AWS managed policies for Amazon Detective

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AmazonDetectiveFullAccess

You can attach the AmazonDetectiveFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow a principal full access to all Amazon Detective actions. You can attach this policy to a principal before they enable Detective for their account. It must also be attached to the role that is used to run the Detective Python scripts to create and manage a behavior graph.

Principals with these permissions can manage member accounts, add tags to their behavior graph, and use Detective for investigation. They can also archive GuardDuty findings. The policy provides permissions that the Detective console needs to display account names for accounts that are in AWS Organizations.

Permissions details

This policy includes the following permissions:

  • detective – Allows principals full access to all Detective actions.

  • organizations – Allows principals to retrieve from AWS Organizations information about the accounts in an organization. If an account belongs to an organization, these permissions allow the Detective console to display account names in addition to account numbers.

  • guardduty – Allows principals to get and archive GuardDuty findings from within Detective.

  • securityhub – Allows principals to get Security Hub findings from within Detective.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "detective:*",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "guardduty:ArchiveFindings"
            ],
            "Resource": "arn:aws:guardduty:*:*:detector/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "guardduty:GetFindings",
                "guardduty:ListDetectors"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "securityHub:GetFindings"
            ],
            "Resource": "*"
        }
    ]
}

AWS managed policy: AmazonDetectiveMemberAccess

You can attach the AmazonDetectiveMemberAccess policy to your IAM entities.

This policy provides member access to Amazon Detective and scoped access to the console.

With this policy, you can:

  • View invitations to Detective graph membership and accept or reject those invitations.

  • View how your activity in Detective contributes to the cost of using this service on the Usage page.

  • Resign from your membership in a graph.

This policy grants read-only permissions that allow scoped access to the Detective console.

Permissions details

This policy includes the following permissions:

  • detective – Allows member access to Detective.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "detective:AcceptInvitation",
                "detective:BatchGetMembershipDatasources",
                "detective:DisassociateMembership",
                "detective:GetFreeTrialEligibility",
                "detective:GetPricingInformation",
                "detective:GetUsageInformation",
                "detective:ListInvitations",
                "detective:RejectInvitation"
            ],
            "Resource": "*"
        }
    ]
}

AWS managed policy: AmazonDetectiveInvestigatorAccess

You can attach the AmazonDetectiveInvestigatorAccess policy to your IAM entities.

This policy provides investigator access to the Detective service and scoped access to the Detective console UI dependencies. It grants IAM users and IAM roles the permissions needed to run Detective investigations. An investigation produces an investigation report that identifies indicators of compromise, such as findings, and provides analysis and insights about them. The indicators in the report are ranked by severity, which Detective determines using behavioral analysis and machine learning, so you can use the report to prioritize remediation of resources.

Permissions details

This policy includes the following permissions:

  • detective – Allows principals investigator access to Detective actions, to enable Detective investigations, and to enable finding groups summary.

  • guardduty – Allows principals to get and archive GuardDuty findings from within Detective.

  • securityhub – Allows principals to get Security Hub findings from within Detective.

  • organizations – Allows principals to retrieve information about the accounts in an organization from AWS Organizations. If an account belongs to an organization, then these permissions allow the Detective console to display account names in addition to account numbers.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DetectivePermissions",
            "Effect": "Allow",
            "Action": [
                "detective:BatchGetGraphMemberDatasources",
                "detective:BatchGetMembershipDatasources",
                "detective:DescribeOrganizationConfiguration",
                "detective:GetFreeTrialEligibility",
                "detective:GetGraphIngestState",
                "detective:GetMembers",
                "detective:GetPricingInformation",
                "detective:GetUsageInformation",
                "detective:ListDatasourcePackages",
                "detective:ListGraphs",
                "detective:ListHighDegreeEntities",
                "detective:ListInvitations",
                "detective:ListMembers",
                "detective:ListOrganizationAdminAccount",
                "detective:ListTagsForResource",
                "detective:SearchGraph",
                "detective:StartInvestigation",
                "detective:GetInvestigation",
                "detective:ListInvestigations",
                "detective:UpdateInvestigationState",
                "detective:ListIndicators",
                "detective:InvokeAssistant"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OrganizationsPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GuardDutyPermissions",
            "Effect": "Allow",
            "Action": [
                "guardduty:ArchiveFindings",
                "guardduty:GetFindings",
                "guardduty:ListDetectors"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SecurityHubPermissions",
            "Effect": "Allow",
            "Action": [
                "securityHub:GetFindings"
            ],
            "Resource": "*"
        }
    ]
}

AWS managed policy: AmazonDetectiveOrganizationsAccess

You can attach the AmazonDetectiveOrganizationsAccess policy to your IAM entities.

This policy grants permission to enable and manage Amazon Detective within an organization. You can enable Detective across the organization and determine the delegated administrator account for Detective.

Permissions details

This policy includes the following permissions:

  • detective – Allows principals access to Detective actions.

  • iam – Allows the service-linked role for Detective to be created when Detective calls EnableOrganizationAdminAccount. The condition on iam:CreateServiceLinkedRole limits this to the detective.amazonaws.com service principal.

  • organizations – Allows principals to retrieve information from AWS Organizations about the accounts in an organization; if an account belongs to an organization, the Detective console can then display account names in addition to account numbers. Also allows principals to enable the Detective service integration with Organizations, to register and deregister the specified member account as the delegated administrator for Detective, and to list the delegated administrator accounts for Detective and for the related security services Amazon GuardDuty, Amazon Macie, and AWS Security Hub.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "detective:DisableOrganizationAdminAccount",
                "detective:EnableOrganizationAdminAccount",
                "detective:ListOrganizationAdminAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "detective.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:EnableAWSServiceAccess",
                "organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": [
                        "detective.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": [
                        "detective.amazonaws.com",
                        "guardduty.amazonaws.com",
                        "macie.amazonaws.com",
                        "securityhub.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

AWS managed policy: AmazonDetectiveServiceLinkedRole

You can't attach the AmazonDetectiveServiceLinkedRole policy to your IAM entities. This policy is attached to a service-linked role that allows Detective to perform actions on your behalf. For more information, see Using service-linked roles for Detective.

This policy grants administrative permissions that allow the service-linked role to retrieve account information for an organization.

Permissions details

This policy includes the following permissions:

  • organizations – Retrieves account information for an organization.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeAccount",
                "organizations:ListAccounts"
            ],
            "Resource": "*"
        }
    ]
}
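The least-privilege advice at the top of this page and the five policy documents above come down to one practical question: which of these policies is the narrowest one that still allows a given API call? The script below is an added example, not AWS code or documentation. It embeds the policy documents from this page and implements only the subset of IAM evaluation they exercise (Allow statements, wildcard matching, and the StringEquals operator); it does not model Deny statements, permissions boundaries, SCPs, or any other part of a real authorization decision, and it raises rather than guesses when it meets something outside that subset. The detector ARN and request-context values used in the probes are constructed sample values.

```python
"""Which Amazon Detective managed policy grants a given request?  (Added example, not AWS code.)

The five policy documents from this page are embedded below; a small evaluator implements
only the IAM semantics they use (Allow statements, '*' wildcards, StringEquals conditions)
and raises on anything outside that subset instead of guessing.
"""
import fnmatch

DETECTIVE_SP = "detective.amazonaws.com"
# Policy documents as published on this page (Sids omitted; they do not affect evaluation).
POLICIES = {
    "AmazonDetectiveFullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "detective:*", "organizations:DescribeOrganization", "organizations:ListAccounts"]},
        {"Effect": "Allow", "Action": ["guardduty:ArchiveFindings"],
         "Resource": "arn:aws:guardduty:*:*:detector/*"},
        {"Effect": "Allow", "Action": ["guardduty:GetFindings", "guardduty:ListDetectors"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["securityHub:GetFindings"], "Resource": "*"}]},
    "AmazonDetectiveMemberAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "detective:AcceptInvitation", "detective:BatchGetMembershipDatasources",
            "detective:DisassociateMembership", "detective:GetFreeTrialEligibility",
            "detective:GetPricingInformation", "detective:GetUsageInformation",
            "detective:ListInvitations", "detective:RejectInvitation"]}]},
    "AmazonDetectiveInvestigatorAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "detective:BatchGetGraphMemberDatasources", "detective:BatchGetMembershipDatasources",
            "detective:DescribeOrganizationConfiguration", "detective:GetFreeTrialEligibility",
            "detective:GetGraphIngestState", "detective:GetMembers",
            "detective:GetPricingInformation", "detective:GetUsageInformation",
            "detective:ListDatasourcePackages", "detective:ListGraphs",
            "detective:ListHighDegreeEntities", "detective:ListInvitations",
            "detective:ListMembers", "detective:ListOrganizationAdminAccount",
            "detective:ListTagsForResource", "detective:SearchGraph",
            "detective:StartInvestigation", "detective:GetInvestigation",
            "detective:ListInvestigations", "detective:UpdateInvestigationState",
            "detective:ListIndicators", "detective:InvokeAssistant"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "organizations:DescribeOrganization", "organizations:ListAccounts"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "guardduty:ArchiveFindings", "guardduty:GetFindings", "guardduty:ListDetectors"]},
        {"Effect": "Allow", "Action": ["securityHub:GetFindings"], "Resource": "*"}]},
    "AmazonDetectiveOrganizationsAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "detective:DisableOrganizationAdminAccount", "detective:EnableOrganizationAdminAccount",
            "detective:ListOrganizationAdminAccount"]},
        {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": DETECTIVE_SP}}},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator",
            "organizations:DeregisterDelegatedAdministrator"],
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": [DETECTIVE_SP]}}},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "organizations:DescribeAccount", "organizations:DescribeOrganization",
            "organizations:ListAccounts"]},
        {"Effect": "Allow", "Action": ["organizations:ListDelegatedAdministrators"], "Resource": "*",
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": [
             DETECTIVE_SP, "guardduty.amazonaws.com", "macie.amazonaws.com",
             "securityhub.amazonaws.com"]}}}]},
    "AmazonDetectiveServiceLinkedRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "organizations:DescribeAccount", "organizations:ListAccounts"]}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold_case):
    """IAM wildcard match ('*', '?'); action names are case-insensitive, ARNs are not."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, context):
    """Only StringEquals occurs on this page; refuse any other operator rather than guess."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} is not modelled")
        if any(context.get(key) not in _as_list(expected) for key, expected in tests.items()):
            return False
    return True

def allows(policy, action, resource="*", context=None):
    """True if some Allow statement matches the action, the resource ARN and the request context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource, False) for r in _as_list(stmt["Resource"]))
                and _condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False

def policies_granting(action, resource="*", context=None):
    """Names of the managed policies above that allow the request; [] means none does."""
    return sorted(name for name, doc in POLICIES.items() if allows(doc, action, resource, context))
```

Two probes show details that the prose summaries above do not spell out. AmazonDetectiveFullAccess allows guardduty:ArchiveFindings only on detector ARNs (arn:aws:guardduty:*:*:detector/*), while AmazonDetectiveInvestigatorAccess allows it on any resource, so for that one action the "full" policy is actually the narrower one. And the iam:CreateServiceLinkedRole statement in AmazonDetectiveOrganizationsAccess only matches when the request's iam:AWSServiceName is detective.amazonaws.com; a request naming another service principal gets no match from any policy on this page.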

Detective updates to AWS managed policies

View details about updates to AWS managed policies for Detective since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.

Change: AmazonDetectiveInvestigatorAccess – Updates to existing policies
Description: Added Detective investigations and finding groups summary actions to the AmazonDetectiveInvestigatorAccess policy. These actions allow starting, retrieving, and updating Detective investigations, and obtaining a summary of finding groups from within Detective.
Date: November 26, 2023

Change: AmazonDetectiveFullAccess and AmazonDetectiveInvestigatorAccess – Updates to existing policies
Description: Detective added Security Hub GetFindings actions to the AmazonDetectiveFullAccess and AmazonDetectiveInvestigatorAccess policies. These actions allow getting Security Hub findings from within Detective.
Date: May 16, 2023

Change: AmazonDetectiveOrganizationsAccess – New policy
Description: Detective added the AmazonDetectiveOrganizationsAccess policy. This policy grants permission to enable and manage Detective within an organization.
Date: March 02, 2023

Change: AmazonDetectiveMemberAccess – New policy
Description: Detective added the AmazonDetectiveMemberAccess policy. This policy provides member access to Detective and scoped access to the console UI dependencies.
Date: January 17, 2023

Change: AmazonDetectiveFullAccess – Updates to an existing policy
Description: Detective added GuardDuty GetFindings actions to the AmazonDetectiveFullAccess policy. These actions allow getting GuardDuty findings from within Detective.
Date: January 17, 2023

Change: AmazonDetectiveInvestigatorAccess – New policy
Description: Detective added the AmazonDetectiveInvestigatorAccess policy. This policy allows the principal to conduct investigations in Detective.
Date: January 17, 2023

Change: AmazonDetectiveServiceLinkedRole – New policy
Description: Detective added a new policy for its service-linked role. The policy allows the service-linked role to retrieve information about the accounts in an organization.
Date: December 16, 2021

Change: Detective started to track changes
Description: Detective started to track changes for its AWS managed policies.
Date: May 10, 2021