View a markdown version of this page

Actions, resources, and condition keys for Amazon Fraud Detector - Service Authorization Reference

Actions, resources, and condition keys for Amazon Fraud Detector

Amazon Fraud Detector (service prefix: frauddetector) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Fraud Detector

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

BatchCreateVariable

frauddetector:BatchCreateVariable

Write

frauddetector:TagResource

Tagging, Write

BatchGetVariable

frauddetector:BatchGetVariable

List

CancelBatchImportJob

frauddetector:CancelBatchImportJob

Write

CancelBatchPredictionJob

frauddetector:CancelBatchPredictionJob

Write

CreateBatchImportJob

frauddetector:CreateBatchImportJob

Write

frauddetector:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

frauddetector.amazonaws.com

Write

CreateBatchPredictionJob

frauddetector:CreateBatchPredictionJob

Write

frauddetector:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

frauddetector.amazonaws.com

Write

CreateDetectorVersion

frauddetector:CreateDetectorVersion

Write

frauddetector:TagResource

Tagging, Write

CreateList

frauddetector:CreateList

Write

frauddetector:TagResource

Tagging, Write

CreateModel

frauddetector:CreateModel

Write

frauddetector:TagResource

Tagging, Write

CreateModelVersion

frauddetector:CreateModelVersion

Write

frauddetector:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

frauddetector.amazonaws.com

Write

CreateRule

frauddetector:CreateRule

Write

frauddetector:TagResource

Tagging, Write

CreateVariable

frauddetector:CreateVariable

Write

frauddetector:TagResource

Tagging, Write

DeleteBatchImportJob

frauddetector:DeleteBatchImportJob

Write

DeleteBatchPredictionJob

frauddetector:DeleteBatchPredictionJob

Write

DeleteDetector

frauddetector:DeleteDetector

Write

DeleteDetectorVersion

frauddetector:DeleteDetectorVersion

Write

DeleteEntityType

frauddetector:DeleteEntityType

Write

DeleteEvent

frauddetector:DeleteEvent

Write

DeleteEventType

frauddetector:DeleteEventType

Write

DeleteEventsByEventType

frauddetector:DeleteEventsByEventType

Write

DeleteExternalModel

frauddetector:DeleteExternalModel

Write

DeleteLabel

frauddetector:DeleteLabel

Write

DeleteList

frauddetector:DeleteList

Write

DeleteModel

frauddetector:DeleteModel

Write

DeleteModelVersion

frauddetector:DeleteModelVersion

Write

DeleteOutcome

frauddetector:DeleteOutcome

Write

DeleteRule

frauddetector:DeleteRule

Write

DeleteVariable

frauddetector:DeleteVariable

Write

DescribeDetector

frauddetector:DescribeDetector

Read

DescribeModelVersions

frauddetector:DescribeModelVersions

Read

GetBatchImportJobs

frauddetector:GetBatchImportJobs

List

GetBatchPredictionJobs

frauddetector:GetBatchPredictionJobs

List

GetDeleteEventsByEventTypeStatus

frauddetector:GetDeleteEventsByEventTypeStatus

Read

GetDetectorVersion

frauddetector:GetDetectorVersion

Read

GetDetectors

frauddetector:GetDetectors

List

GetEntityTypes

frauddetector:GetEntityTypes

List

GetEvent

frauddetector:GetEvent

Read

GetEventPrediction

frauddetector:GetEventPrediction

Read

GetEventPredictionMetadata

frauddetector:GetEventPredictionMetadata

Read

GetEventTypes

frauddetector:GetEventTypes

List

GetExternalModels

frauddetector:GetExternalModels

List

GetKMSEncryptionKey

frauddetector:GetKMSEncryptionKey

Read

GetLabels

frauddetector:GetLabels

List

GetListElements

frauddetector:GetListElements

Read

GetListsMetadata

frauddetector:GetListsMetadata

List

GetModelVersion

frauddetector:GetModelVersion

Read

GetModels

frauddetector:GetModels

List

GetOutcomes

frauddetector:GetOutcomes

List

GetRules

frauddetector:GetRules

List

GetVariables

frauddetector:GetVariables

List

ListEventPredictions

frauddetector:ListEventPredictions

List

ListTagsForResource

frauddetector:ListTagsForResource

Read

PutDetector

frauddetector:PutDetector

Write

frauddetector:TagResource

Tagging, Write

PutEntityType

frauddetector:PutEntityType

Write

frauddetector:TagResource

Tagging, Write

PutEventType

frauddetector:PutEventType

Write

frauddetector:TagResource

Tagging, Write

PutExternalModel

frauddetector:PutExternalModel

Write

frauddetector:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

frauddetector.amazonaws.com

Write

PutLabel

frauddetector:PutLabel

Write

frauddetector:TagResource

Tagging, Write

PutOutcome

frauddetector:PutOutcome

Write

frauddetector:TagResource

Tagging, Write

SendEvent

frauddetector:SendEvent

Write

TagResource

frauddetector:TagResource

Tagging, Write

UntagResource

frauddetector:UntagResource

Tagging, Write

UpdateDetectorVersion

frauddetector:UpdateDetectorVersion

Write

UpdateDetectorVersionMetadata

frauddetector:UpdateDetectorVersionMetadata

Write

UpdateDetectorVersionStatus

frauddetector:UpdateDetectorVersionStatus

Write

UpdateEventLabel

frauddetector:UpdateEventLabel

Write

UpdateList

frauddetector:UpdateList

Write

UpdateModel

frauddetector:UpdateModel

Write

UpdateModelVersionStatus

frauddetector:UpdateModelVersionStatus

Write

UpdateRuleMetadata

frauddetector:UpdateRuleMetadata

Write

UpdateRuleVersion

frauddetector:TagResource

Tagging, Write

frauddetector:UpdateRuleVersion

Write

UpdateVariable

frauddetector:UpdateVariable

Write

Actions defined by Amazon Fraud Detector

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

BatchCreateVariable

Grants permission to create a batch of variables

aws:RequestTag/${TagKey}

aws:TagKeys

Write

BatchGetVariable

Grants permission to get a batch of variables

variable*

aws:ResourceTag/${TagKey}

List

CancelBatchImportJob

Grants permission to cancel the specified batch import job

batch-import*

aws:ResourceTag/${TagKey}

Write

CancelBatchPredictionJob

Grants permission to cancel the specified batch prediction job

batch-prediction*

aws:ResourceTag/${TagKey}

Write

CreateBatchImportJob

Grants permission to create a batch import job

batch-import*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

CreateBatchPredictionJob

Grants permission to create a batch prediction job

batch-prediction*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

detector*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

detector-version*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

CreateDetectorVersion

Grants permission to create a detector version. The detector version starts in a DRAFT status

detector*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

external-model

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

model-version

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

CreateList

Grants permission to create a list

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateModel

Grants permission to create a model using the specified model type

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

model*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

CreateModelVersion

Grants permission to create a version of the model using the specified model type and model id

model*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateRule

Grants permission to create a rule for use with the specified detector

detector*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateVariable

Grants permission to create a variable

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteBatchImportJob

Grants permission to delete a batch import job

batch-import*

aws:ResourceTag/${TagKey}

Write

DeleteBatchPredictionJob

Grants permission to delete a batch prediction job

batch-prediction*

aws:ResourceTag/${TagKey}

Write

DeleteDetector

Grants permission to delete the detector. Before deleting a detector, you must first delete all detector versions and rule versions associated with the detector

detector*

aws:ResourceTag/${TagKey}

Write

DeleteDetectorVersion

Grants permission to delete the detector version. You cannot delete detector versions that are in ACTIVE status

detector-version*

aws:ResourceTag/${TagKey}

Write

DeleteEntityType

Grants permission to delete an entity type. You cannot delete an entity type that is included in an event type

entity-type*

aws:ResourceTag/${TagKey}

Write

DeleteEvent

Grants permission to deletes the specified event

event-type*

aws:ResourceTag/${TagKey}

Write

DeleteEventType

Grants permission to delete an event type. You cannot delete an event type that is used in a detector or a model

event-type*

aws:ResourceTag/${TagKey}

Write

DeleteEventsByEventType

Grants permission to delete events for the specified event type

event-type*

aws:ResourceTag/${TagKey}

Write

DeleteExternalModel

Grants permission to remove a SageMaker model from Amazon Fraud Detector. You can remove an Amazon SageMaker model if it is not associated with a detector version

external-model*

aws:ResourceTag/${TagKey}

Write

DeleteLabel

Grants permission to delete a label. You cannot delete labels that are included in an event type in Amazon Fraud Detector. You cannot delete a label assigned to an event ID. You must first delete the relevant event ID

label*

aws:ResourceTag/${TagKey}

Write

DeleteList

Grants permission to delete a list

list*

aws:ResourceTag/${TagKey}

Write

DeleteModel

Grants permission to delete a model. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version

model*

aws:ResourceTag/${TagKey}

Write

DeleteModelVersion

Grants permission to delete a model version. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version

model-version*

aws:ResourceTag/${TagKey}

Write

DeleteOutcome

Grants permission to delete an outcome. You cannot delete an outcome that is used in a rule version

outcome*

aws:ResourceTag/${TagKey}

Write

DeleteRule

Grants permission to delete the rule. You cannot delete a rule if it is used by an ACTIVE or INACTIVE detector version

rule*

aws:ResourceTag/${TagKey}

Write

DeleteVariable

Grants permission to delete a variable. You cannot delete variables that are included in an event type in Amazon Fraud Detector

variable*

aws:ResourceTag/${TagKey}

Write

DescribeDetector

Grants permission to get all versions for a specified detector

detector*

aws:ResourceTag/${TagKey}

Read

DescribeModelVersions

Grants permission to get all of the model versions for the specified model type or for the specified model type and model ID. You can also get details for a single, specified model version

model-version

aws:ResourceTag/${TagKey}

Read

GetBatchImportJobs

Grants permission to get all batch import jobs or a specific job if you specify a job ID

batch-import

aws:ResourceTag/${TagKey}

List

GetBatchPredictionJobs

Grants permission to get all batch prediction jobs or a specific job if you specify a job ID. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 1 and 50. To get the next page results, provide the pagination token from the GetBatchPredictionJobsResponse as part of your request. A null pagination token fetches the records from the beginning

batch-prediction

aws:ResourceTag/${TagKey}

List

GetDeleteEventsByEventTypeStatus

Grants permission to get a specific event type DeleteEventsByEventType API execution status

event-type*

aws:ResourceTag/${TagKey}

Read

GetDetectorVersion

Grants permission to get a particular detector version

detector-version*

aws:ResourceTag/${TagKey}

Read

GetDetectors

Grants permission to get all detectors or a single detector if a detectorId is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetDetectorsResponse as part of your request. A null pagination token fetches the records from the beginning

detector

aws:ResourceTag/${TagKey}

List

GetEntityTypes

Grants permission to get all entity types or a specific entity type if a name is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEntityTypesResponse as part of your request. A null pagination token fetches the records from the beginning

entity-type

aws:ResourceTag/${TagKey}

List

GetEvent

Grants permission to get the details of the specified event

event-type*

aws:ResourceTag/${TagKey}

Read

GetEventPrediction

Grants permission to evaluate an event against a detector version. If a version ID is not provided, the detector's (ACTIVE) version is used

detector*

aws:ResourceTag/${TagKey}

Read

detector-version*

aws:ResourceTag/${TagKey}

event-type*

aws:ResourceTag/${TagKey}

GetEventPredictionMetadata

Grants permission to get more details of a particular prediction

detector*

aws:ResourceTag/${TagKey}

Read

detector-version*

aws:ResourceTag/${TagKey}

event-type*

aws:ResourceTag/${TagKey}

GetEventTypes

Grants permission to get all event types or a specific event type if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning

event-type

aws:ResourceTag/${TagKey}

List

GetExternalModels

Grants permission to get the details for one or more Amazon SageMaker models that have been imported into the service. This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetExternalModelsResult as part of your request. A null pagination token fetches the records from the beginning

external-model

aws:ResourceTag/${TagKey}

List

GetKMSEncryptionKey

Grants permission to get the encryption key if a Key Management Service (KMS) customer master key (CMK) has been specified to be used to encrypt content in Amazon Fraud Detector

Read

GetLabels

Grants permission to get all labels or a specific label if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 10 and 50. To get the next page results, provide the pagination token from the GetGetLabelsResponse as part of your request. A null pagination token fetches the records from the beginning

label

aws:ResourceTag/${TagKey}

List

GetListElements

Grants permission to get elements of a list

list*

aws:ResourceTag/${TagKey}

Read

GetListsMetadata

Grants permission to get metadata about lists

list

aws:ResourceTag/${TagKey}

List

GetModelVersion

Grants permission to get the details of the specified model version

model-version*

aws:ResourceTag/${TagKey}

Read

GetModels

Grants permission to get one or more models. Gets all models for the AWS account if no model type and no model id provided. Gets all models for the AWS account and model type, if the model type is specified but model id is not provided. Gets a specific model if (model type, model id) tuple is specified

model

aws:ResourceTag/${TagKey}

List

GetOutcomes

Grants permission to get one or more outcomes. This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 100 records per page. If you provide a maxResults, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetOutcomesResult as part of your request. A null pagination token fetches the records from the beginning

