cdk-iam-floyd 0.710.0 → 0.714.0

package/.claude/settings.local.json

@@ -0,0 +1,30 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(make build)",
+      "Bash(make generate)",
+      "Bash(SERVICE=* make generate)",
+      "Bash(make generate-force)",
+      "Bash(SERVICE=* make generate-force)",
+      "Bash(make index-managed-policies)",
+      "Bash(make package)",
+      "Bash(make cdk)",
+      "Bash(make uncdk)",
+      "Bash(make test)",
+      "Bash(make cdk-test)",
+      "Bash(make cdk-all)",
+      "Bash(make changelog)",
+      "Bash(make stats)",
+      "Bash(make clean)",
+      "Bash(make install)",
+      "Bash(make docs)",
+      "Bash(make test-typescript)",
+      "Bash(make test-typescript-cdk)",
+      "Bash(make regenerate-code-example-results)",
+      "Bash(make eslint)",
+      "Bash(npx tsc:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

package/CLAUDE.md

@@ -0,0 +1,147 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+IAM Floyd is an AWS IAM policy statement generator with a fluent interface. It generates TypeScript classes for all AWS services and their actions, resources, and condition keys from AWS documentation. The project supports both standalone usage (`iam-floyd`) and AWS CDK integration (`cdk-iam-floyd`).
+
+## Core Architecture
+
+### Generated Code Structure
+
+- `lib/generated/policy-statements/` - Contains generated TypeScript classes for each AWS service (400+ services)
+- `lib/generated/index.ts` - Main export file that re-exports all service classes
+- `lib/generated/aws-managed-policies/` - Generated AWS managed policies
+- `lib/shared/` - Core shared classes like `PolicyStatement`, `All`, and `Operator`
+- `lib/collection/` - Predefined policy collections and utilities
+
+### Code Generation Pipeline
+
+The codebase uses a sophisticated generation system:
+
+1. `bin/generate.ts` - Main generation entry point that orchestrates the process
+2. `lib/generator/` - Contains the generation logic that scrapes AWS documentation
+3. Generated files are created in TypeScript and compiled to JavaScript for distribution
+
+### Key Classes
+
+- `PolicyStatement` - Base class for all policy statement builders
+- `All` - Global action provider for cross-service policies
+- Service-specific classes (e.g., `S3`, `EC2`, `Lambda`) - Each AWS service gets its own class with methods for actions, resources, and conditions
+
+## Development Commands
+
+### Building and Compilation
+
+```bash
+# Build the project (compiles TypeScript)
+make build
+# Convert project to CDK-variant
+```
+
+### Code Generation
+
+```bash
+# Generate service classes from AWS documentation
+make generate
+# Force regeneration (ignores time-based cache)
+make generate-force
+# Generate AWS managed policies index
+make index-managed-policies
+```
+
+### Testing
+
+```bash
+# Run main tests
+make test
+# Run CDK-specific tests
+make cdk-test
+# Convert package to CDK variant and run CDK-specific tests
+make cdk-all
+```
+
+### Linting and Code Quality
+
+```bash
+# Run ESLint
+make eslint
+# ESLint is configured with TypeScript, Prettier, and deprecation rules
+```
+
+### Package Management
+
+```bash
+# Create npm package
+make package
+# Clean all generated files and dependencies
+make clean
+# Reinstall dependencies
+make install
+```
+
+### CDK Variant Management
+
+```bash
+# Convert to CDK variant (modifies package.json and lib structure)
+make cdk
+# Revert CDK changes
+make uncdk
+```
+
+## Project Structure Patterns
+
+### Dual Package Strategy
+
+The project maintains two npm packages from a single codebase:
+
+- `iam-floyd` - Standalone IAM policy generator
+- `cdk-iam-floyd` - AWS CDK integration that extends `iam.PolicyStatement`
+
+The `bin/mkcdk.ts` script transforms the codebase between variants by modifying imports and package configuration.
