Actions, resources, and condition keys for Amazon Fraud Detector - AWS Identity and Access Management

Actions, resources, and condition keys for Amazon Fraud Detector

Tip

This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html.

Amazon Fraud Detector (service prefix: frauddetector) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Fraud Detector

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| BatchCreateVariable | Creates a batch of variables. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| BatchGetVariable | Gets a batch of variables. | List | variable | | |
| CreateDetectorVersion | Creates a detector version. The detector version starts in a DRAFT status. | Write | detector* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateModel | Creates a model using the specified model type. | Write | model* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateModelVersion | Creates a version of the model using the specified model type and model id. | Write | model* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRule | Creates a rule for use with the specified detector. | Write | detector* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateVariable | Creates a variable. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteDetector | Deletes the detector. Before deleting a detector, you must first delete all detector versions and rule versions associated with the detector. | Write | detector* | | |
| DeleteDetectorVersion | Deletes the detector version. You cannot delete detector versions that are in ACTIVE status. | Write | detector-version* | | |
| DeleteEvent | Deletes the specified event. | Write | | | |
| DeleteRule | Deletes the rule. You cannot delete a rule if it is used by an ACTIVE or INACTIVE detector version. | Write | rule* | | |
| DescribeDetector | Gets all versions for a specified detector. | Read | detector* | | |
| DescribeModelVersions | Gets all of the model versions for the specified model type or for the specified model type and model ID. You can also get details for a single, specified model version. | Read | model-version | | |
| GetDetectorVersion | Gets a particular detector version. | List | detector-version* | | |
| GetDetectors | Gets all detectors or a single detector if a detectorId is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetDetectorsResponse as part of your request. A null pagination token fetches the records from the beginning. | List | detector | | |
| GetEntityTypes | Gets all entity types or a specific entity type if a name is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEntityTypesResponse as part of your request. A null pagination token fetches the records from the beginning. | List | entity-type | | |
| GetEventPrediction | Evaluates an event against a detector version. If a version ID is not provided, the detector’s (ACTIVE) version is used. | Read | | | |
| GetEventTypes | Gets all event types or a specific event type if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning. | List | event-type | | |
| GetExternalModels | Gets the details for one or more Amazon SageMaker models that have been imported into the service. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetExternalModelsResult as part of your request. A null pagination token fetches the records from the beginning. | List | external-model | | |
| GetKMSEncryptionKey | Gets the encryption key if a Key Management Service (KMS) customer master key (CMK) has been specified to be used to encrypt content in Amazon Fraud Detector. | Read | | | |
| GetLabels | Gets all labels or a specific label if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 10 and 50. To get the next page results, provide the pagination token from the GetGetLabelsResponse as part of your request. A null pagination token fetches the records from the beginning. | List | label | | |
| GetModelVersion | Gets the details of the specified model version. | List | model-version* | | |
| GetModels | Gets one or more models. Gets all models for the AWS account if no model type and no model id are provided. Gets all models for the AWS account and model type if the model type is specified but the model id is not provided. Gets a specific model if the (model type, model id) tuple is specified. | List | model | | |
| GetOutcomes | Gets one or more outcomes. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 100 records per page. If you provide a maxResults, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetOutcomesResult as part of your request. A null pagination token fetches the records from the beginning. | List | outcome | | |
| GetRules | Gets all rules for a detector (paginated) if ruleId and ruleVersion are not specified. Gets all rules for the detector and the ruleId if present (paginated). Gets a specific rule if both the ruleId and the ruleVersion are specified. | List | rule | | |
| GetVariables | Gets all of the variables or the specific variable. This is a paginated API. If you provide a null maxSizePerPage, this action retrieves a maximum of 100 records per page. If you provide a maxSizePerPage, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetVariablesResult as part of your request. A null pagination token fetches the records from the beginning. | List | variable | | |
| ListTagsForResource | Lists all tags associated with the resource. This is a paginated API. To get the next page results, provide the pagination token from the response as part of your request. A null pagination token fetches the records from the beginning. | List | detector, detector-version, entity-type, event-type, external-model, label, model, model-version, outcome, rule, variable | | |
| PutDetector | Creates or updates a detector. | Write | detector* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| PutEntityType | Creates or updates an entity type. An entity represents who is performing the event. As part of a fraud prediction, you pass the entity ID to indicate the specific entity who performed the event. An entity type classifies the entity. Example classifications include customer, merchant, or account. | Write | entity-type* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| PutEventType | Creates or updates an event type. An event is a business activity that is evaluated for fraud risk. With Amazon Fraud Detector, you generate fraud predictions for events. An event type defines the structure for an event sent to Amazon Fraud Detector. This includes the variables sent as part of the event, the entity performing the event (such as a customer), and the labels that classify the event. Example event types include online payment transactions, account registrations, and authentications. | Write | event-type* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| PutExternalModel | Creates or updates an Amazon SageMaker model endpoint. You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables. | Write | external-model* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| PutKMSEncryptionKey | Specifies the Key Management Service (KMS) customer master key (CMK) to be used to encrypt content in Amazon Fraud Detector. | Write | | | |
| PutLabel | Creates or updates a label. A label classifies an event as fraudulent or legitimate. Labels are associated with event types and used to train supervised machine learning models in Amazon Fraud Detector. | Write | label* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| PutOutcome | Creates or updates an outcome. | Write | outcome* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| TagResource | Assigns tags to a resource. | Tagging | detector, detector-version, entity-type, event-type, external-model, label, model, model-version, outcome, rule, variable | aws:TagKeys, aws:RequestTag/${TagKey} | |
| UntagResource | Removes tags from a resource. | Tagging | detector, detector-version, entity-type, event-type, external-model, label, model, model-version, outcome, rule, variable | aws:TagKeys, aws:RequestTag/${TagKey} | |
| UpdateDetectorVersion | Updates a detector version. The detector version attributes that you can update include models, external model endpoints, rules, rule execution mode, and description. You can only update a DRAFT detector version. | Write | detector* | | |
| UpdateDetectorVersionMetadata | Updates the detector version's description. You can update the metadata for any detector version (DRAFT, ACTIVE, or INACTIVE). | Write | detector-version* | | |
| UpdateDetectorVersionStatus | Updates the detector version’s status. You can perform the following promotions or demotions using UpdateDetectorVersionStatus: DRAFT to ACTIVE, ACTIVE to INACTIVE, and INACTIVE to ACTIVE. | Write | detector-version* | | |
| UpdateModel | Updates a model. You can update the description attribute using this action. | Write | model* | | |
| UpdateModelVersion | Updates a model version. Updating a model version retrains an existing model version using updated training data and produces a new minor version of the model. You can update the training data set location and data access role attributes using this action. This action creates and trains a new minor version of the model, for example version 1.01, 1.02, 1.03. | Write | model* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateModelVersionStatus | Updates the status of a model version. | Write | | | |
| UpdateRuleMetadata | Updates a rule's metadata. The description attribute can be updated. | Write | rule* | | |
| UpdateRuleVersion | Updates a rule version, resulting in a new rule version (version 1, 2, 3 ...). | Write | rule* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateVariable | Updates a variable. | Write | variable* | | |
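
The column rules described before the Actions table can be checked mechanically before a policy is deployed. The following Python sketch is an added example, not AWS code: it flags statements that scope an action without resource-level support to an ARN, that use an ARN of the wrong resource type, or that attach request-tag condition keys to an action the table does not list them for. The ACTIONS dictionary is a hand-copied subset of the table, the ARN pattern follows the Resource types table on this page, and the lint function, sample policy, account ID and detector name are constructed for illustration.

```python
import re

# Hand-transcribed subset of the Actions table on this page:
# action -> (resource types accepted, aws:RequestTag / aws:TagKeys listed?)
ACTIONS = {
    "GetEventPrediction": ((), False),
    "PutDetector": (("detector",), True),
    "DeleteDetector": (("detector",), False),
    "UpdateDetectorVersionStatus": (("detector-version",), False),
}
# arn:${Partition}:frauddetector:${Region}:${Account}:<type>/${resourcePath}
ARN_RE = re.compile(r"^arn:[^:]+:frauddetector:[^:]*:[^:]*:([a-z-]+)/.+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return (sid, action, problem) for statements that break the table's rules."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        sid = stmt.get("Sid", "?")
        keys = [k.lower() for block in stmt.get("Condition", {}).values() for k in block]
        for action in as_list(stmt["Action"]):
            name = action.split(":", 1)[-1]
            if not action.startswith("frauddetector:") or name not in ACTIONS:
                continue  # other services, wildcards, unlisted actions: out of scope
            types, request_tags = ACTIONS[name]
            for res in (r for r in as_list(stmt["Resource"]) if r != "*"):
                m = ARN_RE.match(res)
                if not types:
                    findings.append((sid, name, "no resource-level support, use *"))
                elif not m or m.group(1) not in types:
                    findings.append((sid, name, "ARN type must be " + "/".join(types)))
            if not request_tags and any(
                    k.startswith("aws:requesttag/") or k == "aws:tagkeys" for k in keys):
                findings.append((sid, name, "request-tag keys not listed for action"))
    return findings

# Constructed sample policy; account ID and detector name are placeholders.
ARN = "arn:aws:frauddetector:us-east-1:111122223333:detector/checkout"
TAG = {"StringEquals": {"aws:RequestTag/team": "risk"}}
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Predict", "Effect": "Allow", "Resource": ARN,
     "Action": "frauddetector:GetEventPrediction"},
    {"Sid": "Promote", "Effect": "Allow", "Resource": ARN,
     "Action": "frauddetector:UpdateDetectorVersionStatus"},
    {"Sid": "Cleanup", "Effect": "Allow", "Resource": ARN, "Condition": TAG,
     "Action": "frauddetector:DeleteDetector"},
    {"Sid": "Create", "Effect": "Allow", "Resource": ARN, "Condition": TAG,
     "Action": "frauddetector:PutDetector"},
]}
```

Calling lint(SAMPLE) reports the Predict, Promote and Cleanup statements and accepts Create, which matches the table rows for those four actions.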

Resource types defined by Amazon Fraud Detector

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| detector | arn:${Partition}:frauddetector:${Region}:${Account}:detector/${resourcePath} | aws:ResourceTag/${TagKey} |
| detector-version | arn:${Partition}:frauddetector:${Region}:${Account}:detector-version/${resourcePath} | aws:ResourceTag/${TagKey} |
| entity-type | arn:${Partition}:frauddetector:${Region}:${Account}:entity-type/${resourcePath} | aws:ResourceTag/${TagKey} |
| external-model | arn:${Partition}:frauddetector:${Region}:${Account}:external-model/${resourcePath} | aws:ResourceTag/${TagKey} |
| event-type | arn:${Partition}:frauddetector:${Region}:${Account}:event-type/${resourcePath} | aws:ResourceTag/${TagKey} |
| label | arn:${Partition}:frauddetector:${Region}:${Account}:label/${resourcePath} | aws:ResourceTag/${TagKey} |
| model | arn:${Partition}:frauddetector:${Region}:${Account}:model/${resourcePath} | aws:ResourceTag/${TagKey} |
| model-version | arn:${Partition}:frauddetector:${Region}:${Account}:model-version/${resourcePath} | aws:ResourceTag/${TagKey} |
| outcome | arn:${Partition}:frauddetector:${Region}:${Account}:outcome/${resourcePath} | aws:ResourceTag/${TagKey} |
| rule | arn:${Partition}:frauddetector:${Region}:${Account}:rule/${resourcePath} | aws:ResourceTag/${TagKey} |
| variable | arn:${Partition}:frauddetector:${Region}:${Account}:variable/${resourcePath} | aws:ResourceTag/${TagKey} |

Condition keys for Amazon Fraud Detector

Amazon Fraud Detector defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String |
| aws:TagKeys | Filters actions based on the tag keys that are passed in the request | String |