outcome

aws:ResourceTag/${TagKey}

List

GetRules

Grants permission to get all rules for a detector (paginated) if ruleId and ruleVersion are not specified. Gets all rules for the detector and the ruleId if present (paginated). Gets a specific rule if both the ruleId and the ruleVersion are specified

rule

aws:ResourceTag/${TagKey}

List

GetVariables

Grants permission to get all of the variables or the specific variable. This is a paginated API. Providing null maxSizePerPage results in retrieving maximum of 100 records per page. If you provide maxSizePerPage the value must be between 50 and 100. To get the next page result, a provide a pagination token from GetVariablesResult as part of your request. Null pagination token fetches the records from the beginning

variable

aws:ResourceTag/${TagKey}

List

ListEventPredictions

Grants permission to get a list of past predictions

detector

aws:ResourceTag/${TagKey}

List

detector-version

aws:ResourceTag/${TagKey}

event-type

aws:ResourceTag/${TagKey}

ListTagsForResource

Grants permission to list all tags associated with the resource. This is a paginated API. To get the next page results, provide the pagination token from the response as part of your request. A null pagination token fetches the records from the beginning

batch-import

aws:ResourceTag/${TagKey}

Read

batch-prediction

aws:ResourceTag/${TagKey}

detector

aws:ResourceTag/${TagKey}

detector-version

aws:ResourceTag/${TagKey}

entity-type

aws:ResourceTag/${TagKey}

event-type

aws:ResourceTag/${TagKey}

external-model

aws:ResourceTag/${TagKey}

label

aws:ResourceTag/${TagKey}

list

aws:ResourceTag/${TagKey}

model

aws:ResourceTag/${TagKey}

model-version

aws:ResourceTag/${TagKey}

outcome

aws:ResourceTag/${TagKey}

rule

aws:ResourceTag/${TagKey}

variable

aws:ResourceTag/${TagKey}

PutDetector

Grants permission to create or update a detector

detector*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PutEntityType

Grants permission to create or update an entity type. An entity represents who is performing the event. As part of a fraud prediction, you pass the entity ID to indicate the specific entity who performed the event. An entity type classifies the entity. Example classifications include customer, merchant, or account

entity-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

PutEventType

Grants permission to create or update an event type. An event is a business activity that is evaluated for fraud risk. With Amazon Fraud Detector, you generate fraud predictions for events. An event type defines the structure for an event sent to Amazon Fraud Detector. This includes the variables sent as part of the event, the entity performing the event (such as a customer), and the labels that classify the event. Example event types include online payment transactions, account registrations, and authentications

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

PutExternalModel

Grants permission to create or update an Amazon SageMaker model endpoint. You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

external-model*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PutKMSEncryptionKey

Grants permission to specify the Key Management Service (KMS) customer master key (CMK) to be used to encrypt content in Amazon Fraud Detector

Write

PutLabel

Grants permission to create or update label. A label classifies an event as fraudulent or legitimate. Labels are associated with event types and used to train supervised machine learning models in Amazon Fraud Detector

label*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

PutOutcome

Grants permission to create or update an outcome

outcome*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

SendEvent

Grants permission to send event

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

TagResource

Grants permission to assign tags to a resource

batch-import

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

batch-prediction

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

detector

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

detector-version

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

entity-type

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

event-type

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

external-model

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

label

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

list

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

model

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

model-version

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

outcome

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

rule

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

variable

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

variable

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove tags from a resource

batch-import

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

batch-prediction

aws:ResourceTag/${TagKey}

aws:TagKeys

detector

aws:ResourceTag/${TagKey}

aws:TagKeys

detector-version

aws:ResourceTag/${TagKey}

aws:TagKeys

entity-type

aws:ResourceTag/${TagKey}

aws:TagKeys

event-type

aws:ResourceTag/${TagKey}

aws:TagKeys

external-model

aws:ResourceTag/${TagKey}

aws:TagKeys

label

aws:ResourceTag/${TagKey}

aws:TagKeys

list

aws:ResourceTag/${TagKey}

aws:TagKeys

model

aws:ResourceTag/${TagKey}

aws:TagKeys

model-version

aws:ResourceTag/${TagKey}

aws:TagKeys

outcome

aws:ResourceTag/${TagKey}

aws:TagKeys

rule

aws:ResourceTag/${TagKey}

aws:TagKeys

variable

aws:ResourceTag/${TagKey}

aws:TagKeys

variable

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateDetectorVersion

Grants permission to update a detector version. The detector version attributes that you can update include models, external model endpoints, rules, rule execution mode, and description. You can only update a DRAFT detector version

