View a markdown version of this page

Actions, resources, and condition keys for AWS Audit Manager - Service Authorization Reference

Actions, resources, and condition keys for AWS Audit Manager

AWS Audit Manager (service prefix: auditmanager) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Audit Manager

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AssociateAssessmentReportEvidenceFolder

auditmanager:AssociateAssessmentReportEvidenceFolder

Write

BatchAssociateAssessmentReportEvidence

auditmanager:BatchAssociateAssessmentReportEvidence

Write

BatchCreateDelegationByAssessment

auditmanager:BatchCreateDelegationByAssessment

Write

BatchDeleteDelegationByAssessment

auditmanager:BatchDeleteDelegationByAssessment

Write

BatchDisassociateAssessmentReportEvidence

auditmanager:BatchDisassociateAssessmentReportEvidence

Write

BatchImportEvidenceToAssessmentControl

auditmanager:BatchImportEvidenceToAssessmentControl

Write

CreateAssessment

auditmanager:CreateAssessment

Write

auditmanager:TagResource

Tagging, Write

CreateAssessmentFramework

auditmanager:CreateAssessmentFramework

Write

auditmanager:TagResource

Tagging, Write

CreateAssessmentReport

auditmanager:CreateAssessmentReport

Write

CreateControl

auditmanager:CreateControl

Write

auditmanager:TagResource

Tagging, Write

DeleteAssessment

auditmanager:DeleteAssessment

Write

DeleteAssessmentFramework

auditmanager:DeleteAssessmentFramework

Write

DeleteAssessmentFrameworkShare

auditmanager:DeleteAssessmentFrameworkShare

Write

DeleteAssessmentReport

auditmanager:DeleteAssessmentReport

Write

DeleteControl

auditmanager:DeleteControl

Write

DeregisterAccount

auditmanager:DeregisterAccount

Write

DeregisterOrganizationAdminAccount

auditmanager:DeregisterOrganizationAdminAccount

Write

DisassociateAssessmentReportEvidenceFolder

auditmanager:DisassociateAssessmentReportEvidenceFolder

Write

GetAccountStatus

auditmanager:GetAccountStatus

Read

GetAssessment

auditmanager:GetAssessment

Read

GetAssessmentFramework

auditmanager:GetAssessmentFramework

Read

GetAssessmentReportUrl

auditmanager:GetAssessmentReportUrl

Read

GetChangeLogs

auditmanager:GetChangeLogs

Read

GetControl

auditmanager:GetControl

Read

GetDelegations

auditmanager:GetDelegations

List

GetEvidence

auditmanager:GetEvidence

Read

GetEvidenceByEvidenceFolder

auditmanager:GetEvidenceByEvidenceFolder

Read

GetEvidenceFileUploadUrl

auditmanager:GetEvidenceFileUploadUrl

Read

GetEvidenceFolder

auditmanager:GetEvidenceFolder

Read

GetEvidenceFoldersByAssessment

auditmanager:GetEvidenceFoldersByAssessment

Read

GetEvidenceFoldersByAssessmentControl

auditmanager:GetEvidenceFoldersByAssessmentControl

Read

GetInsights

auditmanager:GetInsights

Read

GetInsightsByAssessment

auditmanager:GetInsightsByAssessment

Read

GetOrganizationAdminAccount

auditmanager:GetOrganizationAdminAccount

Read

GetServicesInScope

auditmanager:GetServicesInScope

Read

GetSettings

auditmanager:GetSettings

Read

ListAssessmentControlInsightsByControlDomain

auditmanager:ListAssessmentControlInsightsByControlDomain

List

ListAssessmentFrameworkShareRequests

auditmanager:ListAssessmentFrameworkShareRequests

List

ListAssessmentFrameworks

auditmanager:ListAssessmentFrameworks

List

ListAssessmentReports

auditmanager:ListAssessmentReports

List

ListAssessments

auditmanager:ListAssessments

List

ListControlDomainInsights

auditmanager:ListControlDomainInsights

List

ListControlDomainInsightsByAssessment

auditmanager:ListControlDomainInsightsByAssessment

List

ListControlInsightsByControlDomain

auditmanager:ListControlInsightsByControlDomain

List

ListControls

auditmanager:ListControls

List

ListKeywordsForDataSource

auditmanager:ListKeywordsForDataSource

List

ListNotifications

auditmanager:ListNotifications

List

ListTagsForResource

auditmanager:ListTagsForResource

Read

RegisterAccount

auditmanager:RegisterAccount

Write

RegisterOrganizationAdminAccount

auditmanager:RegisterOrganizationAdminAccount

Write

StartAssessmentFrameworkShare

auditmanager:StartAssessmentFrameworkShare

Write

TagResource

auditmanager:TagResource

Tagging, Write

UntagResource

auditmanager:UntagResource

Tagging, Write

UpdateAssessment

auditmanager:UpdateAssessment

Write

UpdateAssessmentControl

auditmanager:UpdateAssessmentControl

Write

UpdateAssessmentControlSetStatus

auditmanager:UpdateAssessmentControlSetStatus

Write

UpdateAssessmentFramework

auditmanager:UpdateAssessmentFramework

Write

UpdateAssessmentFrameworkShare

auditmanager:UpdateAssessmentFrameworkShare

Write

UpdateAssessmentStatus

auditmanager:UpdateAssessmentStatus

Write

UpdateControl

auditmanager:UpdateControl

Write

UpdateSettings

auditmanager:UpdateSettings

Write

ValidateAssessmentReportIntegrity

auditmanager:ValidateAssessmentReportIntegrity

Read

Actions defined by AWS Audit Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssociateAssessmentReportEvidenceFolder

Grants permission to associate an evidence folder with an assessment report in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

BatchAssociateAssessmentReportEvidence

Grants permission to associate a list of evidence to an assessment report in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

BatchCreateDelegationByAssessment

Grants permission to create delegations for an assessment in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

assessmentControlSet*

BatchDeleteDelegationByAssessment

Grants permission to delete delegations for an assessment in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

assessmentControlSet*

BatchDisassociateAssessmentReportEvidence

Grants permission to disassociate a list of evidence from an assessment report in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

BatchImportEvidenceToAssessmentControl

Grants permission to import a list of evidence to an assessment control in AWS Audit Manager

assessmentControlSet*

Write

CreateAssessment

Grants permission to create an assessment to be used with AWS Audit Manager

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateAssessmentFramework

Grants permission to create a framework for use in AWS Audit Manager

assessmentFramework*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

control*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

CreateAssessmentReport

Grants permission to create an assessment report in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

CreateControl

Grants permission to create a control to be used in AWS Audit Manager

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteAssessment

Grants permission to delete an assessment in AWS Audit Manager

assessment*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteAssessmentFramework

Grants permission to delete an assessment framework in AWS Audit Manager

assessmentFramework*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteAssessmentFrameworkShare

Grants permission to delete a share request for a custom framework in AWS Audit Manager

Write

DeleteAssessmentReport

Grants permission to delete an assessment report in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

DeleteControl

Grants permission to delete a control in AWS Audit Manager

control*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeregisterAccount

Grants permission to deregister an account in AWS Audit Manager

Write

DeregisterOrganizationAdminAccount

Grants permission to deregister the delegated administrator account for AWS Audit Manager

Write

DisassociateAssessmentReportEvidenceFolder

Grants permission to disassociate an evidence folder from an assessment report in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

GetAccountStatus

Grants permission to get the status of an account in AWS Audit Manager

Read

GetAssessment

Grants permission to get an assessment created in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Read

GetAssessmentFramework

Grants permission to get an assessment framework in AWS Audit Manager

assessmentFramework*

aws:ResourceTag/${TagKey}

Read

GetAssessmentReportUrl

Grants permission to get the URL for an assessment report in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Read

GetChangeLogs

Grants permission to get changelogs for an assessment in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Read

GetControl

Grants permission to get a control in AWS Audit Manager

control*

aws:ResourceTag/${TagKey}

Read

GetDelegations

Grants permission to get all delegations in AWS Audit Manager

List

GetEvidence

Grants permission to get evidence from AWS Audit Manager

assessmentControlSet*

Read

GetEvidenceByEvidenceFolder

Grants permission to get all the evidence from an evidence folder in AWS Audit Manager

assessmentControlSet*

Read

GetEvidenceFileUploadUrl

Grants permission to get a presigned Amazon S3 URL that can be used to upload a file as manual evidence

Read

GetEvidenceFolder

Grants permission to get the evidence folder from AWS Audit Manager

assessmentControlSet*

Read

GetEvidenceFoldersByAssessment

Grants permission to get the evidence folders from an assessment in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Read

GetEvidenceFoldersByAssessmentControl

Grants permission to get the evidence folders from an assessment control in AWS Audit Manager

assessmentControlSet*

Read

GetInsights

Grants permission to get analytics data for all active assessments

Read

GetInsightsByAssessment

Grants permission to get analytics data for a specific active assessment

Read

GetOrganizationAdminAccount

Grants permission to get the delegated administrator account in AWS Audit Manager

Read

GetServicesInScope

Grants permission to get the services in scope for an assessment in AWS Audit Manager

Read

GetSettings

Grants permission to get all settings configured in AWS Audit Manager

Read

ListAssessmentControlInsightsByControlDomain

Grants permission to list analytics data for controls in a specific control domain and active assessment

List

ListAssessmentFrameworkShareRequests

Grants permission to list all sent or received share requests for custom frameworks in AWS Audit Manager

List

ListAssessmentFrameworks

Grants permission to list all assessment frameworks in AWS Audit Manager

List

ListAssessmentReports

Grants permission to list all assessment reports in AWS Audit Manager

List

ListAssessments

Grants permission to list all assessments in AWS Audit Manager

List

ListControlDomainInsights

Grants permission to list analytics data for control domains across all active assessments

List

ListControlDomainInsightsByAssessment

Grants permission to list analytics data for control domains in a specific active assessment

List

ListControlInsightsByControlDomain

Grants permission to list analytics data for controls in a specific control domain across all active assessments

List

ListControls

Grants permission to list all controls in AWS Audit Manager

List

ListKeywordsForDataSource

Grants permission to list all the data source keywords in AWS Audit Manager

List

ListNotifications

Grants permission to list all notifications in AWS Audit Manager

List

ListTagsForResource

Grants permission to list tags for an AWS Audit Manager resource

assessment

aws:ResourceTag/${TagKey}

Read

control

aws:ResourceTag/${TagKey}

RegisterAccount

Grants permission to register an account in AWS Audit Manager

Write

RegisterOrganizationAdminAccount

Grants permission to register an account within the organization as the delegated administrator for AWS Audit Manager

Write

StartAssessmentFrameworkShare

Grants permission to create a share request for a custom framework in AWS Audit Manager

assessmentFramework*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to tag an AWS Audit Manager resource

assessment

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

assessmentFramework

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

control

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to untag an AWS Audit Manager resource

assessment

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

assessmentFramework

aws:ResourceTag/${TagKey}

aws:TagKeys

control

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateAssessment

Grants permission to update an assessment in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

UpdateAssessmentControl

Grants permission to update an assessment control in AWS Audit Manager

assessmentControlSet*

Write

UpdateAssessmentControlSetStatus

Grants permission to update the status of an assessment control set in AWS Audit Manager

assessmentControlSet*

Write

UpdateAssessmentFramework

Grants permission to update an assessment framework in AWS Audit Manager

assessmentFramework*

aws:ResourceTag/${TagKey}

Write

control*

aws:ResourceTag/${TagKey}

UpdateAssessmentFrameworkShare

Grants permission to update a share request for a custom framework in AWS Audit Manager

assessmentFramework*

aws:ResourceTag/${TagKey}

Write

UpdateAssessmentStatus

Grants permission to update the status of an assessment in AWS Audit Manager

assessment*

aws:ResourceTag/${TagKey}

Write

UpdateControl

Grants permission to update a control in AWS Audit Manager

control*

aws:ResourceTag/${TagKey}

Write

UpdateSettings

Grants permission to update settings in AWS Audit Manager

Write

ValidateAssessmentReportIntegrity

Grants permission to validate the integrity of an assessment report in AWS Audit Manager

Read

Resource types defined by AWS Audit Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

assessment

arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${AssessmentId}

aws:ResourceTag/${TagKey}

assessmentControlSet

arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${AssessmentId}/controlSet/${ControlSetId}

assessmentFramework

arn:${Partition}:auditmanager:${Region}:${Account}:assessmentFramework/${AssessmentFrameworkId}

aws:ResourceTag/${TagKey}

control

arn:${Partition}:auditmanager:${Region}:${Account}:control/${ControlId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Audit Manager

AWS Audit Manager defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString