Actions, resources, and condition keys for Amazon Security Lake - Service Authorization Reference

Actions, resources, and condition keys for Amazon Security Lake

Amazon Security Lake (service prefix: securitylake) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Security Lake

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CreateAwsLogSource Grants permission to enable any source type in any region for accounts that are either part of a trusted organization or standalone account Write

data-lake*

glue:CreateDatabase

glue:CreateTable

glue:GetDatabase

glue:GetTable

iam:CreateServiceLinkedRole

kms:CreateGrant

kms:DescribeKey

CreateCustomLogSource Grants permission to add a custom source Write

data-lake*

glue:CreateCrawler

glue:CreateDatabase

glue:CreateTable

glue:StartCrawlerSchedule

iam:DeleteRolePolicy

iam:GetRole

iam:PassRole

iam:PutRolePolicy

kms:CreateGrant

kms:DescribeKey

kms:GenerateDataKey

lakeformation:GrantPermissions

lakeformation:RegisterResource

s3:ListBucket

s3:PutObject

CreateDataLake Grants permission to create a new security data lake Write

data-lake*

events:PutRule

events:PutTargets

iam:CreateServiceLinkedRole

iam:DeleteRolePolicy

iam:GetRole

iam:ListAttachedRolePolicies

iam:PassRole

iam:PutRolePolicy

kms:CreateGrant

kms:DescribeKey

lakeformation:GetDataLakeSettings

lakeformation:PutDataLakeSettings

lambda:AddPermission

lambda:CreateEventSourceMapping

lambda:CreateFunction

organizations:DescribeOrganization

organizations:ListAccounts

organizations:ListDelegatedServicesForAccount

s3:CreateBucket

s3:GetObject

s3:GetObjectVersion

s3:ListBucket

s3:PutBucketPolicy

s3:PutBucketPublicAccessBlock

s3:PutBucketVersioning

sqs:CreateQueue

sqs:GetQueueAttributes

sqs:SetQueueAttributes

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataLakeExceptionSubscription Grants permission to get instant notifications about exceptions. Subscribes to the SNS topics for exception notifications Write
CreateDataLakeOrganizationConfiguration Grants permission to automatically enable Amazon Security Lake for new member accounts in your organization Write

data-lake*

CreateSubscriber Grants permission to create a subscriber Write

aws:RequestTag/${TagKey}

aws:TagKeys

iam:CreateRole

iam:DeleteRolePolicy

iam:GetRole

iam:PutRolePolicy

lakeformation:GrantPermissions

lakeformation:ListPermissions

lakeformation:RegisterResource

lakeformation:RevokePermissions

ram:GetResourceShareAssociations

ram:GetResourceShares

ram:UpdateResourceShare

s3:PutObject

CreateSubscriberNotification Grants permission to create a webhook invocation to notify a client when there is new data in the data lake Write

subscriber*

events:CreateApiDestination

events:CreateConnection

events:DescribeRule

events:ListApiDestinations

events:ListConnections

events:PutRule

events:PutTargets

iam:DeleteRolePolicy

iam:GetRole

iam:PassRole

s3:GetBucketNotification

s3:PutBucketNotification

sqs:CreateQueue

sqs:DeleteQueue

sqs:GetQueueAttributes

sqs:GetQueueUrl

sqs:SetQueueAttributes

DeleteAwsLogSource Grants permission to disable any source type in any region for accounts that are part of a trusted organization or standalone accounts Write

data-lake*

DeleteCustomLogSource Grants permission to remove a custom source Write

data-lake*

glue:StopCrawlerSchedule

DeleteDataLake Grants permission to delete security data lake Write

data-lake*

organizations:DescribeOrganization

organizations:ListDelegatedAdministrators

organizations:ListDelegatedServicesForAccount

DeleteDataLakeExceptionSubscription Grants permission to unsubscribe from SNS topics for exception notifications. Removes exception notifications for the SNS topic Write
DeleteDataLakeOrganizationConfiguration Grants permission to remove the automatic enablement of Amazon Security Lake access for new organization accounts Write

data-lake*

DeleteSubscriber Grants permission to delete the specified subscriber Write

subscriber*

events:DeleteApiDestination

events:DeleteConnection

events:DeleteRule

events:DescribeRule

events:ListApiDestinations

events:ListTargetsByRule

events:RemoveTargets

iam:DeleteRole

iam:DeleteRolePolicy

iam:GetRole

iam:ListRolePolicies

lakeformation:ListPermissions

lakeformation:RevokePermissions

sqs:DeleteQueue

sqs:GetQueueUrl

DeleteSubscriberNotification Grants permission to remove a webhook invocation to notify a client when there is new data in the data lake Write

