Actions, resources, and condition keys for Amazon Security Lake - Service Authorization Reference

Actions, resources, and condition keys for Amazon Security Lake

Amazon Security Lake (service prefix: securitylake) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Security Lake

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

For details about the columns in the following table, see Actions table.

Actions table

Each entry below gives the action, its description, its access level, and its dependent actions. The Resource types (*required) and Condition keys columns of the original table are empty for every Security Lake action (no resource ARNs and no service-specific condition keys are supported; see the two sections that follow), so they are not repeated per entry.

CreateAwsLogSource
  Description: Grants permission to enable any source type in any region for accounts that are either part of a trusted organization or standalone accounts
  Access level: Write
  Dependent actions: glue:CreateDatabase, glue:CreateTable, glue:GetDatabase, glue:GetTable, iam:CreateServiceLinkedRole, kms:CreateGrant, kms:DescribeKey

CreateCustomLogSource
  Description: Grants permission to add a custom source name
  Access level: Write
  Dependent actions: glue:CreateCrawler, glue:CreateDatabase, glue:CreateTable, glue:StartCrawlerSchedule, iam:DeleteRolePolicy, iam:GetRole, iam:PassRole, iam:PutRolePolicy, kms:CreateGrant, kms:DescribeKey, kms:GenerateDataKey, lakeformation:GrantPermissions, lakeformation:RegisterResource, s3:ListBucket, s3:PutObject

CreateDatalake
  Description: Grants permission to create a new Security Data Lake
  Access level: Write
  Dependent actions: events:PutRule, events:PutTargets, iam:CreateServiceLinkedRole, iam:DeleteRolePolicy, iam:GetRole, iam:PassRole, iam:PutRolePolicy, kms:CreateGrant, kms:DescribeKey, lakeformation:GetDataLakeSettings, lakeformation:PutDataLakeSettings, lambda:CreateEventSourceMapping, lambda:CreateFunction, organizations:DescribeOrganization, organizations:ListDelegatedServicesForAccount, s3:CreateBucket, s3:ListBucket, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutBucketVersioning, sqs:CreateQueue, sqs:GetQueueAttributes, sqs:SetQueueAttributes

CreateDatalakeAutoEnable
  Description: Grants permission to add to the configuration for automatically enabling Amazon Security Lake access for new organization accounts
  Access level: Write
  Dependent actions: none

CreateDatalakeDelegatedAdmin
  Description: Grants permission to designate the Amazon Security Lake administrator account for the organization
  Access level: Write
  Dependent actions: iam:CreateServiceLinkedRole, organizations:DescribeOrganization, organizations:EnableAWSServiceAccess, organizations:ListDelegatedAdministrators, organizations:ListDelegatedServicesForAccount, organizations:RegisterDelegatedAdministrator

CreateDatalakeExceptionsSubscription
  Description: Grants permission to get instant notifications about exceptions by subscribing to the SNS topics for exception notifications
  Access level: Write
  Dependent actions: none

CreateSubscriber
  Description: Grants permission to create a subscription permission for accounts that are already enabled
  Access level: Write
  Dependent actions: iam:CreateRole, iam:DeleteRolePolicy, iam:GetRole, iam:PutRolePolicy, lakeformation:GrantPermissions, lakeformation:ListPermissions, lakeformation:RegisterResource, lakeformation:RevokePermissions, ram:GetResourceShareAssociations, ram:GetResourceShares, ram:UpdateResourceShare, s3:PutObject

CreateSubscriptionNotificationConfiguration
  Description: Grants permission to create a webhook invocation to notify a client when there is new data in the Data Lake
  Access level: Write
  Dependent actions: events:CreateApiDestination, events:CreateConnection, events:DescribeRule, events:ListApiDestinations, events:ListConnections, events:PutRule, events:PutTargets, iam:DeleteRolePolicy, iam:GetRole, iam:PassRole, s3:GetBucketNotification, s3:PutBucketNotification, sqs:CreateQueue, sqs:DeleteQueue, sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:SetQueueAttributes

DeleteAwsLogSource
  Description: Grants permission to disable any source type in any region for accounts that are either part of a trusted organization or standalone accounts
  Access level: Write
  Dependent actions: none

DeleteCustomLogSource
  Description: Grants permission to remove a custom source name
  Access level: Write
  Dependent actions: glue:StopCrawlerSchedule

DeleteDatalake
  Description: Grants permission to delete all Security Data Lakes
  Access level: Write
  Dependent actions: organizations:DescribeOrganization, organizations:ListDelegatedAdministrators, organizations:ListDelegatedServicesForAccount

DeleteDatalakeAutoEnable
  Description: Grants permission to remove from the existing configuration the automatic enabling of Amazon Security Lake access for new organization accounts
  Access level: Write
  Dependent actions: none

DeleteDatalakeDelegatedAdmin
  Description: Grants permission to remove the Delegated Administrator account and disable Amazon Security Lake as a service for this organization
  Access level: Write
  Dependent actions: organizations:DeregisterDelegatedAdministrator, organizations:DescribeOrganization, organizations:ListDelegatedServicesForAccount

DeleteDatalakeExceptionsSubscription
  Description: Grants permission to unsubscribe from SNS topics for exception notifications. Also removes the SNS exception notifications topic
  Access level: Write
  Dependent actions: none

DeleteSubscriber
  Description: Grants permission to delete the specified subscription permissions for accounts that are already enabled
  Access level: Write
  Dependent actions: events:DeleteApiDestination, events:DeleteConnection, events:DeleteRule, events:DescribeRule, events:ListApiDestinations, events:ListTargetsByRule, events:RemoveTargets, iam:DeleteRole, iam:DeleteRolePolicy, iam:GetRole, iam:ListRolePolicies, lakeformation:ListPermissions, lakeformation:RevokePermissions, sqs:DeleteQueue, sqs:GetQueueUrl

DeleteSubscriptionNotificationConfiguration
  Description: Grants permission to remove a webhook invocation to notify a client when there is new data in the Data Lake
  Access level: Write
  Dependent actions: events:DeleteApiDestination, events:DeleteConnection, events:DeleteRule, events:DescribeRule, events:ListApiDestinations, events:ListTargetsByRule, events:RemoveTargets, iam:DeleteRole, iam:DeleteRolePolicy, iam:GetRole, iam:ListRolePolicies, lakeformation:RevokePermissions, sqs:DeleteQueue, sqs:GetQueueUrl

GetDatalake
  Description: Grants permission to get information on the Security Data Lake
  Access level: Read
  Dependent actions: none

GetDatalakeAutoEnable
  Description: Grants permission to get an organization's configuration setting for the automatic enabling of Amazon Security Lake access for new organization accounts
  Access level: Read
  Dependent actions: organizations:DescribeOrganization

GetDatalakeExceptionsExpiry
  Description: Grants permission to allow a user to query what was set as the expiration period for the exception message
  Access level: Read
  Dependent actions: none

GetDatalakeExceptionsSubscription
  Description: Grants permission to query the protocol and endpoint that were supplied when subscribing to the SNS topics for exception notifications
  Access level: Read
  Dependent actions: none

GetDatalakeStatus
  Description: Grants permission to get a static snapshot of the Security Data Lake in the current region, including enabled accounts and log sources
  Access level: Read
  Dependent actions: none

GetSubscriber
  Description: Grants permission to get subscription information for a subscription permission for accounts that are already enabled
  Access level: Read
  Dependent actions: none

GetSubscriptionNotificationConfiguration
  Description: Grants permission to get information for a webhook invocation to notify a client when there is new data in the Data Lake
  Access level: Read
  Dependent actions: none

ListDatalakeExceptions
  Description: Grants permission to get the list of all non-retryable failures
  Access level: List
  Dependent actions: none

ListLogSources
  Description: Grants permission to show the estate view of enabled accounts with the enabled sources in the enabled regions
  Access level: List
  Dependent actions: none

ListSubscribers
  Description: Grants permission to list all subscription permissions for accounts that are already enabled
  Access level: List
  Dependent actions: none

UpdateDatalake
  Description: Grants permission to update a Security Data Lake
  Access level: Write
  Dependent actions: events:PutRule, events:PutTargets, iam:CreateServiceLinkedRole, iam:DeleteRolePolicy, iam:GetRole, iam:PutRolePolicy, kms:CreateGrant, kms:DescribeKey, lakeformation:GetDataLakeSettings, lakeformation:PutDataLakeSettings, lambda:CreateEventSourceMapping, lambda:CreateFunction, organizations:DescribeOrganization, organizations:ListDelegatedServicesForAccount, s3:CreateBucket, s3:ListBucket, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutBucketVersioning, sqs:CreateQueue, sqs:GetQueueAttributes, sqs:SetQueueAttributes

UpdateDatalakeExceptionsExpiry
  Description: Grants permission to control the time-to-live (TTL) for the exception message to remain in the service cache
  Access level: Write
  Dependent actions: none

UpdateDatalakeExceptionsSubscription
  Description: Grants permission to update subscriptions to the SNS topics for exception notifications
  Access level: Write
  Dependent actions: none

UpdateSubscriber
  Description: Grants permission to update subscription information for a subscription permission for accounts that are already enabled
  Access level: Write
  Dependent actions: events:CreateApiDestination, events:CreateConnection, events:DescribeRule, events:ListApiDestinations, events:ListConnections, events:PutRule, events:PutTargets, iam:DeleteRolePolicy, iam:GetRole, iam:PutRolePolicy

UpdateSubscriptionNotificationConfiguration
  Description: Grants permission to update a webhook invocation to notify a client when there is new data in the Data Lake
  Access level: Write
  Dependent actions: events:CreateApiDestination, events:CreateConnection, events:DescribeRule, events:ListApiDestinations, events:ListConnections, events:PutRule, events:PutTargets, iam:CreateServiceLinkedRole, iam:DeleteRolePolicy, iam:GetRole, iam:PassRole, iam:PutRolePolicy, s3:CreateBucket, s3:GetBucketNotification, s3:ListBucket, s3:PutBucketNotification, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutBucketVersioning, s3:PutLifecycleConfiguration, sqs:CreateQueue, sqs:DeleteQueue, sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:SetQueueAttributes

Resource types defined by Amazon Security Lake

Amazon Security Lake does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to Amazon Security Lake, specify "Resource": "*" in your policy.
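As an added example (not part of this reference page or of the Security Lake service), the following Python checks a candidate IAM policy against two facts stated on this page: the dependent actions the table lists for a subset of Security Lake actions, and the rule that Security Lake actions must be granted with Resource "*". The DEPENDENT_ACTIONS map, SAMPLE_POLICY and the helper names are constructed for this example; the ARN in the sample is a placeholder, since Security Lake defines no resource ARNs, and Deny statements are deliberately not evaluated.

```python
import fnmatch
# Dependent actions copied from the actions table on this page (a subset of the table).
DEPENDENT_ACTIONS = {
    "securitylake:CreateDatalakeDelegatedAdmin": [
        "iam:CreateServiceLinkedRole",
        "organizations:DescribeOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListDelegatedServicesForAccount",
        "organizations:RegisterDelegatedAdministrator",
    ],
    "securitylake:DeleteCustomLogSource": ["glue:StopCrawlerSchedule"],
    "securitylake:GetDatalakeAutoEnable": ["organizations:DescribeOrganization"],
}

def _allow_statements(policy):
    """Yield (action_pattern, resource_list) for each Allow statement that has an Action."""
    stmts = policy.get("Statement", [])
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        if s.get("Effect") != "Allow" or "Action" not in s:
            continue
        actions, resources = s["Action"], s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for pattern in actions:
            yield pattern, resources

def _matches(pattern, action):
    # IAM action wildcards (* and ?) match case-insensitively; fnmatch handles both.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_dependencies(policy, action):
    """Dependent actions from the table that no Allow statement covers (Deny is ignored here)."""
    patterns = [p for p, _ in _allow_statements(policy)]
    return [d for d in DEPENDENT_ACTIONS.get(action, [])
            if not any(_matches(p, d) for p in patterns)]

def misscoped_securitylake_patterns(policy):
    """Security Lake needs Resource "*"; return securitylake action patterns scoped to anything else."""
    return [p for p, res in _allow_statements(policy)
            if _matches(p.split(":", 1)[0], "securitylake") and "*" not in res]

# Constructed sample: intended to let a principal designate the delegated administrator,
# but it scopes the Security Lake action to a placeholder ARN and omits four dependencies.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "securitylake:CreateDatalakeDelegatedAdmin",
     "Resource": "arn:aws:securitylake:us-east-1:123456789012:placeholder-not-a-real-arn"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole", "organizations:Describe*"],
     "Resource": "*"},
]}
```

Running missing_dependencies(SAMPLE_POLICY, "securitylake:CreateDatalakeDelegatedAdmin") reports the four organizations actions the second statement's Describe* wildcard does not cover, and misscoped_securitylake_patterns(SAMPLE_POLICY) flags the first statement, which would never grant the action because Security Lake ignores resource ARNs.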

Condition keys for Amazon Security Lake

Amazon Security Lake has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available keys for conditions.