",
+      "aws:ResourceTag/${TagKey}"
+    ]
+  },
   "account": {
     "key": "Account",
     "arn": "arn:${Partition}:apigateway:${Region}::/account"

package/data/resourceTypes/ec2.json

@@ -66,6 +66,7 @@
       "ec2:AvailabilityZone",
       "ec2:AvailabilityZoneId",
       "ec2:CapacityReservationFleet",
+      "ec2:CommitmentDuration",
       "ec2:CreateDate",
       "ec2:DestinationCapacityReservationId",
       "ec2:EbsOptimized",
@@ -76,6 +77,9 @@
       "ec2:InstanceMatchCriteria",
       "ec2:InstancePlatform",
       "ec2:InstanceType",
+      "ec2:InterruptibleCapacityReservationId",
+      "ec2:InterruptionType",
+      "ec2:IsInterruptible",
       "ec2:IsLaunchTemplateResource",
       "ec2:LaunchTemplate",
       "ec2:OutpostArn",
@@ -83,6 +87,7 @@
       "ec2:Region",
       "ec2:ResourceTag/${TagKey}",
       "ec2:SourceCapacityReservationId",
+      "ec2:TargetInstanceCount",
       "ec2:Tenancy"
     ]
   },
@@ -419,6 +424,19 @@
       "ec2:ResourceTag/${TagKey}"
     ]
   },
+  "ipam-policy": {
+    "key": "ipam-policy",
+    "arn": "arn:${Partition}:ec2::${Account}:ipam-policy/${IpamPolicyId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys",
+      "ec2:Attribute",
+      "ec2:Attribute/${AttributeName}",
+      "ec2:Region",
+      "ec2:ResourceTag/${TagKey}"
+    ]
+  },
   "ipam-pool": {
     "key": "ipam-pool",
     "arn": "arn:${Partition}:ec2::${Account}:ipam-pool/${IpamPoolId}",
@@ -432,6 +450,32 @@
       "ec2:ResourceTag/${TagKey}"
     ]
   },
+  "ipam-prefix-list-resolver": {
+    "key": "ipam-prefix-list-resolver",
+    "arn": "arn:${Partition}:ec2::${Account}:ipam-prefix-list-resolver/${IpamPrefixListResolverId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys",
+      "ec2:Attribute",
+      "ec2:Attribute/${AttributeName}",
+      "ec2:Region",
+      "ec2:ResourceTag/${TagKey}"
+    ]
+  },
+  "ipam-prefix-list-resolver-target": {
+    "key": "ipam-prefix-list-resolver-target",
+    "arn": "arn:${Partition}:ec2::${Account}:ipam-prefix-list-resolver-target/${IpamPrefixListResolverTargetId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys",
+      "ec2:Attribute",
+      "ec2:Attribute/${AttributeName}",
+      "ec2:Region",
+      "ec2:ResourceTag/${TagKey}"
+    ]
+  },
   "ipam-resource-discovery-association": {
     "key": "ipam-resource-discovery-association",
     "arn": "arn:${Partition}:ec2::${Account}:ipam-resource-discovery-association/${IpamResourceDiscoveryAssociationId}",
@@ -623,7 +667,8 @@
       "aws:ResourceTag/${TagKey}",
       "aws:TagKeys",
       "ec2:Region",
-      "ec2:ResourceTag/${TagKey}"
+      "ec2:ResourceTag/${TagKey}",
+      "ec2:Vpc"
     ]
   },
   "network-acl": {
@@ -742,6 +787,7 @@
       "aws:TagKeys",
       "ec2:Attribute",
       "ec2:Attribute/${AttributeName}",
+      "ec2:IpamPrefixListResolverTargetId",
       "ec2:Region",
       "ec2:ResourceTag/${TagKey}"
     ]
@@ -1036,6 +1082,19 @@
       "ec2:transitGatewayId"
     ]
   },
+  "transit-gateway-metering-policy": {
+    "key": "transit-gateway-metering-policy",
+    "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-metering-policy/${TransitGatewayMeteringPolicyId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys",
+      "ec2:Attribute/${AttributeName}",
+      "ec2:Region",
+      "ec2:ResourceTag/${TagKey}",
+      "ec2:transitGatewayMeteringPolicyId"
+    ]
+  },
   "transit-gateway-multicast-domain": {
     "key": "transit-gateway-multicast-domain",
     "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-multicast-domain/${TransitGatewayMulticastDomainId}",
@@ -1200,6 +1259,18 @@
       "ec2:ResourceTag/${TagKey}"
     ]
   },
+  "vpc-encryption-control": {
+    "key": "vpc-encryption-control",
+    "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-encryption-control/${VpcEncryptionControlId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys",
+      "ec2:Attribute/${AttributeName}",
+      "ec2:Region",
+      "ec2:ResourceTag/${TagKey}"
+    ]
+  },
   "vpc-endpoint-connection": {
     "key": "vpc-endpoint-connection",
     "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-connection/${VpcEndpointConnectionId}",
@@ -1223,6 +1294,8 @@
       "ec2:Region",
       "ec2:ResourceTag/${TagKey}",
       "ec2:VpceMultiRegion",
+      "ec2:VpcePrivateDnsPreference",
+      "ec2:VpcePrivateDnsSpecifiedDomains",
       "ec2:VpceServiceName",
       "ec2:VpceServiceOwner",
       "ec2:VpceServiceRegion"
@@ -1300,6 +1373,17 @@
       "ec2:VpcPeeringConnectionID"
     ]
   },
+  "vpn-concentrator": {
+    "key": "vpn-concentrator",
+    "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-concentrator/${VpnConcentratorId}",
+    "conditionKeys": [
+      "aws:RequestTag/${TagKey}",
+      "aws:ResourceTag/${TagKey}",
+      "aws:TagKeys",
+      "ec2:Region",
+      "ec2:ResourceTag/${TagKey}"
+    ]
+  },
   "vpn-connection-device-type": {
     "key": "vpn-connection-device-type",
     "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-connection-device-type/${VpnConnectionDeviceTypeId}",

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@cloud-copilot/iam-data",
-  "version": "0.15.202512181",
+  "version": "0.15.202512201",
   "description": "AWS IAM Data",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/cloud-copilot/iam-data.git"
   },
-  "updatedAt": "2025-12-18T04:58:53.334Z",
+  "updatedAt": "2025-12-20T04:52:14.248Z",
   "exports": {
     ".": {
       "import": "./dist/esm/index.js",