+
+### TypeScript Configuration
+
+- `tsconfig.json` - Main TypeScript configuration with strict settings
+- `tsconfig.main.json` - Production build configuration
+- `tsconfig.test-*.json` - Test-specific configurations
+- Uses SWC for faster compilation via ts-node
+
+### Generated Code Conventions
+
+- All generated classes follow the pattern: `export class ServiceName extends PolicyStatement`
+- Method names correspond to AWS IAM action names (e.g., `getObject()`, `listBuckets()`)
+- Resource and condition methods use fluent interface patterns
+- Generated files include comprehensive JSDoc comments from AWS documentation
+
+## Important Notes
+
+### File Modification Rules
+
+- **Never manually edit files in `lib/generated/`** - These are auto-generated and will be overwritten
+- Generated code is created from AWS documentation and should only be updated via the generation process
+- Manual changes should only be made to files in `lib/shared/`, `lib/collection/`, and core infrastructure
+
+### Code Style
+
+- ESLint enforces strict TypeScript rules with Prettier formatting
+- Single quotes for strings, except in YAML files
+- Comprehensive type checking with `noImplicitAny` and strict null checks
+- Generated files are excluded from linting (`lib/generated/*` in `.eslintrc`)
+
+### Testing Strategy
+
+- Tests are located in the `test/` directory with its own Makefile
+- Supports both unit tests for the main package and CDK integration tests
+- CDK tests include actual deployment and destruction cycles for validation
+
+## Git Commit Conventions
+
+This project follows conventional commit patterns:
+
+- `chore(deps): description` - Dependency updates
+- `feat: description` - New features
+- `fix: description` - Bug fixes
+- `docs: description` - Documentation changes
+- Simple format: "Updates AWS managed policies" for automated policy updates

package/README.md

@@ -16,10 +16,10 @@
 <!-- stats -->
 Support for:
 
-- 421 Services
-- 18549 Actions
-- 1992 Resource Types
-- 1957 Condition keys
+- 429 Services
+- 19150 Actions
+- 2051 Resource Types
+- 2131 Condition keys
 <!-- /stats -->
 
 ![EXPERIMENTAL](https://img.shields.io/badge/stability-experimantal-orange?style=for-the-badge)**<br>This is an early version of the package. The API will change while I implement new features. Therefore make sure you use an exact version in your `package.json` before it reaches 1.0.0.**

package/lib/generated/aws-managed-policies/cdk-iam-floyd.d.ts

@@ -70,8 +70,14 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AmazonAuroraDSQLFullAccess(): aws_iam.IManagedPolicy;
     /** Provides read only access to Aurora DSQL */
     AmazonAuroraDSQLReadOnlyAccess(): aws_iam.IManagedPolicy;
+    /** Provides Bedrock Model inference permission to Bedrock agent core memory */
+    AmazonBedrockAgentCoreMemoryBedrockModelInferenceExecutionRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides full access to Amazon Bedrock as well as limited access to related services that are required by it */
     AmazonBedrockFullAccess(): aws_iam.IManagedPolicy;
+    /** Provides limited access to Amazon Bedrock as well as to related services that are required by it */
+    AmazonBedrockLimitedAccess(): aws_iam.IManagedPolicy;
+    /** Provides limited access to Amazon Bedrock Marketplace as well as to related services that are required by it */
+    AmazonBedrockMarketplaceAccess(): aws_iam.IManagedPolicy;
     /** Provides read only access to Amazon Bedrock */
     AmazonBedrockReadOnly(): aws_iam.IManagedPolicy;
     /** Defines the maximum permissions of IAM roles that Amazon Bedrock Studio creates for operating Amazon Bedrock Studio resources. */
@@ -256,6 +262,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AmazonEC2ContainerServiceRole(): aws_iam.IManagedPolicy;
     /** Provides full access to Amazon EC2 via the AWS Management Console. */
     AmazonEC2FullAccess(): aws_iam.IManagedPolicy;
+    /** Provides read-only access to scan all supported resource types for relevant data when using DescribeImageReferences. */
+    AmazonEC2ImageReferencesAccessPolicy(): aws_iam.IManagedPolicy;
     /** Provides read only access to Amazon EC2 via the AWS Management Console. */
     AmazonEC2ReadOnlyAccess(): aws_iam.IManagedPolicy;
     /** Provides EC2 access to S3 bucket to download revision. This role is needed by the CodeDeploy agent on EC2 instances. */
@@ -276,6 +284,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AmazonECSFullAccess(): aws_iam.IManagedPolicy;
     /** Policy to enable Amazon ECS Compute to manage your EC2 instances and related resources as part of ECS managed instances */
     AmazonECSComputeServiceRolePolicy(): aws_iam.IManagedPolicy;
+    /** Provides access to other AWS service resources required to manage load balancers associated with ECS workloads on your behalf. */
+    AmazonECSInfrastructureRolePolicyForLoadBalancers(): aws_iam.IManagedPolicy;
     /** Provides administrative access to Private Certificate Authority, AWS Secrets Manager and other AWS Services required to manage ECS Service Connect TLS features on your behalf. */
     AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity(): aws_iam.IManagedPolicy;
     /** Provides access to other AWS service resources required to manage volumes associated with ECS workloads on your behalf. */
@@ -298,6 +308,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AmazonEKSComputePolicy(): aws_iam.IManagedPolicy;
     /** This policy allows Amazon EKS to manage AWS resources for EKS connector */
     AmazonEKSConnectorServiceRolePolicy(): aws_iam.IManagedPolicy;
+    /** Provides read only access to view the dashboard in the Amazon EKS console. The dashboard aggregates information about multiple clusters and related resources using AWS Organizations. */
+    AmazonEKSDashboardConsoleReadOnly(): aws_iam.IManagedPolicy;
     /** This policy enables the Amazon EKS Dashboard to access and display organization-wide information. The policy allows the EKS Dashboard service to gather information about your AWS Organizations structure and accounts. */
     AmazonEKSDashboardServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides access to other AWS service resources that are required to run Amazon EKS pods on AWS Fargate */
@@ -476,6 +488,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AmazonInspector2AgentlessServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides full access to Amazon Inspector and access to other related services such as organizations. */
     AmazonInspector2FullAccess(): aws_iam.IManagedPolicy;
+    /** Provides full access to Amazon Inspector and access to other related services such as organizations with restrictive organizational access. */
+    AmazonInspector2FullAccessV2(): aws_iam.IManagedPolicy;
     /** This is a managed policy that customer should attach to their roles to communicate with inspector service for CIS scans */
     AmazonInspector2ManagedCisPolicy(): aws_iam.IManagedPolicy;
     /** Provides read only access to the Amazon inspector2 service and relevant support services */
@@ -780,6 +794,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AmazonS3ReadOnlyAccess(): aws_iam.IManagedPolicy;
     /** Provides full access to all S3 table buckets. */
     AmazonS3TablesFullAccess(): aws_iam.IManagedPolicy;
+    /** This managed policy grants AWS Lake Formation permissions to act on all table buckets, namespaces, and tables within the account. */
+    AmazonS3TablesLakeFormationServiceRole(): aws_iam.IManagedPolicy;
     /** Provides read only access to all S3 table buckets. */
     AmazonS3TablesReadOnlyAccess(): aws_iam.IManagedPolicy;
     /** Service role policy used by the AWS Service Catalog service to provision products from Amazon SageMaker portfolio of products. Grants permissions to a set of related services including CodePipeline, CodeBuild, CodeCommit, Glue, CloudFormation, etc,. */
@@ -816,8 +832,12 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AmazonSageMakerGeospatialFullAccess(): aws_iam.IManagedPolicy;
     /** Provides access to AWS services that are required to run SageMaker GroundTruth Labeling job */
     AmazonSageMakerGroundTruthExecution(): aws_iam.IManagedPolicy;
+    /** This policy provides administrative privileges required for setting up SageMaker HyperPod observability. It enables access to Amazon Managed Prometheus, Amazon Managed Grafana and EKS Addons. The policy also includes broad access to Grafana HTTP APIs through ServiceAccountTokens across all Amazon Managed Grafana workspaces in your account. */
+    AmazonSageMakerHyperPodObservabilityAdminAccess(): aws_iam.IManagedPolicy;
     /** This policy grants permissions to Amazon SageMaker HyperPod to related AWS services such as Amazon EKS, Amazon CloudWatch etc. */
     AmazonSageMakerHyperPodServiceRolePolicy(): aws_iam.IManagedPolicy;
+    /** This policy provides administrative permissions required to set up the SageMaker HyperPod training operator. It enables access to Amazon SageMaker HyperPod and EKS add-ons. The policy includes permissions to describe the SageMaker HyperPod resources in your account. */
+    AmazonSageMakerHyperPodTrainingOperatorAccess(): aws_iam.IManagedPolicy;