detector*

aws:ResourceTag/${TagKey}

Write

external-model

aws:ResourceTag/${TagKey}

model-version

aws:ResourceTag/${TagKey}

UpdateDetectorVersionMetadata

Grants permission to update the detector version's description. You can update the metadata for any detector version (DRAFT, ACTIVE, or INACTIVE)

detector-version*

aws:ResourceTag/${TagKey}

Write

UpdateDetectorVersionStatus

Grants permission to update the detector version's status. You can perform the following promotions or demotions using UpdateDetectorVersionStatus: DRAFT to ACTIVE, ACTIVE to INACTIVE, and INACTIVE to ACTIVE

detector-version*

aws:ResourceTag/${TagKey}

Write

UpdateEventLabel

Grants permission to update an existing event record's label value

event-type*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UpdateList

Grants permission to update a list

list*

aws:ResourceTag/${TagKey}

Write

UpdateModel

Grants permission to update a model. You can update the description attribute using this action

model*

aws:ResourceTag/${TagKey}

Write

UpdateModelVersion

Grants permission to update a model version. Updating a model version retrains an existing model version using updated training data and produces a new minor version of the model. You can update the training data set location and data access role attributes using this action. This action creates and trains a new minor version of the model, for example version 1.01, 1.02, 1.03

model*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UpdateModelVersionStatus

Grants permission to update the status of a model version

model-version*

aws:ResourceTag/${TagKey}

Write

UpdateRuleMetadata

Grants permission to update a rule's metadata. The description attribute can be updated

rule*

aws:ResourceTag/${TagKey}

Write

UpdateRuleVersion

Grants permission to update a rule version resulting in a new rule version. Updates a rule version resulting in a new rule version (version 1, 2, 3 ...)

rule*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

UpdateVariable

Grants permission to update a variable

variable*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for Amazon Fraud Detector

The following actions are defined by Amazon Fraud Detector but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

GetBatchImportJobValidationReport

Grants permission to get the data validation report of a specific batch import job

batch-import*

aws:ResourceTag/${TagKey}

Read

Resource types defined by Amazon Fraud Detector

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

batch-import

arn:${Partition}:frauddetector:${Region}:${Account}:batch-import/${ResourcePath}

aws:ResourceTag/${TagKey}

batch-prediction

arn:${Partition}:frauddetector:${Region}:${Account}:batch-prediction/${ResourcePath}

aws:ResourceTag/${TagKey}

detector

arn:${Partition}:frauddetector:${Region}:${Account}:detector/${ResourcePath}

aws:ResourceTag/${TagKey}

detector-version

arn:${Partition}:frauddetector:${Region}:${Account}:detector-version/${ResourcePath}

aws:ResourceTag/${TagKey}

entity-type

arn:${Partition}:frauddetector:${Region}:${Account}:entity-type/${ResourcePath}

aws:ResourceTag/${TagKey}

event-type

arn:${Partition}:frauddetector:${Region}:${Account}:event-type/${ResourcePath}

aws:ResourceTag/${TagKey}

external-model

arn:${Partition}:frauddetector:${Region}:${Account}:external-model/${ResourcePath}

aws:ResourceTag/${TagKey}

label

arn:${Partition}:frauddetector:${Region}:${Account}:label/${ResourcePath}

aws:ResourceTag/${TagKey}

list

arn:${Partition}:frauddetector:${Region}:${Account}:list/${ResourcePath}

aws:ResourceTag/${TagKey}

model

arn:${Partition}:frauddetector:${Region}:${Account}:model/${ResourcePath}

aws:ResourceTag/${TagKey}

model-version

arn:${Partition}:frauddetector:${Region}:${Account}:model-version/${ResourcePath}

aws:ResourceTag/${TagKey}

outcome

arn:${Partition}:frauddetector:${Region}:${Account}:outcome/${ResourcePath}

aws:ResourceTag/${TagKey}

rule

arn:${Partition}:frauddetector:${Region}:${Account}:rule/${ResourcePath}

aws:ResourceTag/${TagKey}

variable

arn:${Partition}:frauddetector:${Region}:${Account}:variable/${ResourcePath}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Fraud Detector

Amazon Fraud Detector defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters actions based on the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters actions based on the tags associated with the resource

String

aws:TagKeys

Filters actions based on the tag keys that are passed in the request

ArrayOfString