@cloud-copilot/iam-data 0.9.202503281 → 0.9.202504011

package/data/actions/healthlake.json

@@ -228,6 +228,21 @@
     "conditionKeys": [],
     "dependentActions": []
   },
+  "processbundle": {
+    "name": "ProcessBundle",
+    "description": "Grants permission to bundle multiple resource operations",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "datastore",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
   "readresource": {
     "name": "ReadResource",
     "description": "Grants permission to read resource",

package/data/actions/iot.json

@@ -173,8 +173,17 @@
     "name": "AttachThingPrincipal",
     "description": "Grants permission to attach the specified principal to the specified thing",
     "accessLevel": "Write",
-    "resourceTypes": [],
-    "conditionKeys": [],
+    "resourceTypes": [
+      {
+        "name": "cert",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "iot:thingArn"
+    ],
     "dependentActions": []
   },
   "cancelauditmitigationactionstask": {
@@ -2025,8 +2034,17 @@
     "name": "DetachThingPrincipal",
     "description": "Grants permission to detach the specified principal from the specified thing",
     "accessLevel": "Write",
-    "resourceTypes": [],
-    "conditionKeys": [],
+    "resourceTypes": [
+      {
+        "name": "cert",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "iot:thingArn"
+    ],
     "dependentActions": []
   },
   "disabletopicrule": {
@@ -2793,7 +2811,29 @@
     "name": "ListPrincipalThings",
     "description": "Grants permission to list the things associated with the specified principal",
     "accessLevel": "List",
-    "resourceTypes": [],
+    "resourceTypes": [
+      {
+        "name": "cert",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
+  "listprincipalthingsv2": {
+    "name": "ListPrincipalThingsV2",
+    "description": "Grants permission to list the things associated with the specified principal",
+    "accessLevel": "List",
+    "resourceTypes": [
+      {
+        "name": "cert",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
     "conditionKeys": [],
     "dependentActions": []
   },
@@ -3115,7 +3155,29 @@
     "name": "ListThingPrincipals",
     "description": "Grants permission to list the principals associated with the specified thing",
     "accessLevel": "List",
-    "resourceTypes": [],
+    "resourceTypes": [
+      {
+        "name": "thing",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [],
+    "dependentActions": []
+  },
+  "listthingprincipalsv2": {
+    "name": "ListThingPrincipalsV2",
+    "description": "Grants permission to list the principals associated with the specified thing",
+    "accessLevel": "List",
+    "resourceTypes": [
+      {
+        "name": "thing",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
     "conditionKeys": [],
     "dependentActions": []
   },

package/data/actions/rekognition.json

@@ -87,14 +87,7 @@
     "name": "CreateProject",
     "description": "Grants permission to create an Amazon Rekognition Custom Labels project",
     "accessLevel": "Write",
-    "resourceTypes": [
-      {
-        "name": "project",
-        "required": true,
-        "conditionKeys": [],
-        "dependentActions": []
-      }
-    ],
+    "resourceTypes": [],
     "conditionKeys": [
       "aws:RequestTag/${TagKey}",
       "aws:TagKeys"

package/data/actions/s3express.json

@@ -1,4 +1,29 @@
 {
+  "createaccesspoint": {
+    "name": "CreateAccessPoint",
+    "description": "Grants permission to create a new access point",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:LocationName",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
   "createbucket": {
     "name": "CreateBucket",
     "description": "Grants permission to create a new bucket",
@@ -42,7 +67,80 @@
       "s3express:TlsVersion",
       "s3express:x-amz-content-sha256",
       "s3express:x-amz-server-side-encryption",
-      "s3express:x-amz-server-side-encryption-aws-kms-key-id"
+      "s3express:x-amz-server-side-encryption-aws-kms-key-id",
+      "s3express:AllAccessRestrictedToLocalZoneGroup"
+    ],
+    "dependentActions": []
+  },
+  "deleteaccesspoint": {
+    "name": "DeleteAccessPoint",
+    "description": "Grants permission to delete the access point named in the URI",
+    "accessLevel": "Write",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
+  "deleteaccesspointpolicy": {
+    "name": "DeleteAccessPointPolicy",
+    "description": "Grants permission to delete the policy on a specified access point",
+    "accessLevel": "Permissions management",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
+  "deleteaccesspointscope": {
+    "name": "DeleteAccessPointScope",
+    "description": "Grants permission to delete the scope configuration on a specified access point",
+    "accessLevel": "Permissions management",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
     ],
     "dependentActions": []
   },
@@ -88,6 +186,71 @@
     ],
     "dependentActions": []
   },
+  "getaccesspoint": {
+    "name": "GetAccessPoint",
+    "description": "Grants permission to return configuration information about the specified access point",
+    "accessLevel": "Read",
+    "resourceTypes": [],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
+  "getaccesspointpolicy": {
+    "name": "GetAccessPointPolicy",
+    "description": "Grants permission to return the access point policy associated with the specified access point",
+    "accessLevel": "Read",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
+  "getaccesspointscope": {
+    "name": "GetAccessPointScope",
+    "description": "Grants permission to return the scope configuration associated with the specified access point",
+    "accessLevel": "Read",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
   "getbucketpolicy": {
     "name": "GetBucketPolicy",
     "description": "Grants permission to return the policy of the specified bucket",
@@ -151,6 +314,20 @@
     ],
     "dependentActions": []
   },
+  "listaccesspointsfordirectorybuckets": {
+    "name": "ListAccessPointsForDirectoryBuckets",
+    "description": "Grants permission to list access points",
+    "accessLevel": "List",
+    "resourceTypes": [],
+    "conditionKeys": [
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
   "listallmydirectorybuckets": {
     "name": "ListAllMyDirectoryBuckets",
     "description": "Grants permission to list all directory buckets owned by the authenticated sender of the request",
@@ -165,6 +342,54 @@
     ],
     "dependentActions": []
   },
+  "putaccesspointpolicy": {
+    "name": "PutAccessPointPolicy",
+    "description": "Grants permission to associate an access policy with a specified access point",
+    "accessLevel": "Permissions management",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
+  "putaccesspointscope": {
+    "name": "PutAccessPointScope",
+    "description": "Grants permission to associate an access point with a specified access point scope configuration",
+    "accessLevel": "Permissions management",
+    "resourceTypes": [
+      {
+        "name": "accesspoint",
+        "required": true,
+        "conditionKeys": [],
+        "dependentActions": []
+      }
+    ],
+    "conditionKeys": [
+      "s3express:DataAccessPointAccount",
+      "s3express:DataAccessPointArn",
+      "s3express:AccessPointNetworkOrigin",
+      "s3express:authType",
+      "s3express:ResourceAccount",
+      "s3express:signatureversion",
+      "s3express:TlsVersion",
+      "s3express:x-amz-content-sha256"
+    ],
+    "dependentActions": []
+  },
   "putbucketpolicy": {
     "name": "PutBucketPolicy",
     "description": "Grants permission to add or replace a bucket policy on a bucket",

package/data/actions/wafv2.json

@@ -9,14 +9,23 @@
         "required": true,
         "conditionKeys": [],
         "dependentActions": [
+          "amplify:AssociateWebACL",
           "apigateway:SetWebACL",
           "apprunner:AssociateWebAcl",
           "appsync:SetWebACL",
           "cognito-idp:AssociateWebACL",
           "ec2:AssociateVerifiedAccessInstanceWebAcl",
-          "elasticloadbalancing:SetWebAcl"
+          "elasticloadbalancing:SetWebAcl",
+          "wafv2:GetPermissionPolicy",
+          "wafv2:PutPermissionPolicy"
         ]
       },
+      {
+        "name": "amplify-app",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "apigateway",
         "required": false,
@@ -350,18 +359,26 @@
     "accessLevel": "Write",
     "resourceTypes": [
       {
-        "name": "apigateway",
+        "name": "amplify-app",
         "required": false,
         "conditionKeys": [],
         "dependentActions": [
+          "amplify:DisassociateWebACL",
           "apigateway:SetWebACL",
           "apprunner:DisassociateWebAcl",
           "appsync:SetWebACL",
           "cognito-idp:DisassociateWebACL",
           "ec2:DisassociateVerifiedAccessInstanceWebAcl",
-          "elasticloadbalancing:SetWebAcl"
+          "elasticloadbalancing:SetWebAcl",
+          "wafv2:PutPermissionPolicy"
         ]
       },
+      {
+        "name": "apigateway",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "apprunner",
         "required": false,
@@ -578,12 +595,19 @@
         "required": true,
         "conditionKeys": [],
         "dependentActions": [
+          "amplify:GetWebACLForResource",
           "apprunner:DescribeWebAclForService",
           "cognito-idp:GetWebACLForResource",
           "ec2:GetVerifiedAccessInstanceWebAcl",
           "wafv2:GetWebACL"
         ]
       },
+      {
+        "name": "amplify-app",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "apigateway",
         "required": false,
@@ -700,11 +724,18 @@
         "required": true,
         "conditionKeys": [],
         "dependentActions": [
+          "amplify:ListResourcesForWebACL",
           "apprunner:ListAssociatedServicesForWebAcl",
           "cognito-idp:ListResourcesForWebACL",
           "ec2:DescribeVerifiedAccessInstanceWebAclAssociations"
         ]
       },
+      {
+        "name": "amplify-app",
+        "required": false,
+        "conditionKeys": [],
+        "dependentActions": []
+      },
       {
         "name": "apprunner",
         "required": false,

package/data/conditionKeys/iot.json

@@ -53,5 +53,10 @@
     "key": "iot:TunnelDestinationService",
     "description": "Filters access by a list of destination services for an IoT Tunnel",
     "type": "ArrayOfString"
+  },
+  "iot:thingarn": {
+    "key": "iot:thingArn",
+    "description": "Filters access by the ARN of an IoT Thing",
+    "type": "ARN"
   }
 }

package/data/conditionKeys/s3express.json

@@ -1,14 +1,34 @@
 {
+  "s3express:accesspointnetworkorigin": {
+    "key": "s3express:AccessPointNetworkOrigin",
+    "description": "Filters access by the network origin (Internet or VPC)",
+    "type": "String"
+  },
   "s3express:allaccessrestrictedtolocalzonegroup": {
     "key": "s3express:AllAccessRestrictedToLocalZoneGroup",
-    "description": "Filters all access to the bucket unless the request originates from the AWS Local Zone network border group(s) provided in this condition key",
+    "description": "Filters access by AWS Local Zone network border group(s) provided in this condition key",
+    "type": "String"
+  },
+  "s3express:dataaccesspointaccount": {
+    "key": "s3express:DataAccessPointAccount",
+    "description": "Filters access by the AWS Account ID that owns the access point",
     "type": "String"
   },
+  "s3express:dataaccesspointarn": {
+    "key": "s3express:DataAccessPointArn",
+    "description": "Filters access by an access point Amazon Resource Name (ARN)",
+    "type": "ARN"
+  },
   "s3express:locationname": {
     "key": "s3express:LocationName",
     "description": "Filters access by a specific Availability Zone ID",
     "type": "String"
   },
+  "s3express:permissions": {
+    "key": "s3express:Permissions",
+    "description": "Filters access by the permission requested by Access Point Scope configuration, such as GetObject, PutObject",
+    "type": "ArrayOfString"
+  },
   "s3express:resourceaccount": {
     "key": "s3express:ResourceAccount",
     "description": "Filters access by the resource owner AWS account ID",

package/data/resourceTypes/s3express.json

@@ -2,5 +2,9 @@
   "bucket": {
     "key": "bucket",
     "arn": "arn:${Partition}:s3express:${Region}:${Account}:bucket/${BucketName}"
+  },
+  "accesspoint": {
+    "key": "accesspoint",
+    "arn": "arn:${Partition}:s3express:${Region}:${Account}:accesspoint/${AccessPointName}"
   }
 }

package/data/resourceTypes/wafv2.json

@@ -54,5 +54,9 @@
   "verified-access-instance": {
     "key": "verified-access-instance",
     "arn": "arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}"
+  },
+  "amplify-app": {
+    "key": "amplify-app",
+    "arn": "arn:${Partition}:amplify:${Region}:${Account}:apps/${AppId}"
   }
 }

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@cloud-copilot/iam-data",
-  "version": "0.9.202503281",
+  "version": "0.9.202504011",
   "description": "AWS IAM Data",
   "repository": "github:cloud-copilot/iam-data",
-  "updatedAt": "2025-03-28T04:46:24.551Z",
+  "updatedAt": "2025-04-01T04:48:01.169Z",
   "exports": {
     ".": {
       "import": "./dist/esm/index.js",