Actions, resources, and condition keys for AWS Systems Manager Incident Manager - Service Authorization Reference

AWS Systems Manager Incident Manager (service prefix: ssm-incidents) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Systems Manager Incident Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to specify one of them without the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateReplicationSet | Grants permission to create a replication set | Write | | | iam:CreateServiceLinkedRole |
| CreateResponsePlan | Grants permission to create a response plan | Write | | aws:TagKeys, aws:RequestTag/${TagKey} | iam:PassRole, ssm-incidents:TagResource |
| CreateTimelineEvent | Grants permission to create a timeline event for an incident record | Write | incident-record*, response-plan* | | |
| DeleteIncidentRecord | Grants permission to delete an incident record | Write | incident-record* | | |
| DeleteReplicationSet | Grants permission to delete a replication set | Write | replication-set* | | |
| DeleteResourcePolicy | Grants permission to delete a resource policy from a response plan | Permissions management | response-plan* | | |
| DeleteResponsePlan | Grants permission to delete a response plan | Write | response-plan* | | |
| DeleteTimelineEvent | Grants permission to delete a timeline event | Write | incident-record* | | |
| GetIncidentRecord | Grants permission to view the contents of an incident record | Read | incident-record*, response-plan* | | |
| GetReplicationSet | Grants permission to view the replication set | Read | replication-set* | | |
| GetResourcePolicies | Grants permission to view the resource policies of a response plan | Read | response-plan* | | |
| GetResponsePlan | Grants permission to view the contents of a specified response plan | Read | response-plan* | | |
| GetTimelineEvent | Grants permission to view a timeline event | Read | incident-record*, response-plan* | | |
| ListIncidentRecords | Grants permission to list the contents of all incident records | List | | | |
| ListRelatedItems | Grants permission to list the related items of an incident record | List | incident-record*, response-plan* | | |
| ListReplicationSets | Grants permission to list all replication sets | List | | | |
| ListResponsePlans | Grants permission to list all response plans | List | | | |
| ListTagsForResource | Grants permission to view a list of resource tags for a specified resource | Read | incident-record, response-plan | | |
| ListTimelineEvents | Grants permission to list all timeline events for an incident record | List | incident-record*, response-plan* | | |
| PutResourcePolicy | Grants permission to put a resource policy on a response plan | Permissions management | response-plan* | | |
| StartIncident | Grants permission to start a new incident using a response plan | Write | response-plan* | | |
| TagResource | Grants permission to add tags to a response plan | Tagging | incident-record, response-plan | aws:TagKeys, aws:RequestTag/${TagKey} | |
| UntagResource | Grants permission to remove tags from a response plan | Tagging | incident-record, response-plan | aws:TagKeys | |
| UpdateDeletionProtection | Grants permission to update replication set deletion protection | Write | replication-set* | | |
| UpdateIncidentRecord | Grants permission to update the contents of an incident record | Write | incident-record*, response-plan* | | |
| UpdateRelatedItems | Grants permission to update the related items of an incident record | Write | incident-record*, response-plan* | | |
| UpdateReplicationSet | Grants permission to update a replication set | Write | replication-set* | | |
| UpdateResponsePlan | Grants permission to update the contents of a response plan | Write | response-plan* | aws:TagKeys, aws:RequestTag/${TagKey} | iam:PassRole, ssm-incidents:TagResource |
| UpdateTimelineEvent | Grants permission to update a timeline event | Write | incident-record*, response-plan* | | |

Resource types defined by AWS Systems Manager Incident Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| response-plan | arn:${Partition}:ssm-incidents::${Account}:response-plan/${ResponsePlan} | aws:ResourceTag/${TagKey} |
| incident-record | arn:${Partition}:ssm-incidents::${Account}:incident-record/${ResponsePlan}/${IncidentRecord} | aws:ResourceTag/${TagKey} |
| replication-set | arn:${Partition}:ssm-incidents::${Account}:replication-set/${ReplicationSet} | |

Condition keys for AWS Systems Manager Incident Manager

AWS Systems Manager Incident Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
| aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
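The following identity-based policy is an added example, not part of the AWS reference page, that puts the three tables above together for a least-privilege responder role. It uses only the actions, ARN formats and condition keys listed on this page; the account ID 111122223333, the response plan name example-plan, the tag key team, and the role ARN in the PassRole statement are placeholders. Each Sid names the point the statement demonstrates: list actions that have no resource type must use "*"; actions that require both incident-record* and response-plan* need both ARN forms in the Resource element, and the incident-record ARN embeds the plan name so it can be scoped per plan; TagResource and CreateResponsePlan (with its dependent actions iam:PassRole and ssm-incidents:TagResource) are constrained with aws:RequestTag and aws:TagKeys so only expected tags can be attached.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListActionsHaveNoResourceTypeSoWildcardIsRequired",
      "Effect": "Allow",
      "Action": [
        "ssm-incidents:ListIncidentRecords",
        "ssm-incidents:ListResponsePlans"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StartIncidentsOnlyFromPlansTaggedForThisTeam",
      "Effect": "Allow",
      "Action": [
        "ssm-incidents:StartIncident",
        "ssm-incidents:GetResponsePlan"
      ],
      "Resource": "arn:aws:ssm-incidents::111122223333:response-plan/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/team": "sre" }
      }
    },
    {
      "Sid": "IncidentRecordActionsRequireBothRecordAndPlanArns",
      "Effect": "Allow",
      "Action": [
        "ssm-incidents:GetIncidentRecord",
        "ssm-incidents:ListTimelineEvents",
        "ssm-incidents:CreateTimelineEvent",
        "ssm-incidents:UpdateIncidentRecord"
      ],
      "Resource": [
        "arn:aws:ssm-incidents::111122223333:incident-record/example-plan/*",
        "arn:aws:ssm-incidents::111122223333:response-plan/example-plan"
      ]
    },
    {
      "Sid": "CreatePlansHasNoResourceTypeButTagsAreConstrained",
      "Effect": "Allow",
      "Action": "ssm-incidents:CreateResponsePlan",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/team": "sre" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["team"] }
      }
    },
    {
      "Sid": "DependentTagResourceOnlyWithExpectedTags",
      "Effect": "Allow",
      "Action": "ssm-incidents:TagResource",
      "Resource": "arn:aws:ssm-incidents::111122223333:response-plan/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/team": "sre" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["team"] }
      }
    },
    {
      "Sid": "DependentPassRoleScopedToOneRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/IncidentManagerPlanRole"
    }
  ]
}
```

Two points worth checking when adapting this: the Incident Manager ARNs on this page carry no region segment (note the empty field after ssm-incidents), so a region-qualified ARN will not match; and because iam:PassRole is a dependent action of CreateResponsePlan and UpdateResponsePlan, leaving its Resource as "*" would let a plan author hand any role in the account to the service, so keep it scoped to the specific role(s) the plans are meant to use.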