{
"createawslogsource": {
"name": "CreateAwsLogSource",
"description": "Grants permission to enable any source type in any region for accounts that are either part of a trusted organization or standalone accounts",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"glue:CreateDatabase",
"glue:CreateTable",
"glue:GetDatabase",
"glue:GetTable",
"iam:CreateServiceLinkedRole",
"kms:CreateGrant",
"kms:DescribeKey"
]
},
"createcustomlogsource": {
"name": "CreateCustomLogSource",
"description": "Grants permission to add a custom source",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"glue:CreateCrawler",
"glue:CreateDatabase",
"glue:CreateTable",
"glue:StartCrawlerSchedule",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"kms:CreateGrant",
"kms:DescribeKey",
"kms:GenerateDataKey",
"lakeformation:GrantPermissions",
"lakeformation:RegisterResource",
"s3:ListBucket",
"s3:PutObject"
]
},
"createdatalake": {
"name": "CreateDataLake",
"description": "Grants permission to create a new security data lake",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": [
"events:PutRule",
"events:PutTargets",
"iam:CreateServiceLinkedRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:PassRole",
"iam:PutRolePolicy",
"kms:CreateGrant",
"kms:DescribeKey",
"lakeformation:GetDataLakeSettings",
"lakeformation:PutDataLakeSettings",
"lambda:AddPermission",
"lambda:CreateEventSourceMapping",
"lambda:CreateFunction",
"organizations:DescribeOrganization",
"organizations:ListAccounts",
"organizations:ListDelegatedServicesForAccount",
"s3:CreateBucket",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketVersioning",
"sqs:CreateQueue",
"sqs:GetQueueAttributes",
"sqs:SetQueueAttributes"
]
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createdatalakeexceptionsubscription": {
"name": "CreateDataLakeExceptionSubscription",
"description": "Grants permission to get instant notifications about exceptions. Subscribes to the SNS topics for exception notifications",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"createdatalakeorganizationconfiguration": {
"name": "CreateDataLakeOrganizationConfiguration",
"description": "Grants permission to automatically enable Amazon Security Lake for new member accounts in your organization",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createsubscriber": {
"name": "CreateSubscriber",
"description": "Grants permission to create a subscriber",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"iam:CreateRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:PutRolePolicy",
"lakeformation:GrantPermissions",
"lakeformation:ListPermissions",
"lakeformation:RegisterResource",
"lakeformation:RevokePermissions",
"ram:GetResourceShareAssociations",
"ram:GetResourceShares",
"ram:UpdateResourceShare",
"s3:PutObject"
]
},
"createsubscribernotification": {
"name": "CreateSubscriberNotification",
"description": "Grants permission to create a webhook invocation to notify a client when there is new data in the data lake",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "subscriber",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"events:CreateApiDestination",
"events:CreateConnection",
"events:DescribeRule",
"events:ListApiDestinations",
"events:ListConnections",
"events:PutRule",
"events:PutTargets",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:PassRole",
"s3:GetBucketNotification",
"s3:PutBucketNotification",
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:SetQueueAttributes"
]
},
"deleteawslogsource": {
"name": "DeleteAwsLogSource",
"description": "Grants permission to disable any source type in any region for accounts that are part of a trusted organization or standalone accounts",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletecustomlogsource": {
"name": "DeleteCustomLogSource",
"description": "Grants permission to remove a custom source",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"glue:StopCrawlerSchedule"
]
},
"deletedatalake": {
"name": "DeleteDataLake",
"description": "Grants permission to delete a security data lake",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"organizations:DescribeOrganization",
"organizations:ListDelegatedAdministrators",
"organizations:ListDelegatedServicesForAccount"
]
},
"deletedatalakeexceptionsubscription": {
"name": "DeleteDataLakeExceptionSubscription",
"description": "Grants permission to unsubscribe from SNS topics for exception notifications. Removes exception notifications for the SNS topic",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"deletedatalakeorganizationconfiguration": {
"name": "DeleteDataLakeOrganizationConfiguration",
"description": "Grants permission to remove the automatic enablement of Amazon Security Lake access for new organization accounts",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletesubscriber": {
"name": "DeleteSubscriber",
"description": "Grants permission to delete the specified subscriber",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "subscriber",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"events:DeleteApiDestination",
"events:DeleteConnection",
"events:DeleteRule",
"events:DescribeRule",
"events:ListApiDestinations",
"events:ListTargetsByRule",
"events:RemoveTargets",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:ListRolePolicies",
"lakeformation:ListPermissions",
"lakeformation:RevokePermissions",
"sqs:DeleteQueue",
"sqs:GetQueueUrl"
]
},
"deletesubscribernotification": {
"name": "DeleteSubscriberNotification",
"description": "Grants permission to remove a webhook invocation to notify a client when there is new data in the data lake",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "subscriber",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"events:DeleteApiDestination",
"events:DeleteConnection",
"events:DeleteRule",
"events:DescribeRule",
"events:ListApiDestinations",
"events:ListTargetsByRule",
"events:RemoveTargets",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:ListRolePolicies",
"lakeformation:RevokePermissions",
"sqs:DeleteQueue",
"sqs:GetQueueUrl"
]
},
"deregisterdatalakedelegatedadministrator": {
"name": "DeregisterDataLakeDelegatedAdministrator",
"description": "Grants permission to remove the Delegated Administrator account and disable Amazon Security Lake as a service for this organization",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"organizations:DeregisterDelegatedAdministrator",
"organizations:DescribeOrganization",
"organizations:ListDelegatedServicesForAccount"
]
},
"getdatalakeexceptionsubscription": {
"name": "GetDataLakeExceptionSubscription",
"description": "Grants permission to query the protocol and endpoint that were provided when subscribing to SNS topics for exception notifications",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getdatalakeorganizationconfiguration": {
"name": "GetDataLakeOrganizationConfiguration",
"description": "Grants permission to get an organization's configuration setting for automatically enabling Amazon Security Lake access for new organization accounts",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"organizations:DescribeOrganization"
]
},
"getdatalakesources": {
"name": "GetDataLakeSources",
"description": "Grants permission to get a static snapshot of the security data lake in the current region. The snapshot includes enabled accounts and log sources",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getsubscriber": {
"name": "GetSubscriber",
"description": "Grants permission to get information about a subscriber that has already been created",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "subscriber",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"listdatalakeexceptions": {
"name": "ListDataLakeExceptions",
"description": "Grants permission to get the list of all non-retryable failures",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listdatalakes": {
"name": "ListDataLakes",
"description": "Grants permission to list information about the security data lakes",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listlogsources": {
"name": "ListLogSources",
"description": "Grants permission to view the enabled accounts. You can view the enabled sources in the enabled regions",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listsubscribers": {
"name": "ListSubscribers",
"description": "Grants permission to list all subscribers",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listtagsforresource": {
"name": "ListTagsForResource",
"description": "Grants permission to list all tags for the resource",
"accessLevel": "List",
"resourceTypes": [
{
"name": "data-lake",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "subscriber",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"registerdatalakedelegatedadministrator": {
"name": "RegisterDataLakeDelegatedAdministrator",
"description": "Grants permission to designate an account as the Amazon Security Lake administrator account for the organization",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"iam:CreateServiceLinkedRole",
"organizations:DescribeOrganization",
"organizations:EnableAWSServiceAccess",
"organizations:ListDelegatedAdministrators",
"organizations:ListDelegatedServicesForAccount",
"organizations:RegisterDelegatedAdministrator"
]
},
"tagresource": {
"name": "TagResource",
"description": "Grants permission to add tags to the resource",
"accessLevel": "Tagging",
"resourceTypes": [
{
"name": "data-lake",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "subscriber",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"untagresource": {
"name": "UntagResource",
"description": "Grants permission to remove tags from the resource",
"accessLevel": "Tagging",
"resourceTypes": [
{
"name": "data-lake",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "subscriber",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:TagKeys"
],
"dependentActions": []
},
"updatedatalake": {
"name": "UpdateDataLake",
"description": "Grants permission to update a security data lake",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "data-lake",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"events:PutRule",
"events:PutTargets",
"iam:CreateServiceLinkedRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:PutRolePolicy",
"kms:CreateGrant",
"kms:DescribeKey",
"lakeformation:GetDataLakeSettings",
"lakeformation:PutDataLakeSettings",
"lambda:AddPermission",
"lambda:CreateEventSourceMapping",
"lambda:CreateFunction",
"organizations:DescribeOrganization",
"organizations:ListDelegatedServicesForAccount",
"s3:CreateBucket",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketVersioning",
"sqs:CreateQueue",
"sqs:GetQueueAttributes",
"sqs:SetQueueAttributes"
]
},
"updatedatalakeexceptionsubscription": {
"name": "UpdateDataLakeExceptionSubscription",
"description": "Grants permission to update subscriptions to the SNS topics for exception notifications",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"updatesubscriber": {
"name": "UpdateSubscriber",
"description": "Grants permission to update a subscriber",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "subscriber",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"events:CreateApiDestination",
"events:CreateConnection",
"events:DescribeRule",
"events:ListApiDestinations",
"events:ListConnections",
"events:PutRule",
"events:PutTargets",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:PutRolePolicy"
]
},
"updatesubscribernotification": {
"name": "UpdateSubscriberNotification",
"description": "Grants permission to update a webhook invocation to notify a client when there is new data in the data lake",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "subscriber",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"events:CreateApiDestination",
"events:CreateConnection",
"events:DescribeRule",
"events:ListApiDestinations",
"events:ListConnections",
"events:PutRule",
"events:PutTargets",
"iam:CreateServiceLinkedRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"s3:CreateBucket",
"s3:GetBucketNotification",
"s3:ListBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketVersioning",
"s3:PutLifecycleConfiguration",
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:SetQueueAttributes"
]
}
}