Actions, resources, and condition keys for Amazon Inspector - Service Authorization Reference

Actions, resources, and condition keys for Amazon Inspector

Amazon Inspector (service prefix: inspector) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Inspector

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddAttributesToFindings Grants permission to assign attributes (key and value pairs) to the findings that are specified by the ARNs of the findings Write
CreateAssessmentTarget Grants permission to create a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup Write
CreateAssessmentTemplate Grants permission to create an assessment template for the assessment target that is specified by the ARN of the assessment target Write
CreateExclusionsPreview Grants permission to start the generation of an exclusions preview for the specified assessment template Write
CreateResourceGroup Grants permission to create a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target Write
DeleteAssessmentRun Grants permission to delete the assessment run that is specified by the ARN of the assessment run Write
DeleteAssessmentTarget Grants permission to delete the assessment target that is specified by the ARN of the assessment target Write
DeleteAssessmentTemplate Grants permission to delete the assessment template that is specified by the ARN of the assessment template Write
DescribeAssessmentRuns Grants permission to describe the assessment runs that are specified by the ARNs of the assessment runs Read
DescribeAssessmentTargets Grants permission to describe the assessment targets that are specified by the ARNs of the assessment targets Read
DescribeAssessmentTemplates Grants permission to describe the assessment templates that are specified by the ARNs of the assessment templates Read
DescribeCrossAccountAccessRole Grants permission to describe the IAM role that enables Amazon Inspector to access your AWS account Read
DescribeExclusions Grants permission to describe the exclusions that are specified by the exclusions' ARNs Read
DescribeFindings Grants permission to describe the findings that are specified by the ARNs of the findings Read
DescribeResourceGroups Grants permission to describe the resource groups that are specified by the ARNs of the resource groups Read
DescribeRulesPackages Grants permission to describe the rules packages that are specified by the ARNs of the rules packages Read
GetAssessmentReport Grants permission to produce an assessment report that includes detailed and comprehensive results of a specified assessment run Read
GetExclusionsPreview Grants permission to retrieve the exclusions preview (a list of ExclusionPreview objects) specified by the preview token Read
GetTelemetryMetadata Grants permission to get information about the data that is collected for the specified assessment run Read
ListAssessmentRunAgents Grants permission to list the agents of the assessment runs that are specified by the ARNs of the assessment runs List
ListAssessmentRuns Grants permission to list the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates List
ListAssessmentTargets Grants permission to list the ARNs of the assessment targets within this AWS account List
ListAssessmentTemplates Grants permission to list the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets List
ListEventSubscriptions Grants permission to list all the event subscriptions for the assessment template that is specified by the ARN of the assessment template List
ListExclusions Grants permission to list exclusions that are generated by the assessment run List
ListFindings Grants permission to list findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs List
ListRulesPackages Grants permission to list all available Amazon Inspector rules packages List
ListTagsForResource Grants permission to list all tags associated with an assessment template Read
PreviewAgents Grants permission to preview the agents installed on the EC2 instances that are part of the specified assessment target Read
RegisterCrossAccountAccessRole Grants permission to register the IAM role that Amazon Inspector uses to list your EC2 instances at the start of the assessment run or when you call the PreviewAgents action Write
RemoveAttributesFromFindings Grants permission to remove entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists Write
SetTagsForResource Grants permission to set tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template Tagging
StartAssessmentRun Grants permission to start the assessment run specified by the ARN of the assessment template Write
StopAssessmentRun Grants permission to stop the assessment run that is specified by the ARN of the assessment run Write
SubscribeToEvent Grants permission to enable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic Write
UnsubscribeFromEvent Grants permission to disable the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic Write
UpdateAssessmentTarget Grants permission to update the assessment target that is specified by the ARN of the assessment target Write

Resource types defined by Amazon Inspector

Amazon Inspector does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to Amazon Inspector, specify “Resource”: “*” in your policy.

Condition keys for Amazon Inspector

Inspector has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.