     /** Provides access to create Amazon Augmented AI FlowDefinition resources against any Workteam. */
     AmazonSageMakerMechanicalTurkAccess(): aws_iam.IManagedPolicy;
     /** This AWS managed policy grants permissions needed to use all Amazon SageMaker Governance features. The policy also provides select access to related services (e.g., S3, KMS). */
@@ -1184,6 +1204,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSBatchServiceEventTargetRole(): aws_iam.IManagedPolicy;
     /** Policy for AWS Batch service role which allows access to related services including EC2, Autoscaling, EC2 Container service and Cloudwatch Logs. */
     AWSBatchServiceRole(): aws_iam.IManagedPolicy;
+    /** Provides access for AWS Batch to queue and manage Amazon SageMaker workloads */
+    AWSBatchServiceRolePolicyForSageMaker(): aws_iam.IManagedPolicy;
     /** A service linked role to provide Billing and Cost Management Data Exports access to AWS service data for exporting the data to a target location, such as Amazon S3, on behalf of a customer. */
     AWSBCMDataExportsServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Use the AWSBillingConductorFullAccess managed policy to allow complete access to AWS Billing Conductor (ABC) console and APIs. This policy allows users to list, create and delete ABC resources. */
@@ -1192,6 +1214,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSBillingConductorReadOnlyAccess(): aws_iam.IManagedPolicy;
     /** Allows users to view bills on the Billing Console. */
     AWSBillingReadOnlyAccess(): aws_iam.IManagedPolicy;
+    /** Allows billing service to validate access to billing view data for derived billing views */
+    AWSBillingServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** This policy gives permissions to control AWS resources. For example, to start and stop EC2 or RDS instances by executing AWS Systems Manager (SSM) scripts. */
     AWSBudgetsActionsRolePolicyForResourceAdministrationWithSSM(): aws_iam.IManagedPolicy;
     /** Provides full access to AWS Budgets Actions including using Budgets Actions to control states of running AWS resources via AWS Management Console */
@@ -1428,6 +1452,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSDirectoryServiceFullAccess(): aws_iam.IManagedPolicy;
     /** Provides read only access to AWS Directory Service. */
     AWSDirectoryServiceReadOnlyAccess(): aws_iam.IManagedPolicy;
+    /** Policy for the Directory Service Service Linked Role */
+    AWSDirectoryServiceServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides write access to AWS resources required for AWS Discovery Continuous Export */
     AWSDiscoveryContinuousExportFirehosePolicy(): aws_iam.IManagedPolicy;
     /** Allows DMS Fleet Advisor to manage CloudWatch metrics on your behalf. */
@@ -1792,6 +1818,10 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSManagedServicesSelfServiceReportingServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Allows AWS Managed Services to manage deployment toolkit on your behalf. */
     AWSManagedServicesDeploymentToolkitPolicy(): aws_iam.IManagedPolicy;
+    /** Provides full access to configure and customize the AWS Management Console */
+    AWSManagementConsoleAdministratorAccess(): aws_iam.IManagedPolicy;
+    /** Grants access to essential AWS Management Console features and user experience (UX) capabilities for non-administrative users. */
+    AWSManagementConsoleBasicUserAccess(): aws_iam.IManagedPolicy;
     /** Allows AWS Marketplace to copy your Amazon Machine Images (AMIs) in order to list them on AWS Marketplace */
     AWSMarketplaceAmiIngestion(): aws_iam.IManagedPolicy;
     /** Allows AWS Marketplace to create and manage seller deployment parameters for the products that you subscribe to on AWS Marketplace. */
@@ -1878,20 +1908,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSNetworkManagerServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides access to manage AWS Config Configuration Recorder, manage AWS Config Configuration Aggregator, create AWS Config Service Linked Role for Configuration Recorder functionality, consume recorder configuration data, and read AWS Organizations data for organizational features. */
     AWSObservabilityAdminServiceRolePolicy(): aws_iam.IManagedPolicy;
-    /** Provides full access to AWS OpsWorks. */
-    AWSOpsWorksFullAccess(): aws_iam.IManagedPolicy;
-    /** Enables OpsWorks instances with the CWLogs integration enabled to ship logs and create required log groups */
-    AWSOpsWorksCloudWatchLogs(): aws_iam.IManagedPolicy;
