diff --git a/policies/AmazonConnectServiceLinkedRolePolicy b/policies/AmazonConnectServiceLinkedRolePolicy
index 96662c5b84..00ad738a2d 100644
--- a/policies/AmazonConnectServiceLinkedRolePolicy
+++ b/policies/AmazonConnectServiceLinkedRolePolicy
@@ -1,7 +1,7 @@
 {
 "PolicyVersion": {
- "CreateDate": "2024-11-14T18:06:40Z",
- "VersionId": "v20",
+ "CreateDate": "2024-11-21T23:06:06Z",
+ "VersionId": "v21",
 "Document": {
 "Version": "2012-10-17",
 "Statement": [
@@ -357,6 +357,17 @@
 }
 },
 "Sid": "AllowSocialMessagingOperations"
+ },
+ {
+ "Action": "mobiletargeting:SendMessages",
+ "Resource": "arn:aws:mobiletargeting:*:*:apps/*",
+ "Effect": "Allow",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ },
+ "Sid": "AllowMobileTargetingOperationsForConnect"
 }
 ]
 },
diff --git a/policies/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary b/policies/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
index f4b8fef794..5edf612c61 100644
--- a/policies/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
+++ b/policies/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
@@ -1,7 +1,7 @@
 {
 "PolicyVersion": {
- "CreateDate": "2024-05-08T02:03:49Z",
- "VersionId": "v4",
+ "CreateDate": "2024-11-21T23:06:06Z",
+ "VersionId": "v5",
 "Document": {
 "Version": "2012-10-17",
 "Statement": [
@@ -45,18 +45,20 @@
 ],
 "Resource": [
 "arn:aws:sagemaker:*:*:app/*",
- "arn:aws:sagemaker:*:*:space/*"
+ "arn:aws:sagemaker:*:*:space/*",
+ "arn:aws:sagemaker:*:*:user-profile/*"
 ],
 "Effect": "Allow",
 "Condition": {
 "StringEquals": {
 "sagemaker:TaggingAction": [
 "CreateApp",
- "CreateSpace"
+ "CreateSpace",
+ "CreateUserProfile"
 ]
 }
 },
- "Sid": "AllowAddTagsForAppAndSpace"
+ "Sid": "AllowAddTagsForDomainResources"
 },
 {
 "Action": [
diff --git a/policies/CloudWatchSyntheticsFullAccess
index 795e059aad..2aba670b30 100644
--- a/policies/CloudWatchSyntheticsFullAccess
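Review bot: The new `AllowMobileTargetingOperationsForConnect` statement grants `mobiletargeting:SendMessages` on `arn:aws:mobiletargeting:*:*:apps/*`, so the Connect service-linked role may send through every Pinpoint application in the account, not only the ones associated with a Connect instance. The `aws:ResourceAccount` condition prevents cross-account use but does not narrow which applications are in scope. If the service tags the applications it provisions, an `aws:ResourceTag` condition on this statement would pin the grant to those; if account-wide scope is genuinely required, the commit description should record why, since every other new statement in this commit is either tag- or name-scoped.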
+++ b/policies/CloudWatchSyntheticsFullAccess
@@ -1,7 +1,7 @@
 {
 "PolicyVersion": {
- "CreateDate": "2024-10-11T17:07:13Z",
- "VersionId": "v10",
+ "CreateDate": "2024-11-21T22:21:05Z",
+ "VersionId": "v11",
 "Document": {
 "Version": "2012-10-17",
 "Statement": [
@@ -109,6 +109,25 @@
 ],
 "Effect": "Allow"
 },
+ {
+ "Action": [
+ "logs:GetLogRecord",
+ "logs:DescribeLogStreams",
+ "logs:StartQuery",
+ "logs:GetLogEvents",
+ "logs:FilterLogEvents",
+ "logs:GetLogGroupFields"
+ ],
+ "Resource": [
+ "arn:aws:logs:*:*:log-group:/aws/lambda/cwsyn-*"
+ ],
+ "Effect": "Allow",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ }
+ },
 {
 "Action": [
 "lambda:CreateFunction",
@@ -117,6 +136,7 @@
 "lambda:UpdateFunctionCode",
 "lambda:UpdateFunctionConfiguration",
 "lambda:GetFunctionConfiguration",
+ "lambda:GetFunction",
 "lambda:DeleteFunction",
 "lambda:ListTags",
 "lambda:TagResource",
@@ -136,7 +156,8 @@
 "Resource": [
 "arn:aws:lambda:*:*:layer:cwsyn-*",
 "arn:aws:lambda:*:*:layer:Synthetics:*",
- "arn:aws:lambda:*:*:layer:Synthetics_Selenium:*"
+ "arn:aws:lambda:*:*:layer:Synthetics_Selenium:*",
+ "arn:aws:lambda:*:*:layer:AWS-CW-Synthetics*:*"
 ],
 "Effect": "Allow"
 },
diff --git a/policies/SageMakerStudioProjectProvisioningRolePolicy b/policies/SageMakerStudioProjectProvisioningRolePolicy
index 4e406d385c..6ef197b7d0 100644
--- a/policies/SageMakerStudioProjectProvisioningRolePolicy
+++ b/policies/SageMakerStudioProjectProvisioningRolePolicy
@@ -1,7 +1,7 @@
 {
 "PolicyVersion": {
- "CreateDate": "2024-11-20T21:58:39Z",
- "VersionId": "v1",
+ "CreateDate": "2024-11-21T22:36:06Z",
+ "VersionId": "v2",
 "Document": {
 "Version": "2012-10-17",
 "Statement": [
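Review bot: `lambda:GetFunction`, added in the `@@ -117` hunk, is a code-read grant rather than a metadata read like the neighbouring `lambda:GetFunctionConfiguration`: its response includes a presigned URL for the function's deployment package. The statement's `Resource` list lies outside this hunk, so it is not visible here whether the grant is limited to the `cwsyn-*` canary functions; confirm that it is, so that package download stays confined to canary code and cannot reach other functions in the account.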
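Review bot: `arn:aws:lambda:*:*:layer:AWS-CW-Synthetics*:*` in the `@@ -136` hunk is the only entry in this resource list that wildcards the layer name after a prefix; the siblings `Synthetics:*` and `Synthetics_Selenium:*` name their layer exactly and wildcard only the version. With the account field also `*`, the new entry matches any layer in any account whose name begins with `AWS-CW-Synthetics`, including customer-created layers that reuse the prefix. If this is meant to cover a family of AWS-published runtime layers that is probably acceptable, but if the set is known, listing the exact names keeps the grant as tight as the existing entries. The statement's `Action` list is outside the hunk.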
@@ -212,7 +212,8 @@
 "arn:aws:iam::*:role/AmazonBedrockExecution*",
 "arn:aws:iam::*:role/BedrockStudio*",
 "arn:aws:iam::*:role/AmazonBedrockConsumptionRole*",
- "arn:aws:iam::*:role/AmazonBedrockEvaluation*"
+ "arn:aws:iam::*:role/AmazonBedrockEvaluation*",
+ "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole"
 ],
 "Effect": "Allow",
 "Condition": {
@@ -256,7 +257,8 @@
 "arn:aws:iam::*:role/AmazonBedrockExecution*",
 "arn:aws:iam::*:role/BedrockStudio*",
 "arn:aws:iam::*:role/AmazonBedrockConsumptionRole*",
- "arn:aws:iam::*:role/AmazonBedrockEvaluation*"
+ "arn:aws:iam::*:role/AmazonBedrockEvaluation*",
+ "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole"
 ],
 "Effect": "Allow",
 "Condition": {
@@ -279,7 +281,9 @@
 "DomainBucketName",
 "KmsKeyId",
 "LogGroupName",
- "RoleName"
+ "RoleName",
+ "vpcArn",
+ "CreatedForUseWithSageMakerStudio"
 ]
 }
 },
@@ -406,7 +410,11 @@
 "iam:ListPolicyVersions",
 "iam:DeletePolicyVersion"
 ],
- "Resource": "arn:aws:iam::*:policy/datazone*",
+ "Resource": [
+ "arn:aws:iam::*:policy/datazone*",
+ "arn:aws:iam::*:policy/connector*",
+ "arn:aws:iam::*:policy/SageMakerStudioQueryExecutionRolePolicy"
+ ],
 "Effect": "Allow",
 "Condition": {
 "StringEquals": {
@@ -453,7 +461,8 @@
 {
 "Action": "iam:PassRole",
 "Resource": [
- "arn:aws:iam::*:role/datazone_usr_role_*"
+ "arn:aws:iam::*:role/datazone_usr_role_*",
+ "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole"
 ],
 "Effect": "Allow",
 "Condition": {
@@ -1070,7 +1079,8 @@
 "redshift-serverless:CreateNamespace",
 "redshift-serverless:CreateWorkgroup",
 "redshift-serverless:DeleteNamespace",
- "redshift-serverless:DeleteWorkgroup"
+ "redshift-serverless:DeleteWorkgroup",
+ "redshift-serverless:ListTagsForResource"
 ],
 "Resource": [
 "arn:aws:redshift-serverless:*:*:namespace/*",
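Review bot: The `@@ -212` and `@@ -256` hunks add the exact role `arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole` to two resource lists whose `Action` lists are outside the hunks, and the same role is added again under `iam:PassRole` (`@@ -453`) and `iam:GetRole` (`@@ -2226`). With the account component wildcarded, the only thing pinning these role grants to the caller's own account is the `Condition` that begins on the last line of each hunk and continues past it; confirm each of those blocks carries `"aws:ResourceAccount": "${aws:PrincipalAccount}"` as the other statements in this file do. Since this role is named exactly rather than by prefix, a brief line in the commit description saying which component creates it would help later reviewers match the grants to their consumer.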
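Review bot: `vpcArn` in the `@@ -279` hunk breaks the PascalCase used by every other key in this list (`DomainBucketName`, `KmsKeyId`, `LogGroupName`, `RoleName`, `CreatedForUseWithSageMakerStudio`). The condition key this list feeds is outside the hunk, but if it is a tag-key match the comparison may be case-sensitive, in which case the casing must be exactly what the service writes. If `vpcArn` is deliberately lowercase-initial because that is the key the service emits, the commit description should say so; otherwise `VpcArn` would be the consistent spelling.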
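Review bot: `arn:aws:iam::*:policy/connector*` in the `@@ -406` hunk is a very generic prefix next to `datazone*` and the exact `SageMakerStudioQueryExecutionRolePolicy`: with `iam:DeletePolicyVersion` among the visible actions, any customer-managed policy whose name happens to start with `connector` now falls inside this statement's scope. The rest of the `Action` list and the `StringEquals` condition are outside the hunk, so a tag or path condition may already narrow it; if not, using the full prefix the service actually applies when it creates these policies would keep the grant as tight as the `datazone*` entry.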
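Review bot: The `iam:PassRole` grant in the `@@ -453` hunk now covers `SageMakerStudioQueryExecutionRole`, but the `Condition` block that should bound it continues past the hunk. PassRole is the step that hands a role to another service, so confirm that block restricts `iam:PassedToService` to the service(s) meant to assume this role and keeps the `aws:ResourceAccount` check the file uses elsewhere; without the former, the statement allows passing the role to any service that accepts it.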
@@ -1431,7 +1441,8 @@
 "Action": [
 "secretsmanager:CreateSecret",
 "secretsmanager:DeleteSecret",
- "secretsmanager:UpdateSecret"
+ "secretsmanager:UpdateSecret",
+ "secretsmanager:DescribeSecret"
 ],
 "Resource": "*",
 "Effect": "Allow",
@@ -1713,6 +1724,9 @@
 ],
 "Effect": "Allow",
 "Condition": {
+ "Null": {
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
+ },
 "StringEquals": {
 "aws:ResourceAccount": "${aws:PrincipalAccount}"
 }
@@ -1724,6 +1738,9 @@
 "Resource": "arn:aws:sagemaker:*:*:space/*",
 "Effect": "Allow",
 "Condition": {
+ "Null": {
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
+ },
 "StringEquals": {
 "aws:ResourceAccount": "${aws:PrincipalAccount}"
 }
@@ -1735,6 +1752,9 @@
 "Resource": "arn:aws:sagemaker:*:*:user-profile/*",
 "Effect": "Allow",
 "Condition": {
+ "Null": {
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
+ },
 "StringEquals": {
 "aws:ResourceAccount": "${aws:PrincipalAccount}"
 }
@@ -2226,6 +2246,19 @@
 }
 },
 "Sid": "AirflowKmsDescribeKey"
+ },
+ {
+ "Action": [
+ "iam:GetRole"
+ ],
+ "Resource": "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole",
+ "Effect": "Allow",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ },
+ "Sid": "GetRolePermissionsForSageMakerStudioQueryExecutionRole"
 }
 ]
 },
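Review bot: `secretsmanager:DescribeSecret` in the `@@ -1431` hunk joins a statement whose `Resource` is `"*"`, so the role can read the metadata (name, tags, rotation settings, replication) of every secret in the account rather than only the ones it creates. The `Condition` that follows is outside the hunk; confirm it scopes the statement by `secretsmanager:ResourceTag/...` or a name pattern, or move the read into its own statement limited to the secrets this role manages. DescribeSecret does not return the secret value, so the exposure is metadata, but an account-wide secret inventory is still more than a provisioning role needs.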
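Review bot: The `Null` condition added in the `@@ -1713`, `@@ -1724` and `@@ -1735` hunks only requires that the `AmazonDataZoneProject` tag be present on the app, space or user-profile; it does not check the tag's value, so any value satisfies it. That makes tag governance the effective control: whichever principals may apply that tag key to these SageMaker resources decide what falls inside these statements. If the intent is to stay within a specific project, pairing the `Null` check with a `StringEquals` on `aws:ResourceTag/AmazonDataZoneProject` against the expected value would pin it; if tag presence is the intended contract, recording that in the commit description would stop a later reviewer from tightening it by accident. The `Action` lists of all three statements are outside the hunks.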