Actions, resources, and condition keys for Amazon Inspector
Amazon Inspector (service prefix: inspector) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon Inspector
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddAttributesToFindings | Grants permission to assign attributes (key and value pairs) to the findings that are specified by the ARNs of the findings | Write | |||
| CreateAssessmentTarget | Grants permission to create a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup | Write | |||
| CreateAssessmentTemplate | Grants permission to create an assessment template for the assessment target that is specified by the ARN of the assessment target | Write | |||
| CreateExclusionsPreview | Grants permission to start the generation of an exclusions preview for the specified assessment template | Write | |||
| CreateResourceGroup | Grants permission to create a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target | Write | |||
| DeleteAssessmentRun | Grants permission to delete the assessment run that is specified by the ARN of the assessment run | Write | |||
| DeleteAssessmentTarget | Grants permission to delete the assessment target that is specified by the ARN of the assessment target | Write | |||
| DeleteAssessmentTemplate | Grants permission to delete the assessment template that is specified by the ARN of the assessment template | Write | |||
| DescribeAssessmentRuns | Grants permission to describe the assessment runs that are specified by the ARNs of the assessment runs | Read | |||
| DescribeAssessmentTargets | Grants permission to describe the assessment targets that are specified by the ARNs of the assessment targets | Read | |||
| DescribeAssessmentTemplates | Grants permission to describe the assessment templates that are specified by the ARNs of the assessment templates | Read | |||
| DescribeCrossAccountAccessRole | Grants permission to describe the IAM role that enables Amazon Inspector to access your AWS account | Read | |||
| DescribeExclusions | Grants permission to describe the exclusions that are specified by the exclusions' ARNs | Read | |||
| DescribeFindings | Grants permission to describe the findings that are specified by the ARNs of the findings | Read | |||
| DescribeResourceGroups | Grants permission to describe the resource groups that are specified by the ARNs of the resource groups | Read | |||
| DescribeRulesPackages | Grants permission to describe the rules packages that are specified by the ARNs of the rules packages | Read | |||
| GetAssessmentReport | Grants permission to produce an assessment report that includes detailed and comprehensive results of a specified assessment run | Read | |||
| GetExclusionsPreview | Grants permission to retrieve the exclusions preview (a list of ExclusionPreview objects) specified by the preview token | Read | |||
| GetTelemetryMetadata | Grants permission to get information about the data that is collected for the specified assessment run | Read | |||
| ListAssessmentRunAgents | Grants permission to list the agents of the assessment runs that are specified by the ARNs of the assessment runs | List | |||
| ListAssessmentRuns | Grants permission to list the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates | List | |||
| ListAssessmentTargets | Grants permission to list the ARNs of the assessment targets within this AWS account | List | |||
| ListAssessmentTemplates | Grants permission to list the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets | List | |||
| ListEventSubscriptions | Grants permission to list all the event subscriptions for the assessment template that is specified by the ARN of the assessment template | List | |||
| ListExclusions | Grants permission to list exclusions that are generated by the assessment run | List | |||
| ListFindings | Grants permission to list findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs | List | |||
| ListRulesPackages | Grants permission to list all available Amazon Inspector rules packages | List | |||
| ListTagsForResource | Grants permission to list all tags associated with an assessment template | Read | |||
| PreviewAgents | Grants permission to preview the agents installed on the EC2 instances that are part of the specified assessment target | Read | |||
| RegisterCrossAccountAccessRole | Grants permission to register the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action | Write | |||
| RemoveAttributesFromFindings | Grants permission to remove entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists | Write | |||
| SetTagsForResource | Grants permission to set tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template | Tagging | |||
| StartAssessmentRun | Grants permission to start the assessment run specified by the ARN of the assessment template | Write | |||
| StopAssessmentRun | Grants permission to stop the assessment run that is specified by the ARN of the assessment run | Write | |||
| SubscribeToEvent | Grants permission to enable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic | Write | |||
| UnsubscribeFromEvent | Grants permission to disable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic | Write | |||
| UpdateAssessmentTarget | Grants permission to update the assessment target that is specified by the ARN of the assessment target | Write |
Resource types defined by Amazon Inspector
Amazon Inspector does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to Amazon Inspector, specify "Resource": "*" in your policy.
Condition keys for Amazon Inspector
Inspector has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.
