View a markdown version of this page

Actions, resources, and condition keys for AWS Artifact - Service Authorization Reference

Actions, resources, and condition keys for AWS Artifact

AWS Artifact (service prefix: artifact) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Artifact

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateComplianceInquiry

artifact:CreateComplianceInquiry

Write

artifact:TagResource

Tagging, Write

ExportComplianceInquiry

artifact:ExportComplianceInquiry

Read

GetAccountSettings

artifact:GetAccountSettings

Read

GetComplianceInquiryMetadata

artifact:GetComplianceInquiryMetadata

Read

GetReport

artifact:GetReport

Read

GetReportMetadata

artifact:GetReportMetadata

Read

GetTermForReport

artifact:GetTermForReport

Read

ListComplianceInquiries

artifact:ListComplianceInquiries

List

ListComplianceInquiryQueries

artifact:ListComplianceInquiryQueries

List

ListCustomerAgreements

artifact:ListCustomerAgreements

List

ListReportVersions

artifact:ListReportVersions

List

ListReports

artifact:ListReports

List

ListTagsForResource

artifact:ListTagsForResource

Read

PutAccountSettings

artifact:PutAccountSettings

Write

TagResource

artifact:TagResource

Tagging, Write

UntagResource

artifact:UntagResource

Tagging, Write

Actions defined by AWS Artifact

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AcceptAgreement

Grants permission to accept an AWS agreement that has not yet been accepted by the customer account

agreement*

Write

AcceptNdaForAgreement

Grants permission to accept the terms of an NDA Document for a given agreement resource

agreement*

Write

CreateComplianceInquiry

Grants permission to create a compliance inquiry

compliance-inquiry*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

ExportComplianceInquiry

Grants permission to export a compliance inquiry

compliance-inquiry*

aws:ResourceTag/${TagKey}

Read

GetAccountSettings

Grants permission to get the account settings for Artifact

Read

GetAgreement

Grants permission to get an AWS agreement that has not yet been accepted by the customer account

agreement*

Read

GetComplianceInquiryMetadata

Grants permission to get metadata associated with a compliance inquiry

compliance-inquiry*

aws:ResourceTag/${TagKey}

Read

GetCustomerAgreement

Grants permission to get an AWS agreement that has been accepted by the customer account

customer-agreement*

Read

GetNdaForAgreement

Grants permission to retrieve the NDA Document for a given agreement resource

agreement*

Read

GetReport

Grants permission to download a report

report*

artifact:ReportCategory

artifact:ReportSeries

Read

GetReportMetadata

Grants permission to download metadata associated with a report

report*

artifact:ReportCategory

artifact:ReportSeries

Read

GetTermForReport

Grants permission to download a term associated with a report

report*

artifact:ReportCategory

artifact:ReportSeries

Read

ListAgreements

Grants permission to list AWS agreements

List

ListComplianceInquiries

Grants permission to list compliance inquiries submitted by the customer account

List

ListComplianceInquiryQueries

Grants permission to list queries for a compliance inquiry

compliance-inquiry*

aws:ResourceTag/${TagKey}

List

ListCustomerAgreements

Grants permission to list customer-agreement resources that have been accepted by the customer account

List

ListReportVersions

Grants permission to list report versions in your account

List

ListReports

Grants permission to list reports in your account

List

ListTagsForResource

Grants permission to list all tags on an AWS Artifact resource

compliance-inquiry*

aws:ResourceTag/${TagKey}

Read

PutAccountSettings

Grants permission to put account settings for Artifact

Write

TagResource

Grants permission to associate a set of tags with an AWS Artifact resource

compliance-inquiry*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

TerminateAgreement

Grants permission to terminate a customer agreement that was previously accepted by the customer account

customer-agreement*

Write

UntagResource

Grants permission to remove the association of tags from an AWS Artifact resource

compliance-inquiry*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Resource types defined by AWS Artifact

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

agreement

arn:${Partition}:artifact:::agreement/*

compliance-inquiry

arn:${Partition}:artifact:${Region}:${Account}:compliance-inquiry/*

aws:ResourceTag/${TagKey}

customer-agreement

arn:${Partition}:artifact::${Account}:customer-agreement/*

report

arn:${Partition}:artifact:${Region}::report/${ReportId}:${Version}

artifact:ReportCategory

artifact:ReportSeries

Condition keys for AWS Artifact

AWS Artifact defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

artifact:ReportCategory

Filters access by which category reports are associated with

String

artifact:ReportSeries

Filters access by which series reports are associated with

String

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString