Actions, resources, and condition keys for Amazon Inspector
Amazon Inspector (service prefix: inspector) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon Inspector
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddAttributesToFindings | Assigns attributes (key and value pairs) to the findings that are specified by the ARNs of the findings. | Write | |||
| CreateAssessmentTarget | Creates a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup. | Write | |||
| CreateAssessmentTemplate | Creates an assessment template for the assessment target that is specified by the ARN of the assessment target. | Write | |||
| CreateResourceGroup | Creates a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target. | Write | |||
| DeleteAssessmentRun | Deletes the assessment run that is specified by the ARN of the assessment run. | Write | |||
| DeleteAssessmentTarget | Deletes the assessment target that is specified by the ARN of the assessment target. | Write | |||
| DeleteAssessmentTemplate | Deletes the assessment template that is specified by the ARN of the assessment template. | Write | |||
| DescribeAssessmentRuns | Describes the assessment runs that are specified by the ARNs of the assessment runs. | Read | |||
| DescribeAssessmentTargets | Describes the assessment targets that are specified by the ARNs of the assessment targets. | Read | |||
| DescribeAssessmentTemplates | Describes the assessment templates that are specified by the ARNs of the assessment templates. | Read | |||
| DescribeCrossAccountAccessRole | Describes the IAM role that enables Amazon Inspector to access your AWS account. | Read | |||
| DescribeFindings | Describes the findings that are specified by the ARNs of the findings. | Read | |||
| DescribeResourceGroups | Describes the resource groups that are specified by the ARNs of the resource groups. | Read | |||
| DescribeRulesPackages | Describes the rules packages that are specified by the ARNs of the rules packages. | Read | |||
| GetTelemetryMetadata | Information about the data that is collected for the specified assessment run. | Read | |||
| ListAssessmentRunAgents | Lists the agents of the assessment runs that are specified by the ARNs of the assessment runs. | List | |||
| ListAssessmentRuns | Lists the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates. | List | |||
| ListAssessmentTargets | Lists the ARNs of the assessment targets within this AWS account. | List | |||
| ListAssessmentTemplates | Lists the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets. | List | |||
| ListEventSubscriptions | Lists all the event subscriptions for the assessment template that is specified by the ARN of the assessment template. | List | |||
| ListFindings | Lists findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs. | List | |||
| ListRulesPackages | Lists all available Amazon Inspector rules packages. | List | |||
| ListTagsForResource | Lists all tags associated with an assessment template. | List | |||
| PreviewAgents | Previews the agents installed on the EC2 instances that are part of the specified assessment target. | Read | |||
| RegisterCrossAccountAccessRole | Registers the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action. | Write | |||
| RemoveAttributesFromFindings | Removes entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists. | Write | |||
| SetTagsForResource | Sets tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template. | Tagging | |||
| StartAssessmentRun | Starts the assessment run specified by the ARN of the assessment template. | Write | |||
| StopAssessmentRun | Stops the assessment run that is specified by the ARN of the assessment run. | Write | |||
| SubscribeToEvent | Enables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic. | Write | |||
| UnsubscribeFromEvent | Disables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic. | Write | |||
| UpdateAssessmentTarget | Updates the assessment target that is specified by the ARN of the assessment target. | Write |
Resource types defined by Amazon Inspector
Amazon Inspector does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to Amazon Inspector, specify
“Resource”: “*” in your policy.
Condition keys for Amazon Inspector
Inspector has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are
available to all services, see Available keys for conditions.
