Actions, resources, and condition keys for Amazon Fraud Detector - Service Authorization Reference

Actions, resources, and condition keys for Amazon Fraud Detector

Amazon Fraud Detector (service prefix: frauddetector) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Fraud Detector

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
BatchCreateVariable Grants permission to create a batch of variables Write

aws:RequestTag/${TagKey}

aws:TagKeys

BatchGetVariable Grants permission to get a batch of variables List

variable*

CancelBatchImportJob Grants permission to cancel the specified batch import job Write

batch-import*

CancelBatchPredictionJob Grants permission to cancel the specified batch prediction job Write

batch-prediction*

CreateBatchImportJob Grants permission to create a batch import job Write

batch-import*

event-type*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateBatchPredictionJob Grants permission to create a batch prediction job Write

batch-prediction*

detector*

detector-version*

event-type*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDetectorVersion Grants permission to create a detector version. The detector version starts in a DRAFT status Write

detector*

external-model

model-version

aws:RequestTag/${TagKey}

aws:TagKeys

CreateList Grants permission to create a list Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModel Grants permission to create a model using the specified model type Write

event-type*

model*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelVersion Grants permission to create a version of the model using the specified model type and model id Write

model*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateRule Grants permission to create a rule for use with the specified detector Write

detector*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateVariable Grants permission to create a variable Write

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteBatchImportJob Grants permission to delete a batch import job Write

batch-import*

DeleteBatchPredictionJob Grants permission to delete a batch prediction job Write

batch-prediction*

DeleteDetector Grants permission to delete the detector. Before deleting a detector, you must first delete all detector versions and rule versions associated with the detector Write

detector*

DeleteDetectorVersion Grants permission to delete the detector version. You cannot delete detector versions that are in ACTIVE status Write

detector-version*

DeleteEntityType Grants permission to delete an entity type. You cannot delete an entity type that is included in an event type Write

entity-type*

DeleteEvent Grants permission to deletes the specified event Write

event-type*

DeleteEventType Grants permission to delete an event type. You cannot delete an event type that is used in a detector or a model Write

event-type*

DeleteEventsByEventType Grants permission to delete events for the specified event type Write

event-type*

DeleteExternalModel Grants permission to remove a SageMaker model from Amazon Fraud Detector. You can remove an Amazon SageMaker model if it is not associated with a detector version Write

external-model*

DeleteLabel Grants permission to delete a label. You cannot delete labels that are included in an event type in Amazon Fraud Detector. You cannot delete a label assigned to an event ID. You must first delete the relevant event ID Write

label*

DeleteList Grants permission to delete a list Write

list*

aws:ResourceTag/${TagKey}

DeleteModel Grants permission to delete a model. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version Write

model*

DeleteModelVersion Grants permission to delete a model version. You can delete models and model versions in Amazon Fraud Detector, provided that they are not associated with a detector version Write

model-version*

DeleteOutcome Grants permission to delete an outcome. You cannot delete an outcome that is used in a rule version Write

outcome*

DeleteRule Grants permission to delete the rule. You cannot delete a rule if it is used by an ACTIVE or INACTIVE detector version Write

rule*

DeleteVariable Grants permission to delete a variable. You cannot delete variables that are included in an event type in Amazon Fraud Detector Write

variable*

DescribeDetector Grants permission to get all versions for a specified detector Read

detector*

DescribeModelVersions Grants permission to get all of the model versions for the specified model type or for the specified model type and model ID. You can also get details for a single, specified model version Read

model-version

GetBatchImportJobValidationReport [permission only] Grants permission to get the data validation report of a specific batch import job Read

batch-import*

GetBatchImportJobs Grants permission to get all batch import jobs or a specific job if you specify a job ID List

batch-import

GetBatchPredictionJobs Grants permission to get all batch prediction jobs or a specific job if you specify a job ID. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 1 and 50. To get the next page results, provide the pagination token from the GetBatchPredictionJobsResponse as part of your request. A null pagination token fetches the records from the beginning List

batch-prediction

GetDeleteEventsByEventTypeStatus Grants permission to get a specific event type DeleteEventsByEventType API execution status Read

event-type*

GetDetectorVersion Grants permission to get a particular detector version Read

detector-version*

GetDetectors Grants permission to get all detectors or a single detector if a detectorId is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetDetectorsResponse as part of your request. A null pagination token fetches the records from the beginning List

detector

GetEntityTypes Grants permission to get all entity types or a specific entity type if a name is specified. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEntityTypesResponse as part of your request. A null pagination token fetches the records from the beginning List

entity-type

GetEvent Grants permission to get the details of the specified event Read

event-type*

GetEventPrediction Grants permission to evaluate an event against a detector version. If a version ID is not provided, the detector's (ACTIVE) version is used Read

detector*

detector-version*

event-type*

GetEventPredictionMetadata Grants permission to get more details of a particular prediction Read

detector*

detector-version*

event-type*

GetEventTypes Grants permission to get all event types or a specific event type if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request. A null pagination token fetches the records from the beginning List

event-type

GetExternalModels Grants permission to get the details for one or more Amazon SageMaker models that have been imported into the service. This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 10 records per page. If you provide a maxResults, the value must be between 5 and 10. To get the next page results, provide the pagination token from the GetExternalModelsResult as part of your request. A null pagination token fetches the records from the beginning List

external-model

GetKMSEncryptionKey Grants permission to get the encryption key if a Key Management Service (KMS) customer master key (CMK) has been specified to be used to encrypt content in Amazon Fraud Detector Read
GetLabels Grants permission to get all labels or a specific label if name is provided. This is a paginated API. If you provide a null maxResults, this action retrieves a maximum of 50 records per page. If you provide a maxResults, the value must be between 10 and 50. To get the next page results, provide the pagination token from the GetGetLabelsResponse as part of your request. A null pagination token fetches the records from the beginning List

label

GetListElements Grants permission to get elements of a list Read

list*

aws:ResourceTag/${TagKey}

GetListsMetadata Grants permission to get metadata about lists List

list

aws:ResourceTag/${TagKey}

GetModelVersion Grants permission to get the details of the specified model version Read

model-version*

GetModels Grants permission to get one or more models. Gets all models for the AWS account if no model type and no model id provided. Gets all models for the AWS account and model type, if the model type is specified but model id is not provided. Gets a specific model if (model type, model id) tuple is specified List

model

GetOutcomes Grants permission to get one or more outcomes. This is a paginated API. If you provide a null maxResults, this actions retrieves a maximum of 100 records per page. If you provide a maxResults, the value must be between 50 and 100. To get the next page results, provide the pagination token from the GetOutcomesResult as part of your request. A null pagination token fetches the records from the beginning List

outcome

GetRules Grants permission to get all rules for a detector (paginated) if ruleId and ruleVersion are not specified. Gets all rules for the detector and the ruleId if present (paginated). Gets a specific rule if both the ruleId and the ruleVersion are specified List

rule

GetVariables Grants permission to get all of the variables or the specific variable. This is a paginated API. Providing null maxSizePerPage results in retrieving maximum of 100 records per page. If you provide maxSizePerPage the value must be between 50 and 100. To get the next page result, a provide a pagination token from GetVariablesResult as part of your request. Null pagination token fetches the records from the beginning List

variable

ListEventPredictions Grants permission to get a list of past predictions List

detector

detector-version

event-type

ListTagsForResource Grants permission to list all tags associated with the resource. This is a paginated API. To get the next page results, provide the pagination token from the response as part of your request. A null pagination token fetches the records from the beginning Read

batch-import

batch-prediction

detector

detector-version

entity-type

event-type

external-model

label

list

model

model-version

outcome

rule

variable

PutDetector Grants permission to create or update a detector Write

detector*

event-type*

aws:RequestTag/${TagKey}

aws:TagKeys

PutEntityType Grants permission to create or update an entity type. An entity represents who is performing the event. As part of a fraud prediction, you pass the entity ID to indicate the specific entity who performed the event. An entity type classifies the entity. Example classifications include customer, merchant, or account Write

entity-type*

aws:RequestTag/${TagKey}

aws:TagKeys

PutEventType Grants permission to create or update an event type. An event is a business activity that is evaluated for fraud risk. With Amazon Fraud Detector, you generate fraud predictions for events. An event type defines the structure for an event sent to Amazon Fraud Detector. This includes the variables sent as part of the event, the entity performing the event (such as a customer), and the labels that classify the event. Example event types include online payment transactions, account registrations, and authentications Write

event-type*

aws:RequestTag/${TagKey}

aws:TagKeys

PutExternalModel Grants permission to create or update an Amazon SageMaker model endpoint. You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables Write

event-type*

external-model*

aws:RequestTag/${TagKey}

aws:TagKeys

PutKMSEncryptionKey Grants permission to specify the Key Management Service (KMS) customer master key (CMK) to be used to encrypt content in Amazon Fraud Detector Write
PutLabel Grants permission to create or update label. A label classifies an event as fraudulent or legitimate. Labels are associated with event types and used to train supervised machine learning models in Amazon Fraud Detector Write

label*

aws:RequestTag/${TagKey}

aws:TagKeys

PutOutcome Grants permission to create or update an outcome Write

outcome*

aws:RequestTag/${TagKey}

aws:TagKeys

SendEvent Grants permission to send event Write

event-type*

aws:RequestTag/${TagKey}

aws:TagKeys

TagResource Grants permission to assign tags to a resource Tagging

batch-import

batch-prediction

detector

detector-version

entity-type

event-type

external-model

label

list

model

model-version

outcome

rule

variable

aws:TagKeys

aws:RequestTag/${TagKey}

UntagResource Grants permission to remove tags from a resource Tagging

batch-import

batch-prediction

detector

detector-version

entity-type

event-type

external-model

label

list

model

model-version

outcome

rule

variable

aws:TagKeys

UpdateDetectorVersion Grants permission to update a detector version. The detector version attributes that you can update include models, external model endpoints, rules, rule execution mode, and description. You can only update a DRAFT detector version Write

detector*

external-model

model-version

UpdateDetectorVersionMetadata Grants permission to update the detector version's description. You can update the metadata for any detector version (DRAFT, ACTIVE, or INACTIVE) Write

detector-version*

UpdateDetectorVersionStatus Grants permission to update the detector version's status. You can perform the following promotions or demotions using UpdateDetectorVersionStatus: DRAFT to ACTIVE, ACTIVE to INACTIVE, and INACTIVE to ACTIVE Write

detector-version*

UpdateEventLabel Grants permission to update an existing event record's label value Write

event-type*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateList Grants permission to update a list Write

list*

aws:ResourceTag/${TagKey}

UpdateModel Grants permission to update a model. You can update the description attribute using this action Write

model*

UpdateModelVersion Grants permission to update a model version. Updating a model version retrains an existing model version using updated training data and produces a new minor version of the model. You can update the training data set location and data access role attributes using this action. This action creates and trains a new minor version of the model, for example version 1.01, 1.02, 1.03 Write

model*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateModelVersionStatus Grants permission to update the status of a model version Write

model-version*

UpdateRuleMetadata Grants permission to update a rule's metadata. The description attribute can be updated Write

rule*

UpdateRuleVersion Grants permission to update a rule version resulting in a new rule version. Updates a rule version resulting in a new rule version (version 1, 2, 3 ...) Write

rule*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateVariable Grants permission to update a variable Write

variable*

Resource types defined by Amazon Fraud Detector

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
batch-prediction arn:${Partition}:frauddetector:${Region}:${Account}:batch-prediction/${ResourcePath}

aws:ResourceTag/${TagKey}

detector arn:${Partition}:frauddetector:${Region}:${Account}:detector/${ResourcePath}

aws:ResourceTag/${TagKey}

detector-version arn:${Partition}:frauddetector:${Region}:${Account}:detector-version/${ResourcePath}

aws:ResourceTag/${TagKey}

entity-type arn:${Partition}:frauddetector:${Region}:${Account}:entity-type/${ResourcePath}

aws:ResourceTag/${TagKey}

external-model arn:${Partition}:frauddetector:${Region}:${Account}:external-model/${ResourcePath}

aws:ResourceTag/${TagKey}

event-type arn:${Partition}:frauddetector:${Region}:${Account}:event-type/${ResourcePath}

aws:ResourceTag/${TagKey}

label arn:${Partition}:frauddetector:${Region}:${Account}:label/${ResourcePath}

aws:ResourceTag/${TagKey}

model arn:${Partition}:frauddetector:${Region}:${Account}:model/${ResourcePath}

aws:ResourceTag/${TagKey}

model-version arn:${Partition}:frauddetector:${Region}:${Account}:model-version/${ResourcePath}

aws:ResourceTag/${TagKey}

outcome arn:${Partition}:frauddetector:${Region}:${Account}:outcome/${ResourcePath}

aws:ResourceTag/${TagKey}

rule arn:${Partition}:frauddetector:${Region}:${Account}:rule/${ResourcePath}

aws:ResourceTag/${TagKey}

variable arn:${Partition}:frauddetector:${Region}:${Account}:variable/${ResourcePath}

aws:ResourceTag/${TagKey}

batch-import arn:${Partition}:frauddetector:${Region}:${Account}:batch-import/${ResourcePath}

aws:ResourceTag/${TagKey}

list arn:${Partition}:frauddetector:${Region}:${Account}:list/${ResourcePath}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Fraud Detector

Amazon Fraud Detector defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters actions based on the tags associated with the resource String
aws:TagKeys Filters actions based on the tag keys that are passed in the request ArrayOfString