Merge pull request #2079 from udondan/iam-updates

udondan · web-flow · commit e017f09f03ad · 2026-05-05T05:10:14.000+02:00
diff --git a/CHANGELOG/v0.784.0.md b/CHANGELOG/v0.784.0.md
@@ -0,0 +1,11 @@
+**New services:**
+
+- application-signals-mcp
+
+**New actions:**
+
+- cloudwatch:CallWithBearerToken
+- securityhub:GenerateRecommendedPolicyV2
+- securityhub:GetRecommendedPolicyV2
+- securityhub:GetUsageV2
+- securityhub:ListAccountUsageV2
diff --git a/README.md b/README.md
@@ -15,10 +15,10 @@
 <!-- stats -->
 Support for:
 
-- 448 Services
-- 20740 Actions
-- 2208 Resource Types
-- 2336 Condition keys
+- 449 Services
+- 20747 Actions
+- 2209 Resource Types
+- 2337 Condition keys
 <!-- /stats -->
 
 ![EXPERIMENTAL](https://img.shields.io/badge/stability-experimantal-orange?style=for-the-badge)**<br>This is an early version of the package. The API will change while I implement new features. Therefore make sure you use an exact version in your `package.json` before it reaches 1.0.0.**
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.783.0
+0.784.0
diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -24,7 +24,7 @@
 author = 'Daniel Schroeder'
 
 # The full version, including alpha/beta/rc tags
-release = '0.783.0'
+release = '0.784.0'
 
 # -- General configuration ---------------------------------------------------
 
diff --git a/docs/source/index.rst b/docs/source/index.rst
@@ -30,10 +30,10 @@ AWS IAM policy statement generator with fluent interface.
 
 Support for:
 
-- 448 Services
-- 20740 Actions
-- 2208 Resource Types
-- 2336 Condition keys
+- 449 Services
+- 20747 Actions
+- 2209 Resource Types
+- 2337 Condition keys
 
 ..
    /stats
diff --git a/lib/generated/index.ts b/lib/generated/index.ts
@@ -22,6 +22,7 @@ export { Cloudsearch } from './policy-statements/cloudsearch';
 export { Cloudwatch } from './policy-statements/cloudwatch';
 export { Applicationinsights } from './policy-statements/cloudwatchapplicationinsights';
 export { ApplicationSignals } from './policy-statements/cloudwatchapplicationsignals';
+export { ApplicationSignalsMcp } from './policy-statements/cloudwatchapplicationsignalsmcpserver';
 export { Evidently } from './policy-statements/cloudwatchevidently';
 export { Internetmonitor } from './policy-statements/cloudwatchinternetmonitor';
 export { Logs } from './policy-statements/cloudwatchlogs';
diff --git a/lib/generated/policy-statements/cloudwatch.ts b/lib/generated/policy-statements/cloudwatch.ts
@@ -40,6 +40,17 @@ export class Cloudwatch extends PolicyStatement {
     return this.to('BatchGetServiceLevelObjectiveBudgetReport');
   }
 
+  /**
+   * Grants permission to make API calls to CloudWatch using bearer token authentication
+   *
+   * Access Level: Write
+   *
+   * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/permissions-reference-cw.html
+   */
+  public toCallWithBearerToken() {
+    return this.to('CallWithBearerToken');
+  }
+
   /**
    * Grants permission to create a service level objective
    *
@@ -569,6 +580,10 @@ export class Cloudwatch extends PolicyStatement {
    *
    * Access Level: Write
    *
+   * Possible conditions:
+   * - .ifAwsRequestTag()
+   * - .ifAwsTagKeys()
+   *
    * https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutDashboard.html
    */
   public toPutDashboard() {
@@ -774,6 +789,7 @@ export class Cloudwatch extends PolicyStatement {
       'ListManagedInsightRules'
     ],
     Write: [
+      'CallWithBearerToken',
       'CreateServiceLevelObjective',
       'DeleteAlarmMuteRule',
       'DeleteAlarms',
@@ -862,6 +878,9 @@ export class Cloudwatch extends PolicyStatement {
    * @param dashboardName - Identifier for the dashboardName.
    * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
    * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+   *
+   * Possible conditions:
+   * - .ifAwsResourceTag()
    */
   public onDashboard(dashboardName: string, account?: string, partition?: string) {
     return this.on(`arn:${ partition ?? this.defaultPartition }:cloudwatch::${ account ?? this.defaultAccount }:dashboard/${ dashboardName }`);
@@ -946,6 +965,7 @@ export class Cloudwatch extends PolicyStatement {
    * - .toListManagedInsightRules()
    * - .toPutAlarmMuteRule()
    * - .toPutCompositeAlarm()
+   * - .toPutDashboard()
    * - .toPutInsightRule()
    * - .toPutManagedInsightRules()
    * - .toPutMetricAlarm()
@@ -968,6 +988,7 @@ export class Cloudwatch extends PolicyStatement {
    * Applies to resource types:
    * - alarm
    * - alarm-mute-rule
+   * - dashboard
    * - insight-rule
    * - metric-stream
    * - slo
@@ -991,6 +1012,7 @@ export class Cloudwatch extends PolicyStatement {
    * - .toListManagedInsightRules()
    * - .toPutAlarmMuteRule()
    * - .toPutCompositeAlarm()
+   * - .toPutDashboard()
    * - .toPutInsightRule()
    * - .toPutManagedInsightRules()
    * - .toPutMetricAlarm()
diff --git a/lib/generated/policy-statements/cloudwatchapplicationsignalsmcpserver.ts b/lib/generated/policy-statements/cloudwatchapplicationsignalsmcpserver.ts
@@ -0,0 +1,82 @@
+import { AccessLevelList } from '../../shared/access-level';
+import { PolicyStatement, Operator } from '../../shared';
+
+/**
+ * Statement provider for service [application-signals-mcp](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationsignalsmcpserver.html).
+ *
+ * @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
+ */
+export class ApplicationSignalsMcp extends PolicyStatement {
+  public servicePrefix = 'application-signals-mcp';
+
+  /**
+   * Statement provider for service [application-signals-mcp](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationsignalsmcpserver.html).
+   *
+   * @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
+   */
+  constructor(sid?: string) {
+    super(sid);
+  }
+
+  /**
+   * Grants permission to invoke read-only Application Signals MCP tools (list_monitored_services, get_service_detail, query_service_metrics, list_service_operations, get_slo, list_slos, search_transaction_spans, query_sampled_traces, list_slis, get_enablement_guide, list_change_events, list_group_services, audit_group_health, get_group_dependencies, get_group_changes, list_grouping_attribute_definitions, audit_services, audit_slos, audit_service_operations, analyze_canary_failures)
+   *
+   * Access Level: Read
+   *
+   * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Signals.html
+   */
+  public toCallReadOnlyTool() {
+    return this.to('CallReadOnlyTool');
+  }
+
+  /**
+   * Grants permission to connect to and interact with the Application Signals MCP server (initialize, list tools, list resources, list prompts)
+   *
+   * Access Level: Read
+   *
+   * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Signals.html
+   */
+  public toInvokeMcp() {
+    return this.to('InvokeMcp');
+  }
+
+  protected accessLevelList: AccessLevelList = {
+    Read: [
+      'CallReadOnlyTool',
+      'InvokeMcp'
+    ]
+  };
+
+  /**
+   * Adds a resource of type mcp-server to the statement
+   *
+   * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Signals.html
+   *
+   * @param resourceName - Identifier for the resourceName.
+   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
+   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
+   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+   *
+   * Possible conditions:
+   * - .ifAwsResourceTag()
+   */
+  public onMcpServer(resourceName: string, account?: string, region?: string, partition?: string) {
+    return this.on(`arn:${ partition ?? this.defaultPartition }:application-signals-mcp:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:mcp-server/${ resourceName }`);
+  }
+
+  /**
+   * Filters access by tag key-value pairs attached to the resource
+   *
+   * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag
+   *
+   * Applies to resource types:
+   * - mcp-server
+   *
+   * @param tagKey The tag key to check
+   * @param value The value(s) to check
+   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+   */
+  public ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string) {
+    return this.if(`aws:ResourceTag/${ tagKey }`, value, operator ?? 'StringLike');
+  }
+}
diff --git a/lib/generated/policy-statements/devopsagentservice.ts b/lib/generated/policy-statements/devopsagentservice.ts
@@ -795,7 +795,7 @@ export class Aidevops extends PolicyStatement {
    * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
    */
   public onAssociations(agentSpaceId: string, associationId: string, account?: string, region?: string, partition?: string) {
-    return this.on(`arn:${ partition ?? this.defaultPartition }:aidevops:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:agentspace/${ agentSpaceId }/associations/${ associationId }`);
+    return this.on(`arn:${ partition ?? this.defaultPartition }:aidevops:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:agentspace/${ agentSpaceId }/association/${ associationId }`);
   }
 
   /**
diff --git a/lib/generated/policy-statements/redshift.ts b/lib/generated/policy-statements/redshift.ts
@@ -93,7 +93,7 @@ export class Redshift extends PolicyStatement {
   }
 
   /**
-   * Grants permission to Amazon Redshift to continuously validate that the target data warehouse can receive data replicated from the source ARN
+   * Grants permission to Amazon Redshift to continuously validate that the target namespace can receive data replicated from the source ARN
    *
    * Access Level: Write
    *
@@ -369,7 +369,7 @@ export class Redshift extends PolicyStatement {
   }
 
   /**
-   * Grants permission to the source principal to create an inbound integration for data to be replicated from the source into the target data warehouse
+   * Grants permission to the source principal to create an integration into the namespace of target data warehouse
    *
    * Access Level: Write
    *
diff --git a/lib/generated/policy-statements/securityhub.ts b/lib/generated/policy-statements/securityhub.ts
@@ -675,6 +675,17 @@ export class Securityhub extends PolicyStatement {
     return this.to('EnableSecurityHubV2');
   }
 
+  /**
+   * Grants permission to generate policy recommendations for an OCSF finding
+   *
+   * Access Level: Write
+   *
+   * https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GenerateRecommendedPolicyV2.html
+   */
+  public toGenerateRecommendedPolicyV2() {
+    return this.to('GenerateRecommendedPolicyV2');
+  }
+
   /**
    * Grants permission to retrieve aggregated statistical data about the findings
    *
@@ -906,6 +917,17 @@ export class Securityhub extends PolicyStatement {
     return this.to('GetMembers');
   }
 
+  /**
+   * Grants permission to retrieve policy recommendations for an OCSF finding
+   *
+   * Access Level: Read
+   *
+   * https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetRecommendedPolicyV2.html
+   */
+  public toGetRecommendedPolicyV2() {
+    return this.to('GetRecommendedPolicyV2');
+  }
+
   /**
    * Grants permission to retrieve aggregate statistics about resources
    *
@@ -964,6 +986,17 @@ export class Securityhub extends PolicyStatement {
     return this.to('GetUsage');
   }
 
+  /**
+   * Grants permission to retrieve information about Security Hub usage for an account
+   *
+   * Access Level: Read
+   *
+   * https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetUsageV2.html
+   */
+  public toGetUsageV2() {
+    return this.to('GetUsageV2');
+  }
+
   /**
    * Grants permission to invite other AWS accounts to become Security Hub member accounts
    *
@@ -975,6 +1008,17 @@ export class Securityhub extends PolicyStatement {
     return this.to('InviteMembers');
   }
 
+  /**
+   * Grants permission to retrieve a list of Security Hub usage for accounts in an organization
+   *
+   * Access Level: List
+   *
+   * https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListAccountUsageV2.html
+   */
+  public toListAccountUsageV2() {
+    return this.to('ListAccountUsageV2');
+  }
+
   /**
    * Grants permission to retrieve a list of aggregatorsV2, which configures data aggregation across Regions
    *
@@ -1391,6 +1435,7 @@ export class Securityhub extends PolicyStatement {
       'EnableOrganizationAdminAccount',
       'EnableSecurityHub',
       'EnableSecurityHubV2',
+      'GenerateRecommendedPolicyV2',
       'InviteMembers',
       'StartConfigurationPolicyAssociation',
       'StartConfigurationPolicyDisassociation',
@@ -1443,11 +1488,13 @@ export class Securityhub extends PolicyStatement {
       'GetInvitationsCount',
       'GetMasterAccount',
       'GetMembers',
+      'GetRecommendedPolicyV2',
       'GetResourcesStatisticsV2',
       'GetResourcesTrendsV2',
       'GetResourcesV2',
       'GetSecurityControlDefinition',
       'GetUsage',
+      'GetUsageV2',
       'ListControlEvaluationSummaries',
       'ListTagsForResource',
       'SendFindingEvents',
@@ -1456,6 +1503,7 @@ export class Securityhub extends PolicyStatement {
     List: [
       'GetEnabledStandards',
       'GetInsights',
+      'ListAccountUsageV2',
       'ListAggregatorsV2',
       'ListAutomationRules',
       'ListAutomationRulesV2',
diff --git a/stats/actions/application-signals-mcp b/stats/actions/application-signals-mcp
@@ -0,0 +1,2 @@
+application-signals-mcp:CallReadOnlyTool;Read
+application-signals-mcp:InvokeMcp;Read
diff --git a/stats/actions/cloudwatch b/stats/actions/cloudwatch
@@ -1,5 +1,6 @@
 cloudwatch:BatchGetServiceLevelIndicatorReport;Read
 cloudwatch:BatchGetServiceLevelObjectiveBudgetReport;Read
+cloudwatch:CallWithBearerToken;Write
 cloudwatch:CreateServiceLevelObjective;Write
 cloudwatch:DeleteAlarmMuteRule;Write
 cloudwatch:DeleteAlarms;Write
diff --git a/stats/actions/securityhub b/stats/actions/securityhub
@@ -53,6 +53,7 @@ securityhub:EnableImportFindingsForProduct;Write
 securityhub:EnableOrganizationAdminAccount;Write
 securityhub:EnableSecurityHub;Write
 securityhub:EnableSecurityHubV2;Write
+securityhub:GenerateRecommendedPolicyV2;Write
 securityhub:GetAdhocInsightResults;Read
 securityhub:GetAdministratorAccount;Read
 securityhub:GetAggregatorV2;Read
@@ -74,12 +75,15 @@ securityhub:GetInsights;List
 securityhub:GetInvitationsCount;Read
 securityhub:GetMasterAccount;Read
 securityhub:GetMembers;Read
+securityhub:GetRecommendedPolicyV2;Read
 securityhub:GetResourcesStatisticsV2;Read
 securityhub:GetResourcesTrendsV2;Read
 securityhub:GetResourcesV2;Read
 securityhub:GetSecurityControlDefinition;Read
 securityhub:GetUsage;Read
+securityhub:GetUsageV2;Read
 securityhub:InviteMembers;Write
+securityhub:ListAccountUsageV2;List
 securityhub:ListAggregatorsV2;List
 securityhub:ListAutomationRules;List
 securityhub:ListAutomationRulesV2;List
diff --git a/stats/conditions/application-signals-mcp b/stats/conditions/application-signals-mcp
@@ -0,0 +1 @@
+application-signals-mcp:ResourceTag/${TagKey}
diff --git a/stats/resources/application-signals-mcp b/stats/resources/application-signals-mcp
@@ -0,0 +1 @@
+application-signals-mcp:mcp-server
diff --git a/stats/services b/stats/services
@@ -23,6 +23,7 @@ appfabric
 appflow
 application-autoscaling
 application-signals
+application-signals-mcp
 application-transformation
 applicationinsights
 appmesh

Original file line number	Diff line number	Diff line change
`@@ -795,7 +795,7 @@ export class Aidevops extends PolicyStatement {`
`795`	`795`	* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
`796`	`796`	`*/`
`797`	`797`	`public onAssociations(agentSpaceId: string, associationId: string, account?: string, region?: string, partition?: string) {`
`798`		- return this.on(`arn:${ partition ?? this.defaultPartition }:aidevops:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:agentspace/${ agentSpaceId }/associations/${ associationId }`);
	`798`	+ return this.on(`arn:${ partition ?? this.defaultPartition }:aidevops:${ region ?? this.defaultRegion }:${ account ?? this.defaultAccount }:agentspace/${ agentSpaceId }/association/${ associationId }`);
`799`	`799`	`}`
`800`	`800`
`801`	`801`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ export class Redshift extends PolicyStatement {`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`/**`
`96`		`- * Grants permission to Amazon Redshift to continuously validate that the target data warehouse can receive data replicated from the source ARN`
	`96`	`+ * Grants permission to Amazon Redshift to continuously validate that the target namespace can receive data replicated from the source ARN`
`97`	`97`	`*`
`98`	`98`	`* Access Level: Write`
`99`	`99`	`*`
`@@ -369,7 +369,7 @@ export class Redshift extends PolicyStatement {`
`369`	`369`	`}`
`370`	`370`
`371`	`371`	`/**`
`372`		`- * Grants permission to the source principal to create an inbound integration for data to be replicated from the source into the target data warehouse`
	`372`	`+ * Grants permission to the source principal to create an integration into the namespace of target data warehouse`
`373`	`373`	`*`
`374`	`374`	`* Access Level: Write`
`375`	`375`	`*`