subscriber*

events:DeleteApiDestination

events:DeleteConnection

events:DeleteRule

events:DescribeRule

events:ListApiDestinations

events:ListTargetsByRule

events:RemoveTargets

iam:DeleteRole

iam:DeleteRolePolicy

iam:GetRole

iam:ListRolePolicies

lakeformation:RevokePermissions

sqs:DeleteQueue

sqs:GetQueueUrl

DeregisterDataLakeDelegatedAdministrator Grants permission to remove the Delegated Administrator account and disable Amazon Security Lake as a service for this organization Write

organizations:DeregisterDelegatedAdministrator

organizations:DescribeOrganization

organizations:ListDelegatedServicesForAccount

GetDataLakeExceptionSubscription Grants permission to query the protocol and endpoint that were provided when subscribing to SNS topics for exception notifications Read
GetDataLakeOrganizationConfiguration Grants permission to get an organization's configuration setting for automatically enabling Amazon Security Lake access for new organization accounts Read

data-lake*

organizations:DescribeOrganization

GetDataLakeSources Grants permission to get a static snapshot of the security data lake in the current region. The snapshot includes enabled accounts and log sources Read

data-lake*

GetSubscriber Grants permission to get information about subscriber that is already created Read

subscriber*

ListDataLakeExceptions Grants permission to get the list of all non-retryable failures List
ListDataLakes Grants permission to list information about the security data lakes List
ListLogSources Grants permission to view the enabled accounts. You can view the enabled sources in the enabled regions List
ListSubscribers Grants permission to list all subscribers List
ListTagsForResource Grants permission to list all tags for the resource List

data-lake

subscriber

RegisterDataLakeDelegatedAdministrator Grants permission to designate an account as the Amazon Security Lake administrator account for the organization Write

iam:CreateServiceLinkedRole

organizations:DescribeOrganization

organizations:EnableAWSServiceAccess

organizations:ListDelegatedAdministrators

organizations:ListDelegatedServicesForAccount

organizations:RegisterDelegatedAdministrator

TagResource Grants permission to add tags to the resource Tagging

data-lake

subscriber

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove tags from the resource Tagging

data-lake

subscriber

aws:TagKeys

UpdateDataLake Grants permission to update a security data lake Write

data-lake*

events:PutRule

events:PutTargets

iam:CreateServiceLinkedRole

iam:DeleteRolePolicy

iam:GetRole

iam:ListAttachedRolePolicies

iam:PutRolePolicy

kms:CreateGrant

kms:DescribeKey

lakeformation:GetDataLakeSettings

lakeformation:PutDataLakeSettings

lambda:AddPermission

lambda:CreateEventSourceMapping

lambda:CreateFunction

organizations:DescribeOrganization

organizations:ListDelegatedServicesForAccount

s3:CreateBucket

s3:GetObject

s3:GetObjectVersion

s3:ListBucket

s3:PutBucketPolicy

s3:PutBucketPublicAccessBlock

s3:PutBucketVersioning

sqs:CreateQueue

sqs:GetQueueAttributes

sqs:SetQueueAttributes

UpdateDataLakeExceptionSubscription Grants permission to update subscriptions to the SNS topics for exception notifications Write
UpdateSubscriber Grants permission to update subscriber Write

subscriber*

events:CreateApiDestination

events:CreateConnection

events:DescribeRule

events:ListApiDestinations

events:ListConnections

events:PutRule

events:PutTargets

iam:DeleteRolePolicy

iam:GetRole

iam:PutRolePolicy

UpdateSubscriberNotification Grants permission to update a webhook invocation to notify a client when there is new data in the data lake Write

subscriber*

events:CreateApiDestination

events:CreateConnection

events:DescribeRule

events:ListApiDestinations

events:ListConnections

events:PutRule

events:PutTargets

iam:CreateServiceLinkedRole

iam:DeleteRolePolicy

iam:GetRole

iam:PassRole

iam:PutRolePolicy

s3:CreateBucket

s3:GetBucketNotification

s3:ListBucket

s3:PutBucketNotification

s3:PutBucketPolicy

s3:PutBucketPublicAccessBlock

s3:PutBucketVersioning

s3:PutLifecycleConfiguration

sqs:CreateQueue

sqs:DeleteQueue

sqs:GetQueueAttributes

sqs:GetQueueUrl

sqs:SetQueueAttributes

Resource types defined by Amazon Security Lake

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
data-lake arn:${Partition}:securitylake:${Region}:${Account}:data-lake/default

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

subscriber arn:${Partition}:securitylake:${Region}:${Account}:subscriber/${SubscriberId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Security Lake

Amazon Security Lake defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by a tag key and value pair of a resource String
aws:TagKeys Filters access by tag keys that are passed in the request ArrayOfString