-    /** Provides S3 access for instances launched by OpsWorks CM. */
-    AWSOpsWorksCMInstanceProfileRole(): aws_iam.IManagedPolicy;
-    /** Service Role Policy to be used for Creating OpsWorks CM servers. */
-    AWSOpsWorksCMServiceRole(): aws_iam.IManagedPolicy;
-    /** Provides access for an Amazon EC2 instance to register with an AWS OpsWorks stack. */
-    AWSOpsWorksInstanceRegistration(): aws_iam.IManagedPolicy;
-    /** Policy to enable registration of EC2 instances via the OpsWorks CLI */
-    AWSOpsWorksRegisterCLIEC2(): aws_iam.IManagedPolicy;
-    /** Policy to enable registration of On-Premises instances via the OpsWorks CLI */
-    AWSOpsWorksRegisterCLIOnPremises(): aws_iam.IManagedPolicy;
+    /** Provides access to manage AWS Config recorder resource and telemetry settings on AWS resources including logs, metrics. */
+    AWSObservabilityAdminTelemetryEnablementServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides full access to AWS Organizations. */
     AWSOrganizationsFullAccess(): aws_iam.IManagedPolicy;
     /** Provides read-only access to AWS Organizations. */
@@ -1926,6 +1944,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy(): aws_iam.IManagedPolicy;
     /** This policy can be used to grant read-only access to APIs that can read service metadata for services in your AWS account. You can use this policy to provide your partners in the Partner-Led Support Program with access to the services specified in the permissions details section below. */
     AWSPartnerLedSupportReadOnlyAccess(): aws_iam.IManagedPolicy;
+    /** Grants permission to AWS PCS compute nodes to connect to AWS PCS clusters. */
+    AWSPCSComputeNodePolicy(): aws_iam.IManagedPolicy;
     /** Grants permissions to PCS to manage resources on your behalf. */
     AWSPCSServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides full access to AWS Price List Service. */
@@ -2000,6 +2020,10 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSQuickSetupSSMLifecycleManagementExecutionPolicy(): aws_iam.IManagedPolicy;
     /** This policy grants permissions that allow Systems Manager to create prerequisites such as IAM roles required for Systems Manager onboarding. */
     AWSQuickSetupSSMManageResourcesExecutionPolicy(): aws_iam.IManagedPolicy;
+    /** This policy grants permissions that allow principals to run the AWSQuickSetupType-StartSSMAssociations Automation runbook, which starts State Manager Associations. */
+    AWSQuickSetupStartSSMAssociationsExecutionPolicy(): aws_iam.IManagedPolicy;
+    /** The managed policy AWSQuickSetupStartStopInstancesExecutionPolicy provides permissions for Quick Setup to start and stop Amazon EC2 instances on a schedule. This policy is used with the Quick Setup scheduler configuration type. */
+    AWSQuickSetupStartStopInstancesExecutionPolicy(): aws_iam.IManagedPolicy;
     /** Provides the set of permissions required to perform QuickSight Asset Bundle Export Operations */
     AWSQuickSightAssetBundleExportPolicy(): aws_iam.IManagedPolicy;
     /** Provides the set of permissions required to perform QuickSight Asset Bundle Import Operations */
@@ -2064,6 +2088,10 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSRoboMakerServicePolicy(): aws_iam.IManagedPolicy;
     /** RoboMaker service policy */
     AWSRoboMakerServiceRolePolicy(): aws_iam.IManagedPolicy;
+    /** Provides all permissions to IAM Roles Anywhere resources, including but not limited to: CreateProfile, DeleteTrustAnchor, DisableCRL, ResetNotificationSettings. */
+    AWSRolesAnywhereFullAccess(): aws_iam.IManagedPolicy;
+    /** Provides read-only permissions to IAM Roles Anywhere resources, including but not limited to: GetTrustAnchor, ListProfiles, GetCRL. There will be no other permissions for other services included in this policy. */
+    AWSRolesAnywhereReadOnly(): aws_iam.IManagedPolicy;
     /** Allows IAM Roles Anywhere to publish service/usage metrics to CloudWatch and check the status of Private Certificate Authorities on your behalf. */
     AWSRolesAnywhereServicePolicy(): aws_iam.IManagedPolicy;
     /** Allow Amazon S3 on Outposts service to manage EC2 network resources on your behalf. */
@@ -2248,6 +2276,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSTransferLoggingAccess(): aws_iam.IManagedPolicy;
     /** Provide readonly access to AWS Transfer services. */
     AWSTransferReadOnlyAccess(): aws_iam.IManagedPolicy;
+    /** Enables the AWS Transform service to deploy transformed .NET applications by creating and managing AWS resources. This policy grants permissions to provision infrastructure, manage compute resources, and configure deployment settings across various AWS services. */
+    AWSTransformApplicationDeploymentPolicy(): aws_iam.IManagedPolicy;
     /** Provides full access to AWS Trusted Advisor Priority. This policy also enables the user to add Trusted Advisor as a trusted service with AWS Organizations and to specify delegated administrator accounts for Trusted Advisor Priority. */
     AWSTrustedAdvisorPriorityFullAccess(): aws_iam.IManagedPolicy;
     /** Provides read-only access to AWS Trusted Advisor Priority. This includes permission to view the delegated administrator accounts. */
@@ -2300,10 +2330,16 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     AWSXrayWriteOnlyAccess(): aws_iam.IManagedPolicy;
     /** Provides administrative access for ARC zonal shift practice runs, and access to CloudWatch alarm statuses to monitor practice runs. */
     AWSZonalAutoshiftPracticeRunSLRPolicy(): aws_iam.IManagedPolicy;
+    /** Provides read-only access to the APIs needed to support zone-group access-management for organizations. */
+    AWSZoneGroupAccessManagementServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides access for the AWS Batch service to manage the required resources, including Amazon EC2 and Amazon ECS resources. */
     BatchServiceRolePolicy(): aws_iam.IManagedPolicy;
+    /** Provides full access to Bedrock AgentCore as well as limited access to related services */
+    BedrockAgentCoreFullAccess(): aws_iam.IManagedPolicy;
     /** Grants permissions for billing and cost management. This includes viewing account usage and viewing and modifying budgets and payment methods. */
     Billing(): aws_iam.IManagedPolicy;
+    /** Allows Budgets to verify access to Billing Views shared across account boundaries. */
+    BudgetsServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Amazon Certificate Manager Service Role Policy */
     CertificateManagerServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Policy to enable AWS Client VPN to manage your Client VPN endpoint connections. */
@@ -2530,6 +2566,8 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     KafkaConnectServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** IAM service linked role policy for Kafka. */
     KafkaServiceRolePolicy(): aws_iam.IManagedPolicy;
+    /** Grants the required permissions to Amazon Keyspaces for Change Data Capture */
+    KeyspacesCDCServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Permissions required by Keyspaces for cross-region data replication */
     KeyspacesReplicationServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Policy to grant temporary data access to Lake Formation resources */
@@ -2554,6 +2592,10 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     MigrationHubSMSAccessServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Policy for AWS Monitron service linked role granting access to required customer resources. */
     MonitronServiceRolePolicy(): aws_iam.IManagedPolicy;
+    /** Provides full access to Multi-party approval. This policy also includes related permissions to AWS Organizations and AWS IAM Identity for managing approval teams and identity sources. */
+    MultiPartyApprovalFullAccess(): aws_iam.IManagedPolicy;
+    /** Provides read-only access to Multi-party approval. This policy also includes related read permission to AWS Organizations and AWS IAM Identity for approval teams and identity sources. */
+    MultiPartyApprovalReadOnlyAccess(): aws_iam.IManagedPolicy;
     /** Provides full access to manage Amazon Neptune using the AWS Console. Note this policy also grants full access to publish on all SNS topics within the account, permissions to create and edit Amazon EC2 instances and VPC configurations, permissions to view and list keys on Amazon KMS, and full access to Amazon RDS. For more information, see https://aws.amazon.com/neptune/faqs/. */
     NeptuneConsoleFullAccess(): aws_iam.IManagedPolicy;
     /** Provides full access to Amazon Neptune. Note this policy also grants full access to publish on all SNS topics within the account and full access to Amazon RDS. For more information, see https://aws.amazon.com/neptune/faqs/. */
@@ -2616,6 +2658,10 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     ROSAManageSubscription(): aws_iam.IManagedPolicy;
     /** Allows Red Hat OpenShift Service on AWS (ROSA) to manage cluster EC2 instances as worker nodes, including permission to configure security groups and tag instances and volumes. This policy also allows for the use of EC2 instances with disk encryption provided by AWS Key Management Service (KMS) keys. */
