Actions, resources, and condition keys for Amazon Inspector
Amazon Inspector (service prefix: inspector) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon Inspector
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AddAttributesToFindings |
Write |
|||
|
CreateAssessmentTarget |
Write |
|||
|
CreateAssessmentTemplate |
Write |
|||
|
CreateExclusionsPreview |
Write |
|||
|
CreateResourceGroup |
Write |
|||
|
DeleteAssessmentRun |
Write |
|||
|
DeleteAssessmentTarget |
Write |
|||
|
DeleteAssessmentTemplate |
Write |
|||
|
DescribeAssessmentRuns |
Read |
|||
|
DescribeAssessmentTargets |
Read |
|||
|
DescribeAssessmentTemplates |
Read |
|||
|
DescribeCrossAccountAccessRole |
Read |
|||
|
DescribeExclusions |
Read |
|||
|
DescribeFindings |
Read |
|||
|
DescribeResourceGroups |
Read |
|||
|
DescribeRulesPackages |
Read |
|||
|
GetAssessmentReport |
Read |
|||
|
GetExclusionsPreview |
Read |
|||
|
GetTelemetryMetadata |
Read |
|||
|
ListAssessmentRunAgents |
List |
|||
|
ListAssessmentRuns |
List |
|||
|
ListAssessmentTargets |
List |
|||
|
ListAssessmentTemplates |
List |
|||
|
ListEventSubscriptions |
List |
|||
|
ListExclusions |
List |
|||
|
ListFindings |
List |
|||
|
ListRulesPackages |
List |
|||
|
ListTagsForResource |
Read |
|||
|
PreviewAgents |
Read |
|||
|
RegisterCrossAccountAccessRole |
Write |
|||
iam:PassedToService |
inspector.amazonaws.com |
Write |
||
|
RemoveAttributesFromFindings |
Write |
|||
|
SetTagsForResource |
Tagging, Write |
|||
|
StartAssessmentRun |
Write |
|||
|
StopAssessmentRun |
Write |
|||
|
SubscribeToEvent |
Write |
|||
|
UnsubscribeFromEvent |
Write |
|||
|
UpdateAssessmentTarget |
Write |
Actions defined by Amazon Inspector
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to assign attributes (key and value pairs) to the findings that are specified by the ARNs of the findings |
Write |
|||
Grants permission to create a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup |
Write |
|||
Grants permission to create an assessment template for the assessment target that is specified by the ARN of the assessment target |
Write |
|||
Grants permission to start the generation of an exclusions preview for the specified assessment template |
Write |
|||
Grants permission to create a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target |
Write |
|||
Grants permission to delete the assessment run that is specified by the ARN of the assessment run |
Write |
|||
Grants permission to delete the assessment target that is specified by the ARN of the assessment target |
Write |
|||
Grants permission to delete the assessment template that is specified by the ARN of the assessment template |
Write |
|||
Grants permission to describe the assessment runs that are specified by the ARNs of the assessment runs |
Read |
|||
Grants permission to describe the assessment targets that are specified by the ARNs of the assessment targets |
Read |
|||
Grants permission to describe the assessment templates that are specified by the ARNs of the assessment templates |
Read |
|||
Grants permission to describe the IAM role that enables Amazon Inspector to access your AWS account |
Read |
|||
Grants permission to describe the exclusions that are specified by the exclusions' ARNs |
Read |
|||
Grants permission to describe the findings that are specified by the ARNs of the findings |
Read |
|||
Grants permission to describe the resource groups that are specified by the ARNs of the resource groups |
Read |
|||
Grants permission to describe the rules packages that are specified by the ARNs of the rules packages |
Read |
|||
Grants permission to produce an assessment report that includes detailed and comprehensive results of a specified assessment run |
Read |
|||
Grants permission to retrieve the exclusions preview (a list of ExclusionPreview objects) specified by the preview token |
Read |
|||
Grants permission to get information about the data that is collected for the specified assessment run |
Read |
|||
Grants permission to list the agents of the assessment runs that are specified by the ARNs of the assessment runs |
List |
|||
Grants permission to list the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates |
List |
|||
Grants permission to list the ARNs of the assessment targets within this AWS account |
List |
|||
Grants permission to list the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets |
List |
|||
Grants permission to list all the event subscriptions for the assessment template that is specified by the ARN of the assessment template |
List |
|||
Grants permission to list exclusions that are generated by the assessment run |
List |
|||
Grants permission to list findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs |
List |
|||
Grants permission to list all available Amazon Inspector rules packages |
List |
|||
Grants permission to list all tags associated with an assessment template |
Read |
|||
Grants permission to preview the agents installed on the EC2 instances that are part of the specified assessment target |
Read |
|||
Grants permission to register the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action |
Write |
|||
Grants permission to remove entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists |
Write |
|||
Grants permission to set tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template |
Tagging, Write |
|||
Grants permission to start the assessment run specified by the ARN of the assessment template |
Write |
|||
Grants permission to stop the assessment run that is specified by the ARN of the assessment run |
Write |
|||
Grants permission to enable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic |
Write |
|||
Grants permission to disable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic |
Write |
|||
Grants permission to update the assessment target that is specified by the ARN of the assessment target |
Write |
Resource types defined by Amazon Inspector
Amazon Inspector does not support specifying a resource ARN in the
Resource element of an IAM policy statement.
Condition keys for Amazon Inspector
Amazon Inspector has no service-specific condition keys that can be used in the
Condition element of policy statements.