Actions, resources, and condition keys for AWS Security Agent
AWS Security Agent (service prefix: securityagent) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by AWS Security Agent
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AddArtifact |
Write |
|||
|
BatchCreateSecurityRequirements |
Write |
|||
|
BatchDeleteCodeReviews |
Write |
|||
|
BatchDeletePentests |
Write |
|||
|
BatchDeleteSecurityRequirements |
Write |
|||
|
BatchDeleteThreatModels |
Write |
|||
|
BatchGetAgentSpaces |
Read |
|||
|
BatchGetArtifactMetadata |
Read |
|||
|
BatchGetCodeReviewJobTasks |
Read |
|||
|
BatchGetCodeReviewJobs |
Read |
|||
|
BatchGetCodeReviews |
Read |
|||
|
BatchGetFindings |
Read |
|||
|
BatchGetPentestJobTasks |
Read |
|||
|
BatchGetPentestJobs |
Read |
|||
|
BatchGetPentests |
Read |
|||
|
BatchGetSecurityRequirements |
Read |
|||
|
BatchGetTargetDomains |
Read |
|||
|
BatchGetThreatModelJobTasks |
Read |
|||
|
BatchGetThreatModelJobs |
Read |
|||
|
BatchGetThreatModels |
Read |
|||
|
BatchGetThreats |
Read |
|||
|
BatchUpdateSecurityRequirements |
Write |
|||
|
CreateAgentSpace |
Write |
|||
Tagging, Write |
||||
iam:PassedToService |
securityagent.amazonaws.com |
Write |
||
|
CreateApplication |
Write |
|||
Tagging, Write |
||||
iam:PassedToService |
securityagent.amazonaws.com |
Write |
||
|
CreateCodeReview |
Write |
|||
|
CreateIntegration |
Write |
|||
Tagging, Write |
||||
|
CreateMembership |
Write |
|||
|
CreatePentest |
Write |
|||
|
CreatePrivateConnection |
Write |
|||
Tagging, Write |
||||
|
CreateSecurityRequirementPack |
Write |
|||
Tagging, Write |
||||
|
CreateTargetDomain |
Write |
|||
Tagging, Write |
||||
|
CreateThreat |
Write |
|||
|
CreateThreatModel |
Write |
|||
|
DeleteAgentSpace |
Write |
|||
|
DeleteApplication |
Write |
|||
|
DeleteArtifact |
Write |
|||
|
DeleteIntegration |
Write |
|||
|
DeleteMembership |
Write |
|||
|
DeletePrivateConnection |
Write |
|||
|
DeleteSecurityRequirementPack |
Write |
|||
|
DeleteTargetDomain |
Write |
|||
|
DescribePrivateConnection |
Read |
|||
|
GetApplication |
Read |
|||
|
GetArtifact |
Read |
|||
|
GetIntegration |
Read |
|||
|
GetSecurityRequirementPack |
Read |
|||
|
ImportSecurityRequirements |
Write |
|||
|
InitiateProviderRegistration |
Write |
|||
|
ListAgentSpaces |
List |
|||
|
ListApplications |
List |
|||
|
ListArtifacts |
List |
|||
|
ListCodeReviewJobTasks |
List |
|||
|
ListCodeReviewJobsForCodeReview |
List |
|||
|
ListCodeReviews |
List |
|||
|
ListDiscoveredEndpoints |
List |
|||
|
ListFindings |
List |
|||
|
ListIntegratedResources |
List |
|||
|
ListIntegrations |
List |
|||
|
ListMemberships |
List |
|||
|
ListPentestJobTasks |
List |
|||
|
ListPentestJobsForPentest |
List |
|||
|
ListPentests |
List |
|||
|
ListPrivateConnections |
List |
|||
|
ListSecurityRequirementPacks |
List |
|||
|
ListSecurityRequirements |
List |
|||
|
ListTagsForResource |
Read |
|||
|
ListTargetDomains |
List |
|||
|
ListThreatModelJobTasks |
List |
|||
|
ListThreatModelJobs |
List |
|||
|
ListThreatModels |
List |
|||
|
ListThreats |
List |
|||
|
StartCodeRemediation |
Write |
|||
|
StartCodeReviewJob |
Write |
|||
|
StartPentestJob |
Write |
|||
|
StartThreatModelJob |
Write |
|||
|
StopCodeReviewJob |
Write |
|||
|
StopPentestJob |
Write |
|||
|
StopThreatModelJob |
Write |
|||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateAgentSpace |
Write |
|||
iam:PassedToService |
securityagent.amazonaws.com |
Write |
||
|
UpdateApplication |
Write |
|||
iam:PassedToService |
securityagent.amazonaws.com |
Write |
||
|
UpdateCodeReview |
Write |
|||
|
UpdateFinding |
Write |
|||
|
UpdateIntegratedResources |
Write |
|||
|
UpdatePentest |
Write |
|||
|
UpdatePrivateConnectionCertificate |
Write |
|||
|
UpdateSecurityRequirementPack |
Write |
|||
|
UpdateTargetDomain |
Write |
|||
|
UpdateThreat |
Write |
|||
|
UpdateThreatModel |
Write |
|||
|
VerifyTargetDomain |
Write |
Actions defined by AWS Security Agent
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to add an Artifact for the given Agent Space |
Write |
|||
Grants permission to batch create security requirements in a customer managed pack |
Write |
|||
Grants permission to delete multiple code reviews in a single request |
Write |
|||
Grants permission to delete multiple penetration tests in a single request |
Write |
|||
Grants permission to batch delete security requirements from a customer managed pack |
Write |
|||
Grants permission to delete multiple threat models in a single request |
Write |
|||
Grants permission to delete multiple threats |
Write |
|||
Grants permission to retrieve multiple agent spaces in a single request |
Read |
|||