     ROSANodePoolManagementPolicy(): aws_iam.IManagedPolicy;
+    /** Allows the Red Hat OpenShift Service on AWS (ROSA) installer to configure VPC Endpoints and Security Groups. Intended to be used on a shared VPC. */
+    ROSASharedVPCEndpointPolicy(): aws_iam.IManagedPolicy;
+    /** Allows the Red Hat OpenShift Service on AWS (ROSA) installer to configure Route53 records. Intended to be used on a shared VPC. */
+    ROSASharedVPCRoute53Policy(): aws_iam.IManagedPolicy;
     /** Provides ROSA site reliability engineering (SRE) the permissions needed to initially observe, diagnose, and support AWS resources associated with Red Hat OpenShift Service on AWS (ROSA) clusters, including the ability to change ROSA cluster node state. */
     ROSASRESupportPolicy(): aws_iam.IManagedPolicy;
     /** Allows Red Hat OpenShift Service on AWS (ROSA) worker nodes in your account read-only access to Amazon EC2 instances and AWS Regions for compute node lifecycle management. */
@@ -2628,6 +2674,14 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     S3StorageLensServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides access required to unlock a S3 bucket policy using the Security Token Service (STS) AssumeRoot API. Use this managed policy only with the STS AssumeRoot action. */
     S3UnlockBucketPolicy(): aws_iam.IManagedPolicy;
+    /** Provides initial administrative and individual setup privileges for Amazon SageMaker Unified Studio via the AWS Management Console and SDK. Allows launching of SageMaker Unified Studio Portal. */
+    SageMakerStudioAdminIAMConsolePolicy(): aws_iam.IManagedPolicy;
+    /** Administrative execution policy for using IAM roles with SageMaker Unified Studio. Allows admins to provision, manage and access resources in your account (excluding access to data resources) for IAM-based usage of SageMaker Unified Studio. */
+    SageMakerStudioAdminIAMDefaultExecutionPolicy(): aws_iam.IManagedPolicy;
+    /** Administrative execution policy for using IAM roles with SageMaker Unified Studio. Allows admins to provision, manage and access resources in the local account (including broad access to all APIs in data services like S3, Glue, CloudWatch Logs, and others) for IAM-based usage of SageMaker Unified Studio. */
+    SageMakerStudioAdminIAMPermissiveExecutionPolicy(): aws_iam.IManagedPolicy;
+    /** This IAM policy grants an IAM role full access to AWS Glue Data Catalog (metadata) and Amazon S3 (actual data) for data lake operations, with access scoped by account, and role tags. */
+    SageMakerStudioAdminProjectUserRolePolicy(): aws_iam.IManagedPolicy;
     /** Allows Amazon Bedrock Agents to access Amazon Bedrock models and other resources attached to an agent in SageMaker Studio. */
     SageMakerStudioBedrockAgentServiceRolePolicy(): aws_iam.IManagedPolicy;
     /** Provides access to an Amazon Bedrock chat agent app's configuration and Amazon Bedrock agent in SageMaker Studio. */
@@ -2664,6 +2718,12 @@ export declare class AwsManagedPolicy extends AwsManagedPolicyStatic {
     SageMakerStudioProjectUserRolePolicy(): aws_iam.IManagedPolicy;
     /** Amazon SageMaker Studio uses this policy when running query executions on federated connections. */
     SageMakerStudioQueryExecutionRolePolicy(): aws_iam.IManagedPolicy;
+    /** Provides individual setup privileges for Amazon SageMaker Unified Studio via the AWS Management Console and SDK. Allows launching of SageMaker Unified Studio Portal. */
+    SageMakerStudioUserIAMConsolePolicy(): aws_iam.IManagedPolicy;
+    /** Execution policy for using IAM roles with SageMaker Unified Studio. Allows users to access resources in the local account (excluding access to data resources) for IAM-based usage of SageMaker Unified Studio. */
+    SageMakerStudioUserIAMDefaultExecutionPolicy(): aws_iam.IManagedPolicy;
+    /** Execution policy for using IAM roles with SageMaker Unified Studio. Allows users to access resources in your account (including broad access to all APIs in data services like S3, Glue, CloudWatch Logs, and others) for IAM-based usage of SageMaker Unified Studio. */
+    SageMakerStudioUserIAMPermissiveExecutionPolicy(): aws_iam.IManagedPolicy;
     /** Provides read/write access to AWS Secrets Manager via the AWS Management Console. Note: this exludes IAM actions, so combine with IAMFullAccess if rotation configuration is required. */
     SecretsManagerReadWrite(): aws_iam.IManagedPolicy;
     /** The security audit template grants access to read security configuration metadata. It is useful for software that audits the configuration of an AWS account. */