View a markdown version of this page

Actions, resources, and condition keys for AWS Firewall Manager - Service Authorization Reference

Actions, resources, and condition keys for AWS Firewall Manager

AWS Firewall Manager (service prefix: fms) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Firewall Manager

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AssociateAdminAccount

fms:AssociateAdminAccount

Write

AssociateThirdPartyFirewall

fms:AssociateThirdPartyFirewall

Write

BatchAssociateResource

fms:BatchAssociateResource

Write

BatchDisassociateResource

fms:BatchDisassociateResource

Write

DeleteAppsList

fms:DeleteAppsList

Write

DeleteNotificationChannel

fms:DeleteNotificationChannel

Write

DeletePolicy

fms:DeletePolicy

Write

DeleteProtocolsList

fms:DeleteProtocolsList

Write

DeleteResourceSet

fms:DeleteResourceSet

Write

DisassociateAdminAccount

fms:DisassociateAdminAccount

Write

DisassociateThirdPartyFirewall

fms:DisassociateThirdPartyFirewall

Write

GetAdminAccount

fms:GetAdminAccount

Read

GetAdminScope

fms:GetAdminScope

Read

GetAppsList

fms:GetAppsList

Read

GetComplianceDetail

fms:GetComplianceDetail

Read

GetNotificationChannel

fms:GetNotificationChannel

Read

GetPolicy

fms:GetPolicy

Read

GetProtectionStatus

fms:GetProtectionStatus

Read

GetProtocolsList

fms:GetProtocolsList

Read

GetResourceSet

fms:GetResourceSet

Read

GetThirdPartyFirewallAssociationStatus

fms:GetThirdPartyFirewallAssociationStatus

Read

GetViolationDetails

fms:GetViolationDetails

Read

ListAdminAccountsForOrganization

fms:ListAdminAccountsForOrganization

List

ListAdminsManagingAccount

fms:ListAdminsManagingAccount

List

ListAppsLists

fms:ListAppsLists

List

ListComplianceStatus

fms:ListComplianceStatus

List

ListDiscoveredResources

fms:ListDiscoveredResources

List

ListMemberAccounts

fms:ListMemberAccounts

List

ListPolicies

fms:ListPolicies

List

ListProtocolsLists

fms:ListProtocolsLists

List

ListResourceSetResources

fms:ListResourceSetResources

List

ListResourceSets

fms:ListResourceSets

List

ListTagsForResource

fms:ListTagsForResource

Read

ListThirdPartyFirewallFirewallPolicies

fms:ListThirdPartyFirewallFirewallPolicies

List

PutAdminAccount

fms:PutAdminAccount

Write

PutAppsList

fms:PutAppsList

Write

fms:TagResource

Tagging, Write

PutNotificationChannel

fms:PutNotificationChannel

Write

iam:PassRole

iam:PassedToService

fms.amazonaws.com

Write

PutPolicy

fms:PutPolicy

Write

fms:TagResource

Tagging, Write

PutProtocolsList

fms:PutProtocolsList

Write

fms:TagResource

Tagging, Write

PutResourceSet

fms:PutResourceSet

Write

fms:TagResource

Tagging, Write

TagResource

fms:TagResource

Tagging, Write

UntagResource

fms:UntagResource

Tagging, Write

Actions defined by AWS Firewall Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssociateAdminAccount

Grants permission to set the AWS Firewall Manager administrator account and enables the service in all organization accounts

Write

AssociateThirdPartyFirewall

Grants permission to set the Firewall Manager administrator as a tenant administrator of a third-party firewall service

Write

BatchAssociateResource

Grants permission to associate resources to an AWS Firewall Manager resource set

resource-set*

aws:ResourceTag/${TagKey}

Write

BatchDisassociateResource

Grants permission to disassociate resources from an AWS Firewall Manager resource set

resource-set*

aws:ResourceTag/${TagKey}

Write

DeleteAppsList

Grants permission to permanently deletes an AWS Firewall Manager applications list

applications-list*

aws:ResourceTag/${TagKey}

Write

DeleteNotificationChannel

Grants permission to delete an AWS Firewall Manager association with the IAM role and the Amazon Simple Notification Service (SNS) topic that is used to notify the FM administrator about major FM events and errors across the organization

Write

DeletePolicy

Grants permission to permanently delete an AWS Firewall Manager policy

policy*

aws:ResourceTag/${TagKey}

Write

DeleteProtocolsList

Grants permission to permanently deletes an AWS Firewall Manager protocols list

protocols-list*

aws:ResourceTag/${TagKey}

Write

DeleteResourceSet

Grants permission to permanently delete an AWS Firewall Manager resource set

resource-set*

aws:ResourceTag/${TagKey}

Write

DisassociateAdminAccount

Grants permission to disassociate the account that has been set as the AWS Firewall Manager administrator account and and disables the service in all organization accounts

Write

DisassociateThirdPartyFirewall

Grants permission to disassociate a Firewall Manager administrator from a third-party firewall tenant

