Firewall Manager required permissions for API actions
When you set up Access control and write permissions policies that you can attach to an IAM identity (identity-based policies), use the information in this section as a guide. For each AWS Firewall Manager API operation, you need to know the actions for which to grant permissions and the AWS resource for which you grant the permissions. You specify the actions in the policy's Action field, and you specify the resource value in the policy's Resource field.
To specify an action, use the fms: prefix followed by the API operation name (for example, fms:CreatePolicy).
This topic lists only the actions that require explicit resource permissions.
You can use AWS-wide condition keys in your AWS Firewall Manager policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.
To use the following Firewall Manager API actions, you need permissions on the resource:
arn:aws:fms:region:account:policy/ID
Additionally, to use the Firewall Manager API action PutNotificationChannel, the Amazon SNS topic that you specify must allow the Firewall Manager service-linked role to publish messages to it. The following shows an example SNS topic permission setting:
    {
        "Sid": "AWSFirewallManagerSNSPolicy",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::account ID:role/aws-service-role/fms.amazonaws.com/AWSServiceRoleForFMS"
        },
        "Action": "sns:Publish",
        "Resource": "SNS topic ARN"
    }
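The following is an added example, not code from the Firewall Manager documentation. It puts the two policies this topic describes side by side: an identity-based policy whose Action field carries fms:-prefixed operation names and whose Resource field is scoped to one Firewall Manager policy ARN (arn:aws:fms:region:account:policy/ID), and the SNS topic policy that lets the AWSServiceRoleForFMS service-linked role publish, as required by PutNotificationChannel. A small evaluator then shows why the scoping matters: the same action on a different policy ARN is implicitly denied, and an explicit Deny overrides an Allow. The account ID, Region, policy ID and topic name are placeholders, the evaluator ignores Condition elements, and the choice of fms:GetPolicy, fms:PutPolicy and fms:DeletePolicy as the operations needing the policy ARN is an assumption, since the page does not reproduce its list.

```python
import fnmatch

# Constructed example (not from the Firewall Manager documentation). Account ID,
# Region, policy ID and topic name are placeholders.
ACCOUNT_ID = "111122223333"
FMS_POLICY_ARN = f"arn:aws:fms:us-east-1:{ACCOUNT_ID}:policy/PLACEHOLDER-POLICY-ID"
SNS_TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:PLACEHOLDER-TOPIC"

# Identity-based policy: Action carries fms:-prefixed operation names, Resource is
# scoped to one Firewall Manager policy ARN rather than "*". Which operations need
# this resource is an assumption here; the page does not reproduce its list.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOneFmsPolicy",
            "Effect": "Allow",
            "Action": ["fms:GetPolicy", "fms:PutPolicy", "fms:DeletePolicy"],
            "Resource": FMS_POLICY_ARN,
        },
        {
            # Guardrail: an explicit Deny always overrides an Allow in IAM evaluation.
            "Sid": "NoPolicyDeletion",
            "Effect": "Deny",
            "Action": "fms:DeletePolicy",
            "Resource": "*",
        },
    ],
}


def fms_service_role_arn(account_id: str) -> str:
    """ARN of the Firewall Manager service-linked role, as in the page's SNS example."""
    return f"arn:aws:iam::{account_id}:role/aws-service-role/fms.amazonaws.com/AWSServiceRoleForFMS"


# Resource-based SNS topic policy carrying the page's statement with placeholders filled in.
SNS_TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSFirewallManagerSNSPolicy",
            "Effect": "Allow",
            "Principal": {"AWS": fms_service_role_arn(ACCOUNT_ID)},
            "Action": "sns:Publish",
            "Resource": SNS_TOPIC_ARN,
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """Resource-based policies carry a Principal element; identity-based ones do not."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return "*" in allowed or principal_arn in allowed


def is_allowed(policy, action, resource, principal_arn=None):
    """Simplified IAM evaluation: no matching Allow -> implicit deny; any matching
    Deny -> explicit deny regardless of Allows. Action names match case-insensitively
    with * and ? wildcards; resource ARNs match case-sensitively. Conditions are ignored."""
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def fms_can_publish(topic_policy, topic_arn, account_id):
    """Check a topic policy before calling PutNotificationChannel: can the
    Firewall Manager service-linked role of this account publish to the topic?"""
    return is_allowed(topic_policy, "sns:Publish", topic_arn, fms_service_role_arn(account_id))


if __name__ == "__main__":
    other_policy = f"arn:aws:fms:us-east-1:{ACCOUNT_ID}:policy/SOME-OTHER-ID"
    print("GetPolicy on the scoped ARN:", is_allowed(IDENTITY_POLICY, "fms:GetPolicy", FMS_POLICY_ARN))
    print("GetPolicy on another policy:", is_allowed(IDENTITY_POLICY, "fms:GetPolicy", other_policy))
    print("DeletePolicy (explicit deny):", is_allowed(IDENTITY_POLICY, "fms:DeletePolicy", FMS_POLICY_ARN))
    print("FMS role can publish to topic:", fms_can_publish(SNS_TOPIC_POLICY, SNS_TOPIC_ARN, ACCOUNT_ID))
```

The evaluator is deliberately minimal (no Condition, NotAction or NotResource handling); it is enough to show that a policy scoped to one policy/ID ARN does not reach other Firewall Manager policies, and that the topic policy only admits the service-linked role of the intended account.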
For more information about Firewall Manager actions and resources, see the AWS Identity and Access Management guide topic Actions Defined by AWS Firewall Manager.
For the full list of the API actions available for Firewall Manager, see AWS Firewall Manager API Reference.