Grants permission to retrieve one or more Artifact Metadata records for the given Agent Space |
Read |
|||
Grants permission to retrieve multiple code review job tasks in a single request |
Read |
|||
Grants permission to retrieve multiple code review jobs in a single request |
Read |
|||
Grants permission to retrieve multiple code reviews in a single request |
Read |
|||
Grants permission to retrieve multiple security testing findings in a single request |
Read |
|||
Grants permission to retrieve multiple pentest job contents metadata in a single request |
Read |
|||
Grants permission to retrieve multiple pentest job tasks in a single request |
Read |
|||
Grants permission to retrieve multiple security testing jobs in a single request |
Read |
|||
Grants permission to retrieve multiple penetration tests in a single request |
Read |
|||
Grants permission to retrieve multiple security requirements in a single request |
Read |
|||
Grants permission to retrieve multiple target domains in a single request |
Read |
|||
Grants permission to retrieve multiple tasks for a threat model job in a single request |
Read |
|||
Grants permission to retrieve details for one or more threat model jobs |
Read |
|||
Grants permission to retrieve multiple threat models in a single request |
Read |
|||
Grants permission to retrieve details for one or more threats |
Read |
|||
Grants permission to batch update security requirements within a customer managed pack |
Write |
|||
Grants permission to create an agent space record |
Write |
|||
Grants permission to create a new application |
Write |
|||
Grants permission to create a new code review configuration |
Write |
|||
Grants permission to create a design review |
Write |
|||
Grants permission to create a security testing integration |
Write |
|||
Grants permission to add a single member to a agent space with specified role |
Write |
|||
Grants permission to create a one time login session |
Write |
|||
Grants permission to create a new penetration test configuration |
Write |
|||
Grants permission to create a private connection for VPC Lattice integration |
Write |
|||
Grants permission to add a customer managed Security Requirement |
Write |
|||
Grants permission to create a customer managed security requirement pack |
Write |
|||
Grants permission to create a target domain record |
Write |
|||
Grants permission to create a threat in a threat model |
Write |
|||
Grants permission to create a new threat model configuration |
Write |
|||
Grants permission to delete an agent space record |
Write |
|||
Grants permission to delete application |
Write |
|||
Grants permission to delete an Artifact |
Write |
|||
Grants permission to delete a design review |
Write |
|||
Grants permission to delete the integration of an application |
Write |
|||
Grants permission to remove a single member associated to an agent space |
Write |
|||
Grants permission to delete a private connection |
Write |
|||
Grants permission to delete a customer managed Security Requirement |
Write |
|||
Grants permission to delete a customer managed security requirement pack and all its associated security requirements |
Write |
|||
Grants permission to delete a target domain record |
Write |
|||
Grants permission to describe a private connection |
Read |
|||
Grants permission to get application details by application ID |
Read |
|||
Grants permission to retrieve an Artifact for the given Agent Space |
Read |
|||
Grants permission to get the status of the associated agent space design review |
Read |
|||
Grants permission to get design review artifact for a specific document |
Read |
|||
Grants permission to get feedback for a design review comment |
Read |
|||
Grants permission to get the integration metadata by ID |
Read |
|||
Grants permission to retrieve the provider registration manifest used for browser-based integration registration |
Read |
|||
Grants permission to retrieve a Security Requirement |
Read |
|||
Grants permission to retrieve a security requirement pack |
Read |
|||
Grants permission to handle the provider OAuth registration callback that completes integration setup |
Write |
|||
Grants permission to import security requirements from uploaded documents for a customer managed security requirement pack |
Write |
|||
Grants permission to initiate the registration of Security Agent App for the given provider (eg: GitHub) |
Write |
|||
Grants permission to list agent spaces |
List |
|||
Grants permission to list all applications in the account |
List |
|||
Grants permission to list all artifacts for the given agent space |
List |
|||
Grants permission to list tasks associated with a code review job |