Write

GetAdminAccount

Grants permission to return the AWS Organizations account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator

Read

GetAdminScope

Grants permission to return information about the specified account's administrative scope

Read

GetAppsList

Grants permission to return information about the specified AWS Firewall Manager applications list

applications-list*

aws:ResourceTag/${TagKey}

Read

GetComplianceDetail

Grants permission to retrieve detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy

policy*

aws:ResourceTag/${TagKey}

Read

GetNotificationChannel

Grants permission to retrieve information about the Amazon Simple Notification Service (SNS) topic that is used to record AWS Firewall Manager SNS logs

Read

GetPolicy

Grants permission to retrieve information about the specified AWS Firewall Manager policy

policy*

aws:ResourceTag/${TagKey}

Read

GetProtectionStatus

Grants permission to retrieve policy-level attack summary information in the event of a potential DDoS attack

policy*

aws:ResourceTag/${TagKey}

Read

GetProtocolsList

Grants permission to return information about the specified AWS Firewall Manager protocols list

protocols-list*

aws:ResourceTag/${TagKey}

Read

GetResourceSet

Grants permission to retrieve information about the specified AWS Firewall Manager resource set

resource-set*

aws:ResourceTag/${TagKey}

Read

GetThirdPartyFirewallAssociationStatus

Grants permission to retrieve the onboarding status of a Firewall Manager administrator account to third-party firewall vendor tenant

Read

GetViolationDetails

Grants permission to retrieve violations for a resource based on the specified AWS Firewall Manager policy and AWS account

policy*

aws:ResourceTag/${TagKey}

Read

ListAdminAccountsForOrganization

Grants permission to return a AdminAccounts object that lists the Firewall Manager administrators within the organization that are onboarded to Firewall Manager by AssociateAdminAccount

List

ListAdminsManagingAccount

Grants permission to list the accounts that are managing the specified AWS Organizations member account

List

ListAppsLists

Grants permission to return an array of AppsListDataSummary objects

List

ListComplianceStatus

Grants permission to retrieve an array of PolicyComplianceStatus objects in the response. Use PolicyComplianceStatus to get a summary of which member accounts are protected by the specified policy

policy*

aws:ResourceTag/${TagKey}

List

ListDiscoveredResources

Grants permission to retrieve an array of resources in the organization's accounts that are available to be associated with a resource set

List

ListMemberAccounts

Grants permission to retrieve an array of member account ids if the caller is FMS admin account

List

ListPolicies

Grants permission to retrieve an array of PolicySummary objects in the response

List

ListProtocolsLists

Grants permission to return an array of ProtocolsListDataSummary objects

List

ListResourceSetResources

Grants permission to retrieve an array of resources that are currently associated to a resource set

resource-set*

aws:ResourceTag/${TagKey}

List

ListResourceSets

Grants permission to retrieve an array of ResourceSetSummary objects

List

ListTagsForResource

Grants permission to list Tags for a given resource

policy*

aws:ResourceTag/${TagKey}

Read

ListThirdPartyFirewallFirewallPolicies

Grants permission to retrieve a list of all of the third-party firewall policies that are associated with the third-party firewall administrator's account

List

PutAdminAccount

Grants permission to create or update an Firewall Manager administrator account

Write

PutAppsList

Grants permission to create an AWS Firewall Manager applications list

applications-list*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

PutNotificationChannel

Grants permission to designate the IAM role and Amazon Simple Notification Service (SNS) topic that AWS Firewall Manager (FM) could use to notify the FM administrator about major FM events and errors across the organization

Write

PutPolicy

Grants permission to create an AWS Firewall Manager policy

policy*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

PutProtocolsList

Grants permission to creates an AWS Firewall Manager protocols list

protocols-list*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

PutResourceSet

Grants permission to create an AWS Firewall Manager resource set

resource-set*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

TagResource

Grants permission to add a Tag to a given resource

applications-list

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

policy

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

protocols-list

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

resource-set

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove a Tag from a given resource

applications-list

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

policy

aws:ResourceTag/${TagKey}

aws:TagKeys

protocols-list

aws:ResourceTag/${TagKey}

aws:TagKeys

resource-set

aws:ResourceTag/${TagKey}

aws:TagKeys

Resource types defined by AWS Firewall Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

applications-list

arn:${Partition}:fms:${Region}:${Account}:applications-list/${Id}

aws:ResourceTag/${TagKey}

policy

arn:${Partition}:fms:${Region}:${Account}:policy/${Id}

aws:ResourceTag/${TagKey}

protocols-list

arn:${Partition}:fms:${Region}:${Account}:protocols-list/${Id}

aws:ResourceTag/${TagKey}

resource-set

arn:${Partition}:fms:${Region}:${Account}:resource-set/${Id}

aws:ResourceTag/${TagKey}

Condition keys for AWS Firewall Manager

AWS Firewall Manager defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the the presence of tag keys in the request

ArrayOfString