View a markdown version of this page

Actions, resources, and condition keys for Amazon CodeGuru Security - Service Authorization Reference

Actions, resources, and condition keys for Amazon CodeGuru Security

Amazon CodeGuru Security (service prefix: codeguru-security) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon CodeGuru Security

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

BatchGetFindings

codeguru-security:BatchGetFindings

Read

CreateScan

codeguru-security:CreateScan

Write

CreateUploadUrl

codeguru-security:CreateUploadUrl

Write

GetAccountConfiguration

codeguru-security:GetAccountConfiguration

Read

GetFindings

codeguru-security:GetFindings

List

GetMetricsSummary

codeguru-security:GetMetricsSummary

Read

GetScan

codeguru-security:GetScan

Read

ListFindingsMetrics

codeguru-security:ListFindingsMetrics

List

ListScans

codeguru-security:ListScans

List

ListTagsForResource

codeguru-security:ListTagsForResource

Read

TagResource

codeguru-security:TagResource

Tagging, Write

UntagResource

codeguru-security:UntagResource

Tagging, Write

UpdateAccountConfiguration

codeguru-security:UpdateAccountConfiguration

Write

Actions defined by Amazon CodeGuru Security

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

BatchGetFindings

Grants permission to batch retrieve specific findings generated by CodeGuru Security

ScanName*

aws:ResourceTag/${TagKey}

Read

CreateScan

Grants permission to create a CodeGuru Security scan

ScanName*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateUploadUrl

Grants permission to generate a presigned url for uploading code archives

ScanName*

aws:ResourceTag/${TagKey}

Write

GetAccountConfiguration

Grants permission to retrieve the account level configurations

Read

GetFindings

Grants permission to retrieve findings for a scan generated by CodeGuru Security

ScanName*

aws:ResourceTag/${TagKey}

List

GetMetricsSummary

Grants permission to retrieve AWS accout level metrics summary generated by CodeGuru Security

Read

GetScan

Grants permission to retrieve CodeGuru Security scan metadata

ScanName*

aws:ResourceTag/${TagKey}

Read

ListFindingsMetrics

Grants permission to retrieve a list of account level findings metrics within a date range

List

ListScans

Grants permission to retrieve list of CodeGuru Security scan metadata

List

ListTagsForResource

Grants permission to retrieve a list of tags for a scan name ARN

ScanName*

aws:ResourceTag/${TagKey}

Read

TagResource

Grants permission to add tags to a scan name ARN

ScanName*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to remove tags from a scan name ARN

ScanName*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdateAccountConfiguration

Grants permission to update the account level configurations

Write

Permission-only actions for Amazon CodeGuru Security

The following actions are defined by Amazon CodeGuru Security but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

DeleteScansByCategory

Grants permission to delete all the scans and related findings from CodeGuru Security by given category

Write

ListFindings

Grants permission to retrieve findings generated by CodeGuru Security

List

Resource types defined by Amazon CodeGuru Security

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

ScanName

arn:${Partition}:codeguru-security:${Region}:${Account}:scans/${ScanName}

aws:ResourceTag/${TagKey}

Condition keys for Amazon CodeGuru Security

Amazon CodeGuru Security defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString