Actions, resources, and condition keys for AWS Systems Manager Incident Manager

AWS Systems Manager Incident Manager (service prefix: ssm-incidents) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by AWS Systems Manager Incident Manager
Resource types defined by AWS Systems Manager Incident Manager
Condition keys for AWS Systems Manager Incident Manager

Actions defined by AWS Systems Manager Incident Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
CreateReplicationSet	Grants permission to create a replication set	Write			iam:CreateServiceLinkedRole
CreateResponsePlan	Grants permission to create a response plan	Write		aws:TagKeys aws:RequestTag/${TagKey}	iam:PassRole ssm-incidents:TagResource
CreateTimelineEvent	Grants permission to create a timeline event for an incident record	Write	incident-record*
CreateTimelineEvent		Write	response-plan*
DeleteIncidentRecord	Grants permission to delete an incident record	Write	incident-record*
DeleteReplicationSet	Grants permission to delete a replication set	Write	replication-set*
DeleteResourcePolicy	Grants permission to delete resource policy from a response plan	Permissions management	response-plan*
DeleteResponsePlan	Grants permission to delete a response plan	Write	response-plan*
DeleteTimelineEvent	Grants permission to delete a timeline event	Write	incident-record*
GetIncidentRecord	Grants permission to view the contents of an incident record	Read	incident-record*
GetIncidentRecord		Read	response-plan*
GetReplicationSet	Grants permission to view the replication set	Read	replication-set*
GetResourcePolicies	Grants permission to view resource policies of a response plan	Read	response-plan*
GetResponsePlan	Grants permission to view the contents of a specified response plan	Read	response-plan*
GetTimelineEvent	Grants permission to view a timeline event	Read	incident-record*
GetTimelineEvent	Grants permission to view a timeline event	Read	response-plan*
ListIncidentRecords	Grants permission to list the contents of all incident records	List
ListRelatedItems	Grants permission to list related items of an incident records	List	incident-record*
ListRelatedItems		List	response-plan*
ListReplicationSets	Grants permission to list all replication sets	List
ListResponsePlans	Grants permission to list all response plans	List
ListTagsForResource	Grants permission to view a list of resource tags for a specified resource	Read	incident-record
ListTagsForResource		Read	response-plan
ListTimelineEvents	Grants permission to list all timeline events for an incident record	List	incident-record*
ListTimelineEvents		List	response-plan*
PutResourcePolicy	Grants permission to put resource policy on a response plan	Permissions management	response-plan*
StartIncident	Grants permission to start a new incident using a response plan	Write	response-plan*
TagResource	Grants permission to add tags to a response plan	Tagging	incident-record
			response-plan
				aws:TagKeys aws:RequestTag/${TagKey}
UntagResource	Grants permission to remove tags from a response plan	Tagging	incident-record
			response-plan
				aws:TagKeys
UpdateDeletionProtection	Grants permission to update replication set deletion protection	Write	replication-set*
UpdateIncidentRecord	Grants permission to update the contents of an incident record	Write	incident-record*
UpdateIncidentRecord		Write	response-plan*
UpdateRelatedItems	Grants permission to update related items of an incident record	Write	incident-record*
UpdateRelatedItems		Write	response-plan*
UpdateReplicationSet	Grants permission to update a replication set	Write	replication-set*
UpdateResponsePlan	Grants permission to update the contents of a response plan	Write	response-plan*		iam:PassRole ssm-incidents:TagResource
UpdateResponsePlan	Grants permission to update the contents of a response plan	Write		aws:TagKeys aws:RequestTag/${TagKey}
UpdateTimelineEvent	Grants permission to update a timeline event	Write	incident-record*
UpdateTimelineEvent	Grants permission to update a timeline event	Write	response-plan*

Resource types defined by AWS Systems Manager Incident Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
response-plan	`arn:${Partition}:ssm-incidents::${Account}:response-plan/${ResponsePlan}`	aws:ResourceTag/${TagKey}
incident-record	`arn:${Partition}:ssm-incidents::${Account}:incident-record/${ResponsePlan}/${IncidentRecord}`	aws:ResourceTag/${TagKey}
replication-set	`arn:${Partition}:ssm-incidents::${Account}:replication-set/${ReplicationSet}`

Condition keys for AWS Systems Manager Incident Manager

AWS Systems Manager Incident Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the tags that are passed in the request	String
aws:ResourceTag/${TagKey}	Filters access by the tags associated with the resource	String
aws:TagKeys	Filters access by the tag keys that are passed in the request	ArrayOfString

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Systems Manager GUI Connect

AWS Systems Manager Incident Manager Contacts