Actions, resources, and condition keys for Amazon Fraud Detector - Service Authorization Reference

Amazon Fraud Detector (service prefix: frauddetector) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Fraud Detector

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. The Resource types (*required) column of the Actions table links to each resource type that applies to an action, and the Condition keys column of the Resource types table lists the resource condition keys that apply when that resource type is used with the action.
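The required-resource rule above is easy to get wrong when hand-writing a least-privilege policy. A statement that scopes Resource to a detector ARN but grants an action whose required types also include detector-version and event-type leaves those resources implicitly denied, and an action with no resource types (BatchCreateVariable, CreateList, CreateVariable, GetKMSEncryptionKey, PutKMSEncryptionKey) only works with Resource "*". The Python below is an added example written for this page, not AWS code or an AWS tool: it transcribes a handful of rows from the Actions table into a dictionary and flags statements that break the rule. The account number, region, resource paths and the subset of actions are constructed assumptions.

```python
"""Lint Fraud Detector IAM statements against the Actions table's resource rules.

Added example, not AWS code. ACTION_RESOURCES is a hand-transcribed subset of
the table on this page (assumption: extend it row by row for full coverage).
"""
from fnmatch import fnmatchcase

SERVICE = "frauddetector"

# action -> {resource type: required}  (True marks the table's asterisk)
ACTION_RESOURCES = {
    "BatchCreateVariable": {},            # no resource types: Resource must be "*"
    "CreateList": {},
    "CreateVariable": {},
    "GetKMSEncryptionKey": {},
    "PutKMSEncryptionKey": {},
    "GetEventPrediction": {"detector": True, "detector-version": True, "event-type": True},
    "CreateDetectorVersion": {"detector": True, "external-model": False, "model-version": False},
    "UpdateDetectorVersionStatus": {"detector-version": True},
    "DeleteList": {"list": True},
    "GetDetectors": {"detector": False},
}


def arn_resource_type(arn):
    """Return the type segment of a frauddetector ARN or ARN pattern.

    ARNs have the form arn:${Partition}:frauddetector:${Region}:${Account}:<type>/<path>.
    Returns "*" for a bare "*", None for another service or a malformed string.
    The returned segment may itself be a wildcard pattern such as "*" or "detector*".
    """
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != SERVICE:
        return None
    return parts[5].split("/", 1)[0]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def expand_actions(patterns):
    """Expand Action entries such as "frauddetector:Get*" to the known action names.

    IAM matches action names case-insensitively, so both sides are lowered.
    """
    matched = set()
    for pattern in patterns:
        prefix, _, name = pattern.partition(":")
        if prefix.lower() != SERVICE:
            continue                      # another service's action; out of scope here
        matched.update(a for a in ACTION_RESOURCES if fnmatchcase(a.lower(), name.lower()))
    return sorted(matched)


def check_statement(stmt):
    """Return findings for one Allow statement; an empty list means it is well scoped."""
    findings = []
    present_types = {arn_resource_type(r) for r in _as_list(stmt.get("Resource", []))}
    present_types.discard(None)
    if "*" in present_types:
        return findings                   # every resource is in scope; nothing to check
    for action in expand_actions(_as_list(stmt.get("Action", []))):
        spec = ACTION_RESOURCES[action]
        if not spec:
            findings.append(f'{action}: supports no resource types, so Resource must be "*"')
            continue
        for rtype, required in spec.items():
            # A present type segment may be a pattern, so match the table's type against it.
            if required and not any(fnmatchcase(rtype, seg) for seg in present_types):
                findings.append(f"{action}: no ARN of required type '{rtype}' in Resource")
    return findings


# Constructed sample statements (account, region and resource paths are made up).
ACCOUNT = "arn:aws:frauddetector:us-east-1:111122223333"
LEAST_PRIVILEGE = {
    "Effect": "Allow",
    "Action": ["frauddetector:GetEventPrediction"],
    "Resource": [
        f"{ACCOUNT}:detector/checkout_fraud",
        f"{ACCOUNT}:detector-version/checkout_fraud/*",
        f"{ACCOUNT}:event-type/checkout",
    ],
}
TOO_NARROW = {  # Looks tight, but GetEventPrediction fails and CreateList can never work.
    "Effect": "Allow",
    "Action": ["frauddetector:GetEventPrediction", "frauddetector:CreateList"],
    "Resource": f"{ACCOUNT}:detector/checkout_fraud",
}

if __name__ == "__main__":
    for statement in (LEAST_PRIVILEGE, TOO_NARROW):
        print(check_statement(statement) or ["ok"])
```

Run it on a policy before deploying it: the first statement passes, the second produces three findings (missing detector-version and event-type ARNs for GetEventPrediction, and CreateList needing "*"). Because the check only knows the rows you transcribe, an unknown action is simply skipped rather than reported.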

For details about the columns in the following table, see Actions table.

No action in this table lists dependent actions, so that column is omitted below. Multiple resource types or condition keys for one action are separated by commas; an empty Resource types cell means the action does not support resource-level permissions.

Actions | Description | Access level | Resource types (*required) | Condition keys
BatchCreateVariable | Grants permission to create a batch of variables | Write | | aws:RequestTag/${TagKey}, aws:TagKeys
BatchGetVariable | Grants permission to get a batch of variables | List | variable* |
CancelBatchImportJob | Grants permission to cancel the specified batch import job | Write | batch-import* |
CancelBatchPredictionJob | Grants permission to cancel the specified batch prediction job | Write | batch-prediction* |
CreateBatchImportJob | Grants permission to create a batch import job | Write | batch-import*, event-type* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateBatchPredictionJob | Grants permission to create a batch prediction job | Write | batch-prediction*, detector*, detector-version*, event-type* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateDetectorVersion | Grants permission to create a detector version. The detector version starts in a DRAFT status | Write | detector*, external-model, model-version | aws:RequestTag/${TagKey}, aws:TagKeys
CreateList | Grants permission to create a list | Write | | aws:RequestTag/${TagKey}, aws:TagKeys
CreateModel | Grants permission to create a model using the specified model type | Write | event-type*, model* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateModelVersion | Grants permission to create a version of the model using the specified model type and model ID | Write | model* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateRule | Grants permission to create a rule for use with the specified detector | Write | detector* | aws:RequestTag/${TagKey}, aws:TagKeys
CreateVariable | Grants permission to create a variable | Write | | aws:RequestTag/${TagKey}, aws:TagKeys
DeleteBatchImportJob | Grants permission to delete a batch import job | Write | batch-import* |
DeleteBatchPredictionJob | Grants permission to delete a batch prediction job | Write | batch-prediction* |
DeleteDetector | Grants permission to delete the detector. Before deleting a detector, you must first delete all detector versions and rule versions associated with the detector | Write | detector* |
DeleteDetectorVersion | Grants permission to delete the detector version. You cannot delete detector versions that are in ACTIVE status | Write | detector-version* |
DeleteEntityType | Grants permission to delete an entity type. You cannot delete an entity type that is included in an event type | Write | entity-type* |
DeleteEvent | Grants permission to delete the specified event | Write | event-type* |
DeleteEventType | Grants permission to delete an event type. You cannot delete an event type that is used in a detector or a model | Write | event-type* |
DeleteEventsByEventType | Grants permission to delete events for the specified event type | Write | event-type* |
DeleteExternalModel | Grants permission to remove a SageMaker model from Amazon Fraud Detector. You can remove an Amazon SageMaker model if it is not associated with a detector version | Write | external-model* |
DeleteLabel | Grants permission to delete a label. You cannot delete labels that are included in an event type in Amazon Fraud Detector. You cannot delete a label assigned to an event ID. You must first delete the relevant event ID | Write | label* |
DeleteList | Grants permission to delete a list | Write | list* | aws:ResourceTag/${TagKey}
DeleteModel | Grants permission to delete a model. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version | Write | model* |
DeleteModelVersion | Grants permission to delete a model version. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version | Write | model-version* |
DeleteOutcome | Grants permission to delete an outcome. You cannot delete an outcome that is used in a rule version | Write | outcome* |
DeleteRule | Grants permission to delete the rule. You cannot delete a rule if it is used by an ACTIVE or INACTIVE detector version | Write | rule* |
DeleteVariable | Grants permission to delete a variable. You cannot delete variables that are included in an event type in Amazon Fraud Detector | Write | variable* |
DescribeDetector | Grants permission to get all versions for a specified detector | Read | detector* |
DescribeModelVersions | Grants permission to get all of the model versions for the specified model type or for the specified model type and model ID. You can also get details for a single, specified model version | Read | model-version |
GetBatchImportJobValidationReport [permission only] | Grants permission to get the data validation report of a specific batch import job | Read | batch-import* |
GetBatchImportJobs | Grants permission to get all batch import jobs or a specific job if you specify a job ID | List | batch-import |
GetBatchPredictionJobs | Grants permission to get all batch prediction jobs or a specific job if you specify a job ID. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 1 and 50. To get the next page results, provide the pagination token from the GetBatchPredictionJobsResponse as part of your request. A null pagination token fetches the records from the beginning | List | batch-prediction |
GetDeleteEventsByEventTypeStatus | Grants permission to get the execution status of the DeleteEventsByEventType API for a specific event type | Read | event-type* |
GetDetectorVersion | Grants permission to get a particular detector version | Read | detector-version* |
GetDetectors | Grants permission to get all detectors or a single detector if a detectorId is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetDetectorsResponse as part of your request. A null pagination token fetches the records from the beginning | List | detector |
GetEntityTypes | Grants permission to get all entity types or a specific entity type if a name is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEntityTypesResponse as part of your request. A null pagination token fetches the records from the beginning | List | entity-type |
GetEvent | Grants permission to get the details of the specified event | Read | event-type* |
GetEventPrediction | Grants permission to evaluate an event against a detector version. If a version ID is not provided, the detector's ACTIVE version is used | Read | detector*, detector-version*, event-type* |
GetEventPredictionMetadata | Grants permission to get more details of a particular prediction | Read | detector*, detector-version*, event-type* |
GetEventTypes | Grants permission to get all event types or a specific event type if a name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning | List | event-type |
GetExternalModels | Grants permission to get the details for one or more Amazon SageMaker models that have been imported into the service. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetExternalModelsResult as part of your request. A null pagination token fetches the records from the beginning | List | external-model |
GetKMSEncryptionKey | Grants permission to get the encryption key if a Key Management Service (KMS) customer master key (CMK) has been specified to be used to encrypt content in Amazon Fraud Detector | Read | |
GetLabels | Grants permission to get all labels or a specific label if a name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 10 and 50. To get the next page results, provide the pagination token from the GetLabelsResponse as part of your request. A null pagination token fetches the records from the beginning | List | label |
GetListElements | Grants permission to get elements of a list | Read | list* | aws:ResourceTag/${TagKey}
GetListsMetadata | Grants permission to get metadata about lists | List | list | aws:ResourceTag/${TagKey}
GetModelVersion | Grants permission to get the details of the specified model version | Read | model-version* |
GetModels | Grants permission to get one or more models. Gets all models for the AWS account if no model type and no model ID are provided. Gets all models for the AWS account and model type if the model type is specified but the model ID is not. Gets a specific model if the (model type, model ID) tuple is specified | List | model |
GetOutcomes | Grants permission to get one or more outcomes. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 100 records per page. If you provide a maxResults, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetOutcomesResult as part of your request. A null pagination token fetches the records from the beginning | List | outcome |
GetRules | Grants permission to get all rules for a detector (paginated) if ruleId and ruleVersion are not specified. Gets all versions of the rule for the detector and the ruleId if only the ruleId is present (paginated). Gets a specific rule if both the ruleId and the ruleVersion are specified | List | rule |
GetVariables | Grants permission to get all of the variables or a specific variable. This is a paginated API. If you provide a null maxSizePerPage, this action retrieves a maximum of 100 records per page. If you provide maxSizePerPage, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetVariablesResult as part of your request. A null pagination token fetches the records from the beginning | List | variable |
ListEventPredictions | Grants permission to get a list of past predictions | List | detector, detector-version, event-type |
ListTagsForResource | Grants permission to list all tags associated with the resource. This is a paginated API. To get the next page results, provide the pagination token from the response as part of your request. A null pagination token fetches the records from the beginning | Read | batch-import, batch-prediction, detector, detector-version, entity-type, event-type, external-model, label, list, model, model-version, outcome, rule, variable |
PutDetector | Grants permission to create or update a detector | Write | detector*, event-type* | aws:RequestTag/${TagKey}, aws:TagKeys
PutEntityType | Grants permission to create or update an entity type. An entity represents who is performing the event. As part of a fraud prediction, you pass the entity ID to indicate the specific entity who performed the event. An entity type classifies the entity. Example classifications include customer, merchant, or account | Write | entity-type* | aws:RequestTag/${TagKey}, aws:TagKeys
PutEventType | Grants permission to create or update an event type. An event is a business activity that is evaluated for fraud risk. With Amazon Fraud Detector, you generate fraud predictions for events. An event type defines the structure for an event sent to Amazon Fraud Detector. This includes the variables sent as part of the event, the entity performing the event (such as a customer), and the labels that classify the event. Example event types include online payment transactions, account registrations, and authentications | Write | event-type* | aws:RequestTag/${TagKey}, aws:TagKeys
PutExternalModel | Grants permission to create or update an Amazon SageMaker model endpoint. You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables | Write | event-type*, external-model* | aws:RequestTag/${TagKey}, aws:TagKeys
PutKMSEncryptionKey | Grants permission to specify the Key Management Service (KMS) customer master key (CMK) to be used to encrypt content in Amazon Fraud Detector | Write | |
PutLabel | Grants permission to create or update a label. A label classifies an event as fraudulent or legitimate. Labels are associated with event types and used to train supervised machine learning models in Amazon Fraud Detector | Write | label* | aws:RequestTag/${TagKey}, aws:TagKeys
PutOutcome | Grants permission to create or update an outcome | Write | outcome* | aws:RequestTag/${TagKey}, aws:TagKeys
SendEvent | Grants permission to send an event | Write | event-type* | aws:RequestTag/${TagKey}, aws:TagKeys
TagResource | Grants permission to assign tags to a resource | Tagging | batch-import, batch-prediction, detector, detector-version, entity-type, event-type, external-model, label, list, model, model-version, outcome, rule, variable | aws:TagKeys, aws:RequestTag/${TagKey}
UntagResource | Grants permission to remove tags from a resource | Tagging | batch-import, batch-prediction, detector, detector-version, entity-type, event-type, external-model, label, list, model, model-version, outcome, rule, variable | aws:TagKeys
UpdateDetectorVersion | Grants permission to update a detector version. The detector version attributes that you can update include models, external model endpoints, rules, rule execution mode, and description. You can only update a DRAFT detector version | Write | detector*, external-model, model-version |
UpdateDetectorVersionMetadata | Grants permission to update the detector version's description. You can update the metadata for any detector version (DRAFT, ACTIVE, or INACTIVE) | Write | detector-version* |
UpdateDetectorVersionStatus | Grants permission to update the detector version's status. You can perform the following promotions or demotions using UpdateDetectorVersionStatus: DRAFT to ACTIVE, ACTIVE to INACTIVE, and INACTIVE to ACTIVE | Write | detector-version* |
UpdateEventLabel | Grants permission to update an existing event record's label value | Write | event-type* | aws:RequestTag/${TagKey}, aws:TagKeys
UpdateList | Grants permission to update a list | Write | list* | aws:ResourceTag/${TagKey}
UpdateModel | Grants permission to update a model. You can update the description attribute using this action | Write | model* |
UpdateModelVersion | Grants permission to update a model version. Updating a model version retrains an existing model version using updated training data and produces a new minor version of the model. You can update the training data set location and data access role attributes using this action. This action creates and trains a new minor version of the model, for example version 1.01, 1.02, 1.03 | Write | model* | aws:RequestTag/${TagKey}, aws:TagKeys
UpdateModelVersionStatus | Grants permission to update the status of a model version | Write | model-version* |
UpdateRuleMetadata | Grants permission to update a rule's metadata. The description attribute can be updated | Write | rule* |
UpdateRuleVersion | Grants permission to update a rule version, which results in a new rule version (version 1, 2, 3, ...) | Write | rule* | aws:RequestTag/${TagKey}, aws:TagKeys
UpdateVariable | Grants permission to update a variable | Write | variable* |

Resource types defined by Amazon Fraud Detector

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types | ARN | Condition keys
batch-prediction | arn:${Partition}:frauddetector:${Region}:${Account}:batch-prediction/${ResourcePath} | aws:ResourceTag/${TagKey}
detector | arn:${Partition}:frauddetector:${Region}:${Account}:detector/${ResourcePath} | aws:ResourceTag/${TagKey}
detector-version | arn:${Partition}:frauddetector:${Region}:${Account}:detector-version/${ResourcePath} | aws:ResourceTag/${TagKey}
entity-type | arn:${Partition}:frauddetector:${Region}:${Account}:entity-type/${ResourcePath} | aws:ResourceTag/${TagKey}
external-model | arn:${Partition}:frauddetector:${Region}:${Account}:external-model/${ResourcePath} | aws:ResourceTag/${TagKey}
event-type | arn:${Partition}:frauddetector:${Region}:${Account}:event-type/${ResourcePath} | aws:ResourceTag/${TagKey}
label | arn:${Partition}:frauddetector:${Region}:${Account}:label/${ResourcePath} | aws:ResourceTag/${TagKey}
model | arn:${Partition}:frauddetector:${Region}:${Account}:model/${ResourcePath} | aws:ResourceTag/${TagKey}
model-version | arn:${Partition}:frauddetector:${Region}:${Account}:model-version/${ResourcePath} | aws:ResourceTag/${TagKey}
outcome | arn:${Partition}:frauddetector:${Region}:${Account}:outcome/${ResourcePath} | aws:ResourceTag/${TagKey}
rule | arn:${Partition}:frauddetector:${Region}:${Account}:rule/${ResourcePath} | aws:ResourceTag/${TagKey}
variable | arn:${Partition}:frauddetector:${Region}:${Account}:variable/${ResourcePath} | aws:ResourceTag/${TagKey}
batch-import | arn:${Partition}:frauddetector:${Region}:${Account}:batch-import/${ResourcePath} | aws:ResourceTag/${TagKey}
list | arn:${Partition}:frauddetector:${Region}:${Account}:list/${ResourcePath} | aws:ResourceTag/${TagKey}

Condition keys for Amazon Fraud Detector

Amazon Fraud Detector defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | ArrayOfString
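The three keys in this table are what make attribute-based access control possible for the service: aws:RequestTag/${TagKey} and aws:TagKeys constrain the tags that a tag-on-create action such as PutDetector, or TagResource itself, may write, while aws:ResourceTag/${TagKey} constrains which existing resources an action such as DeleteList may touch. The Python below is an added example written for this page, not AWS code: it models only the Action and Condition parts of IAM evaluation for these keys (StringEquals with the ForAllValues and ForAnyValue set qualifiers, default deny, no Resource matching and no Deny statements), with constructed policies, tag keys and values. It also shows the documented caveat that ForAllValues:StringEquals on aws:TagKeys evaluates to true when the request carries no tag keys at all, so on its own it never forces a resource to be tagged; a single-valued condition on aws:RequestTag/${TagKey} is what makes a tag mandatory.

```python
"""Model how the tag condition keys above gate Fraud Detector actions.

Added example, not AWS code. Only Action matching and the Condition element are
modelled (StringEquals, ForAllValues:/ForAnyValue:StringEquals) with default
deny; Resource matching and Deny statements are assumed to be handled elsewhere.
Policies, tag keys and tag values are constructed for illustration.
"""


def _values(v):
    return [v] if isinstance(v, str) else list(v)


def build_context(request_tags=None, resource_tags=None):
    """Derive the condition context the way IAM does for a tagging request.

    aws:RequestTag/<key> (single-valued) and aws:TagKeys (multivalued) come from
    the tags in the request; aws:ResourceTag/<key> comes from the tags already on
    the target resource. A request that carries no tags has no aws:TagKeys key.
    """
    ctx = {}
    for key, value in (request_tags or {}).items():
        ctx[f"aws:RequestTag/{key}"] = value
    if request_tags:
        ctx["aws:TagKeys"] = list(request_tags)
    for key, value in (resource_tags or {}).items():
        ctx[f"aws:ResourceTag/{key}"] = value
    return ctx


def condition_matches(condition, ctx):
    """True when every operator block in a Condition element matches (blocks AND together)."""
    for operator, block in condition.items():
        # "ForAllValues:StringEquals" -> ("ForAllValues", "StringEquals"); "StringEquals" -> ("", "StringEquals")
        qualifier, _, op = operator.rpartition(":")
        if op != "StringEquals":
            raise ValueError(f"operator {op} is not modelled in this example")
        for key, policy_values in block.items():
            allowed = _values(policy_values)
            present = key in ctx
            request_values = _values(ctx[key]) if present else []
            if qualifier == "ForAllValues":
                # Documented IAM behaviour: true when every request value matches, and
                # also when the key is absent, so this alone never requires a tag.
                if not all(v in allowed for v in request_values):
                    return False
            elif qualifier == "ForAnyValue":
                if not any(v in allowed for v in request_values):
                    return False
            elif not present or isinstance(ctx[key], list) or ctx[key] not in allowed:
                # Single-valued operator: the key must be present, single-valued and match.
                return False
    return True


def is_allowed(policy, action, ctx):
    """Default deny: grant only if an Allow statement names the action and its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and action in _values(stmt["Action"]):
            if condition_matches(stmt.get("Condition", {}), ctx):
                return True
    return False


# Constructed policies. The StringEquals on aws:RequestTag/env makes the env tag
# mandatory and restricts its value; ForAllValues on aws:TagKeys forbids other keys.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["frauddetector:PutDetector", "frauddetector:TagResource"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/env": ["prod", "staging", "sandbox"]},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]},
            },
        },
        {   # Lists may only be deleted when the resource itself is tagged env=sandbox.
            "Effect": "Allow",
            "Action": "frauddetector:DeleteList",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/env": "sandbox"}},
        },
    ],
}
LOOSE_POLICY = {  # Only the key allow list: an untagged PutDetector slips through.
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["frauddetector:PutDetector", "frauddetector:TagResource"],
        "Resource": "*",
        "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]}},
    }],
}

if __name__ == "__main__":
    tagged = build_context(request_tags={"env": "prod", "owner": "fraud-team"})
    print(is_allowed(TAG_POLICY, "frauddetector:PutDetector", tagged))        # True
    print(is_allowed(TAG_POLICY, "frauddetector:PutDetector", build_context()))    # False
    print(is_allowed(LOOSE_POLICY, "frauddetector:PutDetector", build_context()))  # True
```

When no particular tag key has to be present but at least one must be, the alternative to the aws:RequestTag condition is a "Null" operator on aws:TagKeys set to "false", which denies requests that carry no tag keys. Whichever guard you choose, test the untagged request explicitly, as the LOOSE_POLICY case shows that the key allow list alone accepts it.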