List |
|||
Grants permission to list code review jobs associated with a code review |
List |
|||
Grants permission to list code reviews with optional filtering by status |
List |
|||
Grants permission to list design review comments |
List |
|||
Grants permission to list all design reviews for the given agent space |
List |
|||
Grants permission to list discovered endpoints associated with a pentest job with optional URI prefix filtering |
List |
|||
Grants permission to list findings with filtering and pagination support |
List |
|||
Grants permission to list integrated resources for an agent space |
List |
|||
Grants permission to get the integrations owned by the caller's AWS account |
List |
|||
Grants permission to list all members associated to an agent space with pagination support |
List |
|||
Grants permission to list pentest job tasks associated with a pentest job |
List |
|||
Grants permission to list penetration test jobs associated with a penetration test |
List |
|||
Grants permission to list penetration tests with optional filtering by status |
List |
|||
Grants permission to list private connections in the account |
List |
|||
Grants permission to list resources from Integration |
List |
|||
Grants permission to list all security requirement packs in the account |
List |
|||
Grants permission to list all Security Requirements |
List |
|||
Grants permission to list the tags for a resource |
Read |
|||
Grants permission to list target domains |
List |
|||
Grants permission to list tasks associated with a specific threat model job |
List |
|||
Grants permission to list threat model jobs for a threat model |
List |
|||
Grants permission to list threat models for an agent space |
List |
|||
Grants permission to list threats for a threat model job with filtering and pagination support |
List |
|||
Grants permission to submit feedback for a design review comment |
Write |
|||
Grants permission to start code remediation for the findings |
Write |
|||
Grants permission to initiate the execution of a code review |
Write |
|||
Grants permission to initiate the execution of a penetration test |
Write |
|||
Grants permission to initiate the execution of a threat model job |
Write |
|||
Grants permission to stop the execution of a running code review |
Write |
|||
Grants permission to stop the execution of a running penetration test |
Write |
|||
Grants permission to stop a running threat model job |
Write |
|||
Grants permission to add tags to a resource |
Tagging, Write |
|||
Grants permission to toggle the status of a managed Security Requirement |
Write |
|||
Grants permission to remove tags from a resource |
Tagging, Write |
|||
Grants permission to update an agent space record |
Write |
|||
Grants permission to update application configuration |
Write |
|||
Grants permission to update an existing code review with new configuration or settings |
Write |
|||
Grants permission to update an existing security finding with new details or status |
Write |
|||
Grants permission to update integrated resources for an agent space |
Write |
|||
Grants permission to update an existing penetration test with new configuration or settings |
Write |
|||
Grants permission to update the certificate associated with a private connection |
Write |
|||
Grants permission to update a customer managed Security Requirement |
Write |
|||
Grants permission to update a security requirement pack |
Write |
|||
Grants permission to update a target domain record |
Write |
|||
Grants permission to update a threat |
Write |
|||
Grants permission to update an existing threat model with new configuration |
Write |
|||
Grants permission to verify ownership for a registered target domain |
Write |
Resource types defined by AWS Security Agent
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:securityagent:${Region}:${Account}:agent-space/${AgentId} |
||
arn:${Partition}:securityagent:${Region}:${Account}:application/${ApplicationId} |
||
arn:${Partition}:securityagent:${Region}:${Account}:integration/${IntegrationId} |
||
arn:${Partition}:securityagent:${Region}:${Account}:private-connection/${PrivateConnectionName} |
||
arn:${Partition}:securityagent:${Region}:${Account}:security-requirement-pack/${SecurityRequirementPackId} |
||
arn:${Partition}:securityagent:${Region}:${Account}:target-domain/${TargetDomainId} |
Condition keys for AWS Security Agent
AWS Security Agent defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the tags that are passed in the request |
String |
|
Filters access by the tags associated with the resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |