@cloud-copilot/iam-data
{
"aws:requesttag/${tagkey}": {
"key": "aws:RequestTag/${TagKey}",
"description": "Filters access by a tag key and value pair that is allowed in the request",
"type": "String"
},
"aws:resourcetag/${tagkey}": {
"key": "aws:ResourceTag/${TagKey}",
"description": "Filters access by a tag key and value pair of a resource",
"type": "String"
},
"aws:tagkeys": {
"key": "aws:TagKeys",
"description": "Filters access by a list of tag keys that are allowed in the request",
"type": "ArrayOfString"
},
"ec2:acceptervpc": {
"key": "ec2:AccepterVpc",
"description": "Filters access by the ARN of an accepter VPC in a VPC peering connection",
"type": "ARN"
},
"ec2:add/group": {
"key": "ec2:Add/group",
"description": "Filters access by the group being added to a snapshot",
"type": "String"
},
"ec2:add/userid": {
"key": "ec2:Add/userId",
"description": "Filters access by the account id being added to a snapshot",
"type": "String"
},
"ec2:allocationid": {
"key": "ec2:AllocationId",
"description": "Filters access by the allocation ID of the Elastic IP address",
"type": "String"
},
"ec2:associatepublicipaddress": {
"key": "ec2:AssociatePublicIpAddress",
"description": "Filters access by whether the user wants to associate a public IP address with the instance",
"type": "Bool"
},
"ec2:attribute": {
"key": "ec2:Attribute",
"description": "Filters access by an attribute of a resource",
"type": "String"
},
"ec2:attribute/${attributename}": {
"key": "ec2:Attribute/${AttributeName}",
"description": "Filters access by an attribute being set on a resource",
"type": "String"
},
"ec2:authenticationtype": {
"key": "ec2:AuthenticationType",
"description": "Filters access by the authentication type for the VPN tunnel endpoints",
"type": "String"
},
"ec2:authorizedservice": {
"key": "ec2:AuthorizedService",
"description": "Filters access by the AWS service that has permission to use a resource",
"type": "String"
},
"ec2:authorizeduser": {
"key": "ec2:AuthorizedUser",
"description": "Filters access by an IAM principal that has permission to use a resource",
"type": "String"
},
"ec2:autoplacement": {
"key": "ec2:AutoPlacement",
"description": "Filters access by the Auto Placement properties of a Dedicated Host",
"type": "String"
},
"ec2:availabilityzone": {
"key": "ec2:AvailabilityZone",
"description": "Filters access by the name of an Availability Zone in an AWS Region",
"type": "String"
},
"ec2:availabilityzoneid": {
"key": "ec2:AvailabilityZoneId",
"description": "Filters access by the ID of an Availability Zone in an AWS Region",
"type": "String"
},
"ec2:capacityreservationfleet": {
"key": "ec2:CapacityReservationFleet",
"description": "Filters access by the ARN of the Capacity Reservation Fleet",
"type": "ARN"
},
"ec2:clientrootcertificatechainarn": {
"key": "ec2:ClientRootCertificateChainArn",
"description": "Filters access by the ARN of the client root certificate chain",
"type": "ARN"
},
"ec2:cloudwatchloggrouparn": {
"key": "ec2:CloudwatchLogGroupArn",
"description": "Filters access by the ARN of the CloudWatch Logs log group",
"type": "ARN"
},
"ec2:cloudwatchlogstreamarn": {
"key": "ec2:CloudwatchLogStreamArn",
"description": "Filters access by the ARN of the CloudWatch Logs log stream",
"type": "ARN"
},
"ec2:cpuoptionsamdsevsnp": {
"key": "ec2:CpuOptionsAmdSevSnp",
"description": "Filters access by the state of AMD SEV-SNP CPU Options. Currently, only US East (Ohio) and Europe (Ireland) are supported",
"type": "String"
},
"ec2:createaction": {
"key": "ec2:CreateAction",
"description": "Filters access by the name of a resource-creating API action",
"type": "String"
},
"ec2:createdate": {
"key": "ec2:CreateDate",
"description": "Filters access by the date and time at which the Capacity Reservation was created",
"type": "Date"
},
"ec2:dpdtimeoutseconds": {
"key": "ec2:DPDTimeoutSeconds",
"description": "Filters access by the duration after which DPD timeout occurs on a VPN tunnel",
"type": "Numeric"
},
"ec2:destinationcapacityreservationid": {
"key": "ec2:DestinationCapacityReservationId",
"description": "Filters access by the ID of the Capacity Reservation that you want to move capacity into",
"type": "ARN"
},
"ec2:dhcpoptionsid": {
"key": "ec2:DhcpOptionsID",
"description": "Filters access by the ID of a dynamic host configuration protocol (DHCP) options set",
"type": "String"
},
"ec2:directoryarn": {
"key": "ec2:DirectoryArn",
"description": "Filters access by the ARN of the directory",
"type": "ARN"
},
"ec2:domain": {
"key": "ec2:Domain",
"description": "Filters access by the domain of the Elastic IP address",
"type": "String"
},
"ec2:ebsoptimized": {
"key": "ec2:EbsOptimized",
"description": "Filters access by whether the instance is enabled for EBS optimization",
"type": "Bool"
},
"ec2:elasticgputype": {
"key": "ec2:ElasticGpuType",
"description": "Filters access by the type of Elastic Graphics accelerator",
"type": "String"
},
"ec2:encrypted": {
"key": "ec2:Encrypted",
"description": "Filters access by whether the EBS volume is encrypted",
"type": "Bool"
},
"ec2:enddate": {
"key": "ec2:EndDate",
"description": "Filters access by the date and time at which the Capacity Reservation ends",
"type": "Date"
},
"ec2:enddatetype": {
"key": "ec2:EndDateType",
"description": "Filters access by the way in which the Capacity Reservation ends",
"type": "String"
},
"ec2:ephemeralstorage": {
"key": "ec2:EphemeralStorage",
"description": "Filters access by whether the instance is enabled for ephemeral storage",
"type": "Bool"
},
"ec2:fisactionid": {
"key": "ec2:FisActionId",
"description": "Filters access by the ID of an AWS FIS action",
"type": "String"
},
"ec2:fistargetarns": {
"key": "ec2:FisTargetArns",
"description": "Filters access by the ARN of an AWS FIS target",
"type": "ArrayOfARN"
},
"ec2:gatewaytype": {
"key": "ec2:GatewayType",
"description": "Filters access by the gateway type for a VPN endpoint on the AWS side of a VPN connection",
"type": "String"
},
"ec2:hostrecovery": {
"key": "ec2:HostRecovery",
"description": "Filters access by whether host recovery is enabled for a Dedicated Host",
"type": "String"
},
"ec2:ikeversions": {
"key": "ec2:IKEVersions",
"description": "Filters access by the internet key exchange (IKE) versions that are permitted for a VPN tunnel",
"type": "ArrayOfString"
},
"ec2:imageid": {
"key": "ec2:ImageID",
"description": "Filters access by the ID of an image",
"type": "String"
},
"ec2:imagetype": {
"key": "ec2:ImageType",
"description": "Filters access by the type of image (machine, aki, or ari)",
"type": "String"
},
"ec2:insidetunnelcidr": {
"key": "ec2:InsideTunnelCidr",
"description": "Filters access by the range of inside IP addresses for a VPN tunnel",
"type": "String"
},
"ec2:insidetunnelipv6cidr": {
"key": "ec2:InsideTunnelIpv6Cidr",
"description": "Filters access by a range of inside IPv6 addresses for a VPN tunnel",
"type": "String"
},
"ec2:instanceautorecovery": {
"key": "ec2:InstanceAutoRecovery",
"description": "Filters access by whether the instance type supports auto recovery",
"type": "String"
},
"ec2:instancebandwidthweighting": {
"key": "ec2:InstanceBandwidthWeighting",
"description": "Filters access by the bandwidth weighting of an instance",
"type": "String"
},
"ec2:instancecount": {
"key": "ec2:InstanceCount",
"description": "Filters access by the number of instances",
"type": "Numeric"
},
"ec2:instanceid": {
"key": "ec2:InstanceID",
"description": "Filters access by the ID of an instance",
"type": "String"
},
"ec2:instancemarkettype": {
"key": "ec2:InstanceMarketType",
"description": "Filters access by the market or purchasing option of an instance (capacity-block, on-demand, or spot)",
"type": "String"
},
"ec2:instancematchcriteria": {
"key": "ec2:InstanceMatchCriteria",
"description": "Filters access by the type of instance launches that the Capacity Reservation accepts",
"type": "String"
},
"ec2:instancemetadatatags": {
"key": "ec2:InstanceMetadataTags",
"description": "Filters access by whether the instance allows access to instance tags from the instance metadata",
"type": "String"
},
"ec2:instanceplatform": {
"key": "ec2:InstancePlatform",
"description": "Filters access by the type of operating system for which the Capacity Reservation reserves capacity",
"type": "ARN"
},
"ec2:instanceprofile": {
"key": "ec2:InstanceProfile",
"description": "Filters access by the ARN of an instance profile",
"type": "ARN"
},
"ec2:instancetype": {
"key": "ec2:InstanceType",
"description": "Filters access by the type of instance",
"type": "String"
},
"ec2:internetgatewayid": {
"key": "ec2:InternetGatewayID",
"description": "Filters access by the ID of an internet gateway",
"type": "String"
},
"ec2:ipv4ipampoolid": {
"key": "ec2:Ipv4IpamPoolId",
"description": "Filters access by the ID of an IPAM pool provided for IPv4 CIDR block allocation",
"type": "String"
},
"ec2:ipv6ipampoolid": {
"key": "ec2:Ipv6IpamPoolId",
"description": "Filters access by the ID of an IPAM pool provided for IPv6 CIDR block allocation",
"type": "String"
},
"ec2:islaunchtemplateresource": {
"key": "ec2:IsLaunchTemplateResource",
"description": "Filters access by whether users are able to override resources that are specified in the launch template",
"type": "Bool"
},
"ec2:keypairname": {
"key": "ec2:KeyPairName",
"description": "Filters access by the name of a key pair",
"type": "String"
},
"ec2:keypairtype": {
"key": "ec2:KeyPairType",
"description": "Filters access by the type of a key pair",
"type": "String"
},
"ec2:kmskeyid": {
"key": "ec2:KmsKeyId",
"description": "Filters access by the ID of an AWS KMS key provided in the request",
"type": "String"
},
"ec2:launchtemplate": {
"key": "ec2:LaunchTemplate",
"description": "Filters access by the ARN of a launch template",
"type": "ARN"
},
"ec2:location": {
"key": "ec2:Location",
"description": "Filters access by the destination for the snapshot copy",
"type": "String"
},
"ec2:managedresourceoperator": {
"key": "ec2:ManagedResourceOperator",
"description": "Filters access by the presence of an EC2 operator provisioning a managed resource",
"type": "String"
},
"ec2:metadatahttpendpoint": {
"key": "ec2:MetadataHttpEndpoint",
"description": "Filters access by whether the HTTP endpoint is enabled for the instance metadata service",
"type": "String"
},
"ec2:metadatahttpputresponsehoplimit": {
"key": "ec2:MetadataHttpPutResponseHopLimit",
"description": "Filters access by the allowed number of hops when calling the instance metadata service",
"type": "Numeric"
},
"ec2:metadatahttptokens": {
"key": "ec2:MetadataHttpTokens",
"description": "Filters access by whether tokens are required when calling the instance metadata service (optional or required)",
"type": "String"
},
"ec2:networkaclid": {
"key": "ec2:NetworkAclID",
"description": "Filters access by the ID of a network access control list (ACL)",
"type": "String"
},
"ec2:networkinterfaceid": {
"key": "ec2:NetworkInterfaceID",
"description": "Filters access by the ID of an elastic network interface",
"type": "String"
},
"ec2:newinstanceprofile": {
"key": "ec2:NewInstanceProfile",
"description": "Filters access by the ARN of the instance profile being attached",
"type": "ARN"
},
"ec2:outpostarn": {
"key": "ec2:OutpostArn",
"description": "Filters access by the ARN of the Outpost",
"type": "ARN"
},
"ec2:owner": {
"key": "ec2:Owner",
"description": "Filters access by the owner of the resource (amazon, aws-marketplace, or an AWS account ID)",
"type": "String"
},
"ec2:parentsnapshot": {
"key": "ec2:ParentSnapshot",
"description": "Filters access by the ARN of the parent snapshot",
"type": "ARN"
},
"ec2:parentvolume": {
"key": "ec2:ParentVolume",
"description": "Filters access by the ARN of the parent volume from which the snapshot was created",
"type": "ARN"
},
"ec2:permission": {
"key": "ec2:Permission",
"description": "Filters access by the type of permission for a resource (INSTANCE-ATTACH or EIP-ASSOCIATE)",
"type": "String"
},
"ec2:phase1dhgroup": {
"key": "ec2:Phase1DHGroup",
"description": "Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 1 IKE negotiations",
"type": "ArrayOfString"
},
"ec2:phase1encryptionalgorithms": {
"key": "ec2:Phase1EncryptionAlgorithms",
"description": "Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations",
"type": "ArrayOfString"
},
"ec2:phase1integrityalgorithms": {
"key": "ec2:Phase1IntegrityAlgorithms",
"description": "Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 1 IKE negotiations",
"type": "ArrayOfString"
},
"ec2:phase1lifetimeseconds": {
"key": "ec2:Phase1LifetimeSeconds",
"description": "Filters access by the lifetime in seconds for phase 1 of the IKE negotiations for a VPN tunnel",
"type": "Numeric"
},
"ec2:phase2dhgroup": {
"key": "ec2:Phase2DHGroup",
"description": "Filters access by the Diffie-Hellman group numbers that are permitted for a VPN tunnel for the phase 2 IKE negotiations",
"type": "ArrayOfString"
},
"ec2:phase2encryptionalgorithms": {
"key": "ec2:Phase2EncryptionAlgorithms",
"description": "Filters access by the encryption algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations",
"type": "ArrayOfString"
},
"ec2:phase2integrityalgorithms": {
"key": "ec2:Phase2IntegrityAlgorithms",
"description": "Filters access by the integrity algorithms that are permitted for a VPN tunnel for the phase 2 IKE negotiations",
"type": "ArrayOfString"
},
"ec2:phase2lifetimeseconds": {
"key": "ec2:Phase2LifetimeSeconds",
"description": "Filters access by the lifetime in seconds for phase 2 of the IKE negotiations for a VPN tunnel",
"type": "Numeric"
},
"ec2:placementgroup": {
"key": "ec2:PlacementGroup",
"description": "Filters access by the ARN of the placement group",
"type": "ARN"
},
"ec2:placementgroupname": {
"key": "ec2:PlacementGroupName",
"description": "Filters access by the name of a placement group",
"type": "String"
},
"ec2:placementgroupstrategy": {
"key": "ec2:PlacementGroupStrategy",
"description": "Filters access by the instance placement strategy used by the placement group (cluster, spread, or partition)",
"type": "String"
},
"ec2:productcode": {
"key": "ec2:ProductCode",
"description": "Filters access by the product code that is associated with the AMI",
"type": "String"
},
"ec2:public": {
"key": "ec2:Public",
"description": "Filters access by whether the image has public launch permissions",
"type": "Bool"
},
"ec2:publicipaddress": {
"key": "ec2:PublicIpAddress",
"description": "Filters access by a public IP address",
"type": "String"
},
"ec2:quantity": {
"key": "ec2:Quantity",
"description": "Filters access by the number of Dedicated Hosts in a request",
"type": "Numeric"
},
"ec2:region": {
"key": "ec2:Region",
"description": "Filters access by the name of the AWS Region",
"type": "String"
},
"ec2:rekeyfuzzpercentage": {
"key": "ec2:RekeyFuzzPercentage",
"description": "Filters access by the percentage of increase of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected for a VPN tunnel",
"type": "Numeric"
},
"ec2:rekeymargintimeseconds": {
"key": "ec2:RekeyMarginTimeSeconds",
"description": "Filters access by the margin time before the phase 2 lifetime expires for a VPN tunnel",
"type": "Numeric"
},
"ec2:remove/group": {
"key": "ec2:Remove/group",
"description": "Filters access by the group being removed from a snapshot",
"type": "String"
},
"ec2:remove/userid": {
"key": "ec2:Remove/userId",
"description": "Filters access by the account id being removed from a snapshot",
"type": "String"
},
"ec2:replaywindowsizepackets": {
"key": "ec2:ReplayWindowSizePackets",
"description": "Filters access by the number of packets in an IKE replay window",
"type": "String"
},
"ec2:requestervpc": {
"key": "ec2:RequesterVpc",
"description": "Filters access by the ARN of a requester VPC in a VPC peering connection",
"type": "ARN"
},
"ec2:reservedinstancesofferingtype": {
"key": "ec2:ReservedInstancesOfferingType",
"description": "Filters access by the payment option of the Reserved Instance offering (No Upfront, Partial Upfront, or All Upfront)",
"type": "String"
},
"ec2:resourcetag/${tagkey}": {
"key": "ec2:ResourceTag/${TagKey}",
"description": "Filters access by a tag key and value pair of a resource",
"type": "String"
},
"ec2:roledelivery": {
"key": "ec2:RoleDelivery",
"description": "Filters access by the version of the instance metadata service for retrieving IAM role credentials for EC2",
"type": "Numeric"
},
"ec2:rootdevicetype": {
"key": "ec2:RootDeviceType",
"description": "Filters access by the root device type of the instance (ebs or instance-store)",
"type": "String"
},
"ec2:routetableid": {
"key": "ec2:RouteTableID",
"description": "Filters access by the ID of a route table",
"type": "String"
},
"ec2:routingtype": {
"key": "ec2:RoutingType",
"description": "Filters access by the routing type for the VPN connection",
"type": "String"
},
"ec2:samlproviderarn": {
"key": "ec2:SamlProviderArn",
"description": "Filters access by the ARN of the IAM SAML identity provider",
"type": "ARN"
},
"ec2:securitygroupid": {
"key": "ec2:SecurityGroupID",
"description": "Filters access by the ID of a security group",
"type": "String"
},
"ec2:servercertificatearn": {
"key": "ec2:ServerCertificateArn",
"description": "Filters access by the ARN of the server certificate",
"type": "ARN"
},
"ec2:snapshotcooloffperiod": {
"key": "ec2:SnapshotCoolOffPeriod",
"description": "Filters access by the compliance mode cooling-off period",
"type": "Numeric"
},
"ec2:snapshotid": {
"key": "ec2:SnapshotID",
"description": "Filters access by the ID of a snapshot",
"type": "String"
},
"ec2:snapshotlockduration": {
"key": "ec2:SnapshotLockDuration",
"description": "Filters access by the snapshot lock duration",
"type": "Numeric"
},
"ec2:snapshottime": {
"key": "ec2:SnapshotTime",
"description": "Filters access by the initiation time of a snapshot",
"type": "String"
},
"ec2:sourceavailabilityzone": {
"key": "ec2:SourceAvailabilityZone",
"description": "Filters access by the name of the Availability Zone from which the request originated",
"type": "String"
},
"ec2:sourcecapacityreservationid": {
"key": "ec2:SourceCapacityReservationId",
"description": "Filters access by the ID of the Capacity Reservation from which you want to move capacity",
"type": "ARN"
},
"ec2:sourceinstancearn": {
"key": "ec2:SourceInstanceARN",
"description": "Filters access by the ARN of the instance from which the request originated",
"type": "ARN"
},
"ec2:sourceoutpostarn": {
"key": "ec2:SourceOutpostArn",
"description": "Filters access by the ARN of the Outpost from which the request originated",
"type": "ARN"
},
"ec2:subnet": {
"key": "ec2:Subnet",
"description": "Filters access by the ARN of the subnet",
"type": "ARN"
},
"ec2:subnetid": {
"key": "ec2:SubnetID",
"description": "Filters access by the ID of a subnet",
"type": "String"
},
"ec2:tenancy": {
"key": "ec2:Tenancy",
"description": "Filters access by the tenancy of the VPC or instance (default, dedicated, or host)",
"type": "String"
},
"ec2:volumeid": {
"key": "ec2:VolumeID",
"description": "Filters access by the ID of a volume",
"type": "String"
},
"ec2:volumeiops": {
"key": "ec2:VolumeIops",
"description": "Filters access by the number of input/output operations per second (IOPS) provisioned for the volume",
"type": "Numeric"
},
"ec2:volumesize": {
"key": "ec2:VolumeSize",
"description": "Filters access by the size of the volume, in GiB",
"type": "Numeric"
},
"ec2:volumethroughput": {
"key": "ec2:VolumeThroughput",
"description": "Filters access by the throughput of the volume, in MiBps",
"type": "Numeric"
},
"ec2:volumetype": {
"key": "ec2:VolumeType",
"description": "Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard)",
"type": "String"
},
"ec2:vpc": {
"key": "ec2:Vpc",
"description": "Filters access by the ARN of the VPC",
"type": "ARN"
},
"ec2:vpcid": {
"key": "ec2:VpcID",
"description": "Filters access by the ID of a virtual private cloud (VPC)",
"type": "String"
},
"ec2:vpcpeeringconnectionid": {
"key": "ec2:VpcPeeringConnectionID",
"description": "Filters access by the ID of a VPC peering connection",
"type": "String"
},
"ec2:vpceservicename": {
"key": "ec2:VpceServiceName",
"description": "Filters access by the name of the VPC endpoint service",
"type": "String"
},
"ec2:vpceserviceowner": {
"key": "ec2:VpceServiceOwner",
"description": "Filters access by the service owner of the VPC endpoint service (amazon, aws-marketplace, or an AWS account ID)",
"type": "String"
},
"ec2:vpceserviceprivatednsname": {
"key": "ec2:VpceServicePrivateDnsName",
"description": "Filters access by the private DNS name of the VPC endpoint service",
"type": "String"
},
"ec2:transitgatewayattachmentid": {
"key": "ec2:transitGatewayAttachmentId",
"description": "Filters access by the ID of a transit gateway attachment",
"type": "String"
},
"ec2:transitgatewayconnectpeerid": {
"key": "ec2:transitGatewayConnectPeerId",
"description": "Filters access by the ID of a transit gateway connect peer",
"type": "String"
},
"ec2:transitgatewayid": {
"key": "ec2:transitGatewayId",
"description": "Filters access by the ID of a transit gateway",
"type": "String"
},
"ec2:transitgatewaymulticastdomainid": {
"key": "ec2:transitGatewayMulticastDomainId",
"description": "Filters access by the ID of a transit gateway multicast domain",
"type": "String"
},
"ec2:transitgatewaypolicytableid": {
"key": "ec2:transitGatewayPolicyTableId",
"description": "Filters access by the ID of a transit gateway policy table",
"type": "String"
},
"ec2:transitgatewayroutetableannouncementid": {
"key": "ec2:transitGatewayRouteTableAnnouncementId",
"description": "Filters access by the ID of a transit gateway route table announcement",
"type": "String"
},
"ec2:transitgatewayroutetableid": {
"key": "ec2:transitGatewayRouteTableId",
"description": "Filters access by the ID of a transit gateway route table",
"type": "String"
},
"ec2:vpcemultiregion": {
"key": "ec2:vpceMultiRegion",
"description": "Filters access by multi region of the VPC endpoint service",
"type": "String"
},
"ec2:vpceserviceregion": {
"key": "ec2:vpceServiceRegion",
"description": "Filters access by the region of the VPC endpoint service",
"type": "String"
},
"ec2:vpcesupportedregion": {
"key": "ec2:vpceSupportedRegion",
"description": "Filters access by the supported region of the VPC endpoint service",
"type": "String"
}
}