Identity and access management for Amazon Macie

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS resources. IAM enables you to create users and groups under your AWS account. You control the permissions that users have to perform tasks using AWS resources. You can use IAM for no additional charge.

By default, IAM users don't have permissions for Macie resources and operations. To allow IAM users to manage Macie resources, you must create an IAM policy that explicitly grants them permissions, and attach the policy to the IAM users or groups that require those permissions.

When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources. For more information, see Policies and Permissions in the IAM User Guide.

Policy structure

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows.

    {
      "Statement": [
        {
          "Effect": "effect",
          "Action": "action",
          "Resource": "arn",
          "Condition": {
            "condition": {
              "key": "value"
            }
          }
        }
      ]
    }

There are various elements that make up a statement:

  • Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.

  • Action: The action is the specific API action for which you are granting or denying permission.

  • Resource: The resource that's affected by the action. Some API actions allow you to include specific resources in your policy that can be created or modified by the action. To specify a resource in the statement, you need to use its Amazon Resource Name (ARN).

  • Condition: Conditions are optional. They can be used to control when your policy is in effect.

AWS managed policies

The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users, based on the access that they need. Each policy grants access to all or some of the API actions for Macie.

The following are the AWS managed policies for Macie:

  • AmazonMacieFullAccess – Grants full access to Macie.

  • AmazonMacieServiceRolePolicy – The permissions policy that's used by the service-linked role for Macie.

API actions

In an IAM policy statement, you can specify any API action from any service that supports IAM. For Macie, use the prefix macie2: followed by the name of the API action, for example, macie2:ListFindings.

To specify multiple actions in a single statement, separate them with commas.

"Action": ["macie2:ListFindings", "macie2:CreateFindingsFilter"]

You can also specify multiple actions using wildcards. For example, you can specify all Macie API actions whose name begins with the word "Get".

"Action": "macie2:Get*"

To specify all Macie API actions, use the * wildcard.

"Action": "macie2:*"
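The following Python script is an added example that is not part of this AWS page or of Macie itself. It ties together the policy structure described above (Effect, Action, Resource, Condition) and the wildcard rules for Action values: it parses a policy document, expands wildcard actions against a catalog of Macie action names, computes which actions survive after explicit denies, and flags statements a reviewer would reject before attaching the policy. The MACIE_ACTIONS list is a constructed subset of the real macie2 action names used only for the expansion; the analyst policy, its Sid values, and the Region in the Condition are hypothetical. aws:RequestedRegion is a real global condition key.

```python
import fnmatch
import json

# Constructed subset of Macie API action names, used only to expand wildcards.
# The real service exposes many more; see the Macie API Reference for the full list.
MACIE_ACTIONS = [
    "macie2:GetFindings",
    "macie2:GetFindingStatistics",
    "macie2:GetMacieSession",
    "macie2:ListFindings",
    "macie2:ListClassificationJobs",
    "macie2:CreateFindingsFilter",
    "macie2:CreateClassificationJob",
    "macie2:DeleteFindingsFilter",
]

# Actions that change state; an Allow on these with Resource "*" and no
# Condition deserves a second look. Prefix list is an assumption for this example.
MUTATING_PREFIXES = ("macie2:Create", "macie2:Delete", "macie2:Update", "macie2:Put")

# Hypothetical least-privilege policy for an analyst who only reviews findings
# in one Region. Explicit Deny overrides any Allow, so the second statement
# removes the filter-management actions even though "macie2:Get*" is allowed.
ANALYST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadFindings",
            "Effect": "Allow",
            "Action": ["macie2:ListFindings", "macie2:Get*"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
        {
            "Sid": "DenyFilterChanges",
            "Effect": "Deny",
            "Action": "macie2:*FindingsFilter",
            "Resource": "*",
        },
    ],
}

# Constructed over-broad policy: equivalent to full access.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "macie2:*", "Resource": "*"}],
}


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def parse_policy(text):
    """Load a policy document; a lone statement object is normalised to a one-item list."""
    policy = json.loads(text)
    if not isinstance(policy.get("Statement"), (list, dict)):
        raise ValueError("policy has no Statement element")
    policy["Statement"] = as_list(policy["Statement"]) if isinstance(policy["Statement"], list) else [policy["Statement"]]
    return policy


def expand_actions(pattern, catalog=MACIE_ACTIONS):
    """Expand an Action value against the catalog. IAM matches action names
    case-insensitively and supports the * and ? wildcards anywhere in the name."""
    return sorted(a for a in catalog if fnmatch.fnmatchcase(a.lower(), pattern.lower()))


def effective_actions(policy, catalog=MACIE_ACTIONS):
    """Catalog actions the policy allows once explicit denies are subtracted."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in as_list(stmt["Action"]):
            target.update(expand_actions(pattern, catalog))
    return sorted(allowed - denied)


def audit_policy(policy, catalog=MACIE_ACTIONS):
    """Return a list of review findings; an empty list means nothing was flagged."""
    issues = []
    if policy.get("Version") != "2012-10-17":
        issues.append("policy: add Version 2012-10-17, the current policy language version")
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid") or f"Statement[{i}]"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            issues.append(f"{sid}: Effect must be Allow or Deny")
            continue
        if effect == "Deny":
            continue  # explicit denies only narrow access
        patterns = as_list(stmt.get("Action", []))
        if any(p in ("*", "macie2:*") for p in patterns):
            issues.append(f"{sid}: allows every Macie action; enumerate the actions that are needed")
        granted = set()
        for p in patterns:
            granted.update(expand_actions(p, catalog))
        mutating = sorted(a for a in granted if a.startswith(MUTATING_PREFIXES))
        if mutating and "*" in as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            issues.append(f"{sid}: grants {', '.join(mutating)} on every resource with no Condition")
    return issues


if __name__ == "__main__":
    print("analyst can call:", effective_actions(ANALYST_POLICY))
    print("analyst review:", audit_policy(ANALYST_POLICY) or "clean")
    print("over-broad review:", audit_policy(OVERBROAD_POLICY))
```

Run it as a pre-commit check over the JSON files you keep under version control: parse_policy loads each document, effective_actions shows what a principal can actually call after denies are applied, and audit_policy gives the reviewer a concrete reason to reject a policy that relies on macie2:* or grants mutating actions on every resource without a Condition.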

For the complete list of API actions for Macie, see Operations in the Amazon Macie API Reference.