cdk-iam-floyd
Version:
AWS IAM policy statement generator with fluent interface for AWS CDK
403 lines (402 loc) • 14.8 kB
TypeScript
import { AccessLevelList } from '../../shared/access-level';
import { PolicyStatement, Operator } from '../../shared';
import { aws_iam as iam } from "aws-cdk-lib";
/**
* Statement provider for service [detective](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html).
*
* @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
*/
export declare class Detective extends PolicyStatement {
servicePrefix: string;
/**
* Grants permission to accept an invitation to become a member of a behavior graph
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_AcceptInvitation.html
*/
toAcceptInvitation(): this;
/**
* Grants permission to retrieve the datasource package history for the specified member accounts in a behavior graph managed by this account
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_BatchGetGraphMemberDatasources.html
*/
toBatchGetGraphMemberDatasources(): this;
/**
* Grants permission to retrieve the datasource package history of the caller account for the specified graphs
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_BatchGetMembershipDatasources.html
*/
toBatchGetMembershipDatasources(): this;
/**
* Grants permission to create a behavior graph and begin to aggregate security information
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsTagKeys()
* - .ifAwsRequestTag()
* - .ifAwsResourceTag()
*
* Dependent actions:
* - detective:TagResource
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateGraph.html
*/
toCreateGraph(): this;
/**
* Grants permission to request the membership of one or more accounts in a behavior graph managed by this account
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateMembers.html
*/
toCreateMembers(): this;
/**
* Grants permission to delete a behavior graph and stop aggregating security information
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html
*/
toDeleteGraph(): this;
/**
* Grants permission to remove member accounts from a behavior graph managed by this account
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteMembers.html
*/
toDeleteMembers(): this;
/**
* Grants permission to view the current configuration related to the Amazon Detective integration with AWS Organizations
*
* Access Level: Read
*
* Dependent actions:
* - organizations:DescribeOrganization
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_DescribeOrganizationConfiguration.html
*/
toDescribeOrganizationConfiguration(): this;
/**
* Grants permission to remove the Amazon Detective delegated administrator account for an organization
*
* Access Level: Write
*
* Dependent actions:
* - organizations:DescribeOrganization
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_DisableOrganizationAdminAccount.html
*/
toDisableOrganizationAdminAccount(): this;
/**
* Grants permission to remove the association of this account with a behavior graph
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_DisassociateMembership.html
*/
toDisassociateMembership(): this;
/**
* Grants permission to designate the Amazon Detective delegated administrator account for an organization
*
* Access Level: Write
*
* Dependent actions:
* - iam:CreateServiceLinkedRole
* - organizations:DescribeOrganization
* - organizations:EnableAWSServiceAccess
* - organizations:RegisterDelegatedAdministrator
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_EnableOrganizationAdminAccount.html
*/
toEnableOrganizationAdminAccount(): this;
/**
* Grants permission to retrieve a behavior graph's eligibility for a free trial period
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/adminguide/free-trial-overview.html
*/
toGetFreeTrialEligibility(): this;
/**
* Grants permission to retrieve the data ingestion state of a behavior graph
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/adminguide/detective-source-data-about.html
*/
toGetGraphIngestState(): this;
/**
* Grants permission to get an investigation's status and metadata
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_GetInvestigation.html
*/
toGetInvestigation(): this;
/**
* Grants permission to retrieve details on specified members of a behavior graph
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_GetMembers.html
*/
toGetMembers(): this;
/**
* Grants permission to retrieve information about Amazon Detective's pricing
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/adminguide/usage-projected-cost-calculation.html
*/
toGetPricingInformation(): this;
/**
* Grants permission to list usage information of a behavior graph
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/adminguide/tracking-usage-logging.html
*/
toGetUsageInformation(): this;
/**
* Grants permission to invoke Detective's Assistant
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/userguide/finding-groups-summary.html
*/
toInvokeAssistant(): this;
/**
* Grants permission to list a graph's datasource package ingest states and timestamps for the most recent state changes in a behavior graph managed by this account
*
* Access Level: List
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListDatasourcePackages.html
*/
toListDatasourcePackages(): this;
/**
* Grants permission to list behavior graphs managed by this account
*
* Access Level: List
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html
*/
toListGraphs(): this;
/**
* Grants permission to retrieve high volume entities whose relationships cannot be stored by Detective
*
* Access Level: List
*
* https://docs.aws.amazon.com/detective/latest/userguide/high-volume-entities.html
*/
toListHighDegreeEntities(): this;
/**
* Grants permission to list the indicators of an investigation
*
* Access Level: List
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListIndicators.html
*/
toListIndicators(): this;
/**
* Grants permission to list the investigations of a behavior graph
*
* Access Level: List
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListInvestigations.html
*/
toListInvestigations(): this;
/**
* Grants permission to retrieve details on the behavior graphs to which this account has been invited to join
*
* Access Level: List
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListInvitations.html
*/
toListInvitations(): this;
/**
* Grants permission to retrieve details on all members of a behavior graph
*
* Access Level: List
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListMembers.html
*/
toListMembers(): this;
/**
* Grants permission to view the current Amazon Detective delegated administrator account for an organization
*
* Access Level: List
*
* Dependent actions:
* - organizations:DescribeOrganization
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListOrganizationAdminAccounts.html
*/
toListOrganizationAdminAccount(): this;
/**
* Grants permission to list the tag values that are assigned to a behavior graph
*
* Access Level: List
*
* Possible conditions:
* - .ifAwsResourceTag()
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_ListTagsForResource.html
*/
toListTagsForResource(): this;
/**
* Grants permission to reject an invitation to become a member of a behavior graph
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_RejectInvitation.html
*/
toRejectInvitation(): this;
/**
* Grants permission to search the data stored in a behavior graph
*
* Access Level: Read
*
* https://docs.aws.amazon.com/detective/latest/userguide/detective-search.html
*/
toSearchGraph(): this;
/**
* Grants permission to start investigations
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_StartInvestigation.html
*/
toStartInvestigation(): this;
/**
* Grants permission to start data ingest for a member account that has a status of ACCEPTED_BUT_DISABLED
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_StartMonitoringMember.html
*/
toStartMonitoringMember(): this;
/**
* Grants permission to assign tag values to a behavior graph
*
* Access Level: Tagging
*
* Possible conditions:
* - .ifAwsTagKeys()
* - .ifAwsRequestTag()
* - .ifAwsResourceTag()
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_TagResource.html
*/
toTagResource(): this;
/**
* Grants permission to remove tag values from a behavior graph
*
* Access Level: Tagging
*
* Possible conditions:
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_UntagResource.html
*/
toUntagResource(): this;
/**
* Grants permission to enable or disable datasource package(s) in a behavior graph managed by this account
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_UpdateDatasourcePackages.html
*/
toUpdateDatasourcePackages(): this;
/**
* Grants permission to update an investigation's state and metadata
*
* Access Level: Write
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_UpdateInvestigationState.html
*/
toUpdateInvestigationState(): this;
/**
* Grants permission to update the current configuration related to the Amazon Detective integration with AWS Organizations
*
* Access Level: Write
*
* Dependent actions:
* - organizations:DescribeOrganization
*
* https://docs.aws.amazon.com/detective/latest/APIReference/API_UpdateOrganizationConfiguration.html
*/
toUpdateOrganizationConfiguration(): this;
protected accessLevelList: AccessLevelList;
/**
* Adds a resource of type Graph to the statement
*
* https://docs.aws.amazon.com/detective/latest/adminguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
*
* @param resourceId - Identifier for the resourceId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onGraph(resourceId: string, account?: string, region?: string, partition?: string): this;
/**
* Filters access by specifying the tags that are passed in the request
*
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag
*
* Applies to actions:
* - .toCreateGraph()
* - .toTagResource()
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsRequestTag(tagKey: string, value: string | string[], operator?: Operator | string): this;
/**
* Filters access by specifying the tags associated with the resource
*
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag
*
* Applies to actions:
* - .toCreateGraph()
* - .toListTagsForResource()
* - .toTagResource()
*
* Applies to resource types:
* - Graph
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this;
/**
* Filters access by specifying the tag keys that are passed in the request
*
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys
*
* Applies to actions:
* - .toCreateGraph()
* - .toTagResource()
* - .toUntagResource()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsTagKeys(value: string | string[], operator?: Operator | string): this;
/**
* Statement provider for service [detective](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html).
*
*/
constructor(props?: iam.PolicyStatementProps);
}