Actions, resources, and condition keys for AWS Resilience Hub - Service Authorization Reference

Actions, resources, and condition keys for AWS Resilience Hub

AWS Resilience Hub (service prefix: resiliencehub) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Resilience Hub

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AcceptResourceGroupingRecommendations Grants permission to accept resource grouping recommendations Write

application*

AddDraftAppVersionResourceMappings Grants permission to add draft application version resource mappings Write

application*

cloudformation:DescribeStacks

cloudformation:ListStackResources

resource-groups:GetGroup

resource-groups:ListGroupResources

servicecatalog:GetApplication

servicecatalog:ListAssociatedResources

BatchUpdateRecommendationStatus Grants permission to include or exclude one or more operational recommendations Write

application*

CreateApp Grants permission to create application Write

aws:RequestTag/${TagKey}

aws:TagKeys

iam:PassRole

CreateAppVersionAppComponent Grants permission to create application app component Write

application*

CreateAppVersionResource Grants permission to create application resource Write

application*

CreateRecommendationTemplate Grants permission to create recommendation template Write

application*

s3:CreateBucket

s3:ListBucket

s3:PutObject

aws:RequestTag/${TagKey}

aws:TagKeys

CreateResiliencyPolicy Grants permission to create resiliency policy Write

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteApp Grants permission to batch delete application Write

application*

DeleteAppAssessment Grants permission to batch delete application assessment Write

application*

DeleteAppInputSource Grants permission to remove application input source Write

application*

DeleteAppVersionAppComponent Grants permission to delete application app component Write

application*

DeleteAppVersionResource Grants permission to delete application resource Write

application*

DeleteRecommendationTemplate Grants permission to batch delete recommendation template Write

application*

DeleteResiliencyPolicy Grants permission to batch delete resiliency policy Write

resiliency-policy*

DescribeApp Grants permission to describe application Read

application*

DescribeAppAssessment Grants permission to describe application assessment Read

application*

DescribeAppVersion Grants permission to describe application version Read

application*

DescribeAppVersionAppComponent Grants permission to describe application version app component Read

application*

DescribeAppVersionResource Grants permission to describe application version resource Read

application*

DescribeAppVersionResourcesResolutionStatus Grants permission to describe application resolution Read

application*

DescribeAppVersionTemplate Grants permission to describe application version template Read

application*

DescribeDraftAppVersionResourcesImportStatus Grants permission to describe draft application version resources import status Read

application*

DescribeMetricsExport Grants permission to describe metrics export Read
DescribeResiliencyPolicy Grants permission to describe resiliency policy Read

resiliency-policy*

DescribeResourceGroupingRecommendationTask Grants permission to describe the latest status of the grouping recommendation process Read

application*

ImportResourcesToDraftAppVersion Grants permission to import resources to draft application version Write

application*

cloudformation:DescribeStacks

cloudformation:ListStackResources

resource-groups:GetGroup

resource-groups:ListGroupResources

servicecatalog:GetApplication

servicecatalog:ListAssociatedResources

ListAlarmRecommendations Grants permission to list alarm recommendation List

application*

ListAppAssessmentComplianceDrifts Grants permission to list compliance drifts that were detected while running an assessment List

application*

ListAppAssessmentResourceDrifts Grants permission to list resource drifts that were detected while running an assessment List

application*

ListAppAssessments Grants permission to list application assessment List
ListAppComponentCompliances Grants permission to list app component compliances List

application*

ListAppComponentRecommendations Grants permission to list app component recommendations List

application*

ListAppInputSources Grants permission to list application input sources List

application*

ListAppVersionAppComponents Grants permission to list application version app components List

application*

ListAppVersionResourceMappings Grants permission to application version resource mappings List

application*

ListAppVersionResources Grants permission to list application resources List

application*

ListAppVersions Grants permission to list application version List

application*

ListApps Grants permission to list applications List
ListMetrics Grants permission to list metrics List
ListRecommendationTemplates Grants permission to list recommendation templates List

application*

ListResiliencyPolicies Grants permission to list resiliency policies List
ListResourceGroupingRecommendations Grants permission to list resource grouping recommendations List

application*

ListSopRecommendations Grants permission to list SOP recommendations List

application*

ListSuggestedResiliencyPolicies Grants permission to list suggested resiliency policies List
ListTagsForResource Grants permission to list tags for a resource Read
ListTestRecommendations Grants permission to list test recommendations List

application*

ListUnsupportedAppVersionResources Grants permission to list unsupported application version resources List

application*

PublishAppVersion Grants permission to publish application version Write

application*

PutDraftAppVersionTemplate Grants permission to put draft application version template Write

application*

RejectResourceGroupingRecommendations Grants permission to reject resource grouping recommendations Write

application*

RemoveDraftAppVersionResourceMappings Grants permission to remove draft application version mappings Write

application*

ResolveAppVersionResources Grants permission to resolve application version resources Write

application*

cloudformation:DescribeStacks

cloudformation:ListStackResources

resource-groups:GetGroup

resource-groups:ListGroupResources

servicecatalog:GetApplication

servicecatalog:ListAssociatedResources

StartAppAssessment Grants permission to create application assessment Write

application*

cloudformation:DescribeStacks

cloudformation:ListStackResources

cloudwatch:DescribeAlarms

cloudwatch:GetMetricData

cloudwatch:GetMetricStatistics

cloudwatch:PutMetricData

ec2:DescribeRegions

fis:GetExperimentTemplate

fis:ListExperimentTemplates

fis:ListExperiments

resource-groups:GetGroup

resource-groups:ListGroupResources

servicecatalog:GetApplication

servicecatalog:ListAssociatedResources

ssm:GetParametersByPath

aws:RequestTag/${TagKey}

aws:TagKeys

StartMetricsExport Grants permission to start the metrics export Write
StartResourceGroupingRecommendationTask Grants permission to start the grouping recommendation generation process Write

application*

TagResource Grants permission to assign a resource tag Tagging

app-assessment

application

recommendation-template

resiliency-policy

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to untag a resource Tagging

app-assessment

application

recommendation-template

resiliency-policy

aws:TagKeys

UpdateApp Grants permission to update application Write

application*

iam:PassRole

UpdateAppVersion Grants permission to update application version Write

application*

UpdateAppVersionAppComponent Grants permission to update application app component Write

application*

UpdateAppVersionResource Grants permission to update application resource Write

application*

UpdateResiliencyPolicy Grants permission to update resiliency policy Write

resiliency-policy*

Resource types defined by AWS Resilience Hub

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
resiliency-policy arn:${Partition}:resiliencehub:${Region}:${Account}:resiliency-policy/${ResiliencyPolicyId}

aws:ResourceTag/${TagKey}

application arn:${Partition}:resiliencehub:${Region}:${Account}:app/${AppId}

aws:ResourceTag/${TagKey}

app-assessment arn:${Partition}:resiliencehub:${Region}:${Account}:app-assessment/${AppAssessmentId}

aws:ResourceTag/${TagKey}

recommendation-template arn:${Partition}:resiliencehub:${Region}:${Account}:recommendation-template/${RecommendationTemplateId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Resilience Hub

AWS Resilience Hub defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString