View a markdown version of this page

Actions, resources, and condition keys for AWS Shield - Service Authorization Reference

Actions, resources, and condition keys for AWS Shield

AWS Shield (service prefix: shield) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Shield

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AssociateDRTLogBucket

shield:AssociateDRTLogBucket

Write

AssociateDRTRole

shield:AssociateDRTRole

Write

iam:PassRole

iam:PassedToService

drt.shield.amazonaws.com

Write

AssociateHealthCheck

shield:AssociateHealthCheck

Write

AssociateProactiveEngagementDetails

shield:AssociateProactiveEngagementDetails

Write

CreateProtection

shield:CreateProtection

Write

shield:TagResource

Tagging, Write

CreateProtectionGroup

shield:CreateProtectionGroup

Write

shield:TagResource

Tagging, Write

CreateSubscription

shield:CreateSubscription

Write

DeleteProtection

shield:DeleteProtection

Write

DeleteProtectionGroup

shield:DeleteProtectionGroup

Write

DeleteSubscription

shield:DeleteSubscription

Write

DescribeAttack

shield:DescribeAttack

Read

shield:DescribeProtectionGroup

Read

DescribeAttackStatistics

shield:DescribeAttackStatistics

Read

DescribeDRTAccess

shield:DescribeDRTAccess

Read

DescribeEmergencyContactSettings

shield:DescribeEmergencyContactSettings

Read

DescribeProtection

shield:DescribeProtection

Read

DescribeProtectionGroup

shield:DescribeProtectionGroup

Read

DescribeSubscription

shield:DescribeSubscription

Read

DisableApplicationLayerAutomaticResponse

shield:DisableApplicationLayerAutomaticResponse

Write

DisableProactiveEngagement

shield:DisableProactiveEngagement

Write

DisassociateDRTLogBucket

shield:DisassociateDRTLogBucket

Write

DisassociateDRTRole

shield:DisassociateDRTRole

Write

DisassociateHealthCheck

shield:DisassociateHealthCheck

Write

EnableApplicationLayerAutomaticResponse

shield:EnableApplicationLayerAutomaticResponse

Write

EnableProactiveEngagement

shield:EnableProactiveEngagement

Write

GetSubscriptionState

shield:GetSubscriptionState

Read

ListAttacks

shield:ListAttacks

List

ListProtectionGroups

shield:ListProtectionGroups

List

ListProtections

shield:ListProtections

List

ListResourcesInProtectionGroup

shield:ListResourcesInProtectionGroup

List

ListTagsForResource

shield:ListTagsForResource

Read

TagResource

shield:TagResource

Tagging, Write

UntagResource

shield:UntagResource

Tagging, Write

UpdateApplicationLayerAutomaticResponse

shield:UpdateApplicationLayerAutomaticResponse

Write

UpdateEmergencyContactSettings

shield:UpdateEmergencyContactSettings

Write

UpdateProtectionGroup

shield:UpdateProtectionGroup

Write

UpdateSubscription

shield:UpdateSubscription

Write

Actions defined by AWS Shield

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssociateDRTLogBucket

Grants permission to authorize the DDoS Response team to access the specified Amazon S3 bucket containing your flow logs

Write

AssociateDRTRole

Grants permission to authorize the DDoS Response team using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks

Write

AssociateHealthCheck

Grants permission to add health-based detection to the Shield Advanced protection for a resource

protection*

aws:ResourceTag/${TagKey}

Write

AssociateProactiveEngagementDetails

Grants permission to initialize proactive engagement and set the list of contacts for the DDoS Response Team (DRT) to use

Write

CreateProtection

Grants permission to activate DDoS protection service for a given resource ARN

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateProtectionGroup

Grants permission to create a grouping of protected resources so they can be handled as a collective

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateSubscription

Grants permission to activate subscription

Write

DeleteProtection

Grants permission to delete an existing protection

protection*

aws:ResourceTag/${TagKey}

Write

DeleteProtectionGroup

Grants permission to remove the specified protection group

protection-group*

aws:ResourceTag/${TagKey}

Write

DeleteSubscription

Grants permission to deactivate subscription

Write

DescribeAttack

Grants permission to get attack details. For getting attack details protected by AWS WAF anti-DDoS managed rule group, this action additionally calls wafv2:DescribeTopContributorsByEvent to retrieve application layer attack contributors, which requires to have wafv2:DescribeTopContributorsByEvent permission in IAM policy

attack*

Read

DescribeAttackStatistics

Grants permission to describe information about the number and type of attacks AWS Shield has detected in the last year

Read

DescribeDRTAccess

Grants permission to describe the current role and list of Amazon S3 log buckets used by the DDoS Response team to access your AWS account while assisting with attack mitigation

Read

DescribeEmergencyContactSettings

Grants permission to list the email addresses that the DRT can use to contact you during a suspected attack

Read

DescribeProtection

Grants permission to get protection details

protection*

aws:ResourceTag/${TagKey}

Read

DescribeProtectionGroup

Grants permission to describe the specification for the specified protection group

protection-group*

aws:ResourceTag/${TagKey}

Read

DescribeSubscription

Grants permission to get subscription details, such as start time

Read

DisableApplicationLayerAutomaticResponse

Grants permission to disable application layer automatic response for Shield Advanced protection for a resource

Write

DisableProactiveEngagement

Grants permission to remove authorization from the DDoS Response Team (DRT) to notify contacts about escalations

Write

DisassociateDRTLogBucket

Grants permission to remove the DDoS Response team's access to the specified Amazon S3 bucket containing your flow logs

Write

DisassociateDRTRole

Grants permission to remove the DDoS Response team's access to your AWS account

Write

DisassociateHealthCheck

Grants permission to remove health-based detection from the Shield Advanced protection for a resource

protection*

aws:ResourceTag/${TagKey}

Write

EnableApplicationLayerAutomaticResponse

Grants permission to enable application layer automatic response for Shield Advanced protection for a resource

Write

EnableProactiveEngagement

Grants permission to authorize the DDoS Response Team (DRT) to use email and phone to notify contacts about escalations

Write

GetSubscriptionState

Grants permission to get subscription state

Read

ListAttacks

Grants permission to list all existing attacks

List

ListProtectionGroups

Grants permission to retrieve the protection groups for the account

List

ListProtections

Grants permission to list all existing protections

List

ListResourcesInProtectionGroup

Grants permission to retrieve the resources that are included in the protection group

protection-group*

aws:ResourceTag/${TagKey}

List

ListTagsForResource

Grants permission to get information about AWS tags for a specified Amazon Resource Name (ARN) in AWS Shield

protection

aws:ResourceTag/${TagKey}

Read

protection-group

aws:ResourceTag/${TagKey}

TagResource

Grants permission to add or updates tags for a resource in AWS Shield

protection

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

protection-group

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove tags from a resource in AWS Shield

protection

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

protection-group

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateApplicationLayerAutomaticResponse

Grants permission to update application layer automatic response for Shield Advanced protection for a resource

Write

UpdateEmergencyContactSettings

Grants permission to update the details of the list of email addresses that the DRT can use to contact you during a suspected attack

Write

UpdateProtectionGroup

Grants permission to update an existing protection group

protection-group*

aws:ResourceTag/${TagKey}

Write

UpdateSubscription

Grants permission to update the details of an existing subscription

Write

Permission-only actions for AWS Shield

The following actions are defined by AWS Shield but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

DescribeAttackContributors

Grants permission to get detailed information about the contributors to a specific DDoS attack

attack*

Read

protection-group

aws:ResourceTag/${TagKey}

GetGlobalThreatData

Grants permission to retrieve global threat intelligence data and trends from AWS Shield's threat monitoring systems

Read

ListMitigations

Grants permission to retrieve a list of mitigation actions that have been applied during DDoS attacks

attack*

List

Resource types defined by AWS Shield

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

attack

arn:${Partition}:shield::${Account}:attack/${Id}

protection

arn:${Partition}:shield::${Account}:protection/${Id}

aws:ResourceTag/${TagKey}

protection-group

arn:${Partition}:shield::${Account}:protection-group/${Id}

aws:ResourceTag/${TagKey}

Condition keys for AWS Shield

AWS Shield defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters actions based on the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters actions based on tag key-value pairs attached to the resource

String

aws:TagKeys

Filters actions based on the presence of tag keys in the request

ArrayOfString