From 31670f521ecfac62fc7faf7b16d04dd6499f417d Mon Sep 17 00:00:00 2001 
From: Bonnie Keller Date: Sun, 8 Dec 2019 11:14:08 -0800 Subject: [PATCH] Periodic update - 12/08/19-11:14am PT --- doc_source/access-analyzer-archive-rules.md | 58 +++ doc_source/access-analyzer-concepts.md | 11 + doc_source/access-analyzer-eventbridge.md | 129 ++++++ .../access-analyzer-findings-archive.md | 21 + doc_source/access-analyzer-findings-filter.md | 40 ++ .../access-analyzer-findings-remediate.md | 10 + doc_source/access-analyzer-findings-view.md | 54 +++ doc_source/access-analyzer-findings.md | 10 + doc_source/access-analyzer-getting-started.md | 125 ++++++ doc_source/access-analyzer-resources.md | 90 +++++ ...ess-analyzer-using-service-linked-roles.md | 108 +++++ .../access-analyzer-work-with-findings.md | 10 + doc_source/access_policies.md | 2 +- ..._policies_access-advisor-view-data-orgs.md | 8 +- doc_source/access_policies_access-advisor.md | 10 +- .../access_policies_identity-vs-resource.md | 4 +- doc_source/best-practices.md | 2 +- doc_source/cloudtrail-integration.md | 8 +- doc_source/console_account-alias.md | 4 +- doc_source/console_search.md | 6 +- doc_source/getting-started.md | 2 +- doc_source/id_credentials_sts_vpce.md | 6 +- doc_source/id_credentials_temp.md | 2 +- .../id_credentials_temp_enable-regions.md | 2 +- .../id_credentials_temp_related-topics.md | 3 +- .../id_roles_common-scenarios_aws-accounts.md | 2 +- .../id_roles_common-scenarios_third-party.md | 2 +- .../id_roles_compare-resource-policies.md | 36 +- doc_source/id_roles_manage_modify.md | 372 +----------------- doc_source/index.md | 25 ++ doc_source/list_amazonec2imagebuilder.md | 59 +++ doc_source/list_amazoneventbridgeschemas.md | 53 +++ doc_source/list_amazonfrauddetector.md | 65 +++ doc_source/list_amazonkendra.md | 42 ++ doc_source/list_amazonkinesisvideostreams.md | 13 +- doc_source/list_amazonrekognition.md | 2 + doc_source/list_amazons3.md | 22 +- doc_source/list_amazonsagemaker.md | 15 + doc_source/list_awsiotsitewise.md | 22 +- 
.../list_awsmanagedapachecassandraservice.md | 41 ++ doc_source/list_awssso.md | 26 +- doc_source/list_awsssodirectory.md | 13 + doc_source/list_computeoptimizer.md | 41 ++ doc_source/list_iamaccessanalyzer.md | 52 +++ doc_source/list_networkmanager.md | 56 +++ doc_source/logging-using-cloudtrail.md | 79 ++++ ...ference_aws-services-that-work-with-iam.md | 34 +- ..._policies_actions-resources-contextkeys.md | 8 + .../reference_policies_condition-keys.md | 14 +- .../reference_policies_elements_principal.md | 2 +- .../reference_policies_iam-condition-keys.md | 16 +- doc_source/roles-managingrole-editing-api.md | 143 +++++++ doc_source/roles-managingrole-editing-cli.md | 143 +++++++ .../roles-managingrole-editing-console.md | 160 ++++++++ doc_source/troubleshoot_iam-ec2.md | 12 +- doc_source/tutorial_abac-saml.md | 2 +- .../tutorial_cross-account-with-roles.md | 3 +- doc_source/what-is-access-analyzer.md | 19 + 58 files changed, 1837 insertions(+), 482 deletions(-) create mode 100644 doc_source/access-analyzer-archive-rules.md create mode 100644 doc_source/access-analyzer-concepts.md create mode 100644 doc_source/access-analyzer-eventbridge.md create mode 100644 doc_source/access-analyzer-findings-archive.md create mode 100644 doc_source/access-analyzer-findings-filter.md create mode 100644 doc_source/access-analyzer-findings-remediate.md create mode 100644 doc_source/access-analyzer-findings-view.md create mode 100644 doc_source/access-analyzer-findings.md create mode 100644 doc_source/access-analyzer-getting-started.md create mode 100644 doc_source/access-analyzer-resources.md create mode 100644 doc_source/access-analyzer-using-service-linked-roles.md create mode 100644 doc_source/access-analyzer-work-with-findings.md create mode 100644 doc_source/list_amazonec2imagebuilder.md create mode 100644 doc_source/list_amazoneventbridgeschemas.md create mode 100644 doc_source/list_amazonfrauddetector.md create mode 100644 doc_source/list_amazonkendra.md create mode 100644 
doc_source/list_awsmanagedapachecassandraservice.md create mode 100644 doc_source/list_computeoptimizer.md create mode 100644 doc_source/list_iamaccessanalyzer.md create mode 100644 doc_source/list_networkmanager.md create mode 100644 doc_source/logging-using-cloudtrail.md create mode 100644 doc_source/roles-managingrole-editing-api.md create mode 100644 doc_source/roles-managingrole-editing-cli.md create mode 100644 doc_source/roles-managingrole-editing-console.md create mode 100644 doc_source/what-is-access-analyzer.md diff --git a/doc_source/access-analyzer-archive-rules.md b/doc_source/access-analyzer-archive-rules.md new file mode 100644 index 00000000..abdb50b9 --- /dev/null +++ b/doc_source/access-analyzer-archive-rules.md 
@@ -0,0 +1,58 @@ +# Archive Rules + +Archive rules automatically archive new findings that meet the criteria you define when you create the rule\. For example, you can create an archive rule to automatically archive any findings for a specific S3 bucket that you regularly grant access to\. Or if you grant access to multiple resources to a specific principal, you can create a rule that automatically archives any new finding generated for access granted to that principal\. This lets you focus only on active findings that may indicate a security risk\. + +Use the information provided in the finding details to identify the specific resource and external entity to use when creating or editing a rule\. Wnen you create an archive rule, only new findings that match the rule criteria are automatically archived\. Existing findings are not automatically archived\. + +**Note** +When you create or edit an archive rule, Access Analyzer does not validate the values you include in the filter for the rule\. For example, if you add a rule to match an AWS Account, Access Analyzer accepts any value in the field, even if it is not a valid AWS account number\. + +**To create an archive rule** + +1. Open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. Choose **Access analyzer**, then choose **Archive rules**\. + +1. Choose **Create archive rule**\. + +1. Enter a name for the rule if you want to change the default name\. + +1. In the **Rule** section, under **Criteria**, select a property to match for the rule\. + +1. Choose an operator for the property value, such as **contains**\. + + The operators available depend on the property you choose\. + +1. Optionally, add additional values for the property, or add additional criteria for the rule\. + + To add another value for a criterion, choose **Add another value**\. To add another criterion for the rule, choose the **Add** button\. + +1. 
When finished added criteria and values, choose **Create archive rule**\. + +For example, to create a rule that automatically archives any findings for S3 buckets: choose **Resource type**, and then choose **is** for the operator\. Next choose **S3 bucket** from the **Select resource type** list, and then choose **Add**\. + +Continue to define criteria to customize the rule as appropriate for your environment, and then choose **Create archive rule**\. + +If you are create a new rule and add multiple criteria, you can remove a single criterion from the rule by choosing **Remove this criterion**\. You can remove a value added for a criterion by choosing **Remove value**\. + +**To edit an archive rule** + +1. Choose name of the rule to edit in the **Name**\. + + You can edit only one archive rule at a time\. + +1. Add new or remove the existing criteria and values for each criterion\. + +1. Choose **Save changes**\. + +**To delete an archive rule** + +1. Select the check box for the rules to delete\. + + You can delete one, many, or all rules at the same time\. + +1. Choose **Delete**\. + +1. Type **delete** in the **Delete archive rule** confirmation dialog, and then choose **Delete**\. + +The rules are deleted only from the analyzer in the current Region\. You must delete archive rules separately for each analyzer that you created in other Regions\. \ No newline at end of file diff --git a/doc_source/access-analyzer-concepts.md b/doc_source/access-analyzer-concepts.md new file mode 100644 index 00000000..8155d537 --- /dev/null +++ b/doc_source/access-analyzer-concepts.md 
@@ -0,0 +1,11 @@ +# How Access Analyzer Works + +This topic describes the concepts and terms that are used in Access Analyzer to help you become familiar with how Access Analyzer monitors access to your AWS resources\. + +IAM Access Analyzer is built on [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/), which translates IAM policies into equivalent logical statements, and runs a suite of general\-purpose and specialized logical solvers \(satisfiability modulo theories\) against the problem\. Access Analyzer applies Zelkova repeatedly to a policy with increasingly specific queries to characterize classes of behaviors the policy allows, based on the content of the policy\. To learn more about satisfiability modulo theories, see [Satisfiability Modulo Theories](https://people.eecs.berkeley.edu/~sseshia/pubdir/SMT-BookChapter.pdf)\. + +Access Analyzer does not examine access logs to determine whether an external entity accessed a resource within your zone of trust\. It generates a finding when a resource\-based policy allows access to a resource, even if the resource was not accessed by the external entity\. Access Analyzer also does not consider the state of any external accounts when making its determination\. That is, if it indicates that account 11112222333 can access your S3 bucket, it knows nothing about the state of users, roles, service control policies \(SCP\), and other relevant configurations in that account\. This is for customer privacy – Access Analyzer doesn't consider who owns the other account\. It is also for security – if the account is not owned by the Access Analyzer customer, it is still important to know that an external entity could gain access to their resources even if there are currently no principals in the account that could access the resources\. 
+ +Access Analyzer considers only certain IAM condition keys that external users cannot directly influence, or that are otherwise impactful to authorization\. + +Access Analyzer does not currently report findings from AWS service principals or internal service accounts\. In rare cases where Access Analyzer isn't able to fully determine whether a policy statement grants access to an external entity, it errs on the side of declaring a false positive finding\. Access Analyzer is designed to provide a comprehensive view of the resource sharing in your account, and strives to minimize false negatives\. \ No newline at end of file diff --git a/doc_source/access-analyzer-eventbridge.md b/doc_source/access-analyzer-eventbridge.md new file mode 100644 index 00000000..c60ce827 --- /dev/null +++ b/doc_source/access-analyzer-eventbridge.md 
@@ -0,0 +1,129 @@ +# Monitoring AWS IAM Access Analyzer with Amazon EventBridge + +Use the information in this topic to learn how to monitor Access Analyzer findings with Amazon EventBridge\. EventBridge is the new version of Amazon CloudWatch Events\. + +## Findings Events + +Access Analyzer sends an event to EventBridge for each generated finding, for a change to the status of an existing finding, and when a finding is deleted\. To receive findings and notifications about findings, you must create an event rule in Amazon EventBridge\. When you create an event rule, you can also specify a target action to trigger based on the rule\. For example, you could create an event rule that triggers an Amazon SNS topic when an event for a new finding is received from Access Analyzer\. + +## Event Notification Frequency + +Access Analyzer sends events for new findings and findings with status updates to EventBridge within about an hour from when the event occurs in your account\. Access Analyzer also sends events to EventBridge when a resolved finding is deleted because the retention period has expired\. For findings that are deleted because the analyzer that generated them is deleted, the event is sent to EventBridge approximately 24 hours after the analyzer was deleted\. When a finding is deleted, the finding status is not changed\. Instead, the `isDeleted` attribute is set to `true`\. + +## Example Event + +The following is an example Access Analyzer event sent to EventBridge\. The `id` listed is the ID for the event in EventBridge\. To learn more, see [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html)\. + +In the `detail` blob, the values for the `accountId` and `region` attributes refer to the account and Region reported in the finding\. The `isDeleted` attribute indicates whether the event was from the finding being deleted\. 
+ +``` +{ + "version": "0", + "id": "22222222-dcba-4444-dcba-333333333333", + "detail-type": "Access Analyzer Finding", + "source": "aws.access-analyzer", + "account": "111122223333", + "time": "2019-11-21T01:22:33Z", + "region": "us-west-2", + "resources": ["arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"], + "detail": { + "version": "1.0", + "accountId": "111122223333", + "region": "us-west-2", + "isDeleted": false + } +} +``` + +The following example shows data for an event that is sent to EventBridge from the `GetFinding` operation of the Access Analyzer API\. + +``` +"version": "0", + "id": "22222222-dcba-4444-dcba-333333333333", + "status": "ACTIVE", + "resourceType": "AWS::S3::Bucket", + "resource": "arn:aws:s3:::my-bucket", + "createdAt": "2019-11-20T04:58:50Z", + "analyzedAt": "2019-11-21T01:22:22Z", + "updatedAt": "2019-11-21T01:14:07Z", + "principal": {"AWS": "999988887777"}, + "action": ["s3:GetObject"], + "condition": {}, + "isPublic": false +``` + +Access Analyzer also sends events to EventBridge for error findings\. An error finding is a finding generated when Access Analyzer can't access a resource it tries to analyze\. Events for error findings include an `error` attribute as shown in the following example\. + +``` +"id": "22222222-dcba-4444-dcba-333333333333", +"status": "ACTIVE", +"resourceType": "AWS::S3::Bucket", +"resource": "arn:aws:s3:::my-bucket", +"error": "ACCESS_DENIED", +"createdAt": "2019-10-16T19:21:44.244Z", +"analyzedAt": "2019-10-16T19:21:44.244Z", +"updatedAt": "2019-10-16T19:21:44.244Z" +``` + +## Creating an Event Rule with a Target + +The following procedure describes how to create an event rule using the console\. + +Open the Amazon EventBridge console at [https://console\.aws\.amazon\.com/events/](https://console.aws.amazon.com/events/)\. + +1. Choose **Create rule**\. + +1. Enter a **Name** and, optionally, a **Description**\. + +1. 
Under **Define pattern** choose **Event pattern**, then choose **Custom pattern**\. + +1. Copy the following example and then paste it into the **Event pattern** box\. + + ``` + { + "source": [ + "aws.access-analyzer" + ], + "detail-type": [ + "Access Analyzer Finding" + ] + } + ``` + +1. Choose **Save**\. + +1. Under **Select targets**, choose a **Target** action for the rule, such as an Amazon SNS topic or AWS Lambda function\. + +1. Choose the specific SNS topic or Lambda function to use when the target is triggered\. + + The target is triggered when an event is received that matches the event pattern defined in the rule\. + +1. Choose **Save** to create the rule\. + +To learn more about creating rules, see [Creating an EventBridge Rule That Triggers on an Event from an AWS Resource](https://docs.aws.amazon.com/eventbridge/latest/userguide/create-eventbridge-rule.html)\. + +### Create a Rule Using the CLI + +1. Use the following to create a rule for Amazon EventBridge using the AWS CLI\. Replace the rule name *TestRule* with the name for your rule\. + + ``` + aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"]}" + ``` + +1. You can customize the rule to trigger target actions only for a subset of generated findings, such as findings with specific attributes\. The following example demonstrates how to create a rule that triggers a target action only for findings with a status of Active\. + + ``` + aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"],\"detail-type\":[\"Access Analyzer Finding\"],\"detail\":{\"status\":[\"ACTIVE\"]}}" + ``` + +1. To define a Lambda function as a target for the rule you created, use the following example command\. Replace the Region and the function name in the ARN as appropriate for your environment\. + + ``` + aws events put-targets --rule TestRule --targets Id=1,Arn=arn:aws:lambda:us-east-1:111122223333:function:MyFunction + ``` + +1. 
Add the permissions required to invoke the rule target\. The following example demonstrates how to grant permissions to a Lambda function, following the preceding examples\. + + ``` + aws lambda add-permission --function-name MyFunction --statement-id 1 --action 'lambda:InvokeFunction' --principal events.amazonaws.com + ``` \ No newline at end of file diff --git a/doc_source/access-analyzer-findings-archive.md b/doc_source/access-analyzer-findings-archive.md new file mode 100644 index 00000000..ca60785f --- /dev/null +++ b/doc_source/access-analyzer-findings-archive.md @@ -0,0 +1,21 @@ +# Archiving Findings + +When you get a finding for access to a resource that is intentional, such as an IAM role that is used by multiple users for approved workflows, you can archive the finding\. When you archive a finding it is cleared from Active findings list, letting you focus on the findings you need to resolve\. Archived findings aren't deleted\. You can filter the Findings page to display your archived findings, and unarchive them at any time\. + +To archive findings from the **Findings** page + +1. Select the check box next to one or more findings to archive\. + +1. Choose **Archive**\. + + A confirmation is displayed at the top of the screen\. + +To archive findings from the **Findings Details** page\. + +1. Choose the **Finding ID** for the finding to archive\. + +1. Choose **Archive**\. + + A confirmation is displayed at the top of the screen\. + +To unarchive findings, repeat the preceding steps, but choose **Unarchive** instead of **Archive**\. When you unarchive a finding, the status is set to Active\. \ No newline at end of file diff --git a/doc_source/access-analyzer-findings-filter.md b/doc_source/access-analyzer-findings-filter.md new file mode 100644 index 00000000..cfbf918c --- /dev/null +++ b/doc_source/access-analyzer-findings-filter.md 
@@ -0,0 +1,40 @@ +# Filtering Findings + +The default filtering for the page is to display all active findings\. To view archived findings, choose the **Archived** tab\. When you first start using Access Analyzer, there are no archived findings\. + +Use filters to display only the findings for a specific resource, account, principal, or other value\. To create a filter, select the property to filter on, then choose a property value to filter on\. For example, to create a filter that displays only findings for a specific AWS account, choose **AWS Account** for the property, then enter the account number for the AWS account that you want to view findings for\. + +**To filter the findings displayed** + +1. Choose the **Filter active findings** field\. + +1. Choose the property to use to filter the findings displayed\. + +1. Choose the value to match for the property\. Only findings with that value in the finding are displayed\. + + For example, if you choose **Resource** as the property, type part or all of the name of a bucket, then press Enter\. Only findings for the bucket that matches the filer criteria are displayed\. + +You can add additional properties to further filter the findings displayed\. When you add additional properties, only findings that match all conditions in the filter are displayed\. Defining a filter to display findings that match one property OR another property is not supported\. + +The following properties are available for defining filters: ++ **Resource** – To filter by resource, type all or part of the name of the resource\. ++ **Resource Type** – To filter by resource type, choose the type from the list displayed\. ++ **AWS Account** – To filter by AWS account, type all or part of the 12\-digit AWS account ID of the external AWS account that has access to resources in the current account\. ++ **Canonical User** – To filter by canonical user, type the canonical user ID as defined for S3 buckets\. 
To learn more, see [AWS Account Identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html)\. ++ **Federated User** – To filter by federated user, type all or part of the ARN of the federated identity\. To learn more, see [Identity Providers and Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html)\. ++ **Principal ARN** – The ARN of the principal \(IAM user, role, or group\)\. To filter by principal ARN, type all or part of the ARN of the IAM user, role, or group from an external AWS account reported in a finding\. ++ **Principal OrgID** – To filter by Principal OrgID, type all or part of the organization ID associated with the external principals that belong to the AWS organization specified as a condition in the finding\. To learn more, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)\. ++ **Principal Org Paths** – To filter by Principal Org Paths, type all or part of the ID for the AWS organization or organizational unit \(OU\) that allows access to all external principals that are account members of the specified organization or OU as a condition in the policy\. To learn more, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)\. ++ **Source Account** – To filter on source account, type all or part of the AWS account ID associated with the resources, as used in some cross\-service permissions in AWS\. ++ **Source ARN** – To filter by Source ARN, type all or part of the ARN specified as a condition in the finding\. To learn more, see To filter by Principal Org Paths, type all or part of the ID for the AWS organization or organizational unit \(OU\) that allows access to all external principals that are account members of the specified organization or OU as a condition in the policy\. 
To learn more, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)\. ++ **Source IP** – To filter by Source IP, type all or part of the IP address that allows external entities access to resources in the current account when using the specified IP address\. To learn more, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)\. ++ **Source VPC** – To filter by Source VPC, type all or part of the VPC ID that allows external entities access to resources in the current account when using the specified VPC\. To learn more, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)\. ++ **Source VPCE** – filter by Source VPCE, type all or part of the VPC endpoint ID that allows external entities access to resources in the current account when using the specified VPC endpoint\. To learn more, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)\. ++ **User ID** – To filter by User ID, type all or part of the user ID of the IAM user from an external AWS account who is allowed access to resource in the current account\. To learn more, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)\. ++ **KMS Key ID** – To filter by KMS Key ID, type all or part of the key ID for the KMS key specified as a condition for KMS\-encrypted S3 object access in your current account\. ++ **Google Audience** – To filter by Google Audience, type all or part of the Google application ID specified as a condition for IAM role access in your current account\. To learn more, see [IAM and AWS STS Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html)\. 
++ **Cognito Audience** – To filter by Cognito Audience, type all or part of the Amazon Cognito identity pool ID specified as a condition for IAM role access in your current account\. To learn more, see [IAM and AWS STS Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html)\. ++ **Caller Account** – The AWS account ID of the account that owns or contains the calling entity, such as an IAM role, user, or account root user\. This is used by services calling KMS\. To filter by caller account, type all or part of the AWS account ID\. ++ **Facebook App ID** – To filter by Facebook App ID, type all or part of the Facebook application ID \(or site ID\) specified as a condition to allow Login with Facebook federation access to an IAM role in your current account\. To learn more, see [IAM and AWS STS Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html)\. ++ **Amazon App ID** – To filter by Amazon App ID, type all or part of the Amazon application ID \(or site ID\) specified as a condition to allow Login with Amazon federation access to an IAM role in your current account\. To learn more, see [IAM and AWS STS Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html)\. ++ **Lambda Event Source Token** – To filter on Lambda Event Source Token passed in with Alexa integrations, type all or part of the token string\. \ No newline at end of file diff --git a/doc_source/access-analyzer-findings-remediate.md b/doc_source/access-analyzer-findings-remediate.md new file mode 100644 index 00000000..7b23a2db --- /dev/null +++ b/doc_source/access-analyzer-findings-remediate.md 
@@ -0,0 +1,10 @@ +# Resolving Findings + +To resolve findings generated from access that you did not intend to allow, modify the policy statement to remove the permissions that allow access to the identified resource\. For example, for findings on S3 buckets, use the Amazon S3 console to configure the permissions on the bucket\. For IAM roles, use the IAM console to [modify the trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html#roles-managingrole_edit-trust-policy) for the listed IAM role\. Use the console for the other supported resources to modify the policy statements that resulted in a generated finding\. + +After you make a change to resolve a finding, such as modifying a policy applied to an IAM role, Access Analyzer scans the resource again\. If the resource is no longer shared outside of your zone of trust, the status of the finding is changed to Resolved\. The finding is no longer displayed in the **Active findings** table, and instead is displayed in the **Resolved findings** table\. + +If the changes you made resulted in the resource being shared outside of your zone of trust, but in a different way, such as with a different principal or for a different permission, Access Analyzer generates a new Active finding\. + +**Note** +It may take up to 30 minutes after a policy is modified for Access Analyzer to again analyze the resource and then update the finding\. Resolved findings are deleted 90 after the last update to the finding status\. \ No newline at end of file diff --git a/doc_source/access-analyzer-findings-view.md b/doc_source/access-analyzer-findings-view.md new file mode 100644 index 00000000..5d8092c2 --- /dev/null +++ b/doc_source/access-analyzer-findings-view.md 
@@ -0,0 +1,54 @@ +# Review Findings + +After you [enable Access Analyzer](access-analyzer-getting-started.md#access-analyzer-enabling), the next step is to review any findings to determine whether the access identified in the finding is intentional or unintentional\. You can also review findings to determine common findings for access that is intended, and then [create an archive rule](access-analyzer-archive-rules.md) to automatically archive those findings\. You can also review archived and resolved findings\. + +**To review findings** + +1. Open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. Choose **Access analyzer**\. + +**Note** +Findings are displayed only if you have permission to view findings for the analyzer\. + +All Active findings are displayed for the analyzer\. To view other findings generated by the analyzer, choose the appropriate tab: ++ Choose **Active** to view all active findings that were generated by the analyzer\. ++ Choose **Archived** to view only findings generated by the analyzer that have been archived\. To learn more, see [Archiving Findings](access-analyzer-findings-archive.md)\. ++ Choose **Resolved** to view only findings that were generated by the analyzer that have been resolved\. When you remediate the issue that generated the finding, the finding status is changed to Resolved\. +**Important** +Resolved findings are deleted 90 days after the last update to the finding\. Active and archived findings are not deleted unless you delete the analyzer that generated them\. ++ Choose **All** to view all findings with any status that were generated by the analyzer\. + +The **Findings** page displays the following details about the shared resource and policy statement that generated the finding: + +**Finding ID** +The unique ID assigned to the finding\. Choose the finding ID to display additional details about the resource and policy statement that generated the finding\. 
+ +**Resource** +The type and partial name of the resource that has a policy applied to it that grants access to an external entity not within your zone of trust\. + +**External principal** +The principal, not within your zone of trust, that the analyzed policy grants access to\. Valid values include: ++ **AWS account** –All principals in the listed AWS account with permissions from that account's administrator can access the resource\. ++ **Any principal** – All principals in any AWS account that meet the conditions included in the **Conditions** column have permission to access the resource\. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC can access the resource\. ++ **Canonical user** – All principals in the AWS account with the listed canonical user ID have permission to access the resource\. ++ **IAM role** – The listed IAM role has permission to access the resource\. ++ **IAM user** – The listed IAM user has permission to access the resource\. + +**Condition** +The condition from the policy statement that grants the access\. For example, if the **Condition** field includes **Source VPC**, it means that the resource is shared with a principal that has access to the VPC listed\. Conditions can be global or service\-specific\. [Global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) have the `aws:` prefix\. + +**Access level** +The level of access granted to the external entity by the actions in the resource\-based policy\. View the details of the finding for more information\. Access level values include the following: ++ **List** – Permission to list resources within the service to determine whether an object exists\. Actions with this level of access can list objects but cannot see the contents of a resource\. ++ **Read** – Permission to read but not edit the contents and attributes of resources in the service\. 
++ **Write** – Permission to create, delete, or modify resources in the service\. ++ **Permissions** – Permission to grant or modify resource permissions in the service\. ++ **Tagging** – Permission to perform actions that only change the state of resource tags\. + +**Updated** +A timestamp for the most recent update to the finding status, or the time and date at which the finding was generated if no updates have been made\. +It may take up to 30 minutes after a policy is modified for Access Analyzer to again analyze the resource and then update the finding\. + +**Status** +The status of the finding, one of **Active**, **Archived**, or **Resolved**\. \ No newline at end of file diff --git a/doc_source/access-analyzer-findings.md b/doc_source/access-analyzer-findings.md new file mode 100644 index 00000000..5918b32f --- /dev/null +++ b/doc_source/access-analyzer-findings.md @@ -0,0 +1,10 @@ +# Access Analyzer Findings + +Access Analyzer generates a finding for each instance of a resource\-based policy that grants access to a resource in your zone of trust \(your account\) to an external entity\. Any sharing that is within the zone of trust is considered safe, so Access Analyzer doesn't generate a finding\. For example, if you grant permissions to an S3 bucket in your account to another AWS account, Access Analyzer generates a finding\. But if you grant permission to a bucket in your account to an IAM role in your account, Access Analyzer doesn't generate a finding\. + +**Topics** ++ [Working with Findings](access-analyzer-work-with-findings.md) ++ [Review Findings](access-analyzer-findings-view.md) ++ [Filtering Findings](access-analyzer-findings-filter.md) ++ [Archiving Findings](access-analyzer-findings-archive.md) ++ [Resolving Findings](access-analyzer-findings-remediate.md) \ No newline at end of file diff --git a/doc_source/access-analyzer-getting-started.md b/doc_source/access-analyzer-getting-started.md new file mode 100644 index 00000000..b58c3d1b 
--- /dev/null +++ b/doc_source/access-analyzer-getting-started.md 
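Review bot: In access-analyzer-findings-view.md, the bullet `**AWS account** –All principals in the listed AWS account...` is missing the space after the dash that every other bullet in the **External principal** list has; make it `**AWS account** – All principals ...`. The note `Findings are displayed only if you have permission to view findings for the analyzer` would be more useful if it named the permissions, which this patch documents in access-analyzer-getting-started.md as `access-analyzer:Get*` and `access-analyzer:List*` (the IAMAccessAnalyzerReadOnlyAccess policy); a link to that section saves the reader a search.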
@@ -0,0 +1,125 @@ +# Getting Started with AWS IAM Access Analyzer + +Use the information in this topic to learn about the requirements necessary to use and manage AWS IAM Access Analyzer, and then how to enable Access Analyzer\. To learn more about the service\-linked role for Access Analyzer, see [Using Service\-Linked Roles for AWS IAM Access Analyzer](access-analyzer-using-service-linked-roles.md)\. + +## Permissions Required to Use Access Analyzer + +To successfully configure and use Access Analyzer, the account you use must be granted the required permissions\. To access and use all Access Analyzer features, you can apply the IAMAccessAnalyzerFullAccess managed policy to the account\. The full access policy grants the following permissions: + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "access-analyzer:*" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "access-analyzer.amazonaws.com" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "organizations:DescribeAccount", + "organizations:DescribeOrganization", + "organizations:DescribeOrganizationalUnit", + "organizations:ListAccounts", + "organizations:ListAccountsForParent", + "organizations:ListAWSServiceAccessForOrganization", + "organizations:ListChildren", + "organizations:ListDelegatedAdministrators", + "organizations:ListOrganizationalUnitsForParent", + "organizations:ListParents", + "organizations:ListRoots" + ], + "Resource": "*" + } + ] +} +``` + +A custom policy for managing Access Analyzer must include the following permissions: ++ access\-analyzer: \* ++ iam:CreateServiceLinkedRole + +To allow read\-only access to Access Analyzer, use the IAMAccessAnalyzerReadOnlyAccess managed policy\. 
This policy grants the following permissions: + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "access-analyzer:Get*", + "access-analyzer:List*" + ], + "Resource": "*" + } + ] +} +``` + +### Resources Defined by AWS IAM Access Analyzer + +Access Analyzer defines the following resources: + + +| **Resource** | **ARN** | +| --- | --- | +| analyzer | arn:$\{Partition\}:access\-analyzer:$\{Region\}:$\{Account\}:analyzer/$\{analyzerName\} | +| archive\-rule | arn:$\{Partition\}:access\-analyzer:$\{Region\}:$\{Account\}:analyzer/$\{analyzerName\}/archive\-rule/$\{ruleName\} | + +### Required Access Analyzer Service Permissions + +Access Analyzer uses a service\-linked role named `AWSAccessAnalyzerServiceRole` to grant the service read\-only access to analyze AWS resources with resource\-based policies on your behalf\. When you create an analyzer to enable Access Analyzer, the service creates the role your account\. For more information, see [Using Service\-Linked Roles for AWS IAM Access Analyzer](access-analyzer-using-service-linked-roles.md)\. + +**Note** +Access Analyzer is Regional\. You must enable Access Analyzer in each Region independently\. + +In some cases, after you enable Access Analyzer, the **Findings** page loads with no findings\. This might be due to a delay in the console for populating your findings\. You need to manually refresh the browser to view your findings\. If you still don't see any findings, it's because you have no supported resources in your account that can be accessed by an external entity\. If a policy that grants access to an external entity is applied to a resource, Access Analyzer generates a finding\. + +**Note** +It may take up to 30 minutes after a policy is modified for Access Analyzer to analyze the resource and then either generate a new finding or update an existing finding for the access to the resource\. 
+ +## Enabling Access Analyzer + +To enable Access Analyzer in a Region, you must create an analyzer in that Region\. You must create an analyzer in each Region in which you want to monitor access to your resources\. + +**To create an analyzer** + +1. Open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. Choose **Access analyzer**\. + +1. Choose **Create analyzer**\. + +1. On the **Create analyzer** page, confirm that the Region displayed is the Region where you want to enable Access Analyzer\. + +1. Enter a name for the analyzer\. + +1. Optional\. Add any tags that you want to apply to the analyzer\. + +1. Choose **Create Analyzer**\. + +When you create an analyzer to enable Access Analyzer, a service\-linked role named `AWSAccessAnalyzerServiceRole` is created in your account\. + +## Access Analyzer Quotas + +Access Analyzer has the following quotas: + + +| Resource | Default quota | +| --- | --- | +| Maximum analyzers with an account zone of trust | 1 | +| Maximum archive rules per analyzer | 100 | \ No newline at end of file diff --git a/doc_source/access-analyzer-resources.md b/doc_source/access-analyzer-resources.md new file mode 100644 index 00000000..958c4e49 --- /dev/null +++ b/doc_source/access-analyzer-resources.md 
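Review bot: In access-analyzer-getting-started.md, `you can apply the IAMAccessAnalyzerFullAccess managed policy to the account` is inaccurate: managed policies attach to IAM users, groups, or roles (the service-linked-role page in this same patch says `an IAM entity \(such as a user, group, or role\)`), not to an account; say `attach ... to the IAM identity you use`. Two smaller fixes in the same hunk: `the service creates the role your account` is missing `in`, and `If you still don't see any findings, it's because you have no supported resources` is too strong given the note directly below it that analysis may take up to 30 minutes; `it is likely that` (or folding the 30-minute caveat into that sentence) is safer. The KMS access-denied finding described in access-analyzer-resources.md is a third reason a shared resource can show no normal finding, so that section is worth cross-linking here.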
@@ -0,0 +1,90 @@ +# Supported Resource Types + +Access Analyzer analyzes the resource\-based policies that are applied to AWS resources in the Region where you enabled Access Analyzer\. Only resource\-based policies are analyzed\. Review the information about each resource for details about how Access Analyzer generates findings for each resource type\. + +**Topics** ++ [Amazon Simple Storage Service Buckets](#access-analyzer-s3) ++ [AWS Identity and Access Management Roles](#access-analyzer-iam-role) ++ [AWS Key Management Service Keys](#access-analyzer-kms-key) ++ [AWS Lambda Functions and Layers](#access-analyzer-lambda) ++ [Amazon Simple Queue Service Queues](#access-analyzer-sqs) + +## Amazon Simple Storage Service Buckets + +When Access Analyzer analyzes Amazon S3 buckets, it generates a finding when a bucket policy or ACL applied to a bucket grants access to an external entity\. An external entity is a principal or other entity that you can use to [create a filter](access-analyzer-findings-filter.md) that isn't within your zone of trust\. For example, if a bucket policy grants access to another account or allows public access, Access Analyzer generates a finding\. However, if you enable [Block public access](Amazon Simple Storage Service Developer Guideaccess-control-block-public-access.html) on your bucket, you can block access at the account level or the bucket level\. + +Amazon S3 *block public access* settings override the bucket policies that are applied to the bucket\. Access Analyzer analyzes block public access settings at the bucket level whenever a policy changes\. However, it evaluates the block public access settings at the account level only once every 6 hours\. This means that Access Analyzer might not generate or resolve a finding for public access to a bucket for up to 6 hours\. For example, if you have a bucket policy that allows public access, Access Analyzer generates a finding for that access\. 
If you then enable block public access to block all public access to the bucket at the account level, Access Analyzer doesn't resolve the finding for the bucket policy for up to 6 hours, even though all public access to the bucket is blocked\. + +## AWS Identity and Access Management Roles + +For IAM roles, Access Analyzer analyzes [trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy)\. In a role trust policy, you define the principals that you trust to assume the role\. A role trust policy is a required resource\-based policy that is attached to a role in IAM\. Access Analyzer generates findings for roles within the zone of trust that can be accessed by an external entity that is outside your zone of trust\. + +**Note** +An IAM role is a global resource\. If a role trust policy grants access to an external entity, Access Analyzer generates a finding in each enabled Region\. + +## AWS Key Management Service Keys + +For AWS KMS customer master keys \(CMKs\), Access Analyzer analyzes the key policies and grants applied to a key\. Access Analyzer generates a finding if a key policy or grant allows an external entity to access the key\. For example, if you use the [kms:CallerAccount](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account) condition key in a policy statement to allow access to all users in a specific AWS account, and you specify an account other than the current account \(in which Access Analyzer is enabled\), Access Analyzer generates a finding\. To learn more about KMS condition keys in IAM policy statements, see [AWS KMS Condition Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys)\. + +When Access Analyzer analyzes a KMS key it reads key metadata, such as the key policy and list of grants\. 
If the key policy doesn't allow the Access Analyzer role to read the key metadata, an Access Denied error finding is generated\. For example, if the following example policy statement is the only policy applied to a key, it results in an Access Denied error finding in Access Analyzer: + +``` +{ + "Sid": "Allow access for Key Administrators", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/Admin" + }, + "Action": "kms:*", + "Resource": "*" +} +``` + +Because this statement allows only the role named *Admin* from the AWS account 111122223333 to access the key, an Access Denied error finding is generated because Access Analyzer isn't able to fully analyze the key\. An error finding is displayed in red text in the **Findings** table\. The finding looks similar to the following: + +``` +{ + "error": "ACCESS_DENIED", + "id": "12345678-1234-abcd-dcba-111122223333", + "analyzedAt": "2019-09-16T14:24:33.352Z", + "resource": "arn:aws:kms:us-west-2:1234567890:key/1a2b3c4d-5e6f-7a8b-9c0d-1a2b3c4d5e6f7g8a", + "resourceType": "AWS::KMS::Key", + "status": "ACTIVE", + "updatedAt": "2019-09-16T14:24:33.352Z" +} +``` + +When you create a KMS CMK, the permissions granted to access the key depend on how you create the key\. If you receive an Access Denied error finding for a key resource, apply the following policy statement to the resource to grant Access Analyzer permission to access the key\. + +``` +{ + "Sid": "Allow Access Analyzer access to key metadata", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": [ + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:List*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:InvokedBy": "access-analyzer.amazonaws.com" + } + } +}, +``` + +This allows Access Analyzer to read key metadata\. The condition statement, `aws:InvokedBy`, limits the key policy statement to the Access Analyzer service\. 
Use a similar statement when the Access Analyzer service assumes the role in your account to read key metadata\. + +After you receive an Access Denied finding for a KMS key resource, and then resolve the finding by updating the key policy, the finding is updated to a status of Resolved\. If there are policy statements or key grants that grant permission to the key to an external entity, you might see additional findings for the key resource\. + +## AWS Lambda Functions and Layers + +For AWS Lambda functions, Access Analyzer analyzes policies, including condition statements in a policy, that grant access to the function to an external entity\. Access Analyzer also analyzes permissions granted when using the [AddPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html) operation of the AWS Lambda API with an `EventSourceToken`\. + +## Amazon Simple Queue Service Queues + +For Amazon SQS queues, Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity access to a queue\. \ No newline at end of file diff --git a/doc_source/access-analyzer-using-service-linked-roles.md b/doc_source/access-analyzer-using-service-linked-roles.md new file mode 100644 index 00000000..90959a18 --- /dev/null +++ b/doc_source/access-analyzer-using-service-linked-roles.md 
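Review bot: In access-analyzer-resources.md, the remediation statement for KMS access-denied findings grants `arn:aws:iam::111122223333:root` the actions `kms:DescribeKey`, `kms:GetKeyPolicy`, `kms:List*`, gated only by `"aws:InvokedBy": "access-analyzer.amazonaws.com"`; that key is not among the documented global condition keys the findings page links to under **Condition**, so either link to where it is defined or, more simply, name the service-linked role this patch documents (`AWSAccessAnalyzerServiceRole`) as the principal, which needs no condition at all. The fenced statement also ends with `},`, which a reader who pastes it as the last statement of a key policy will have to fix. The sample error finding uses `arn:aws:kms:us-west-2:1234567890:key/1a2b3c4d-5e6f-7a8b-9c0d-1a2b3c4d5e6f7g8a`: the account ID has 10 digits rather than 12 and the key ID contains `g`, which is not a hex digit; use `111122223333` like the rest of the page and a valid UUID. In the S3 section the link `[Block public access](Amazon Simple Storage Service Developer Guideaccess-control-block-public-access.html)` has the guide title concatenated into the href and will not resolve, and `An external entity is a principal or other entity that you can use to [create a filter] that isn't within your zone of trust` reads as if the filter, not the entity, is outside the zone of trust; reorder to `a principal or other entity outside your zone of trust (you can also filter findings by it)`.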
@@ -0,0 +1,108 @@ +# Using Service\-Linked Roles for AWS IAM Access Analyzer + +AWS IAM Access Analyzer uses an IAM [ service\-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role)\. A service\-linked role is a unique type of IAM role that is linked directly to Access Analyzer\. Service\-linked roles are predefined by Access Analyzer and include all the permissions that the feature requires to call other AWS services on your behalf\. + +A service\-linked role makes setting up Access Analyzer easier because you don’t have to manually add the necessary permissions\. Access Analyzer defines the permissions of its service\-linked roles, and unless defined otherwise, only Access Analyzer can assume its roles\. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity\. + +For information about other services that support service\-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service\-Linked Role** column\. Choose a **Yes** with a link to view the service\-linked role documentation for that service\. + +## Service\-Linked Role Permissions for AWS IAM Access Analyzer + +AWS IAM Access Analyzer uses the service\-linked role named **AccessAnalyzerServiceRolePolicy** – Allow Access Analyzer to analyze resource metadata\. 
+ +The AccessAnalyzerServiceRolePolicy service\-linked role trusts the following services to assume the role: ++ `access-analyzer.amazonaws.com` + +The role permissions policy allows Access Analyzer to complete the following actions on the specified resources: + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetBucketPublicAccessBlock", + "s3:GetBucketPolicyStatus", + "s3:GetAccountPublicAccessBlock", + "s3:ListAllMyBuckets", + "s3:GetBucketAcl", + "s3:GetBucketLocation", + "s3:GetBucketPolicy", + "iam:GetRole", + "iam:ListRoles", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:ListGrants", + "kms:ListKeyPolicies", + "kms:ListKeys", + "ec2:DescribeVpcs", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeByoipCidrs", + "ec2:DescribeAddresses", + "lambda:ListFunctions", + "lambda:GetPolicy", + "lambda:ListLayers", + "lambda:ListLayerVersions", + "lambda:GetLayerVersionPolicy", + "sqs:GetQueueAttributes", + "sqs:ListQueues", + "organizations:ListAWSServiceAccessForOrganization", + "organizations:ListDelegatedAdministrators", + "organizations:ListRoots", + "organizations:ListParents", + "organizations:ListChildren", + "organizations:ListOrganizationalUnitsForParent", + "organizations:ListAccountsForParent", + "organizations:ListAccounts", + "organizations:DescribeAccount", + "organizations:DescribeOrganization", + "organizations:DescribeOrganizationalUnit" + ], + "Resource": "*" + } + ] +} +``` + +You must configure permissions to allow an IAM entity \(such as a user, group, or role\) to create, edit, or delete a service\-linked role\. For more information, see [Service\-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*\. + +## Creating a Service\-Linked Role for Access Analyzer + +You don't need to manually create a service\-linked role\. 
When you enable Access Analyzer in the AWS Management Console or the AWS API, Access Analyzer creates the service\-linked role for you\. The same service\-linked role is used in all Regions in which you enable Access Analyzer\. + +**Note** +Access Analyzer is Regional\. You must enable Access Analyzer in each Region independently\. + +If you delete this service\-linked role, Access Analyzer recreates the role when you next create an analyzer\. + +You can also use the IAM console to create a service\-linked role with the **Access Analyzer** use case\. In the AWS CLI or the AWS API, create a service\-linked role with the `access-analyzer.amazonaws.com` service name\. For more information, see [Creating a Service\-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*\. If you delete this service\-linked role, you can use this same process to create the role again\. + +## Editing a Service\-Linked Role for Access Analyzer + +Access Analyzer does not allow you to edit the AWSAccessAnalyzerServiceRole service\-linked role\. After you create a service\-linked role, you cannot change the name of the role because various entities might reference the role\. However, you can edit the description of the role using IAM\. For more information, see [Editing a Service\-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*\. + +## Deleting a Service\-Linked Role for Access Analyzer + +If you no longer need to use a feature or service that requires a service\-linked role, we recommend that you delete that role\. That way you don’t have an unused entity that isn't actively monitored or maintained\. However, you must clean up the resources for your service\-linked role before you can manually delete it\. 
+ +**Note** +If Access Analyzer is using the role when you try to delete the resources, then the deletion might fail\. If that happens, wait for a few minutes and try the operation again\. + +**To delete Access Analyzer resources used by the AWSAccessAnalyzerServiceRole** + +1. Open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. In the **Access reports** section, under **Access analyzer**, choose **Analyzer details**\. + +1. Choose **Delete**\. + +1. To confirm that you want to delete the analyzer, enter **delete**, and then choose **Delete**\. + +**To manually delete the service\-linked role using IAM** + +Use the IAM console, the AWS CLI, or the AWS API to delete the AWSAccessAnalyzerServiceRole service\-linked role\. For more information, see [Deleting a Service\-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*\. + +## Supported Regions for Access Analyzer Service\-Linked Roles + +Access Analyzer supports using service\-linked roles in all of the Regions where the service is available\. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html)\. \ No newline at end of file diff --git a/doc_source/access-analyzer-work-with-findings.md b/doc_source/access-analyzer-work-with-findings.md new file mode 100644 index 00000000..bcc622a1 --- /dev/null +++ b/doc_source/access-analyzer-work-with-findings.md 
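Review bot: In access-analyzer-using-service-linked-roles.md, `uses the service-linked role named **AccessAnalyzerServiceRolePolicy**` and `The AccessAnalyzerServiceRolePolicy service-linked role trusts` name the permissions policy, not the role; the rest of this page and the getting-started page in this patch call the role `AWSAccessAnalyzerServiceRole`, so use that name here and present `AccessAnalyzerServiceRolePolicy` as the policy attached to it. The deletion procedure should also state that the analyzer must be deleted in every Region before the role can be removed: this hunk says `The same service-linked role is used in all Regions in which you enable Access Analyzer` and `Access Analyzer is Regional`, yet the steps delete only the analyzer shown for the current Region. And since the findings-view page in this patch says active and archived findings are deleted when their analyzer is deleted, a warning to that effect belongs before `Choose **Delete**`.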
@@ -0,0 +1,10 @@ +# Working with Findings + +Findings are generated only once for each instance of a resource that is shared outside of your zone of trust\. Each time a resource\-based policy is modified, Access Analyzer analyzes the policy\. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing\. If the access in the first finding is removed, that finding is updated to a status of Resolved\. + +The status of all findings remains Active until you archive them or remove the access that generated the finding\. When you remove the access, the finding status is updated to Resolved\. + +**Note** +It may take up to 30 minutes after a policy is modified for Access Analyzer to analyze the resource and then update the finding\. + +You should review all of the findings in your account to determine whether the sharing is expected and approved\. If the sharing identified in the finding is expected, you can archive the finding\. When you archive a finding, the status is changed to Archived, and the finding is removed from the Active findings list\. The finding is not deleted\. You can view your archived findings at any time\. Work through all of the findings in your account until you have zero active findings\. After you get to zero findings, you know that any new Active findings that are generated are from a recent change in your environment\. \ No newline at end of file diff --git a/doc_source/access_policies.md b/doc_source/access_policies.md index 4e02d799..8c9e23aa 100644 --- a/doc_source/access_policies.md +++ b/doc_source/access_policies.md 
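Review bot: In access-analyzer-work-with-findings.md, `Findings are generated only once for each instance of a resource that is shared outside of your zone of trust` is contradicted two sentences later, where a policy change with `different permissions or conditions` produces `a new finding`; make the unit explicit, for example one finding per distinct combination of resource, external principal, access level, and condition, and say that a finding is not re-generated while that combination is unchanged. The page also repeats the 30-minute note verbatim from the getting-started and findings-view pages; a single link would keep the three copies in sync.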
@@ -32,7 +32,7 @@ To enable cross\-account access, you can specify an entire account or IAM entiti The IAM service supports only one type of resource\-based policy called a role *trust policy*, which is attached to an IAM role\. An IAM role is both an identity and a resource that supports resource\-based policies\. For that reason, you must attach both a trust policy and an identity\-based policy to an IAM role\. Trust policies define which principal entities \(accounts, users, roles, and federated users\) can assume the role\. To learn how IAM roles are different from other resource\-based policies, see [How IAM Roles Differ from Resource\-based Policies](id_roles_compare-resource-policies.md)\. -To see which other services support resource\-based policies, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md)\. To learn more about resource\-based policies, see [Identity\-Based Policies and Resource\-Based Policies](access_policies_identity-vs-resource.md)\. +To see which other services support resource\-based policies, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md)\. To learn more about resource\-based policies, see [Identity\-Based Policies and Resource\-Based Policies](access_policies_identity-vs-resource.md)\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. ### IAM Permissions Boundaries diff --git a/doc_source/access_policies_access-advisor-view-data-orgs.md b/doc_source/access_policies_access-advisor-view-data-orgs.md index 3e38dfe4..69706a61 100644 --- a/doc_source/access_policies_access-advisor-view-data-orgs.md +++ b/doc_source/access_policies_access-advisor-view-data-orgs.md 
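Review bot: The cross-reference added to access_policies.md describes the zone of trust as `trusted organization, OU, or account`, but the Access Analyzer pages in this same patch define it as `your zone of trust \(your account\)` and the quota table lists only `Maximum analyzers with an account zone of trust`; align the wording (the same sentence is added to access_policies_identity-vs-resource.md and best-practices.md below) so readers are not told organization-scoped analyzers exist when the feature pages do not document them.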
@@ -41,7 +41,7 @@ You can use the IAM console to view service last accessed data for your root, OU 1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. -1. In the navigation pane, expand **AWS Organizations**, and then choose **Organization activity**\. +1. In the navigation pane below the **Access reports** section, choose **Organization activity**\. 1. On the **Organization activity** page, choose **Root**\. @@ -57,7 +57,7 @@ You can use the IAM console to view service last accessed data for your root, OU 1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. -1. In the navigation pane, expand **AWS Organizations**, and then choose **Organization activity**\. +1. In the navigation pane below the **Access reports** section, choose **Organization activity**\. 1. On the **Organization activity** page, expand the structure of your organization\. Then choose the name of the OU or any account that you want to view except the master account\. @@ -73,7 +73,7 @@ You can use the IAM console to view service last accessed data for your root, OU 1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. -1. In the navigation pane, expand **AWS Organizations**, and then choose **Organization activity**\. +1. In the navigation pane below the **Access reports** section, choose **Organization activity**\. 1. On the **Organization activity** page, expand the structure of your organization and choose the name your master account\. 
@@ -85,7 +85,7 @@ You can use the IAM console to view service last accessed data for your root, OU 1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. -1. In the navigation pane, expand **AWS Organizations**, and then choose **Service control policies \(SCPs\)**\. +1. In the navigation pane below the **Access reports** section, choose **Service control policies \(SCPs\)**\. 1. On the **Service control policies \(SCPs\)** page, view a list of the policies in your organization\. You can view the number of target entities to which each policy is attached\. diff --git a/doc_source/access_policies_access-advisor.md b/doc_source/access_policies_access-advisor.md index 1c99d80e..d8c4537c 100644 --- a/doc_source/access_policies_access-advisor.md +++ b/doc_source/access_policies_access-advisor.md @@ -146,11 +146,11 @@ AWS collects service last accessed data in most Regions\. Data is stored for a m | Asia Pacific \(Hong Kong\) | ap\-east\-1 | April 24, 2019 | | Middle East \(Bahrain\) | me\-south\-1 | July 29, 2019 | | Canada \(Central\) | ca\-central\-1 | October 28, 2017 | -| EU \(Frankfurt\) | eu\-central\-1 | October 1, 2015 | -| EU \(Stockholm\) | eu\-north\-1 | December 12, 2018 | -| EU \(Ireland\) | eu\-west\-1 | October 1, 2015 | -| EU \(London\) | eu\-west\-2 | October 28, 2017 | -| EU \(Paris\) | eu\-west\-3 | December 18, 2017 | +| Europe \(Frankfurt\) | eu\-central\-1 | October 1, 2015 | +| Europe \(Stockholm\) | eu\-north\-1 | December 12, 2018 | +| Europe \(Ireland\) | eu\-west\-1 | October 1, 2015 | +| Europe \(London\) | eu\-west\-2 | October 28, 2017 | +| Europe \(Paris\) | eu\-west\-3 | December 18, 2017 | | South America \(São Paulo\) | sa\-east\-1 | December 11, 2015 | If a Region is not listed in the previous table, then that Region does not yet provide service last accessed data\. \ No newline at end of file 
diff --git a/doc_source/access_policies_identity-vs-resource.md b/doc_source/access_policies_identity-vs-resource.md index 64cb1765..1c5ebf1c 100644 --- a/doc_source/access_policies_identity-vs-resource.md +++ b/doc_source/access_policies_identity-vs-resource.md 
@@ -4,7 +4,9 @@ A policy is an object in AWS that, when associated with an identity or resource, **Identity\-based policies** are attached to an IAM user, group, or role\. These policies let you specify what that identity can do \(its permissions\)\. For example, you can attach the policy to the IAM user named John, stating that he is allowed to perform the Amazon EC2 `RunInstances` action\. The policy could further state that John is allowed to get items from an Amazon DynamoDB table named `MyCompany`\. You can also allow John to manage his own IAM security credentials\. Identity\-based policies can be [managed or inline](access_policies_managed-vs-inline.md)\. -**Resource\-based policies** are attached to a resource\. For example, you can attach resource\-based policies to Amazon S3 buckets, Amazon SQS queues, and AWS Key Management Service encryption keys\. For a list of services that support resource\-based policies, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md)\. With resource\-based policies, you can specify who has access to the resource and what actions they can perform on it\. Resource\-based policies are inline only, not managed\. +**Resource\-based policies** are attached to a resource\. For example, you can attach resource\-based policies to Amazon S3 buckets, Amazon SQS queues, and AWS Key Management Service encryption keys\. For a list of services that support resource\-based policies, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md)\. + +With resource\-based policies, you can specify who has access to the resource and what actions they can perform on it\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. Resource\-based policies are inline only, not managed\. 
**Note** *Resource\-based* policies differ from *resource\-level* permissions\. You can attach resource\-based policies directly to a resource, as described in this topic\. Resource\-level permissions refer to the ability to use [ARNs](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) to specify individual resources in a policy\. Resource\-based policies are supported only by some AWS services\. For a list of which services support resource\-based policies and resource\-level permissions, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md)\. diff --git a/doc_source/best-practices.md b/doc_source/best-practices.md index 64059c46..d28047f3 100644 --- a/doc_source/best-practices.md +++ b/doc_source/best-practices.md @@ -162,7 +162,7 @@ For more information, see [Using an IAM Role to Grant Permissions to Application ## Use Roles to Delegate Permissions -Don't share security credentials between accounts to allow users from another AWS account to access resources in your AWS account\. Instead, use IAM roles\. You can define a role that specifies what permissions the IAM users in the other account are allowed\. You can also designate which AWS accounts have the IAM users that are allowed to assume the role\. +Don't share security credentials between accounts to allow users from another AWS account to access resources in your AWS account\. Instead, use IAM roles\. You can define a role that specifies what permissions the IAM users in the other account are allowed\. You can also designate which AWS accounts have the IAM users that are allowed to assume the role\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. For more information, see [Roles Terms and Concepts](id_roles_terms-and-concepts.md)\. 
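Review bot: In the access_policies_identity-vs-resource.md hunk, the added sentence is inserted between `With resource-based policies, you can specify who has access to the resource and what actions they can perform on it` and `Resource-based policies are inline only, not managed`, splitting two sentences about the same subject with a cross-reference; move the cross-reference to the end of the paragraph. The sentence also mentions only `access to assume your roles`, while this paragraph covers S3 buckets, SQS queues, and KMS keys, all of which the Access Analyzer resource-types page in this patch analyzes, so `access to your resources` fits better here.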
diff --git a/doc_source/cloudtrail-integration.md b/doc_source/cloudtrail-integration.md index a094d97a..0be9f7f7 100644 --- a/doc_source/cloudtrail-integration.md +++ b/doc_source/cloudtrail-integration.md 
@@ -64,7 +64,7 @@ Whether the sign\-in event is considered Regional or global depends on the conso CloudTrail creates separate trails in each Region\. These trails include information for events that occur in those Regions, plus global events and events that are not region\-specific\. Examples include IAM API calls, AWS STS calls to the global endpoint, and AWS sign\-in events\. For example, assume that you have two trails, each in a different Region\. If you then create a new IAM user, the `CreateUser` event is added to the log files in both Regions, creating a duplicate log entry\. -AWS Security Token Service \(STS\) is a global service with a single global endpoint at https://sts\.amazonaws\.com\. Calls to this endpoint are logged as calls to a global service\. However, because this endpoint is physically located in the US East \(N\. Virginia\) Region, your logs list us\-east\-1 as the event Region\. CloudTrail does not write these logs to the US East \(Ohio\) Region unless you choose to include global service logs in that Region\. AWS STS also allows calls to Regional endpoints, such as `sts.eu-central-1.amazonaws.com`\. CloudTrail writes calls to all Regional endpoints to their respective Regions\. For example, calls to `sts.us-east-2.amazonaws.com` are published to the US East \(Ohio\) Region\. Calls to `sts.eu-central-1.amazonaws.com` are published in the EU \(Frankfurt\) Region logs\. +AWS Security Token Service \(STS\) is a global service with a single global endpoint at https://sts\.amazonaws\.com\. Calls to this endpoint are logged as calls to a global service\. However, because this endpoint is physically located in the US East \(N\. Virginia\) Region, your logs list us\-east\-1 as the event Region\. CloudTrail does not write these logs to the US East \(Ohio\) Region unless you choose to include global service logs in that Region\. AWS STS also allows calls to Regional endpoints, such as `sts.eu-central-1.amazonaws.com`\. 
CloudTrail writes calls to all Regional endpoints to their respective Regions\. For example, calls to `sts.us-east-2.amazonaws.com` are published to the US East \(Ohio\) Region\. Calls to `sts.eu-central-1.amazonaws.com` are published in the Europe \(Frankfurt\) Region logs\. For more information about multiple Regions and AWS STS, see [Managing AWS STS in an AWS Region](id_credentials_temp_enable-regions.md)\. @@ -81,9 +81,9 @@ The following table lists the Regions and how CloudTrail logs AWS STS requests i | US West \(N\. California\) | us\-west\-1 | sts\.us\-west\-1\.amazonaws\.com | Region | | US West \(Oregon\) | us\-west\-2 | sts\.us\-west\-2\.amazonaws\.com | Region | | Canada \(Central\) | ca\-central\-1 | sts\.ca\-central\-1\.amazonaws\.com | Region | -| EU \(Frankfurt\) | eu\-central\-1 | sts\.eu\-central\-1\.amazonaws\.com | Region | -| EU \(Ireland\) | eu\-west\-1 | sts\.eu\-west\-1\.amazonaws\.com | Region | -| EU \(London\) | eu\-west\-2 | sts\.eu\-west\-2\.amazonaws\.com | Region | +| Europe \(Frankfurt\) | eu\-central\-1 | sts\.eu\-central\-1\.amazonaws\.com | Region | +| Europe \(Ireland\) | eu\-west\-1 | sts\.eu\-west\-1\.amazonaws\.com | Region | +| Europe \(London\) | eu\-west\-2 | sts\.eu\-west\-2\.amazonaws\.com | Region | | Asia Pacific \(Tokyo\) | ap\-northeast\-1 | sts\.ap\-northeast\-1\.amazonaws\.com | Region | | Asia Pacific \(Seoul\) | ap\-northeast\-2 | sts\.ap\-northeast\-2\.amazonaws\.com | Region | | Asia Pacific \(Mumbai\) | ap\-south\-1 | sts\.ap\-south\-1\.amazonaws\.com | Region | diff --git a/doc_source/console_account-alias.md b/doc_source/console_account-alias.md index 64e5dee3..b7673683 100644 --- a/doc_source/console_account-alias.md +++ b/doc_source/console_account-alias.md 
@@ -13,9 +13,7 @@ You can find your account ID in the AWS Management Console, or using the AWS CLI ### Finding your account ID \(Console\) -Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. The account to which you are signed in appears at the top of the navigation pane\. - -![\[Finding your account ID\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/account-id-iam-console.png) + In the navigation bar, choose **Support**, and then **Support Center**\. Your currently signed\-in 12\-digit account number \(ID\) appears in the **Support Center** title bar\. ### Finding your account ID \(AWS CLI\) diff --git a/doc_source/console_search.md b/doc_source/console_search.md index 7f451b34..7474c6db 100644 --- a/doc_source/console_search.md +++ b/doc_source/console_search.md 
@@ -1,12 +1,14 @@ # IAM Console Search -As you navigate through the IAM Management Console to manage various IAM resources, you often need to locate access keys or browse to the deeply nested IAM resources to find items you need to work with\. A faster option is to use the IAM console search page to locate access keys related to your account, IAM entities \(such as users, groups, roles, identity providers\), policies by name, and more\. +As you navigate through the IAM Management Console to manage various IAM resources, you often need to locate access keys, Or you might need to browse to the deeply nested IAM resources to find what you need\. A faster option is to use the IAM console search page to locate access keys related to your account, IAM entities \(such as users, groups, roles, identity providers\), policies by name, and more\. The IAM console search feature can locate any of the following: + IAM entity names that match your search keywords \(for users, groups, roles, identity providers, and policies\) + AWS documentation topic names that match your search keywords + Tasks that match your search keywords +The IAM console search feature does not return information about IAM Access Analyzer\. + Every line in the search result is an active link\. For example, you can choose the user name in the search result, which takes you to that user's detail page\. Or you can choose an action link, for example **Create user**, to go to the **Create User** page\. **Note** @@ -22,7 +24,7 @@ Use the **Search** page in the IAM console to find items related to that account 1. In the navigation pane, choose **Search**\. -1. In the **Search** box, type your search keyword\(s\)\. +1. In the **Search** box, type your search keywords\. 1. Choose a link in the search results list to navigate to the corresponding part of the console or documentation\. diff --git a/doc_source/getting-started.md b/doc_source/getting-started.md index 51d54066..0a1d20dd 100644 
--- a/doc_source/getting-started.md +++ b/doc_source/getting-started.md @@ -1,6 +1,6 @@ # Getting Started -This topic shows you how to give access to your AWS resources by creating AWS Identity and Access Management \(IAM\) users under your AWS account\. First, you'll learn about IAM concepts you should understand before you create groups and users, and then you'll walk through how to perform the necessary tasks using the AWS Management Console\. The first task is to set up an administrators group for your AWS account\. Having an administrators group for your AWS account isn't required, but we strongly recommend it\. +This topic shows you how to give access to your AWS resources by creating AWS Identity and Access Management \(IAM\) users in your AWS account\. First, you'll learn about IAM concepts you should understand before you create groups and users, and then you'll walk through how to perform the necessary tasks using the AWS Management Console\. The first task is to set up an administrators group for your AWS account\. Having an administrators group for your AWS account isn't required, but we strongly recommend it\. **Note** This set of documentation deals primarily with the IAM service\. To learn about getting started with AWS and using multiple services to solve a problem such as building and launching your first project, see the [Getting Started Resource Center](https://aws.amazon.com/getting-started/)\. diff --git a/doc_source/id_credentials_sts_vpce.md b/doc_source/id_credentials_sts_vpce.md index 8b665f01..3a44b647 100644 --- a/doc_source/id_credentials_sts_vpce.md +++ b/doc_source/id_credentials_sts_vpce.md @@ -20,9 +20,9 @@ AWS STS currently supports VPC endpoints in the following Regions: + Asia Pacific \(Singapore\) + Asia Pacific \(Sydney\) + Asia Pacific \(Tokyo\) -+ EU \(Frankfurt\) -+ EU \(Ireland\) -+ EU \(London\) ++ Europe \(Frankfurt\) ++ Europe \(Ireland\) ++ Europe \(London\) + South America \(São Paulo\) ## Create a VPC for AWS STS 
diff --git a/doc_source/id_credentials_temp.md b/doc_source/id_credentials_temp.md index fc7921c1..58b28244 100644 --- a/doc_source/id_credentials_temp.md +++ b/doc_source/id_credentials_temp.md @@ -33,7 +33,7 @@ For mobile applications, we recommend that you use Amazon Cognito\. You can use ### Roles for Cross\-account Access -Many organizations maintain more than one AWS account\. Using roles and cross\-account access, you can define user identities in one account, and use those identities to access AWS resources in other accounts that belong to your organization\. This is known as the *delegation* approach to temporary access\. For more information, see [Creating a Role to Delegate Permissions to an IAM User](id_roles_create_for-user.md)\. +Many organizations maintain more than one AWS account\. Using roles and cross\-account access, you can define user identities in one account, and use those identities to access AWS resources in other accounts that belong to your organization\. This is known as the *delegation* approach to temporary access\. For more information about creating cross\-account roles, see [Creating a Role to Delegate Permissions to an IAM User](id_roles_create_for-user.md)\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. ### Roles for Amazon EC2 diff --git a/doc_source/id_credentials_temp_enable-regions.md b/doc_source/id_credentials_temp_enable-regions.md index 5c155ec2..fd2244fc 100644 --- a/doc_source/id_credentials_temp_enable-regions.md +++ b/doc_source/id_credentials_temp_enable-regions.md 
@@ -50,7 +50,7 @@ Active Regions are available to everyone that uses temporary credentials in that ## Writing Code to Use AWS STS Regions -After you activate a Region, you can direct AWS STS API calls to that Region\. The following Java code snippet demonstrates how to configure an `AWSSecurityTokenServiceClient` object to make requests to the EU \(Ireland\) \(eu\-west\-1\) Region with the `setEndpoint` method\. +After you activate a Region, you can direct AWS STS API calls to that Region\. The following Java code snippet demonstrates how to configure an `AWSSecurityTokenServiceClient` object to make requests to the Europe \(Ireland\) \(eu\-west\-1\) Region with the `setEndpoint` method\. ``` AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(); diff --git a/doc_source/id_credentials_temp_related-topics.md b/doc_source/id_credentials_temp_related-topics.md index bf154f0b..4764cef8 100644 --- a/doc_source/id_credentials_temp_related-topics.md +++ b/doc_source/id_credentials_temp_related-topics.md 
@@ -8,4 +8,5 @@ The following scenarios and applications can guide you in using temporary securi For more information on policies and permissions in AWS see the following topics: + [Access Management](access.md) + [Policy Evaluation Logic](reference_policies_evaluation-logic.md)\. -+ [Managing Access Permissions to Your Amazon S3 Resources](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html) in *Amazon Simple Storage Service Developer Guide*\. \ No newline at end of file ++ [Managing Access Permissions to Your Amazon S3 Resources](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html) in *Amazon Simple Storage Service Developer Guide*\. ++ To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. \ No newline at end of file diff --git a/doc_source/id_roles_common-scenarios_aws-accounts.md b/doc_source/id_roles_common-scenarios_aws-accounts.md index 1ce0672e..4cbb6318 100644 --- a/doc_source/id_roles_common-scenarios_aws-accounts.md +++ b/doc_source/id_roles_common-scenarios_aws-accounts.md 
@@ -12,7 +12,7 @@ Imagine that you have Amazon EC2 instances that are critical to your organizatio We recommend using this approach to enforce the *principle of least privilege*\. That means restricting the use of elevated permissions to only those times when they are needed for specific tasks\. With roles you can help prevent accidental changes to sensitive environments, especially if you combine them with [auditing](cloudtrail-integration.md) to help ensure that roles are only used when needed\. -When you create a role for this purpose, you specify the accounts by ID whose users need access in the `Principal` element of the role's trust policy\. You can then grant specific users in those other accounts permissions to switch to the role\. +When you create a role for this purpose, you specify the accounts by ID whose users need access in the `Principal` element of the role's trust policy\. You can then grant specific users in those other accounts permissions to switch to the role\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. A user in one account can switch to a role in the same or a different account\. While using the role, the user can perform only the actions and access only the resources permitted by the role; their original user permissions are suspended\. When the user exits the role, the original user permissions are restored\. diff --git a/doc_source/id_roles_common-scenarios_third-party.md b/doc_source/id_roles_common-scenarios_third-party.md index cc39decd..cf6b013b 100644 --- a/doc_source/id_roles_common-scenarios_third-party.md +++ b/doc_source/id_roles_common-scenarios_third-party.md 
@@ -1,6 +1,6 @@ # Providing Access to AWS Accounts Owned by Third Parties -When third parties require access to your organization's AWS resources, you can use roles to delegate access to them\. For example, a third party might provide a service for managing your AWS resources\. With IAM roles, you can grant these third parties access to your AWS resources without sharing your AWS security credentials\. Instead, the third party can access your AWS resources by assuming a role that you create in your AWS account\. +When third parties require access to your organization's AWS resources, you can use roles to delegate access to them\. For example, a third party might provide a service for managing your AWS resources\. With IAM roles, you can grant these third parties access to your AWS resources without sharing your AWS security credentials\. Instead, the third party can access your AWS resources by assuming a role that you create in your AWS account\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. Third parties must provide you with the following information for you to create a role that they can assume: + The third party's AWS account ID\. You specify their AWS account ID as the principal when you define the trust policy for the role\. diff --git a/doc_source/id_roles_compare-resource-policies.md b/doc_source/id_roles_compare-resource-policies.md index bd28e7c2..99e6f43d 100644 --- a/doc_source/id_roles_compare-resource-policies.md +++ b/doc_source/id_roles_compare-resource-policies.md 
@@ -1,35 +1,41 @@ # How IAM Roles Differ from Resource\-based Policies -For some AWS services, you can grant cross\-account access to your resources\. To do this, you attach a policy directly to the resource that you want to share, instead of using a role as a proxy\. The resource that you want to share must support [resource\-based policies](access_policies_identity-vs-resource.md)\. Unlike a user\-based policy, a resource\-based policy specifies who \(in the form of a list of AWS account ID numbers\) can access that resource\. +For some AWS services, you can grant cross\-account access to your resources\. To do this, you attach a policy directly to the resource that you want to share, instead of using a role as a proxy\. The resource that you want to share must support [resource\-based policies](access_policies_identity-vs-resource.md)\. Unlike an identity\-based policy, a resource\-based policy specifies who \(which principal\) can access that resource\. -Cross\-account access with a resource\-based policy has some advantages over a role\. With a resource that is accessed through a resource\-based policy, the user still works in the trusted account and does not have to give up his or her user permissions in place of the role permissions\. In other words, the user continues to have access to resources in the trusted account at the same time as he or she has access to the resource in the trusting account\. This is useful for tasks such as copying information to or from the shared resource in the other account\. +Cross\-account access with a resource\-based policy has some advantages over cross\-account access with a role\. With a resource that is accessed through a resource\-based policy, the principal still works in the trusted account and does not have to give up his or her permissions to receive the role permissions\. 
In other words, the principal continues to have access to resources in the trusted account at the same time as he or she has access to the resource in the trusting account\. This is useful for tasks such as copying information to or from the shared resource in the other account\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. -A few of the AWS services that support resource\-based policies are listed here: +The principals that you can specify in a resource based policy include accounts, IAM users, federated users, IAM roles, assumed\-role sessions, or AWS services\. For more information, see [Specifying a Principal](reference_policies_elements_principal.md#Principal_specifying)\. + +The following list includes some of the AWS services that support resource\-based policies\. For a complete list of the growing number of AWS services that support attaching permission policies to resources instead of principals, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes** in the **Resource Based** column\. + **Amazon S3 buckets** – The policy is attached to the bucket, but the policy controls access to both the bucket and the objects in it\. For more information, go to [Access Control](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html) in the *Amazon Simple Storage Service Developer Guide*\. In some cases, it may be best to use roles for cross\-account access to Amazon S3\. For more information, see the [example walkthroughs](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access.html) in the *Amazon Simple Storage Service Developer Guide*\. 
+ **Amazon Simple Notification Service \(Amazon SNS\) topics** – For more information, go to [Managing Access to Your Amazon SNS Topics](https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html) in the *Amazon Simple Notification Service Developer Guide*\. + **Amazon Simple Queue Service \(Amazon SQS\) queues** – For more information, go to [Appendix: The Access Policy Language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/AccessPolicyLanguage.html) in the *Amazon Simple Queue Service Developer Guide*\. -For a complete list of the growing number of AWS services that support attaching permission policies to resources instead of principals, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes** in the **Resource Based** column\. - ## About Delegating AWS Permissions in a Resource\-based Policy -After a resource grants your AWS account permissions as a principal in its resource\-based policy, you can then delegate permissions to specific users or groups under your AWS account\. You attach a policy to the user or group that you want to delegate the permissions to\. Note that you can only delegate permissions equivalent to, or less than, the permissions granted to your account by the resource owning account\. For example, if your account is granted full access to the resources of another AWS account, then you can delegate full access, list access, or any other partial access to users under your AWS account\. If, on the other hand, your account is granted list access only, then you can delegate only list access\. If you try to delegate more permissions than your account has, your users will still have only list access\. This is illustrated in the following figure\. For information about attaching a policy to a user or group, see [Managing IAM Policies](access_policies_manage.md)\. 
+If a resource grants permissions to principals in your account, you can then delegate those permissions to specific IAM identities\. Identities are users, groups of users, or roles in your account\. You delegeate permissions by attaching a policy to the identity\. You can grant up to the maximum permissions that are allowed by the resource\-owning account\. -![\[Delegating access to an AWS account\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/Delegation.diagram.png) +Assume that a resource\-based policy allows all principals in your account full administrative access to a resource\. Then you can delegate full access, read\-only access, or any other partial access to principals in your AWS account\. Alternatively, if the resource\-based policy allows only list permissions, then you can delegate only list access\. If you try to delegate more permissions than your account has, your principals will still have only list access\. For information about attaching a policy to an IAM identity, see [Managing IAM Policies](access_policies_manage.md)\. -1. Account A gives account B full access to account A's S3 bucket by naming account B as a principal in the policy\. As a result, account B is authorized to perform any action on account A's bucket, and the account B administrator can delegate access to its users in account B\. +For example, assume that you manage `AccountA` and `AccountB`\. In `AccountA`, you have the Amazon S3 bucket named `BucketA`\. You attach a resource\-based policy to `BucketA` that allows all `AccountB` principals full access to objects in your bucket\. They can create, read, or delete any objects in that bucket\. In `AccountB`, you attach a policy to the IAM user named `User2`\. That policy allows the user read\-only access to the objects in `BucketA`\. That means that `User2` can view the objects, but not create, edit, or delete them\. -1. The account B administrator grants user 1 read\-only access to account A's S3 bucket\. 
User 1 can view the objects in account A's bucket\. The level of access account B can delegate is equivalent to, or less than, the access the account has\. In this case, the full access granted to account B is filtered to read only for user 1\. +![\[Delegating access to an AWS account\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/Delegation.png) -1. The account B administrator does not give access to user 2\. Because users by default do not have any permissions except those that are explicitly granted, user 2 does not have access to account A's Amazon S3 bucket\. +1. `AccountA` gives `AccountB` full access to `BucketA` by naming `AccountB` as a principal in the resource\-based policy\. As a result, `AccountB` is authorized to perform any action on `BucketA`, and the `AccountB` administrator can delegate access to its users in `AccountB`\. -**Important** -In the preceding example, if account B had used wildcards \(\*\) to give user 1 full access to all its resources, user 1 would automatically have access to any resources that account B has access to, including access granted by other accounts to those accounts' resources\. In this case, user 1 would have access to any Account A resources granted to account B, in addition to those explicitly granted to user 1\. -IAM evaluates a user's permissions at the time the user makes a request\. Therefore, if you use wildcards \(\*\) to give users full access to your resources, users are able to access any resources that your AWS account has access to, even resources you add or gain access to after creating the user's policy\. +1. The `AccountB` root user has all of the permissions that are granted to the account\. Therefore, the root user has full access to `BucketA`\. + +1. The `AccountB` administrator does not give access to `User1`\. By default, users do not have any permissions except those that are explicitly granted\. Therefore, `User1` does not have access to `BucketA`\. 
-For information about permissions, policies, and the permission policy language that you use to write policies, see [Access Management](access.md)\. +1. The `AccountB` administrator grants `User2` read\-only access to `BucketA`\. `User2` can view the objects in the bucket\. The maximum level of access that `AccountB` can delegate is the access level that is granted to the account\. In this case, the resource\-based policy granted full access to `AccountB`, but `User2` is granted only read\-only access\. + +IAM evaluates a principal's permissions at the time the principal makes a request\. Therefore, if you use wildcards \(\*\) to give users full access to your resources, principals can access any resources that your AWS account has access to\. This is true even for resources you add or gain access to after creating the user's policy\. + +In the preceding example, if `AccountB` had attached a policy to `User2` that allowed full access to all resources in all accounts, `User2` would automatically have access to any resources that `AccountB` has access to\. This includes the `BucketA` access and access to any other resources granted by resource\-based policies in `AccountA`\. **Important** -Give access only to entities you trust, and give the minimum amount of access necessary\. Whenever the trusted entity is another AWS account, that account can in turn delegate access to any of its IAM users\. The trusted AWS account can delegate access only to the extent that it has been granted access; it cannot delegate more access than the account itself has been granted\. \ No newline at end of file +Give access only to entities you trust, and give the minimum level of access necessary\. Whenever the trusted entity is another AWS account, that account can in turn delegate access to any of its IAM users\. The trusted AWS account can delegate access only to the extent that it has been granted access; it cannot delegate more access than the account itself has been granted\. 
+ +For information about permissions, policies, and the permission policy language that you use to write policies, see [Access Management](access.md)\. \ No newline at end of file diff --git a/doc_source/id_roles_manage_modify.md b/doc_source/id_roles_manage_modify.md index 64ea8b89..4cea1f67 100644 --- a/doc_source/id_roles_manage_modify.md +++ b/doc_source/id_roles_manage_modify.md 
@@ -1,375 +1,13 @@ # Modifying a Role -You can change or modify a role in IAM using the following methods: -+ To change who can assume a role, you must modify the role's trust policy\. You cannot modify the trust policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)*\. -**Note** -If a user is listed as the principal in a role's trust policy but cannot assume the role, check the user's [permissions boundary](access_policies_boundaries.md)\. If a permissions boundary is set for the user, then it must allow the `sts:AssumeRole` action\. -+ To change the permissions allowed by the role, modify the role's permissions policy \(or policies\)\. You cannot modify the permissions policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)* in IAM\. You might be able to modify the permissions policy within the service that depends on the role\. To check whether a service supports this feature, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes **in the **Service\-linked roles** column\. Choose a **Yes** with a link to view the service\-linked role documentation for that service\. -+ To change the description of the role, modify the description text\. -+ To change the set of tags on a role, see [Managing Tags on IAM Entities \(Console\)](id_tags.md#id_tags_procs-console)\. -+ To specify the maximum session duration setting for roles that are assumed using the AWS CLI or API, modify the maximum session duration setting's value\. This setting can have a value from 1 hour to 12 hours\. If you do not specify a value, the default maximum of 1 hour is applied\. This setting does not limit sessions assumed by AWS services\. -**Note** -Anyone who assumes the role from the AWS CLI or API can use the `duration-seconds` CLI parameter or the `DurationSeconds` API parameter to request a longer session\. 
The `MaxSessionDuration` setting determines the maximum duration of the role session that can be requested using the `DurationSeconds` parameter\. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour\. -+ To change the maximum permissions allowed for a role, modify the role's [permissions boundary](access_policies_boundaries.md)\. - -You can use the AWS Management Console, the [AWS Command Line Tools](https://aws.amazon.com/tools/#Command_Line_Tools), the Tools for Windows PowerShell, or the IAM API to make these changes\. +You can use the AWS Management Console, the AWS CLI, or the IAM API to make changes to a role\. **Topics** + [View Role Access](#roles-modify_prerequisites) -+ [Modifying a Role \(Console\)](#roles-managingrole-editing-console) -+ [Modifying a Role \(AWS CLI\)](#roles-managingrole-editing-cli) -+ [Modifying a Role \(AWS API\)](#roles-managingrole-editing-api) ++ [Modifying a Role \(Console\)](roles-managingrole-editing-console.md) ++ [Modifying a Role \(AWS CLI\)](roles-managingrole-editing-cli.md) ++ [Modifying a Role \(AWS API\)](roles-managingrole-editing-api.md) ## View Role Access -Before you change the permissions for a role, you should review its recent service\-level activity\. This is important because you don't want to remove access from a principal \(person or application\) who is using it\. For more information about viewing service last accessed data, see [Refining Permissions Using Service Last Accessed Data](access_policies_access-advisor.md)\. - -## Modifying a Role \(Console\) - -You can use the AWS Management Console to modify a role\. - -**To change who can assume the role \(console\)** - -1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. - -1. In the navigation pane of the IAM console, choose **Roles**\. - -1. 
In the list of roles in your account, choose the name of the role that you want to modify\. - -1. Choose the **Trust relationships** tab, and then choose **Edit trust relationship**\. - -1. Edit the trust policy as needed\. To add additional principals that can assume the role, specify them in the `Principal` element\. For example, the following policy snippet shows how to reference two AWS accounts in the `Principal` element: - - ``` - "Principal": { - "AWS": [ - "arn:aws:iam::111122223333:root", - "arn:aws:iam::444455556666:root" - ] - }, - ``` - - If you specify a principal in another account, adding an account to the trust policy of a role is only half of establishing the cross\-account trust relationship\. By default, no users in the trusted accounts can assume the role\. The administrator for the newly trusted account must grant the users the permission to assume the role\. To do that, the administrator must create or edit a policy that is attached to the user to allow the user access to the `sts:AssumeRole` action\. For more information, see the following procedure or [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. - - The following policy snippet shows how to reference two AWSservices in the `Principal` element: - - ``` - "Principal": { - "Service": [ - "opsworks.amazonaws.com", - "ec2.amazonaws.com" - ] - }, - ``` - -1. When you are finished editing your trust policy, choose **Update Trust Policy** to save your changes\. - - For more information about policy structure and syntax, see [Policies and Permissions](access_policies.md) and the [IAM JSON Policy Elements Reference](reference_policies_elements.md)\. - -**To allow users in a trusted external account to use the role \(console\)** - -For more information and detail about this procedure, see [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. - -1. Sign in to the trusted external AWS account\. - -1. 
Decide whether to attach the permissions to a user or to a group\. In the navigation pane of the IAM console, choose **Users** or **Groups** accordingly\. - -1. Choose the name of the user or group to which you want to grant access, and then choose the **Permissions** tab\. - -1. Do one of the following: - + To edit a customer managed policy, choose the name of the policy, choose **Edit policy**, and then choose the **JSON** tab\. You cannot edit an AWS managed policy\. AWS managed policies appear with the AWS icon \(![\[Image NOT FOUND\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_icon.png)\)\. For more information about the difference between AWS managed policies and customer managed policies, see [Managed Policies and Inline Policies](access_policies_managed-vs-inline.md)\. - + To edit an inline policy, choose the arrow next to the name of the policy and choose **Edit policy**\. - -1. In the policy editor, add a new `Statement` element that specifies the following: - - ``` - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam::ACCOUNT-ID:role/ROLE-NAME" - } - ``` - - Replace the ARN in the statement with the ARN of the role that the user can assume\. - -1. Follow the prompts on screen to finish editing the policy\. - -**To change the permissions allowed by a role \(console\)** - -1. Open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. - -1. In the navigation pane of the IAM console, choose **Roles**\. - -1. Choose the name of the role that you want to modify, and then choose the **Permissions** tab\. - -1. Do one of the following: - + To edit an existing customer managed policy, choose the name of the policy and then choose **Edit policy**\. -**Note** -You cannot edit an AWS managed policy\. AWS managed policy appear with the AWS icon \(![\[Image NOT FOUND\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_icon.png)\)\. 
For more information about the difference between AWS managed policies and customer managed policies, see [Managed Policies and Inline Policies](access_policies_managed-vs-inline.md)\. - + To attach an existing managed policy to the role, choose **Add permissions**\. - + To edit an existing inline policy, choose the arrow next to the name of the policy and choose **Edit Policy**\. - + To embed a new inline policy, choose **Add inline policy**\. - -**To change the description of a role \(console\)** - -1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. - -1. In the navigation pane of the IAM console, choose **Roles**\. - -1. Choose the name of the role to modify\. - -1. Next to **Role description** and on the far right, choose **Edit**\. - -1. Type a new description in the box and choose **Save**\. - -**To change the maximum session duration setting for roles that are assumed using the AWS CLI or API \(console\)** - -1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. - -1. In the navigation pane of the IAM console, choose **Roles**\. - -1. Choose the name of the role to modify\. - -1. Next to **Maximum CLI/API session duration** choose a value\. Or choose **Custom duration** and type a value \(in seconds\)\. - -1. Choose **Save**\. - - Your changes don't take effect until the next time someone assumes this role\. To learn how to revoke existing sessions for this role, see [Revoking IAM Role Temporary Security Credentials](id_roles_use_revoke-sessions.md)\. - -**To change the policy used to set the permissions boundary for a role** - -1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. - -1. In the navigation pane, choose **Roles**\. - -1. 
Choose the name of the role whose [permissions boundary](access_policies_boundaries.md) you want to change\. - -1. Choose the **Permissions** tab\. If necessary, open the **Permissions boundary** section and then choose **Change boundary**\. - -1. Select the policy that you want to use for the permissions boundary\. - -1. Choose **Change boundary**\. - - Your changes don't take effect until the next time someone assumes this role\. - -## Modifying a Role \(AWS CLI\) - -You can use the AWS Command Line Interface to modify a role\. - -**To change who can assume the role \(AWS CLI\)** - -1. \(Optional\) If you don't know the name of the role that you want to modify, run the following command to list the roles in your account: - + [aws iam list\-roles](https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html) - -1. \(Optional\) To view the current trust policy for a role, run the following command: - + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) - -1. To modify the trusted principals that can access the role, create a text file with the updated trust policy\. You can use any text editor to construct the policy\. - - For example, the following trust policy shows how to reference two AWS accounts in the `Principal` element\. This allows users within two separate AWS accounts to assume this role\. - - ``` - { - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Principal": {"AWS": [ - "arn:aws:iam::111122223333:root", - "arn:aws:iam::444455556666:root" - ]}, - "Action": "sts:AssumeRole" - } - } - ``` - - If you specify a principal in another account, adding an account to the trust policy of a role is only half of establishing the cross\-account trust relationship\. By default, no users in the trusted accounts can assume the role\. The administrator for the newly trusted account must grant the users the permission to assume the role\. 
To do that, the administrator must create or edit a policy that is attached to the user to allow the user access to the `sts:AssumeRole` action\. For more information, see the following procedure or [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. - -1. To use the file that you just created to update the trust policy, run the following command: - + [aws iam update\-assume\-role\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/update-assume-role-policy.html) - -**To allow users in a trusted external account to use the role \(AWS CLI\)** - -For more information and detail about this procedure, see [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. - -1. Create a JSON file that contains a permissions policy that grants permissions to assume the role\. For example, the following policy contains the minimum necessary permissions: - - ``` - { - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam::ACCOUNT-ID-THAT-CONTAINS-ROLE:role/ROLE-NAME" - } - } - ``` - - Replace the ARN in the statement with the ARN of the role that the user can assume\. - -1. Run the following command to upload the JSON file that contains the trust policy to IAM: - + [aws iam create\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html) - - The output of this command includes the ARN of the policy\. Make a note of this ARN because you will need it in a later step\. - -1. Decide which user or group to attach the policy to\. If you don't know the name of the intended user or group, use one of the following commands to list the users or groups in your account: - + [aws iam list\-users](https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html) - + [aws iam list\-groups](https://docs.aws.amazon.com/cli/latest/reference/iam/list-groups.html) - -1. 
Use one of the following commands to attach the policy that you created in the previous step to the user or group: - + [aws iam attach\-user\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-user-policy.html) - + [aws iam attach\-group\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html) - -**To change the permissions allowed by a role \(AWS CLI\)** - -1. \(Optional\) To view the current permissions associated with a role, run the following commands: - - 1. [aws iam list\-role\-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html) to list inline policies - - 1. [aws iam list\-attached\-role\-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html) to list managed policies - -1. The command to update permissions for the role differs depending on whether you are updating a managed policy or an inline policy\. - - To update a managed policy, run the following command to create a new version of the managed policy: - + [aws iam create\-policy\-version](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy-version.html) - - To update an inline policy, run the following command: - + [aws iam put\-role\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html) - -**To change the managed policy used to set the permissions boundary for a role \(AWS CLI\)** - -1. \(Optional\) To view the current [permissions boundary](access_policies_boundaries.md) for a role, run the following command: - + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) - -1. To use a different managed policy to update the permissions boundary for a role, run the following command: - + [aws iam put\-role\-permissions\-boundary](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-permissions-boundary.html) - - A role can have only one managed policy set as a permissions boundary\. 
If you change the permissions boundary, you change the maximum permissions allowed for a role\. - -**To change the description of a role \(AWS CLI\)** - -1. \(Optional\) To view the current description for a role, run the following command: - + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) - -1. To update a role's description, run the following command with the description parameter: - + [aws iam update\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/update-role.html) - -**To change the maximum session duration setting for roles that are assumed using the AWS CLI \(AWS CLI\)** - -1. \(Optional\) To view the current maximum session duration setting for a role, run the following command: - + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) - -1. To update a role's maximum session duration setting, run the following command with the `max-session-duration` CLI parameter or the `MaxSessionDuration` API parameter: - + [aws iam update\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/update-role.html) - - Your changes don't take effect until the next time someone assumes this role\. To learn how to revoke existing sessions for this role, see [Revoking IAM Role Temporary Security Credentials](id_roles_use_revoke-sessions.md)\. - -## Modifying a Role \(AWS API\) - -You can use the AWS API to modify a role\. - -**To change who can assume the role \(AWS API\)** - -1. \(Optional\) If you don't know the name of the role that you want to modify, call the following operation to list the roles in your account: - + [ListRoles](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRoles.html) - -1. \(Optional\) To view the current trust policy for a role, call the following operation: - + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) - -1. 
To modify the trusted principals that can access the role, create a text file with the updated trust policy\. You can use any text editor to construct the policy\. - - For example, the following trust policy shows how to reference two AWS accounts in the `Principal` element\. This allows users within two separate AWS accounts to assume this role\. - - ``` - { - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Principal": {"AWS": [ - "arn:aws:iam::111122223333:root", - "arn:aws:iam::444455556666:root" - ]}, - "Action": "sts:AssumeRole" - } - } - ``` - - If you specify a principal in another account, adding an account to the trust policy of a role is only half of establishing the cross\-account trust relationship\. By default, no users in the trusted accounts can assume the role\. The administrator for the newly trusted account must grant the users the permission to assume the role\. To do that, the administrator must create or edit a policy that is attached to the user to allow the user access to the `sts:AssumeRole` action\. For more information, see the following procedure or [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. - -1. To use the file that you just created to update the trust policy, call the following operation: - + [UpdateAssumeRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAssumeRolePolicy.html) - -**To allow users in a trusted external account to use the role \(AWS API\)** - -For more information and detail about this procedure, see [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. - -1. Create a JSON file that contains a permissions policy that grants permissions to assume the role\. 
For example, the following policy contains the minimum necessary permissions: - - ``` - { - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam::ACCOUNT-ID-THAT-CONTAINS-ROLE:role/ROLE-NAME" - } - } - ``` - - Replace the ARN in the statement with the ARN of the role that the user can assume\. - -1. Call the following operation to upload the JSON file that contains the trust policy to IAM: - + [CreatePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html) - - The output of this operation includes the ARN of the policy\. Make a note of this ARN because you will need it in a later step\. - -1. Decide which user or group to attach the policy to\. If you don't know the name of the intended user or group, call one of the following operations to list the users or groups in your account: - + [ListUsers](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html) - + [ListGroups](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroups.html) - -1. Call one of the following operations to attach the policy that you created in the previous step to the user or group: - + API: [AttachUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html) - + [AttachGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html) - -**To change the permissions allowed by a role \(AWS API\)** - -1. \(Optional\) To view the current permissions associated with a role, call the following operations: - - 1. [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html) to list inline policies - - 1. [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html) to list managed policies - -1. The operation to update permissions for the role differs depending on whether you are updating a managed policy or an inline policy\. 
- - To update a managed policy, call the following operation to create a new version of the managed policy: - + [CreatePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html) - - To update an inline policy, call the following operation: - + [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html) - -**To change the managed policy used to set the permissions boundary for a role \(AWS API\)** - -1. \(Optional\) To view the current [permissions boundary](access_policies_boundaries.md) for a role, call the following operation: - + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) - -1. To use a different managed policy to update the permissions boundary for a role, call the following operation: - + [PutRolePermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePermissionsBoundary.html) - - A role can have only one managed policy set as a permissions boundary\. If you change the permissions boundary, you change the maximum permissions allowed for a role\. - -**To change the description of a role \(AWS API\)** - -1. \(Optional\) To view the current description for a role, call the following operation: - + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) - -1. To update a role's description, call the following operation with the description parameter: - + [UpdateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRole.html) - -**To change the maximum session duration setting for roles that are assumed using the API \(AWS API\)** - -1. \(Optional\) To view the current maximum session duration setting for a role, call the following operation: - + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) - -1. 
To update a role's maximum session duration setting, call the following operation with the `max-sessionduration` CLI parameter or the `MaxSessionDuration` API parameter: - + [UpdateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRole.html) - - Your changes don't take effect until the next time someone assumes this role\. To learn how to revoke existing sessions for this role, see [Revoking IAM Role Temporary Security Credentials](id_roles_use_revoke-sessions.md)\. \ No newline at end of file +Before you change the permissions for a role, you should review its recent service\-level activity\. This is important because you don't want to remove access from a principal \(person or application\) who is using it\. For more information about viewing service last accessed data, see [Refining Permissions Using Service Last Accessed Data](access_policies_access-advisor.md)\. \ No newline at end of file diff --git a/doc_source/index.md b/doc_source/index.md index 4b647c1d..11c3ed5a 100644 --- a/doc_source/index.md +++ b/doc_source/index.md @@ -125,6 +125,9 @@ Amazon's trademarks and trade dress may not be used in + [Revoking IAM Role Temporary Security Credentials](id_roles_use_revoke-sessions.md) + [Managing IAM Roles](id_roles_manage.md) + [Modifying a Role](id_roles_manage_modify.md) + + [Modifying a Role (Console)](roles-managingrole-editing-console.md) + + [Modifying a Role (AWS CLI)](roles-managingrole-editing-cli.md) + + [Modifying a Role (AWS API)](roles-managingrole-editing-api.md) + [Deleting Roles or Instance Profiles](id_roles_manage_delete.md) + [How IAM Roles Differ from Resource-based Policies](id_roles_compare-resource-policies.md) + [Tagging IAM Users and Roles](id_tags.md) 
@@ -231,6 +234,20 @@ Amazon's trademarks and trade dress may not be used in + [Examples of Policy Summaries](access_policies_policy-summary-examples.md) + [Permissions Required to Access IAM Resources](access_permissions-required.md) + [Example Policies for Administering IAM Resources](id_credentials_delegate-permissions_examples.md) ++ [What Is IAM Access Analyzer?](what-is-access-analyzer.md) + + [Supported Resource Types](access-analyzer-resources.md) + + [How Access Analyzer Works](access-analyzer-concepts.md) + + [Getting Started with AWS IAM Access Analyzer](access-analyzer-getting-started.md) + + [Using Service-Linked Roles for AWS IAM Access Analyzer](access-analyzer-using-service-linked-roles.md) + + [Access Analyzer Findings](access-analyzer-findings.md) + + [Working with Findings](access-analyzer-work-with-findings.md) + + [Review Findings](access-analyzer-findings-view.md) + + [Filtering Findings](access-analyzer-findings-filter.md) + + [Archiving Findings](access-analyzer-findings-archive.md) + + [Resolving Findings](access-analyzer-findings-remediate.md) + + [Archive Rules](access-analyzer-archive-rules.md) + + [Monitoring AWS IAM Access Analyzer with Amazon EventBridge](access-analyzer-eventbridge.md) + + [Logging Access Analyzer API Calls with AWS CloudTrail](logging-using-cloudtrail.md) + [Troubleshooting IAM](troubleshoot.md) + [Troubleshooting General Issues](troubleshoot_general.md) + [Troubleshoot IAM Policies](troubleshoot_policies.md) 
@@ -314,6 +331,7 @@ Amazon's trademarks and trade dress may not be used in + [Actions, Resources, and Condition Keys for Amazon Cognito User Pools](list_amazoncognitouserpools.md) + [Actions, Resources, and Condition Keys for Amazon Comprehend](list_amazoncomprehend.md) + [Actions, Resources, and Condition Keys for Comprehend Medical](list_comprehendmedical.md) + + [Actions, Resources, and Condition Keys for Compute Optimizer](list_computeoptimizer.md) + [Actions, Resources, and Condition Keys for AWS Config](list_awsconfig.md) + [Actions, Resources, and Condition Keys for Amazon Connect](list_amazonconnect.md) + [Actions, Resources, and Condition Keys for AWS Cost and Usage Report](list_awscostandusagereport.md) @@ -333,6 +351,7 @@ Amazon's trademarks and trade dress may not be used in + [Actions, Resources, and Condition Keys for Amazon DynamoDB Accelerator (DAX)](list_amazondynamodbacceleratordax.md) + [Actions, Resources, and Condition Keys for Amazon EC2](list_amazonec2.md) + [Actions, Resources, and Condition Keys for Amazon EC2 Auto Scaling](list_amazonec2autoscaling.md) + + [Actions, Resources, and Condition Keys for Amazon EC2 Image Builder](list_amazonec2imagebuilder.md) + [Actions, Resources, and Condition Keys for Amazon EC2 Instance Connect](list_amazonec2instanceconnect.md) + [Actions, Resources, and Condition Keys for AWS Elastic Beanstalk](list_awselasticbeanstalk.md) + [Actions, Resources, and Condition Keys for Amazon Elastic Container Registry](list_amazonelasticcontainerregistry.md) 
@@ -354,8 +373,10 @@ Amazon's trademarks and trade dress may not be used in + [Actions, Resources, and Condition Keys for AWS Elemental MediaStore](list_awselementalmediastore.md) + [Actions, Resources, and Condition Keys for AWS Elemental MediaTailor](list_awselementalmediatailor.md) + [Actions, Resources, and Condition Keys for Amazon EventBridge](list_amazoneventbridge.md) + + [Actions, Resources, and Condition Keys for Amazon EventBridge Schemas](list_amazoneventbridgeschemas.md) + [Actions, Resources, and Condition Keys for AWS Firewall Manager](list_awsfirewallmanager.md) + [Actions, Resources, and Condition Keys for Amazon Forecast](list_amazonforecast.md) + + [Actions, Resources, and Condition Keys for Amazon Fraud Detector](list_amazonfrauddetector.md) + [Actions, Resources, and Condition Keys for Amazon FreeRTOS](list_amazonfreertos.md) + [Actions, Resources, and Condition Keys for Amazon FSx](list_amazonfsx.md) + [Actions, Resources, and Condition Keys for Amazon GameLift](list_amazongamelift.md) @@ -366,6 +387,7 @@ Amazon's trademarks and trade dress may not be used in + [Actions, Resources, and Condition Keys for Amazon GroundTruth Labeling](list_amazongroundtruthlabeling.md) + [Actions, Resources, and Condition Keys for Amazon GuardDuty](list_amazonguardduty.md) + [Actions, Resources, and Condition Keys for AWS Health APIs and Notifications](list_awshealthapisandnotifications.md) + + [Actions, Resources, and Condition Keys for IAM Access Analyzer](list_iamaccessanalyzer.md) + [Actions, Resources, and Condition Keys for Identity And Access Management](list_identityandaccessmanagement.md) + [Actions, Resources, and Condition Keys for AWS Import Export Disk Service](list_awsimportexportdiskservice.md) + [Actions, Resources, and Condition Keys for Amazon Inspector](list_amazoninspector.md) 
@@ -378,6 +400,7 @@ Amazon's trademarks and trade dress may not be used in + [Actions, Resources, and Condition Keys for AWS IoT Things Graph](list_awsiotthingsgraph.md) + [Actions, Resources, and Condition Keys for AWS IQ](list_awsiq.md) + [Actions, Resources, and Condition Keys for AWS IQ Permissions](list_awsiqpermissions.md) + + [Actions, Resources, and Condition Keys for Amazon Kendra](list_amazonkendra.md) + [Actions, Resources, and Condition Keys for AWS Key Management Service](list_awskeymanagementservice.md) + [Actions, Resources, and Condition Keys for Amazon Kinesis](list_amazonkinesis.md) + [Actions, Resources, and Condition Keys for Amazon Kinesis Analytics](list_amazonkinesisanalytics.md) @@ -393,6 +416,7 @@ Amazon's trademarks and trade dress may not be used in + [Actions, Resources, and Condition Keys for Amazon Machine Learning](list_amazonmachinelearning.md) + [Actions, Resources, and Condition Keys for Amazon Macie](list_amazonmacie.md) + [Actions, Resources, and Condition Keys for Manage Amazon API Gateway](list_manageamazonapigateway.md) + + [Actions, Resources, and Condition Keys for AWS Managed Apache Cassandra Service](list_awsmanagedapachecassandraservice.md) + [Actions, Resources, and Condition Keys for Amazon Managed Blockchain](list_amazonmanagedblockchain.md) + [Actions, Resources, and Condition Keys for Amazon Managed Streaming for Kafka](list_amazonmanagedstreamingforkafka.md) + [Actions, Resources, and Condition Keys for AWS Marketplace](list_awsmarketplace.md) 
@@ -409,6 +433,7 @@ Amazon's trademarks and trade dress may not be used in + [Actions, Resources, and Condition Keys for AWS Mobile Hub](list_awsmobilehub.md) + [Actions, Resources, and Condition Keys for Amazon MQ](list_amazonmq.md) + [Actions, Resources, and Condition Keys for Amazon Neptune](list_amazonneptune.md) + + [Actions, Resources, and Condition Keys for Network Manager](list_networkmanager.md) + [Actions, Resources, and Condition Keys for AWS OpsWorks](list_awsopsworks.md) + [Actions, Resources, and Condition Keys for AWS OpsWorks Configuration Management](list_awsopsworksconfigurationmanagement.md) + [Actions, Resources, and Condition Keys for AWS Organizations](list_awsorganizations.md) diff --git a/doc_source/list_amazonec2imagebuilder.md b/doc_source/list_amazonec2imagebuilder.md new file mode 100644 index 00000000..ef03a7ff --- /dev/null +++ b/doc_source/list_amazonec2imagebuilder.md 
@@ -0,0 +1,59 @@ +# Actions, Resources, and Condition Keys for Amazon EC2 Image Builder + +Amazon EC2 Image Builder \(service prefix: `imagebuilder`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/imagebuilder/latest/userguide/)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam.html) permission policies\. + +**Topics** ++ [Actions Defined by Amazon EC2 Image Builder](#amazonec2imagebuilder-actions-as-permissions) ++ [Resources Defined by Amazon EC2 Image Builder](#amazonec2imagebuilder-resources-for-iam-policies) ++ [Condition Keys for Amazon EC2 Image Builder](#amazonec2imagebuilder-policy-keys) + +## Actions Defined by Amazon EC2 Image Builder + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. 
If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. Some actions support multiple resource types\. If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** +[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2imagebuilder.html) + +## Resources Defined by Amazon EC2 Image Builder + +The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements\. Each action in the [Actions table](#amazonec2imagebuilder-actions-as-permissions) identifies the resource types that can be specified with that action\. A resource type can also define which condition keys you can include in a policy\. These keys are displayed in the last column of the table\. For details about the columns in the following table, see [The Resource Types Table](reference_policies_actions-resources-contextkeys.md#resources_table)\. 
+ + +**** + +| Resource Types | ARN | Condition Keys | +| --- | --- | --- | +| [ component ](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Component.html) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:component/$\{ComponentName\}/$\{ComponentVersion\}/$\{ComponentBuildVersion\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ componentVersion ](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ComponentVersion) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:component/$\{ComponentName\}/$\{ComponentVersion\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ distributionConfiguration ](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_DistributionConfiguration.html) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:distribution\-configuration/$\{DistributionConfigurationName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ image ](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_Image.html) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:image/$\{ImageName\}/$\{ImageVersion\}/$\{ImageBuildVersion\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ imageVersion ](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImageVersion.html) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:image/$\{ImageName\}/$\{ImageVersion\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ imageRecipe ](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImageRecipe.html) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:image\-recipe/$\{ImageRecipeName\}/$\{ImageRecipeVersion\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ imagePipeline 
](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_ImagePipeline.html) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:image\-pipeline/$\{ImagePipelineName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ infrastructureConfiguration ](https://docs.aws.amazon.com/imagebuilder/latest/APIReference/API_InfrastructureConfiguration.html) | arn:$\{Partition\}:imagebuilder:$\{Region\}:$\{Account\}:infrastructure\-configuration/$\{ResourceId\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonec2imagebuilder-aws_ResourceTag___TagKey_) | +| [ kmsKey ](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) | arn:$\{Partition\}:kms:$\{Region\}:$\{Account\}:key/$\{KeyId\} | | + +## Condition Keys for Amazon EC2 Image Builder + +Amazon EC2 Image Builder defines the following condition keys that can be used in the `Condition` element of an IAM policy\. You can use these keys to further refine the conditions under which the policy statement applies\. For details about the columns in the following table, see [The Condition Keys Table](reference_policies_actions-resources-contextkeys.md#context_keys_table)\. + +To view the global condition keys that are available to all services, see [Available Global Condition Keys](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. 
+ + +**** + +| Condition Keys | Description | Type | +| --- | --- | --- | +| [ aws:RequestTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters actions by the presence of tag key\-value pairs in the request | String | +| [ aws:ResourceTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) | Filters actions by tag key\-value pairs attached to the resource | String | +| [ aws:TagKeys ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | Filters actions by the presence of tag keys in the request | String | \ No newline at end of file diff --git a/doc_source/list_amazoneventbridgeschemas.md b/doc_source/list_amazoneventbridgeschemas.md new file mode 100644 index 00000000..f4e64276 --- /dev/null +++ b/doc_source/list_amazoneventbridgeschemas.md 
@@ -0,0 +1,53 @@ +# Actions, Resources, and Condition Keys for Amazon EventBridge Schemas + +Amazon EventBridge Schemas \(service prefix: `schemas`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/eventbridge/latest/userguide/)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/eventbridge/latest/schema-reference/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/eventbridge/latest/userguide/auth-and-access-control-eventbridge.html) permission policies\. + +**Topics** ++ [Actions Defined by Amazon EventBridge Schemas](#amazoneventbridgeschemas-actions-as-permissions) ++ [Resources Defined by Amazon EventBridge Schemas](#amazoneventbridgeschemas-resources-for-iam-policies) ++ [Condition Keys for Amazon EventBridge Schemas](#amazoneventbridgeschemas-policy-keys) + +## Actions Defined by Amazon EventBridge Schemas + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. 
If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. Some actions support multiple resource types\. If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** +[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoneventbridgeschemas.html) + +## Resources Defined by Amazon EventBridge Schemas + +The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements\. Each action in the [Actions table](#amazoneventbridgeschemas-actions-as-permissions) identifies the resource types that can be specified with that action\. A resource type can also define which condition keys you can include in a policy\. These keys are displayed in the last column of the table\. For details about the columns in the following table, see [The Resource Types Table](reference_policies_actions-resources-contextkeys.md#resources_table)\. 
+ + +**** + +| Resource Types | ARN | Condition Keys | +| --- | --- | --- | +| [ discoverer ](https://docs.aws.amazon.com/eventbridge/latest/userguide/iam-identity-based-access-control-eventbridge.html) | arn:$\{Partition\}:schemas:$\{Region\}:$\{Account\}:discoverer/$\{DiscovererId\} | [ aws:ResourceTag/$\{TagKey\} ](#amazoneventbridgeschemas-aws_ResourceTag___TagKey_) | +| [ registry ](https://docs.aws.amazon.com/eventbridge/latest/userguide/iam-identity-based-access-control-eventbridge.html) | arn:$\{Partition\}:schemas:$\{Region\}:$\{Account\}:registry/$\{RegistryName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazoneventbridgeschemas-aws_ResourceTag___TagKey_) | +| [ schema ](https://docs.aws.amazon.com/eventbridge/latest/userguide/iam-identity-based-access-control-eventbridge.html) | arn:$\{Partition\}:schemas:$\{Region\}:$\{Account\}:schema/$\{RegistryName\}/$\{SchemaName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazoneventbridgeschemas-aws_ResourceTag___TagKey_) | + +## Condition Keys for Amazon EventBridge Schemas + +Amazon EventBridge Schemas defines the following condition keys that can be used in the `Condition` element of an IAM policy\. You can use these keys to further refine the conditions under which the policy statement applies\. For details about the columns in the following table, see [The Condition Keys Table](reference_policies_actions-resources-contextkeys.md#context_keys_table)\. + +To view the global condition keys that are available to all services, see [Available Global Condition Keys](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. 
+ + +**** + +| Condition Keys | Description | Type | +| --- | --- | --- | +| [ aws:RequestTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters actions based on the allowed set of values for each of the tags | String | +| [ aws:ResourceTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) | Filters actions based on tag\-value associated with the resource | String | +| [ aws:TagKeys ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | Filters actions based on the presence of mandatory tags in the request | String | \ No newline at end of file diff --git a/doc_source/list_amazonfrauddetector.md b/doc_source/list_amazonfrauddetector.md new file mode 100644 index 00000000..3b605189 --- /dev/null +++ b/doc_source/list_amazonfrauddetector.md 
@@ -0,0 +1,65 @@ +# Actions, Resources, and Condition Keys for Amazon Fraud Detector + +Amazon Fraud Detector \(service prefix: `frauddetector`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/frauddetector/latest/ug/what-is-frauddetector.html)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/frauddetector/latest/api/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/IAM/xxx/UserGuide/assets.html) permission policies\. + +**Topics** ++ [Actions Defined by Amazon Fraud Detector](#amazonfrauddetector-actions-as-permissions) ++ [Resources Defined by Amazon Fraud Detector](#amazonfrauddetector-resources-for-iam-policies) ++ [Condition Keys for Amazon Fraud Detector](#amazonfrauddetector-policy-keys) + +## Actions Defined by Amazon Fraud Detector + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. 
Some actions support multiple resource types\. If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** + +| Actions | Description | Access Level | Resource Types \(\*required\) | Condition Keys | Dependent Actions | +| --- | --- | --- | --- | --- | --- | +| [ BatchCreateVariable ](https://docs.aws.amazon.com/frauddetector/latest/api/API_BatchCreateVariable) | Creates a batch of variables\. | Write | | | | +| [ BatchGetVariable ](https://docs.aws.amazon.com/frauddetector/latest/api/API_BatchGetVariable) | Gets a batch of variables\. | List | | | | +| [ CreateDetectorVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_CreateDetectorVersion) | Creates a detector version\. The detector version starts in a DRAFT status\. | Write | | | | +| [ CreateModelVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_CreateModelVersion) | Creates a version of the model using the specified model type\. | Write | | | | +| [ CreateRule ](https://docs.aws.amazon.com/frauddetector/latest/api/API_CreateRule.html) | Creates a rule for use with the specified detector\. | Write | | | | +| [ CreateVariable ](https://docs.aws.amazon.com/frauddetector/latest/api/API_CreateVariable.html) | Creates a variable\. | Write | | | | +| [ DeleteDetectorVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_DeleteDetectorVersion) | Deletes the detector version\. | Write | | | | +| [ DeleteEvent ](https://docs.aws.amazon.com/frauddetector/latest/api/API_DeleteEvent) | Deletes the specified event\. | Write | | | | +| [ DescribeDetector ](https://docs.aws.amazon.com/frauddetector/latest/api/API_DescribeDetector) | Gets all versions for a specified detector\. 
| Read | | | | +| [ DescribeModelVersions ](https://docs.aws.amazon.com/frauddetector/latest/api/API_DescribeModelVersions) | Gets all of the model versions for the specified model type or for the specified model type and model ID\. You can also get details for a single, specified model version\. | Read | | | | +| [ GetDetectorVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetDetectorVersion) | Gets a particular detector version\. | List | | | | +| [ GetDetectors ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetDetectors) | Gets all of detectors\. This is a paginated API\. If you provide a null maxSizePerPage, this actions retrieves a maximum of 10 records per page\. If you provide a maxSizePerPage, the value must be between 5 and 10\. To get the next page results, provide the pagination token from the GetEventTypesResponse as part of your request\. A null pagination token fetches the records from the beginning\. | List | | | | +| [ GetExternalModels ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetExternalModels) | Gets the details for one or more Amazon SageMaker models that have been imported into the service\. This is a paginated API\. If you provide a null maxSizePerPage, this actions retrieves a maximum of 10 records per page\. If you provide a maxSizePerPage, the value must be between 5 and 10\. To get the next page results, provide the pagination token from the GetExternalModelsResult as part of your request\. A null pagination token fetches the records from the beginning\. | List | | | | +| [ GetModelVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetModelVersion) | Gets a model version\. | List | | | | +| [ GetModels ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetModels) | Gets all of the models for the AWS account, or the specified model type, or gets a single model for the specified model type, model ID combination\. 
| List | | | | +| [ GetOutcomes ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetOutcomes) | Gets one or more outcomes\. This is a paginated API\. If you provide a null maxSizePerPage, this actions retrieves a maximum of 10 records per page\. If you provide a maxSizePerPage, the value must be between 50 and 100\. To get the next page results, provide the pagination token from the GetOutcomesResult as part of your request\. A null pagination token fetches the records from the beginning\. | List | | | | +| [ GetPrediction ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetPrediction) | Evaluates an event against a detector version\. If a version ID is not provided, the detector’s \(ACTIVE\) version is used\. | Read | | | | +| [ GetRules ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetRules.html) | Gets all rules available for the specified detector\. | List | | | | +| [ GetVariables ](https://docs.aws.amazon.com/frauddetector/latest/api/API_GetVariables) | Gets all of the variables or the specific variable\. This is a paginated API\. Providing null maxSizePerPage results in retrieving maximum of 100 records per page\. If you provide maxSizePerPage the value must be between 50 and 100\. To get the next page result, a provide a pagination token from GetVariablesResult as part of your request\. Null pagination token fetches the records from the beginning\. | List | | | | +| [ PutDetector ](https://docs.aws.amazon.com/frauddetector/latest/api/API_PutDetector.html) | Creates or updates a detector\. | Write | | | | +| [ PutExternalModel ](https://docs.aws.amazon.com/frauddetector/latest/api/API_PutExternalModel.html) | Creates or updates an Amazon SageMaker model endpoint\. You can also use this action to update the configuration of the model endpoint, including the IAM role and/or the mapped variables\. | Write | | | | +| [ PutModel ](https://docs.aws.amazon.com/frauddetector/latest/api/API_PutModel) | Creates or updates a model\. 
| Write | | | iam:PassRole | +| [ PutOutcome ](https://docs.aws.amazon.com/frauddetector/latest/api/API_PutOutcome.html) | Creates or updates an outcome\. | Write | | | | +| [ UpdateDetectorVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_UpdateDetectorVersion) | Updates a detector version\. The detector version attributes that you can update include models, external model endpoints, rules, and description\. You can only update a DRAFT detector version\. | Write | | | | +| [ UpdateDetectorVersionMetadata ](https://docs.aws.amazon.com/frauddetector/latest/api/API_UpdateDetectorVersionMetadata) | Updates the detector version's description\. You can update the metadata for any detector version \(DRAFT, ACTIVE, or INACTIVE\)\. | Write | | | | +| [ UpdateDetectorVersionStatus ](https://docs.aws.amazon.com/frauddetector/latest/api/API_UpdateDetectorVersionStatus) | Updates the detector version’s status\. You can perform the following promotions or demotions using UpdateDetectorVersionStatus: DRAFT to ACTIVE, ACTIVE to INACTIVE, and INACTIVE to ACTIVE\. | Write | | | | +| [ UpdateModelVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_UpdateModelVersion) | Updates a model version\. You can update the description and status attributes using this action\. | Write | | | | +| [ UpdateRuleMetadata ](https://docs.aws.amazon.com/frauddetector/latest/api/API_UpdateRuleMetadata.html) | Updates a rule's metadata\. | Write | | | | +| [ UpdateRuleVersion ](https://docs.aws.amazon.com/frauddetector/latest/api/API_UpdateRuleVersion.html) | Updates a rule version resulting in a new rule version\. | Write | | | | +| [ UpdateVariable ](https://docs.aws.amazon.com/frauddetector/latest/api/API_UpdateVariable.html) | Updates a variable\. | Write | | | | + +## Resources Defined by Amazon Fraud Detector + +Amazon Fraud Detector does not support specifying a resource ARN in the `Resource` element of an IAM policy statement\. 
To allow access to Amazon Fraud Detector, specify `“Resource”: “*”` in your policy\. + +## Condition Keys for Amazon Fraud Detector + +Fraud Detector has no service\-specific context keys that can be used in the `Condition` element of policy statements\. For the list of the global context keys that are available to all services, see [Available Keys for Conditions](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. \ No newline at end of file diff --git a/doc_source/list_amazonkendra.md b/doc_source/list_amazonkendra.md new file mode 100644 index 00000000..29e1e474 --- /dev/null +++ b/doc_source/list_amazonkendra.md 
@@ -0,0 +1,42 @@ +# Actions, Resources, and Condition Keys for Amazon Kendra + +Amazon Kendra \(service prefix: `kendra`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/kendra/latest/dg/)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kendra/latest/dg/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kendra/latest/dg/auth-and-access-control.html) permission policies\. + +**Topics** ++ [Actions Defined by Amazon Kendra](#amazonkendra-actions-as-permissions) ++ [Resources Defined by Amazon Kendra](#amazonkendra-resources-for-iam-policies) ++ [Condition Keys for Amazon Kendra](#amazonkendra-policy-keys) + +## Actions Defined by Amazon Kendra + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. Some actions support multiple resource types\. 
If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** +[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonkendra.html) + +## Resources Defined by Amazon Kendra + +The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements\. Each action in the [Actions table](#amazonkendra-actions-as-permissions) identifies the resource types that can be specified with that action\. A resource type can also define which condition keys you can include in a policy\. These keys are displayed in the last column of the table\. For details about the columns in the following table, see [The Resource Types Table](reference_policies_actions-resources-contextkeys.md#resources_table)\. + + +**** + +| Resource Types | ARN | Condition Keys | +| --- | --- | --- | +| [ index ](https://docs.aws.amazon.com/kendra/latest/dg/index.html) | arn:$\{Partition\}:kendra:$\{Region\}:$\{Account\}:index/$\{IndexId\} | | +| [ data\-source ](https://docs.aws.amazon.com/kendra/latest/dg/data-source.html) | arn:$\{Partition\}:kendra:$\{Region\}:$\{Account\}:index/$\{IndexId\}/data\-source/$\{DataSourceId\} | | +| [ faq ](https://docs.aws.amazon.com/kendra/latest/dg/faq.html) | arn:$\{Partition\}:kendra:$\{Region\}:$\{Account\}:index/$\{IndexId\}/faq/$\{FaqId\} | | + +## Condition Keys for Amazon Kendra + +Kendra has no service\-specific context keys that can be used in the `Condition` element of policy statements\. For the list of the global context keys that are available to all services, see [Available Keys for Conditions](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. \ No newline at end of file 
diff --git a/doc_source/list_amazonkinesisvideostreams.md b/doc_source/list_amazonkinesisvideostreams.md index a738b52d..6db909b1 100644 --- a/doc_source/list_amazonkinesisvideostreams.md +++ b/doc_source/list_amazonkinesisvideostreams.md @@ -3,8 +3,8 @@ Amazon Kinesis Video Streams \(service prefix: `kinesisvideo`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. References: -+ Learn how to [configure this service](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/)\. -+ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/)\. ++ Learn how to [configure this service](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/what-is-kinesis-video.html)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/API_Reference.html)\. + Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/how-iam.html) permission policies\. **Topics** 
@@ -33,7 +33,8 @@ The following resource types are defined by this service and can be used in the | Resource Types | ARN | Condition Keys | | --- | --- | --- | -| stream | arn:$\{Partition\}:kinesisvideo:$\{Region\}:$\{Account\}:stream/$\{StreamName\}/$\{CreationTime\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonkinesisvideostreams-aws_ResourceTag___TagKey_) | +| [ stream ](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/how-it-works.html) | arn:$\{Partition\}:kinesisvideo:$\{Region\}:$\{Account\}:stream/$\{StreamName\}/$\{CreationTime\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonkinesisvideostreams-aws_ResourceTag___TagKey_) | +| [ channel ](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/kinesisvideostreams-webrtc-dg/latest/devguide/kvswebrtc-how-it-works.html) | arn:$\{Partition\}:kinesisvideo:$\{Region\}:$\{Account\}:channel/$\{ChannelName\}/$\{CreationTime\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonkinesisvideostreams-aws_ResourceTag___TagKey_) | ## Condition Keys for Amazon Kinesis Video Streams 
@@ -46,6 +47,6 @@ To view the global condition keys that are available to all services, see [Avail | Condition Keys | Description | Type | | --- | --- | --- | -| aws:RequestTag/$\{TagKey\} | Filters requests based on the allowed set of values for each of the tags | String | -| aws:ResourceTag/$\{TagKey\} | Filters actions based on tag\-value assoicated with the stream\. | String | -| aws:TagKeys | Filters requests based on the presence of mandatory tag keys in the request | String | \ No newline at end of file +| [ aws:RequestTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters requests based on the allowed set of values for each of the tags | String | +| [ aws:ResourceTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) | Filters actions based on tag\-value assoicated with the stream\. | String | +| [ aws:TagKeys ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | Filters requests based on the presence of mandatory tag keys in the request | String | \ No newline at end of file diff --git a/doc_source/list_amazonrekognition.md b/doc_source/list_amazonrekognition.md index 5a074dab..cf517d70 100644 --- a/doc_source/list_amazonrekognition.md +++ b/doc_source/list_amazonrekognition.md 
@@ -35,6 +35,8 @@ The following resource types are defined by this service and can be used in the | --- | --- | --- | | [ collection ](https://docs.aws.amazon.com/rekognition/latest/dg/howitworks-collection.html) | arn:$\{Partition\}:rekognition:$\{Region\}:$\{Account\}:collection/$\{CollectionId\} | | | streamprocessor | arn:$\{Partition\}:rekognition:$\{Region\}:$\{Account\}:streamprocessor/$\{StreamprocessorId\} | | +| project | arn:$\{Partition\}:rekognition:$\{Region\}:$\{Account\}:project/$\{ProjectName\}/$\{CreationTimestamp\} | | +| projectversion | arn:$\{Partition\}:rekognition:$\{Region\}:$\{Account\}:project/$\{ProjectName\}/version/$\{VersionName\}/$\{CreationTimestamp\} | | ## Condition Keys for Amazon Rekognition diff --git a/doc_source/list_amazons3.md b/doc_source/list_amazons3.md index b3f2ba27..5e4daf04 100644 --- a/doc_source/list_amazons3.md +++ b/doc_source/list_amazons3.md @@ -33,6 +33,7 @@ The following resource types are defined by this service and can be used in the | Resource Types | ARN | Condition Keys | | --- | --- | --- | +| [ accesspoint ](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points.html) | arn:$\{Partition\}:s3:$\{Region\}:$\{Account\}:accesspoint/$\{AccessPointName\} | | | [ bucket ](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html) | arn:$\{Partition\}:s3:::$\{BucketName\} | | | [ object ](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html) | arn:$\{Partition\}:s3:::$\{BucketName\}/$\{ObjectName\} | | | [ job ](https://docs.aws.amazon.com/AmazonS3/latest/dev/batch-ops-managing-jobs.html) | arn:$\{Partition\}:s3:$\{Region\}:$\{Account\}:job/$\{JobId\} | | 
@@ -48,6 +49,9 @@ To view the global condition keys that are available to all services, see [Avail | Condition Keys | Description | Type | | --- | --- | --- | +| [ s3:AccessPointNetworkOrigin ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | The network type from which traffic may be received by the access point involved in the request | String | +| [ s3:DataAccessPointAccount ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | The AWS Account ID of the account that owns the data operations access point involved in the request | String | +| [ s3:DataAccessPointArn ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | The ARN of the data operations access point involved in the request | String | | s3:ExistingJobOperation | | String | | s3:ExistingJobPriority | | Numeric | | [ s3:ExistingObjectTag/ ](https://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html#tagging-and-policies) | Enables you to verify that an existing object tag has the specific tag key and value\. | String | 
@@ -62,16 +66,16 @@ To view the global condition keys that are available to all services, see [Avail | [ s3:delimiter ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#bucket-keys-in-amazon-s3-policies) | Enables you to require the user to specify the delimiter parameter in the GET Bucket Object versions request\. | String | | [ s3:locationconstraint ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#bucket-keys-in-amazon-s3-policies) | Enables you to restrict the user to creating a bucket in only a specific region\. | String | | [ s3:max\-keys ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#bucket-keys-in-amazon-s3-policies) | Enables you to limit the number of keys Amazon S3 returns in response to ListBucket requests by requiring the user to specify the max\-keys parameter\. | Numeric | -| s3:object\-lock\-legal\-hold | Enables enforcement of the specified object legal hold status | String | -| s3:object\-lock\-mode | Enables enforcement of the specified object retention mode | String | -| s3:object\-lock\-remaining\-retention\-days | Enables enforcement of an object relative to the remaining retention days | String | -| s3:object\-lock\-retain\-until\-date | Enables enforcement of a specific retain\-until\-date | String | +| [ s3:object\-lock\-legal\-hold ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables enforcement of the specified object legal hold status | String | +| [ s3:object\-lock\-mode ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables enforcement of the specified object retention mode | String | +| [ s3:object\-lock\-remaining\-retention\-days ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables enforcement of an object relative to the remaining retention days | 
String | +| [ s3:object\-lock\-retain\-until\-date ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables enforcement of a specific retain\-until\-date | String | | [ s3:prefix ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#bucket-keys-in-amazon-s3-policies) | Enables you to limit the response of the ListBucket API to key names with specific prefix\. | String | -| s3:signatureage | | Numeric | -| s3:signatureversion | | String | -| s3:versionid | | String | +| [ s3:signatureage ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#AvailableKeys-iamV2) | | Numeric | +| [ s3:signatureversion ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#AvailableKeys-iamV2) | | String | +| [ s3:versionid ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | | String | | [ s3:x\-amz\-acl ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables you to require specific access permissions when uploading an object\. | String | -| s3:x\-amz\-content\-sha256 | | String | +| [ s3:x\-amz\-content\-sha256 ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | | String | | [ s3:x\-amz\-copy\-source ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables you to restrict the copy source to a specific bucket, a specific folder in the bucket, or a specific object in a bucket\. | String | | s3:x\-amz\-grant\-full\-control | | String | | s3:x\-amz\-grant\-read | | String | 
@@ -80,6 +84,6 @@ To view the global condition keys that are available to all services, see [Avail | s3:x\-amz\-grant\-write\-acp | | String | | [ s3:x\-amz\-metadata\-directive ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables you to enforce certain behavior \(COPY vs\. REPLACE\) when objects are uploaded\. | String | | [ s3:x\-amz\-server\-side\-encryption ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#object-keys-in-amazon-s3-policies) | Enables you to require the user to specify this header in the request to ensure that objects the user uploads are encrypted when they are saved\. | String | -| s3:x\-amz\-server\-side\-encryption\-aws\-kms\-key\-id | | String | +| [ s3:x\-amz\-server\-side\-encryption\-aws\-kms\-key\-id ](https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#bucket-keys-in-amazon-s3-policies) | | String | | s3:x\-amz\-storage\-class | | String | | s3:x\-amz\-website\-redirect\-location | | String | \ No newline at end of file diff --git a/doc_source/list_amazonsagemaker.md b/doc_source/list_amazonsagemaker.md index d43be570..7a8503b9 100644 --- a/doc_source/list_amazonsagemaker.md +++ b/doc_source/list_amazonsagemaker.md 
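Review bot: `s3:x-amz-server-side-encryption-aws-kms-key-id` is linked to `#bucket-keys-in-amazon-s3-policies`, but it is a request-header key like the adjacent `s3:x-amz-server-side-encryption` row, which links to `#object-keys-in-amazon-s3-policies`; check which anchor is correct. The Description cell for this key is still empty; given that the row directly above explains how its key is used to require encryption on upload, a matching sentence for the KMS key id condition is worth adding so policy authors know what value the key carries.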
@@ -33,13 +33,20 @@ The following resource types are defined by this service and can be used in the | Resource Types | ARN | Condition Keys | | --- | --- | --- | +| human\-loop | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:human\-loop/$\{HumanLoopName\} | | +| flow\-definition | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:flow\-definition/$\{FlowDefinitionName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| human\-task\-ui | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:human\-task\-ui/$\{HumanTaskUiName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | labeling\-job | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:labeling\-job/$\{LabelingJobName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | workteam | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:workteam/$\{WorkteamName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| domain | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:domain/$\{DomainId\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| user\-profile | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:user\-profile/$\{DomainId\}/$\{UserProfileName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| app | 
arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:app/$\{DomainId\}/$\{UserProfileName\}/$\{AppType\}/$\{AppName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | notebook\-instance | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:notebook\-instance/$\{NotebookInstanceName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | notebook\-instance\-lifecycle\-config | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:notebook\-instance\-lifecycle\-config/$\{NotebookInstanceLifecycleConfigName\} | | | code\-repository | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:code\-repository/$\{CodeRepositoryName\} | | | algorithm | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:algorithm/$\{AlgorithmName\} | | | training\-job | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:training\-job/$\{TrainingJobName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| processing\-job | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:processing\-job/$\{ProcessingJobName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | hyper\-parameter\-tuning\-job | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:hyper\-parameter\-tuning\-job/$\{HyperParameterTuningJobName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | model\-package | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:model\-package/$\{ModelPackageName\} | | | model | 
arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:model/$\{ModelName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | 
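Review bot: the new `human-loop` row has an empty Condition Keys cell, while the other rows added in this hunk (`flow-definition`, `human-task-ui`, `domain`, `user-profile`, `app`, `processing-job`) all list `aws:ResourceTag/${TagKey}` and `sagemaker:ResourceTag/${TagKey}`; confirm that human loops really cannot carry tags, because otherwise tag-based policies will silently not apply to them. The `app` ARN also nests four path components (`${DomainId}/${UserProfileName}/${AppType}/${AppName}`), which is worth a short note since it is the only resource type in the table with that shape.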
@@ -47,6 +54,11 @@ The following resource types are defined by this service and can be used in the | endpoint | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:endpoint/$\{EndpointName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | transform\-job | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:transform\-job/$\{TransformJobName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | | compilation\-job | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:compilation\-job/$\{CompilationJobName\} | | +| automl\-job | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:automl\-job/$\{AutoMLJobJobName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| monitoring\-schedule | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:monitoring\-schedule/$\{MonitoringScheduleName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| experiment | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:experiment/$\{ExperimentName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| experiment\-trial | arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:experiment\-trial/$\{TrialName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | +| experiment\-trial\-component | 
arn:$\{Partition\}:sagemaker:$\{Region\}:$\{Account\}:experiment\-trial\-component/$\{TrialComponentName\} | [ aws:ResourceTag/$\{TagKey\} ](#amazonsagemaker-aws_ResourceTag___TagKey_) [ sagemaker:ResourceTag/$\{TagKey\} ](#amazonsagemaker-sagemaker_ResourceTag___TagKey_) | ## Condition Keys for Amazon SageMaker 
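Review bot: the `automl-job` ARN uses the placeholder `${AutoMLJobJobName}`, with "Job" doubled; every other row in this hunk follows the `${<Resource>Name}` pattern (`${MonitoringScheduleName}`, `${ExperimentName}`, `${TrialName}`), so this should almost certainly read `${AutoMLJobName}`. Readers copy these placeholders into policy `Resource` ARNs, so a typo here turns into statements that never match.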
@@ -63,11 +75,14 @@ To view the global condition keys that are available to all services, see [Avail | [ aws:ResourceTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | A tag key and value pair\. | String | | [ aws:TagKeys ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The list of all the tag key names associated with the resource in the request\. | String | | [ sagemaker:AcceleratorTypes ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The list of all accelerator types associated with the resource in the request\. | ArrayOfString | +| [ sagemaker:AppNetworkAccess ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | App network access associated with the resource in the request\. | String | | [ sagemaker:DirectInternetAccess ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The direct internet access associated with the resource in the request\. | String | +| [ sagemaker:DomainSharingOutputKmsKey ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The Domain sharing output KMS key associated with the resource in the request\. | ARN | | [ sagemaker:FileSystemAccessMode ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | File system access mode associated with the resource in the request\. | String | | [ sagemaker:FileSystemDirectoryPath ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | File system directory path associated with the resource in the request\. 
| String | | [ sagemaker:FileSystemId ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | A file system ID associated with the resource in the request\. | String | | [ sagemaker:FileSystemType ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | File system type associated with the resource in the request\. | String | +| [ sagemaker:HomeEfsFileSystemKmsKey ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The KMS Key Id of the EFS File System used for UserProfile home directories, which is associated with the resource in the request\. | ARN | | [ sagemaker:InstanceTypes ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The list of all instance types associated with the resource in the request\. | ArrayOfString | | [ sagemaker:InterContainerTrafficEncryption ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The inter container traffic encryption associated with the resource in the request\. | Bool | | [ sagemaker:MaxRuntimeInSeconds ](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonsagemaker.html#amazonsagemaker-policy-keys) | The max runtime in seconds associated with the resource in the request\. | Numeric | diff --git a/doc_source/list_awsiotsitewise.md b/doc_source/list_awsiotsitewise.md index d670ddd8..49ddd507 100644 --- a/doc_source/list_awsiotsitewise.md +++ b/doc_source/list_awsiotsitewise.md 
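Review bot: `sagemaker:HomeEfsFileSystemKmsKey` is typed `ARN` but its description says "The KMS Key Id of the EFS File System ..."; a key id and a key ARN are different values, and the Type column is what tells a policy author whether to use an `ArnEquals` or a `StringEquals` operator, so the description and the type need to agree. The same check applies to `sagemaker:DomainSharingOutputKmsKey`, typed `ARN` but described only as "the Domain sharing output KMS key".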
@@ -35,6 +35,7 @@ The following resource types are defined by this service and can be used in the | --- | --- | --- | | [ asset ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Asset.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:asset/$\{AssetId\} | | | [ asset\-template ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_AssetTemplate.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:asset\-template/$\{AssetTemplateId\} | | +| [ asset\-model ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_AssetModel.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:asset\-model/$\{AssetModelId\} | | | [ gateway ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Gateway.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:gateway/$\{GatewayId\} | | | [ group ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Group.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:group/$\{GroupId\} | | | [ measurement ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Measurement.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:measurement/$\{MeasurementId\} | | 
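Review bot: the new `asset-model` row is inserted between `asset-template` and `gateway`, which breaks the alphabetical order the rest of the table follows (`asset`, `asset-template`, `gateway`, `group`, `measurement`, `metric`, `metric-type`, `view`); it belongs between `asset` and `asset-template`.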
@@ -42,7 +43,26 @@ The following resource types are defined by this service and can be used in the | [ metric ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Metric.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:metric/$\{MetricId\} | | | [ metric\-type ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_MetricType.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:metric\-type/$\{MetricTypeId\} | | | [ view ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_View.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:view/$\{ViewId\} | | +| [ portal ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Portal.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:portal/$\{PortalId\} | | +| [ project ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Project.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:project/$\{ProjectId\} | | +| [ dashboard ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_Dashboard.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:dashboard/$\{DashboardId\} | [ iotsitewise:project ](#awsiotsitewise-iotsitewise_project) | +| [ accesspolicy ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_AccessPolicy.html) | arn:$\{Partition\}:iotsitewise:$\{Region\}:$\{Account\}:accesspolicy/$\{AccessPolicyId\} | [ iotsitewise:portal ](#awsiotsitewise-iotsitewise_portal) [ iotsitewise:project ](#awsiotsitewise-iotsitewise_project) | ## Condition Keys for AWS IoT SiteWise -IoT SiteWise has no service\-specific context keys that can be used in the `Condition` element of policy statements\. For the list of the global context keys that are available to all services, see [Available Keys for Conditions](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. 
\ No newline at end of file +AWS IoT SiteWise defines the following condition keys that can be used in the `Condition` element of an IAM policy\. You can use these keys to further refine the conditions under which the policy statement applies\. For details about the columns in the following table, see [The Condition Keys Table](reference_policies_actions-resources-contextkeys.md#context_keys_table)\. + +To view the global condition keys that are available to all services, see [Available Global Condition Keys](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. + + +**** + +| Condition Keys | Description | Type | +| --- | --- | --- | +| [ iotsitewise:assetHierarchyPath ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_assetHierarchyPath.html) | String of asset IDs in the asset hierarchy separated by forward slash\. | String | +| [ iotsitewise:childAssetId ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_childAssetId.html) | ID of an asset being associated as a child to another asset\. | String | +| [ iotsitewise:group ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_GroupId.html) | Group ID\. | String | +| [ iotsitewise:portal ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_PortalId.html) | Portal ID\. | String | +| [ iotsitewise:project ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_ProjectId.html) | Project ID\. | String | +| [ iotsitewise:propertyId ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_PropertyId.html) | Property ID\. | String | +| [ iotsitewise:user ](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_UserId.html) | User ID\. | String | \ No newline at end of file diff --git a/doc_source/list_awsmanagedapachecassandraservice.md b/doc_source/list_awsmanagedapachecassandraservice.md new file mode 100644 index 00000000..c65acb06 --- /dev/null 
+++ b/doc_source/list_awsmanagedapachecassandraservice.md 
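Review bot: the seven new condition keys link to API Reference pages named after the key (`API_assetHierarchyPath.html`, `API_childAssetId.html`, `API_GroupId.html`, `API_PortalId.html`, `API_ProjectId.html`, `API_PropertyId.html`, `API_UserId.html`), whereas the resource rows in this file link to data-type pages such as `API_Asset.html` and `API_Portal.html`; verify that each of these targets exists, otherwise every key in the new table is a dead link. A smaller point: `accesspolicy` is the only multi-word resource type in the table that is not hyphenated (`asset-template`, `metric-type`, `asset-model`), so either the name or the convention should be reconciled.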
@@ -0,0 +1,41 @@ +# Actions, Resources, and Condition Keys for AWS Managed Apache Cassandra Service + +AWS Managed Apache Cassandra Service \(service prefix: `cassandra`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/mcs/latest/developerguide/)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/mcs/latest/developerguide/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/mcs/latest/developerguide/assets.html) permission policies\. + +**Topics** ++ [Actions Defined by AWS Managed Apache Cassandra Service](#awsmanagedapachecassandraservice-actions-as-permissions) ++ [Resources Defined by AWS Managed Apache Cassandra Service](#awsmanagedapachecassandraservice-resources-for-iam-policies) ++ [Condition Keys for AWS Managed Apache Cassandra Service](#awsmanagedapachecassandraservice-policy-keys) + +## Actions Defined by AWS Managed Apache Cassandra Service + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. 
If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. Some actions support multiple resource types\. If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** +[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsmanagedapachecassandraservice.html) + +## Resources Defined by AWS Managed Apache Cassandra Service + +The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements\. Each action in the [Actions table](#awsmanagedapachecassandraservice-actions-as-permissions) identifies the resource types that can be specified with that action\. A resource type can also define which condition keys you can include in a policy\. These keys are displayed in the last column of the table\. For details about the columns in the following table, see [The Resource Types Table](reference_policies_actions-resources-contextkeys.md#resources_table)\. + + +**** + +| Resource Types | ARN | Condition Keys | +| --- | --- | --- | +| [ keyspace ](https://docs.aws.amazon.com/mcs/latest/developerguide/what-is.html) | arn:$\{Partition\}:cassandra:$\{Region\}:$\{Account\}:keyspace/$\{KeyspaceName\} | | +| [ table ](https://docs.aws.amazon.com/mcs/latest/developerguide/what-is.html) | arn:$\{Partition\}:cassandra:$\{Region\}:$\{Account\}:keyspace/$\{KeyspaceName\}/table/$\{tableName\} | | + +## Condition Keys for AWS Managed Apache Cassandra Service + +MCS has no service\-specific context keys that can be used in the `Condition` element of policy statements\. 
For the list of the global context keys that are available to all services, see [Available Keys for Conditions](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. \ No newline at end of file diff --git a/doc_source/list_awssso.md b/doc_source/list_awssso.md index 214acc13..8a8af88c 100644 --- a/doc_source/list_awssso.md +++ b/doc_source/list_awssso.md 
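Review bot: the "Actions Defined by AWS Managed Apache Cassandra Service" section contains no actions table, only a link to the public docs site, so the two paragraphs above that link (explaining the `Resource` column and the `*` marker for required resources) describe a table that is not in the file; either include the table or drop the explanation. Three smaller points: the "configure this service" and "API operations" references resolve to the same developer-guide root URL; the `table` ARN mixes placeholder casing (`${KeyspaceName}` vs `${tableName}`); and the condition-keys paragraph abbreviates the service as "MCS" while the rest of the page spells out "AWS Managed Apache Cassandra Service".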
@@ -25,58 +25,45 @@ For details about the columns in the following table, see [The Actions Table](re | Actions | Description | Access Level | Resource Types \(\*required\) | Condition Keys | Dependent Actions | | --- | --- | --- | --- | --- | --- | -| [ AddMemberToGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Adds member to the group | Write | | | | | [ AssociateDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Connect a directory to be used by AWS Single Sign\-On | Write | | | | | [ AssociateProfile ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Create an association between a directory user or group and a profile | Write | | | | -| [ CreateAlias ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creates an alias for User Pool | Write | | | | | [ CreateApplicationInstance ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Add an application instance to AWS Single Sign\-On | Write | | | | | [ CreateApplicationInstanceCertificate ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Add a new certificate for an application instance | Write | | | | -| [ CreateGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creats a group | Write | | | | +| [ CreateManagedApplicationInstance ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Add a managed application instance to AWS Single Sign\-On | Write | | | | | [ CreatePermissionSet 
](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Create a permission set | Write | | | | | [ CreateProfile ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Create a profile for an application instance | Write | | | | | [ CreateTrust ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Create a federation trust in a target account | Write | | | | -| [ CreateUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creates a user | Write | | | | | [ DeleteApplicationInstance ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Delete the application instance | Write | | | | | [ DeleteApplicationInstanceCertificate ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Delete an inactive or expired certificate from the application instance | Write | | | | -| [ DeleteGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deletes a group | Write | | | | +| [ DeleteManagedApplicationInstance ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Delete the managed application instance | Write | | | | | [ DeletePermissionSet ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Delete a permission set | Write | | | | | [ DeletePermissionsPolicy ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Delete the permission policy associated with a permission set | Write | | | | | [ DeleteProfile 
](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Delete the profile for an application instance | Write | | | | -| [ DeleteUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deletes a user | Write | | | | -| [ DescribeGroups ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve groups' information | List | | | | | [ DescribePermissionsPolicies ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all the permissions policies associated with a permission set | Read | | | | -| [ DescribeUsers ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieves users' information | List | | | | -| [ DisableUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deactivates user | Write | | | | | [ DisassociateDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Disassociate a directory to be used by AWS Single Sign\-On | Write | | | | | [ DisassociateProfile ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Disassociate a directory user or group from a profile | Write | | | | -| [ EnableUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Activates user | Write | | | | | [ GetApplicationInstance ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve details for an application instance | Read | | | | | [ GetApplicationTemplate 
](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve application template details | Read | | | | +| [ GetManagedApplicationInstance ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve details for an application instance | Read | | | | | [ GetMfaDeviceManagementForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve Mfa Device Management settings for the directory | Read | | | | | [ GetPermissionSet ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve details of a permission set | Read | | | | | [ GetPermissionsPolicy ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all permission policies associated with a permission set | Read | | | sso:DescribePermissionsPolicies | | [ GetProfile ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve a profile for an application instance | Read | | | | -| [ GetSSOConfiguration ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve configuration for the current SSO instance | Read | | | | | [ GetSSOStatus ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Check if AWS Single Sign\-On is enabled | Read | | | | +| [ GetSharedSsoConfiguration ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve shared configuration for the current SSO instance | Read | | | | +| [ GetSsoConfiguration ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) 
| Retrieve configuration for the current SSO instance | Read | | | | | [ GetTrust ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve the federation trust in a target account | Read | | | | -| [ GetUserPoolInfo ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve User Pool information | Read | | | | | [ ImportApplicationInstanceServiceProviderMetadata ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the application instance by uploading an application SAML metadata file provided by the service provider | Write | | | | | [ ListApplicationInstanceCertificates ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all of the certificates for a given application instance | Read | | | | | [ ListApplicationInstances ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all application instances | List | | | sso:GetApplicationInstance | | [ ListApplicationTemplates ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all supported application templates | Read | | | sso:GetApplicationTemplate | | [ ListApplications ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all supported applications | Read | | | | | [ ListDirectoryAssociations ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve details about the directory connected to AWS Single Sign\-On | Read | | | | -| [ ListGroupsForUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Lists 
groups for a user | List | | | | -| [ ListMembersInGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrives all members that are part of the group | List | | | | | [ ListPermissionSets ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all permission sets | Read | | | | | [ ListProfileAssociations ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve the directory user or group associated with the profile | Read | | | | | [ ListProfiles ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve all profiles for an application instance | Read | | | sso:GetProfile | | [ PutMfaDeviceManagementForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Put Mfa Device Management settings for the directory | Write | | | | | [ PutPermissionsPolicy ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Add a policy to a permission set | Write | | | | -| [ RemoveMemberFromGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Removes member that are part of the group | Write | | | | -| [ SearchGroups ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Search for groups within the associated directory | Read | | | | -| [ SearchUsers ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Search for users within the associated directory | Read | | | | -| [ SetTemporaryPassword 
](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Sets a temporary password for a user | Write | | | | | [ StartSSO ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Initialize AWS Single Sign\-On | Write | | | | | [ UpdateApplicationInstanceActiveCertificate ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Set a certificate as the active one for this application instance | Write | | | | | [ UpdateApplicationInstanceDisplayData ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update display data of an application instance | Write | | | | 
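Review bot: the removed rows for `GetUserPoolInfo` and `SetTemporaryPassword` in this list_awssso.md hunk have no replacement anywhere in this patch, unlike `ListGroupsForUser`, `ListMembersInGroup`, `RemoveMemberFromGroup`, `SearchGroups` and `SearchUsers`, which reappear in the list_awsssodirectory.md table later in the same patch. If those two actions were retired rather than moved, say so in the commit message or a changelog note, because existing identity policies that grant `sso:SetTemporaryPassword` (a Write action that sets a user's credential) will otherwise stop matching any documented action without anyone noticing. The removed `ListMembersInGroup` row also carries the typo "Retrives"; the replacement row in list_awsssodirectory.md is spelled correctly, so nothing further is needed for that.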
@@ -86,12 +73,11 @@ For details about the columns in the following table, see [The Actions Table](re | [ UpdateApplicationInstanceServiceProviderConfiguration ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update service provider related configuration for the application instance | Write | | | | | [ UpdateApplicationInstanceStatus ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the status of an application instance | Write | | | | | [ UpdateDirectoryAssociation ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the user attribute mappings for your connected directory | Write | | | | -| [ UpdateGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Updates group information | Write | | | | +| [ UpdateManagedApplicationInstanceStatus ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the status of a managed application instance | Write | | | | | [ UpdatePermissionSet ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the permission set\. 
| Write | | | | | [ UpdateProfile ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the profile for an application instance | Write | | | | | [ UpdateSSOConfiguration ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the configuration for the current SSO instance | Write | | | | | [ UpdateTrust ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update the federation trust in a target account | Write | | | | -| [ UpdateUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Updates user information | Write | | | | ## Resources Defined by AWS SSO diff --git a/doc_source/list_awsssodirectory.md b/doc_source/list_awsssodirectory.md index 09e5d2a3..e9f356c5 100644 --- a/doc_source/list_awsssodirectory.md +++ b/doc_source/list_awsssodirectory.md 
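Review bot: in the `@@ -86,12 +73,11 @@` hunk of list_awssso.md, the added row `| UpdateManagedApplicationInstanceStatus | Update the status of a managed application instance | Write |` sits directly below `UpdateApplicationInstanceStatus`, whose description "Update the status of an application instance" is almost identical, and neither row names a resource type or condition key, so a policy author cannot tell the two Write actions apart or scope either one below `"Resource": "*"`. Say what a managed application instance is, or link to its definition, so the distinction is visible in the table. The removal of `UpdateGroup` and `UpdateUser` here follows the earlier removal of the other group and user actions; both rows exist in the list_awsssodirectory.md table in this patch, and that move should be stated somewhere policy authors will see it.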
@@ -28,23 +28,36 @@ For details about the columns in the following table, see [The Actions Table](re | [ AddMemberToGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Adds member to the group in the directory that AWS SSO provides by default | Write | | | | | [ CompleteVirtualMfaDeviceRegistration ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Completes the creation process of a virtual MFA device | Write | | | | | [ CreateAlias ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creates an alias for the directory that AWS SSO provides by default | Write | | | | +| [ CreateBearerToken ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creates a bearer token for a given provisioning tenant\. | Write | | | | +| [ CreateExternalIdPConfigurationForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Create an External Identity Provider configuration for the directory | Write | | | | | [ CreateGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creates a group in the directory that AWS SSO provides by default | Write | | | | +| [ CreateProvisioningTenant ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creates a provisioning tenant for a given directory\. 
| Write | | | | | [ CreateUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Creates a user in the directory that AWS SSO provides by default | Write | | | | +| [ DeleteBearerToken ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deletes the bearer token\. | Write | | | | +| [ DeleteExternalIdPConfigurationForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Delete an External Identity Provider configuration associated with the directory | Write | | | | | [ DeleteGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deletes a group from the directory that AWS SSO provides by default | Write | | | | | [ DeleteMfaDeviceForUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deletes a MFA device by device name for a given user | Write | | | | +| [ DeleteProvisioningTenant ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deletes the provisioning tenant\. 
| Write | | | | | [ DeleteUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deletes a user from the directory that AWS SSO provides by default | Write | | | | | [ DescribeDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve information about the directory that AWS SSO provides by default | Read | | | | | [ DescribeGroups ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieves information about group from the directory that AWS SSO provides by default | List | | | | | [ DescribeUsers ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieves information about user from the directory that AWS SSO provides by default | List | | | | +| [ DisableExternalIdPConfigurationForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Disable authentication of end users with an External Identity Provider | Write | | | | | [ DisableUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Deactivates user in the directory that AWS SSO provides by default | Write | | | | +| [ EnableExternalIdPConfigurationForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Enable authentication of end users with an External Identity Provider | Write | | | | | [ EnableUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Activates user in the directory that AWS SSO provides by default | Write | | | | +| [ GetAWSSPConfigurationForDirectory 
](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieve the AWS SSO Service Provider configurations for the directory | Read | | | | +| [ ListBearerTokens ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Lists bearer tokens for a given provisioning tenant\. | List | | | | +| [ ListExternalIdPConfigurationsForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | List all the External Identity Provider configurations created for the directory | List | | | | | [ ListGroupsForUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Lists groups for a user from the directory that AWS SSO provides by default | List | | | | | [ ListMembersInGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Retrieves all members that are part of the group in the directory that AWS SSO provides by default | List | | | | | [ ListMfaDevicesForUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Lists all active MFA devices and their MFA device metadata for a user | List | | | | +| [ ListProvisioningTenants ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Lists provisioning tenants for a given directory\. 
| List | | | | | [ RemoveMemberFromGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Removes member that are part of the group in the directory that AWS SSO provides by default | Write | | | | | [ SearchGroups ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Search for groups within the associated directory | Read | | | | | [ SearchUsers ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Search for users within the associated directory | Read | | | | | [ StartVirtualMfaDeviceRegistration ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Begins the creation process of virtual mfa device | Write | | | | +| [ UpdateExternalIdPConfigurationForDirectory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Update an External Identity Provider configuration associated with the directory | Write | | | | | [ UpdateGroup ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Updates information about group in the directory that AWS SSO provides by default | Write | | | | | [ UpdatePassword ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Updates password by sending password reset link via email or generating one time password for a user in the directory that AWS SSO provides by default | Write | | | | | [ UpdateUser ](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample) | Updates user information in the directory that AWS SSO provides by default | Write | | | | 
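Review bot: the six added rows for bearer tokens and provisioning tenants (`CreateBearerToken`, `DeleteBearerToken`, `ListBearerTokens`, `CreateProvisioningTenant`, `DeleteProvisioningTenant`, `ListProvisioningTenants`) end their descriptions with `\.` while every neighbouring row in this table does not; drop the trailing period for consistency. More importantly, `CreateBearerToken` is a Write action that issues a credential, and its row gives no resource type or condition key, so the only way to grant it is with `"Resource": "*"`. The description "Creates a bearer token for a given provisioning tenant\." should say what the token authorizes and whether it expires, so that policy authors treat the grant with the same care as `UpdatePassword` further down the table.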
diff --git a/doc_source/list_computeoptimizer.md b/doc_source/list_computeoptimizer.md new file mode 100644 index 00000000..6a059271 --- /dev/null +++ b/doc_source/list_computeoptimizer.md 
@@ -0,0 +1,41 @@ +# Actions, Resources, and Condition Keys for Compute Optimizer + +Compute Optimizer \(service prefix: `compute-optimizer`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is.html)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/compute-optimizer/latest/ug/security-iam.html) permission policies\. + +**Topics** ++ [Actions Defined by Compute Optimizer](#computeoptimizer-actions-as-permissions) ++ [Resources Defined by Compute Optimizer](#computeoptimizer-resources-for-iam-policies) ++ [Condition Keys for Compute Optimizer](#computeoptimizer-policy-keys) + +## Actions Defined by Compute Optimizer + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. 
Some actions support multiple resource types\. If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** + +| Actions | Description | Access Level | Resource Types \(\*required\) | Condition Keys | Dependent Actions | +| --- | --- | --- | --- | --- | --- | +| [ GetAutoScalingGroupRecommendations ](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetAutoScalingGroupRecommendations.html) | Grants permission to get recommendations for the provided autoscaling groups\. | List | | | | +| [ GetEC2InstanceRecommendations ](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEC2InstanceRecommendations.html) | Grants permission to get recommendations for the provided EC2 instances\. | List | | | | +| [ GetEC2RecommendationProjectedMetrics ](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEC2RecommendationProjectedMetrics.html) | Grants permission to get the recommendation projected metrics of the specified instance\. | List | | | | +| [ GetEnrollmentStatus ](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetEnrollmentStatus.html) | Grants permission to get the enrollment status for the specified account\. | List | | | | +| [ GetRecommendationSummaries ](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_GetRecommendationSummaries.html) | Grants permission to get the recommendation summaries for the specified account\(s\)\. | List | | | | +| [ UpdateEnrollmentStatus ](https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_UpdateEnrollmentStatus.html) | Grants permission to update the enrollment status\. 
| Write | | | | + +## Resources Defined by Compute Optimizer + +Compute Optimizer does not support specifying a resource ARN in the `Resource` element of an IAM policy statement\. To allow access to Compute Optimizer, specify `“Resource”: “*”` in your policy\. + +## Condition Keys for Compute Optimizer + +Compute Optimizer has no service\-specific context keys that can be used in the `Condition` element of policy statements\. For the list of the global context keys that are available to all services, see [Available Keys for Conditions](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. \ No newline at end of file diff --git a/doc_source/list_iamaccessanalyzer.md b/doc_source/list_iamaccessanalyzer.md new file mode 100644 index 00000000..b5eabbc9 --- /dev/null +++ b/doc_source/list_iamaccessanalyzer.md 
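Review bot: in the "Resources Defined by Compute Optimizer" section of the new list_computeoptimizer.md, `“Resource”: “*”` uses curly quotation marks inside the code span; pasted into a policy document they yield invalid JSON, so write it with straight quotes as `"Resource": "*"`. A smaller point: the file ends with `\ No newline at end of file`; add the trailing newline so later diffs against this file stay clean.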
@@ -0,0 +1,52 @@ +# Actions, Resources, and Condition Keys for IAM Access Analyzer + +IAM Access Analyzer \(service prefix: `access-analyzer`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-permissions.html) permission policies\. + +**Topics** ++ [Actions Defined by IAM Access Analyzer](#iamaccessanalyzer-actions-as-permissions) ++ [Resources Defined by IAM Access Analyzer](#iamaccessanalyzer-resources-for-iam-policies) ++ [Condition Keys for IAM Access Analyzer](#iamaccessanalyzer-policy-keys) + +## Actions Defined by IAM Access Analyzer + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. 
Some actions support multiple resource types\. If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** +[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_iamaccessanalyzer.html) + +## Resources Defined by IAM Access Analyzer + +The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements\. Each action in the [Actions table](#iamaccessanalyzer-actions-as-permissions) identifies the resource types that can be specified with that action\. A resource type can also define which condition keys you can include in a policy\. These keys are displayed in the last column of the table\. For details about the columns in the following table, see [The Resource Types Table](reference_policies_actions-resources-contextkeys.md#resources_table)\. + + +**** + +| Resource Types | ARN | Condition Keys | +| --- | --- | --- | +| [ Analyzer ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources) | arn:$\{Partition\}:access\-analyzer:$\{Region\}:$\{Account\}:analyzer/$\{analyzerName\} | [ aws:ResourceTag/$\{TagKey\} ](#iamaccessanalyzer-aws_ResourceTag___TagKey_) | +| [ ArchiveRule ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources) | arn:$\{Partition\}:access\-analyzer:$\{Region\}:$\{Account\}:analyzer/$\{analyzerName\}/archive\-rule/$\{ruleName\} | | + +## Condition Keys for IAM Access Analyzer + +IAM Access Analyzer defines the following condition keys that can be used in the `Condition` element of an IAM policy\. You can use these keys to further refine the conditions under which the policy statement applies\. 
For details about the columns in the following table, see [The Condition Keys Table](reference_policies_actions-resources-contextkeys.md#context_keys_table)\. + +To view the global condition keys that are available to all services, see [Available Global Condition Keys](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. + + +**** + +| Condition Keys | Description | Type | +| --- | --- | --- | +| [ aws:RequestTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters actions based on the presence of tag key\-value pairs in the request | String | +| [ aws:ResourceTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-resourcetag) | Filters actions based on tag key\-value pairs attached to the resource | String | +| [ aws:TagKeys ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-tagkeys) | Filters actions based on the presence of tag keys in the request | String | \ No newline at end of file diff --git a/doc_source/list_networkmanager.md b/doc_source/list_networkmanager.md new file mode 100644 index 00000000..d13d912e --- /dev/null +++ b/doc_source/list_networkmanager.md 
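Review bot: the new list_iamaccessanalyzer.md ships without its Actions table. The "Actions Defined by IAM Access Analyzer" section ends at the placeholder `[See the AWS documentation website for more details]`, yet the Resources section below promises that "Each action in the Actions table identifies the resource types that can be specified with that action". Either include the table or reword that sentence, because a reader of this file cannot learn which actions accept the `Analyzer` and `ArchiveRule` ARNs, which is the whole point of listing them. Also, `aws:ResourceTag/${TagKey}` and `aws:TagKeys` link to `reference_policies_iam-condition-keys.html` while `aws:RequestTag/${TagKey}` links to `reference_policies_condition-keys.html`; the Network Manager file added in this same patch uses the latter for all three keys, so pick one target.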
@@ -0,0 +1,56 @@ +# Actions, Resources, and Condition Keys for Network Manager + +Network Manager \(service prefix: `networkmanager`\) provides the following service\-specific resources, actions, and condition context keys for use in IAM permission policies\. + +References: ++ Learn how to [configure this service](https://docs.aws.amazon.com/vpc/latest/tgw/)\. ++ View a list of the [API operations available for this service](https://docs.aws.amazon.com/networkmanager/latest/APIReference/)\. ++ Learn how to secure this service and its resources by [using IAM](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html) permission policies\. + +**Topics** ++ [Actions Defined by Network Manager](#networkmanager-actions-as-permissions) ++ [Resources Defined by Network Manager](#networkmanager-resources-for-iam-policies) ++ [Condition Keys for Network Manager](#networkmanager-policy-keys) + +## Actions Defined by Network Manager + +You can specify the following actions in the `Action` element of an IAM policy statement\. Use policies to grant permissions to perform an operation in AWS\. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name\. However, in some cases, a single action controls access to more than one operation\. Alternatively, some operations require several different actions\. + +The **Resource** column indicates whether each action supports resource\-level permissions\. If there is no value for this column, you must specify all resources \("\*"\) in the `Resource` element of your policy statement\. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action\. Required resources are indicated in the table with an asterisk \(\*\)\. If you specify a resource\-level permission ARN in a statement using this action, then it must be of this type\. Some actions support multiple resource types\. 
If the resource type is optional \(not indicated as required\), then you can choose to use one but not the other\. + +For details about the columns in the following table, see [The Actions Table](reference_policies_actions-resources-contextkeys.md#actions_table)\. + + +**** +[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/list_networkmanager.html) + +## Resources Defined by Network Manager + +The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements\. Each action in the [Actions table](#networkmanager-actions-as-permissions) identifies the resource types that can be specified with that action\. A resource type can also define which condition keys you can include in a policy\. These keys are displayed in the last column of the table\. For details about the columns in the following table, see [The Resource Types Table](reference_policies_actions-resources-contextkeys.md#resources_table)\. 
+ + +**** + +| Resource Types | ARN | Condition Keys | +| --- | --- | --- | +| [ global\-network ](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html/) | arn:$\{Partition\}:networkmanager::$\{Account\}:global\-network/$\{ResourceId\} | [ aws:ResourceTag/$\{TagKey\} ](#networkmanager-aws_ResourceTag___TagKey_) | +| [ site ](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html/) | arn:$\{Partition\}:networkmanager::$\{Account\}:site/$\{GlobalNetworkId\}/$\{ResourceId\} | [ aws:ResourceTag/$\{TagKey\} ](#networkmanager-aws_ResourceTag___TagKey_) | +| [ link ](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html/) | arn:$\{Partition\}:networkmanager::$\{Account\}:link/$\{GlobalNetworkId\}/$\{ResourceId\} | [ aws:ResourceTag/$\{TagKey\} ](#networkmanager-aws_ResourceTag___TagKey_) | +| [ device ](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-network-manager.html/) | arn:$\{Partition\}:networkmanager::$\{Account\}:device/$\{GlobalNetworkId\}/$\{ResourceId\} | [ aws:ResourceTag/$\{TagKey\} ](#networkmanager-aws_ResourceTag___TagKey_) | + +## Condition Keys for Network Manager + +Network Manager defines the following condition keys that can be used in the `Condition` element of an IAM policy\. You can use these keys to further refine the conditions under which the policy statement applies\. For details about the columns in the following table, see [The Condition Keys Table](reference_policies_actions-resources-contextkeys.md#context_keys_table)\. + +To view the global condition keys that are available to all services, see [Available Global Condition Keys](reference_policies_condition-keys.html#AvailableKeys) in the *IAM Policy Reference*\. 
+ + +**** + +| Condition Keys | Description | Type | +| --- | --- | --- | +| [ aws:RequestTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | Filters actions based on the presence of tag key\-value pairs in the request | String | +| [ aws:ResourceTag/$\{TagKey\} ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) | Filters actions based on tag key\-value pairs attached to the resource | String | +| [ aws:TagKeys ](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | Filters actions based on the presence of tag keys in the request | String | +| [ networkmanager:cgwArn ](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html) | Controls which customer gateways can be associated or disassociated | String | +| [ networkmanager:tgwArn ](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html) | Controls which transit gateways can be registered or deregistered | String | \ No newline at end of file diff --git a/doc_source/logging-using-cloudtrail.md b/doc_source/logging-using-cloudtrail.md new file mode 100644 index 00000000..7184b2b1 --- /dev/null +++ b/doc_source/logging-using-cloudtrail.md 
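Review bot: the same missing Actions table as in list_iamaccessanalyzer.md: the "Actions Defined by Network Manager" section of the new list_networkmanager.md contains only the placeholder link, so the file documents resources and keys for actions it never lists. Two further points in the tables that are present: every resource-type link ends in `what-is-network-manager.html/`, and a trailing slash after an `.html` page is almost certainly a broken link; and the two service keys `networkmanager:cgwArn` and `networkmanager:tgwArn` are typed `String` although their descriptions say they carry gateway ARNs. IAM documents ARN-valued keys with type ARN so that authors know the `ArnEquals`/`ArnLike` operators apply (string operators match literally, which is rarely what is intended for an ARN); confirm the type with the service team before publishing.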
@@ -0,0 +1,79 @@ +# Logging Access Analyzer API Calls with AWS CloudTrail + +Access Analyzer is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Access Analyzer\. CloudTrail captures all API calls for Access Analyzer as events\. The calls captured include calls from the Access Analyzer console and code calls to the Access Analyzer API operations\. + +If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Access Analyzer\. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**\. + +Using the information collected by CloudTrail, you can determine the request that was made to Access Analyzer, the IP address from which the request was made, who made the request, when it was made, and additional details\. + +To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/)\. + +## Access Analyzer Information in CloudTrail + +CloudTrail is enabled on your AWS account when you create the account\. When activity occurs in Access Analyzer, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**\. You can view, search, and download recent events in your AWS account\. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html)\. + +For an ongoing record of events in your AWS account, including events for Access Analyzer, create a trail\. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket\. By default, when you create a trail in the console, the trail applies to all AWS Regions\. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify\. 
Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs\. For more information, see the following: ++ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) ++ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations) ++ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html) ++ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html) + +All Access Analyzer actions are logged by CloudTrail and are documented in the [IAM Access Analyzer API Reference](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/)\. For example, calls to the `CreateAnalyzer`, `CreateArchiveRule` and `ListFindings` actions generate entries in the CloudTrail log files\. + +Every event or log entry contains information about who generated the request\. The identity information helps you determine the following: ++ Whether the request was made with root or AWS Identity and Access Management \(IAM\) user credentials\. ++ Whether the request was made with temporary security credentials for a role or federated user\. ++ Whether the request was made by another AWS service\. + +For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)\. 
+ +## Understanding Access Analyzer Log File Entries + +A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify\. CloudTrail log files contain one or more log entries\. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on\. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order\. + +The following example shows a CloudTrail log entry that demonstrates the `CreateAnalyzer` operation made by a user named "Alice" on "June 14, 2018"\. + +``` +{ + "eventVersion": "1.05", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AIDACKCEVSQ6C2EXAMPLE", + "arn": "arn:aws:iam::111122223333:user/Alice", + "accountId": "111122223333", + "accessKeyId": "AKIAI44QH8DHBEXAMPLE", + "sessionContext": { + "attributes": { + "mfaAuthenticated": "false", + "creationDate": "2018-06-14T22:54:20Z" + }, + "sessionIssuer": { + "type": "Role", + "principalId": "AIDACKCEVSQ6C2EXAMPLE", + "arn": "arn:aws:iam::111122223333:user/Alice", + "accountId": "111122223333", + "userName": "Alice" + } + } + }, + "eventTime": "2018-06-14T22:57:36Z", + "eventSource": "access-analyzer.amazonaws.com", + "eventName": "CreateAnalyzer", + "awsRegion": "us-west-2", + "sourceIPAddress": "198.51.100.179", + "userAgent": "aws-cli/1.16.205 Python/2.7.16 Darwin/17.7.0 botocore/1.12.195", + "requestParameters": { + "analyzerName": "test", + "type": "ACCOUNT", + "clientToken": "11111111-abcd-2222-abcd-222222222222" + }, + "responseElements": { + "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/test" + }, + "requestID": "22222222-dcba-4444-dcba-333333333333", + "eventID": "33333333-bcde-5555-bcde-444444444444", + "readOnly": false, + "eventType": "AwsApiCall", + "recipientAccountId": "111122223333" +} +``` \ No newline at end of file 
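Review bot: the example log entry in "Understanding Access Analyzer Log File Entries" is internally inconsistent: `userIdentity.type` is `AssumedRole` and `sessionIssuer.type` is `Role`, but both `arn` fields are `arn:aws:iam::111122223333:user/Alice`, which is an IAM user ARN, and `sessionIssuer.userName` is `Alice`. For an assumed-role call CloudTrail records the caller as `arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>` and the issuer as `arn:aws:iam::<account>:role/<RoleName>`; either change the types to `IAMUser` and drop `sessionContext.sessionIssuer`, or use role ARNs, otherwise anyone building a detection on `userIdentity.arn` from this sample will match nothing real. The sentence "made by a user named "Alice"" should then describe whichever identity the corrected sample shows. Minor: `"mfaAuthenticated": "false"` on a write call deserves a sentence of explanation, since that field is exactly what an auditor checks when reviewing who created an analyzer.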
diff --git a/doc_source/reference_aws-services-that-work-with-iam.md b/doc_source/reference_aws-services-that-work-with-iam.md index 2d17e80a..b58e3b0d 100644 --- a/doc_source/reference_aws-services-that-work-with-iam.md +++ b/doc_source/reference_aws-services-that-work-with-iam.md 
@@ -5,7 +5,7 @@ The AWS services listed below are grouped by their [AWS product categories](http + **Actions** – You can specify individual actions in a policy\. If the service does not support this feature, then **All actions** is selected in the [visual editor](access_policies_create.md#access_policies_create-visual-editor)\. In a JSON policy document, you must use `*` in the `Action` element\. For a list of actions in each service, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.md)\. + **Resource\-level permissions** – You can use [ARNs](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) to specify individual resources in the policy\. If the service does not support this feature, then **All resources** is chosen in the [policy visual editor](access_policies_create.md#access_policies_create-visual-editor)\. In a JSON policy document, you must use `*` in the `Resource` element\. Some actions, such as `List*` actions, do not support specifying an ARN because they are designed to return multiple resources\. If a service supports this feature for some resources but not others, it is indicated by yellow cells in the table\. See the documentation for that service for more information\. + **Resource\-based policies** – You can attach resource\-based policies to a resource within the service\. Resource\-based policies include a `Principal` element to specify which IAM identities can access that resource\. For more information, see [Identity\-Based Policies and Resource\-Based Policies](access_policies_identity-vs-resource.md)\. -+ **Authorization based on tags** – You can use [resource tags](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html) in the condition of a policy\. For example, you might create a [ policy that allows tag owners full access to Amazon RDS resources](reference_policies_examples_rds_tag-owner.md) that they have tagged\. 
You do this by using a condition key such as `rds:db-tag/Owner`\. ++ **Authorization based on tags** – You can use [resource tags](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html) in the condition of a policy to control access to a resource in the service\. You do this using the [`aws:ResourceTag`](reference_policies_condition-keys.md#condition-keys-resourcetag) global condition key or service\-specific tags, such as [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-taggingresources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-taggingresources)\. For more information about defining permissions based on attributes such as tags, see [What Is ABAC for AWS?](introduction_attribute-based-access-control.md)\. + **Temporary credentials** – Users signed in with federation, a cross\-account role, or a [service role](id_roles_terms-and-concepts.md#iam-term-service-role) can access the service\. Temporary security credentials are obtained by calling AWS STS API operations like [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)\. For more information, see [Temporary Security Credentials](id_credentials_temp.md)\. + **Service\-linked roles** – A [service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role) gives the service permission to access resources in other services to complete an action on your behalf\. Choose the `Yes` link to see the documentation for services that support these roles\. For more information, see [Using Service\-Linked Roles](using-service-linked-roles.md)\. + **More information** – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information\. 
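Review bot: in the rewritten **Authorization based on tags** bullet, the second link's visible text is the raw URL `https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-taggingresources`, which reads like link text lost during generation; give it descriptive text naming the service-specific key the sentence promises (the old bullet's `rds:db-tag/Owner` is the model), so "service-specific tags, such as ..." names a condition key rather than a URL.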
@@ -16,12 +16,14 @@ The AWS services listed below are grouped by their [AWS product categories](http | | | | | | | | | --- |--- |--- |--- |--- |--- |--- | | Service | Actions | Resource\-level permissions | Resource\-based policies | Authorization based on tags | Temporary credentials | Service\-linked roles | -| [AWS Batch](https://docs.aws.amazon.com/batch/latest/userguide/IAM_policies.html ) | Yes | [Yes](https://docs.aws.amazon.com/batch/latest/userguide/batch-supported-iam-actions-resources.html) | No | No | Yes | No | +| [AWS Batch](https://docs.aws.amazon.com/batch/latest/userguide/IAM_policies.html) | Yes | [Yes](https://docs.aws.amazon.com/batch/latest/userguide/batch-supported-iam-actions-resources.html) | No | No | Yes | No | +| [Compute Optimizer](https://docs.aws.amazon.com/compute-optimizer/latest/ug/security-iam.html) | Yes | No | No | No | Yes | No | | [Amazon Elastic Compute Cloud \(Amazon EC2\)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html) | Yes | Yes | No | [Yes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources) | Yes | Yes¹ | | [Amazon EC2 Auto Scaling](https://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-service-linked-role.html) | +| [Amazon EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam.html) | Yes | Yes | No | Yes | Yes | No | | [AWS Elastic Beanstalk](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.html) | Yes | Yes | No | [Yes](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.access-tags.html) | Yes | [Yes](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-service-linked-roles.html) | | [Amazon Elastic Container Registry \(Amazon ECR\)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_IAM_policies.html) | Yes | Yes | Yes | Yes | Yes | No | 
-| [Amazon Elastic Container Service \(Amazon ECS\)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide//IAM_policies.html) | Yes | Yes² | No | No | Yes | [Yes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html) | +| [Amazon Elastic Container Service \(Amazon ECS\)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide//IAM_policies.html) | Yes | Yes² | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html) | | [Amazon Elastic Kubernetes Service \(Amazon EKS\)](https://docs.aws.amazon.com/eks/latest/userguide/IAM_policies.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon Elastic Inference](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-inference.html) | Yes | Yes | Yes | No | No | No | | [Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/index.html?UsingIAM.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-service-linked-roles.html) | 
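Review bot: the ECS row flips **Authorization based on tags** from `No` to `Yes` with nothing pointing the reader at the ECS tagging documentation, while the EC2 and Elastic Beanstalk rows in the same hunk link their `Yes`; add the link or a footnote. While that line is being touched, the ECS URL still carries a doubled slash (`developerguide//IAM_policies.html`), the same class of defect the Batch row fix in this hunk addresses (stray space before `)`).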
@@ -42,8 +44,8 @@ The AWS services listed below are grouped by their [AWS product categories](http | Service | Actions | Resource\-level permissions | Resource\-based policies | Authorization based on tags | Temporary credentials | Service\-linked roles | | [AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html) | Yes | Yes | Yes | No | Yes | No | | [Amazon Elastic Block Store \(Amazon EBS\)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using .html) | Yes | Yes | No | Yes | Yes | No | -| [Amazon Elastic File System \(Amazon EFS\)](https://docs.aws.amazon.com/efs/latest/ug/auth-and-access-control.html) | Yes | Yes | No | Yes | Yes | No | -| [Amazon FSx](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/access-control-overview.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/;using-service-linked-roles.html) | +| [Amazon Elastic File System \(Amazon EFS\)](https://docs.aws.amazon.com/efs/latest/ug/auth-and-access-control.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/efs/latest/ug/auth-and-access-control.html) | +| [Amazon FSx](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/access-control-overview.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-service-linked-roles.html) | | [Amazon S3 Glacier](https://docs.aws.amazon.com/amazonglacier/latest/dev/auth-and-access-control.html) | Yes | Yes | Yes | Yes | Yes | No | | [AWS Import/Export](https://docs.aws.amazon.com/AWSImportExport/latest/DG/using-iam.html) | Yes | No | No | No | Yes | No | | [AWS Migration Hub](https://docs.aws.amazon.com/server-migration-service/latest/userguide/auth-and-access-control.html) | Yes | Yes | No | No | Yes | No | 
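Review bot: the EFS **Service-linked roles** cell now links to `efs/latest/ug/auth-and-access-control.html`, the same page as the service name in column one, whereas every other linked `Yes` in that column (FSx in this same hunk, for example) points at a dedicated `using-service-linked-roles.html` page; link the EFS service-linked role topic or leave the cell as plain `Yes`. Also, the EBS context line has a URL with an embedded space (`UserGuide/Using .html`), broken in the same way as the FSx `;using-service-linked-roles.html` this hunk fixes; fix it in the same pass.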
@@ -62,6 +64,7 @@ The AWS services listed below are grouped by their [AWS product categories](http | Service | Actions | Resource\-level permissions | Resource\-based policies | Authorization based on tags | Temporary credentials | Service\-linked roles | | [Amazon DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/UsingIAMWithDDB.html) | Yes | Yes | No | No | Yes | [Yes](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-service-linked-roles.html) | | [Amazon ElastiCache](https://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/IAM.html) | Yes | No¹ | No | No | Yes | [Yes](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/using-service-linked-roles.html) | +| [AWS Managed Apache Cassandra Service \(MCS\)](https://docs.aws.amazon.com/mcs/latest/developerguide/assets.html) | Yes | Yes | No | No | Yes | No | | [Amazon Quantum Ledger Database \(Amazon QLDB\)](https://docs.aws.amazon.com/qldb/latest/developerguide/security-iam.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html) | Yes | Yes | No | No | Yes | [Yes](https://docs.aws.amazon.com/redshift/latest/mgmt/using-service-linked-roles.html) | | [Amazon Relational Database Service \(Amazon RDS\)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.ServiceLinkedRoles.html) | 
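Review bot: the new MCS row links to `mcs/latest/developerguide/assets.html`, which does not look like an identity and access topic (neighbouring rows point at `security-iam.html` or `UsingIAMWithDDB.html`); confirm the target or point at the service's IAM page.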
@@ -96,17 +99,20 @@ The AWS services listed below are grouped by their [AWS product categories](http | [AWS Certificate Manager \(ACM\)](https://docs.aws.amazon.com/acm/latest/userguide/authen-toplevel.html) | Yes | Yes | No | Yes | Yes | No | | [AWS CloudHSM](https://docs.aws.amazon.com/cloudhsm/latest/userguide/prerequisites.html#permissions-for-cloudhsm) | Yes | No | No | No | Yes | Yes | | [AWS CloudHSM Classic](https://docs.aws.amazon.com/cloudhsm/classic/userguide/iam-policy.html) | Yes | No | No | No | No | No | -| [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/resource-permissions/) | Yes | Yes | No | Yes | Yes | No | +| [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/resource-permissions.html) | Yes | Yes | No | Yes | Yes | No | +| [Amazon Detective](https://docs.aws.amazon.com/detective/latest/adminguide/security-iam.html) | Yes | Yes | No | No | Yes | No | | [AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/iam_policy.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) | Yes | Yes | No | No | Yes | [Yes](https://docs.aws.amazon.com/guardduty/latest/ug/using-service-linked-roles.html) | | [AWS Identity and Access Management \(IAM\)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html) | Yes | Yes | Yes¹ | [Yes²](access_iam-tags.md) | Yes³ | No | +| [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-access.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-using-service-linked-roles.html) | | [Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html) | Yes | No | No | No | Yes | [Yes](https://docs.aws.amazon.com/inspector/latest/userguide/inspector_slr.html) | | [AWS Key Management Service \(AWS 
KMS\)](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html) | Yes | Yes | Yes | No | Yes | [Yes](https://docs.aws.amazon.com/kms/latest/developerguide/using-service-linked-roles.html) | | [Amazon Macie ](https://docs.aws.amazon.com/macie/latest/userguide/macie-access-control.html) | Yes | No | No | No | Yes | Yes | | [AWS Resource Access Manager \(AWS RAM\)](https://docs.aws.amazon.com/ram/latest/userguide/control-access.html) | Yes | Yes | No | Yes | Yes | No | | [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) | Yes | Yes | [Yes](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html) | Yes | Yes | No | | [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) | Yes | Yes | No | No | Yes | [Yes](https://docs.aws.amazon.com/securityhub/latest/userguide/using-service-linked-roles.html) | -| [AWS Single Sign\-On \(AWS SSO\)](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) | Yes | No | No | No | Yes | Yes | +| [AWS Single Sign\-On \(AWS SSO\)](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) | Yes | No | No | No | Yes | [Yes](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-service-linked-roles.html) | +| [AWS SSO Directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html) | Yes | No | No | No | Yes | No | | [AWS Security Token Service \(AWS STS\)](https://docs.aws.amazon.com/STS/latest/UsingSTS/TokenPermissions.html) | Yes | Yes⁴ | No | Yes | Yes⁵ | No | | [AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/shield-chapter.html) | Yes | No | No | No | Yes | No | | [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-auth-and-access-control.html) | Yes | Yes | No | No | Yes | 
[Yes](https://docs.aws.amazon.com/waf/latest/developerguide/using-service-linked-roles.html) | 
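Review bot: the new **AWS SSO Directory** row links to `singlesignon/latest/userguide/iam-auth-access.html`, the identical URL used by the **AWS SSO** row directly above it, so the two rows differ only by name; if SSO Directory has its own access-control topic, link it, otherwise a footnote explaining why it is listed separately would help. Separately, the **IAM Access Analyzer** row uses absolute `docs.aws.amazon.com/IAM/...` URLs into this same guide while the IAM row two lines up uses a relative link (`access_iam-tags.md`); prefer the relative form for in-guide pages.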
@@ -130,18 +136,18 @@ The AWS services listed below are grouped by their [AWS product categories](http | [Amazon Comprehend](https://docs.aws.amazon.com/comprehend/latest/dg/auth-and-access-control.html) | Yes | No | No | Yes | Yes | No | | [AWS DeepRacer](https://docs.aws.amazon.com/deepracer/latest/developerguide/deepracer-security.html) | Yes | No | No | No | Yes | [Yes](https://docs.aws.amazon.com/deepracer/latest/developerguide/deepracer-understand-required-permissions-and-iam-roles.html) | | [Forecast](https://docs.aws.amazon.com/forecast/latest/dg/authentication-and-access-control.html) | Yes | Yes | No | No | Yes | No | +| [Amazon Fraud Detector](https://docs.aws.amazon.com/frauddetector/latest/ug/set-up.html#set-up-iam-admin) | Yes | No | No | No | Yes | No | +| [Amazon Kendra](https://docs.aws.amazon.com/kendra/latest/dg/security-iam.html) | Yes | Yes | No | No | Yes | No | | [Amazon Lex](https://docs.aws.amazon.com/lex/latest/dg/auth-and-access-control.html) | Yes | Yes | No | No | Yes | [Yes](https://docs.aws.amazon.com/lex/latest/dg/howitworks-service-permissions.html) | | [Amazon Machine Learning](https://docs.aws.amazon.com/machine-learning/latest/dg/reference.html#controlling-access-to-amazon-ml-resources-by-using-iam) | Yes | Yes | No | Yes | Yes | No | | [Amazon Personalize](https://docs.aws.amazon.com/personalize/latest/dg/authentication-and-access-control.html) | Yes | Yes | No | No | Yes | No | | [Amazon Polly](https://docs.aws.amazon.com/polly/latest/dg/authentication-and-access-control.html) | Yes | Yes | No | No | Yes | No | -| [Amazon Rekognition](https://docs.aws.amazon.com/rekognition/latest/dg/authentication-and-access-control.html) | Yes | Yes | No | No | No | No | -| [Amazon SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/authentication-and-access-control.html) | Yes | Yes | No | Yes¹ | Yes | No | +| [Amazon Rekognition](https://docs.aws.amazon.com/rekognition/latest/dg/authentication-and-access-control.html) | Yes | Yes | 
No | No | Yes | No | +| [Amazon SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/authentication-and-access-control.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon Textract](https://docs.aws.amazon.com/textract/latest/dg/authentication-and-access-control.html) | Yes | Yes | No | No | No | No | | [Amazon Transcribe](https://docs.aws.amazon.com/transcribe/latest/dg/auth-and-access-control.html) | Yes | No | No | No | Yes | No | | [Amazon Translate](https://docs.aws.amazon.com/translate/latest/dg/auth-and-access-control.html) | Yes | No | No | No | Yes | No | -¹ Amazon SageMaker does not support using tag\-based authorization for calls to `InvokeEndpoint`\. - ## Management and Governance Services 
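Review bot: this hunk drops the footnote `¹ Amazon SageMaker does not support using tag-based authorization for calls to InvokeEndpoint` and changes the SageMaker tag cell from `Yes¹` to `Yes`, which asserts that the limitation is gone rather than fixing formatting; if SageMaker now honours tag conditions on `InvokeEndpoint`, say so in the commit message (currently just "Periodic update"), otherwise keep the footnote. The Rekognition **Temporary credentials** change from `No` to `Yes` is the same kind of unexplained behaviour change and deserves a word in the message too.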
@@ -155,6 +161,7 @@ The AWS services listed below are grouped by their [AWS product categories](http | [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html) | Yes | Yes | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-service-linked-roles.html)¹ | | [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/EventsPoliciesRolesAccessControl.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon CloudWatch Logs ](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/auth-and-access-control-cwl.html) | Yes | Yes | Yes | Yes | Yes | No | +| [Amazon CloudWatch Synthetics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html) | Yes | Yes | No | No | Yes | No | | [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/recommended-iam-permissions-using-aws-config-console-cli.html) | Yes | Yes² | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html) | | [Amazon Data Lifecycle Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html) | Yes | Yes | No | Yes | Yes | No | | [AWS Health](https://docs.aws.amazon.com/health/latest/ug/controlling-access.html) | Yes | No | No | No | Yes | No | 
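Review bot: the new **Amazon CloudWatch Synthetics** row links to `CloudWatch_Synthetics_Canaries.html`, a feature overview, while the surrounding rows link to each service's IAM topic (`UsingIAM.html`, `auth-and-access-control-cwl.html`); link the permissions section for canaries if one exists. Minor: the CloudWatch Logs link text on the context line has a trailing space inside the brackets (`[Amazon CloudWatch Logs ]`).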
@@ -211,6 +218,7 @@ The AWS services listed below are grouped by their [AWS product categories](http | [AWS Cloud Map](https://docs.aws.amazon.com/cloud-map/latest/dg/auth-and-access-control.html) | Yes | Yes | No | No | Yes | No | | [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/using_iam.html) | Yes | Yes | No | [Yes](https://docs.aws.amazon.com/directconnect/latest/UserGuide/using_tags.html) | Yes | No | | [AWS Global Accelerator](https://docs.aws.amazon.com/global-accelerator/latest/dg/auth-and-access-control.html) | Yes | Yes | No | No | Yes | [Yes](https://docs.aws.amazon.com/global-accelerator/latest/dg/using-service-linked-roles.html) | +| [Network Manager](https://docs.aws.amazon.com/vpc/latest/tgw/nm-security-iam.html) | Yes | Yes | Yes | Yes | Yes | [Yes](https://docs.aws.amazon.com/vpc/latest/tgw/nm-service-linked-roles.html) | | [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide//auth-and-access-control.html) | Yes | Yes | No | No | Yes | No | | [Amazon Route 53 Resolver](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide//auth-and-access-control.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon Virtual Private Cloud \(Amazon VPC\)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html) | Yes | Yes² | Yes³ | No | Yes | No | 
@@ -246,6 +254,7 @@ The AWS services listed below are grouped by their [AWS product categories](http | Service | Actions | Resource\-level permissions | Resource\-based policies | Authorization based on tags | Temporary credentials | Service\-linked roles | | [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/access.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon CloudSearch](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/configureaccess.html) | Yes | Yes | No | No | Yes | No | +| [AWS Data Exchange](https://docs.aws.amazon.com/data-exchange/latest/userguide/auth-access.html) | Yes | Yes | No | Yes | Yes | No | | [AWS Data Pipeline](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-concepts-roles.html) | Yes | No | No | Yes | Yes | No | | [Amazon Elasticsearch Service](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies) | Yes | Yes | Yes | No | Yes | [Yes](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/slr-es.html) | | [Amazon EMR](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html) | Yes | No | No | Yes | Yes | [Yes](https://docs.aws.amazon.com/emr/latest/ManagementGuide/using-service-linked-roles.html) | 
@@ -262,6 +271,8 @@ The AWS services listed below are grouped by their [AWS product categories](http | | | | | | | | | --- |--- |--- |--- |--- |--- |--- | | Service | Actions | Resource\-level permissions | Resource\-based policies | Authorization based on tags | Temporary credentials | Service\-linked roles | +| [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/auth-and-access-control-eventbridge.html) | Yes | Yes | No | Yes | Yes | No | +| [Amazon EventBridge Schemas](https://docs.aws.amazon.com/eventbridge/latest/userguide/auth-and-access-control-eventbridge.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon MQ](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-security.html) | Yes | Yes | No | Yes | Yes | No | | [Amazon Simple Notification Service \(Amazon SNS\)](https://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html) | Yes | Yes | Yes | No | Yes | No | | [Amazon Simple Queue Service \(Amazon SQS\)](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/UsingIAM.html) | Yes | Yes | Yes | No | Yes | No | 
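Review bot: the **Amazon EventBridge Schemas** row reuses the EventBridge URL `auth-and-access-control-eventbridge.html` verbatim; if the schema registry has no separate IAM topic, a footnote saying the EventBridge page covers both would spare readers a second click to the same place.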
@@ -297,6 +308,7 @@ The AWS services listed below are grouped by their [AWS product categories](http | [AWS IoT Events](https://docs.aws.amazon.com/iotevents/latest/developerguide/security-iam.html) | Yes | Yes | No | Yes | Yes | No | | [AWS IoT Greengrass](https://docs.aws.amazon.com/greengrass/latest/userguide/gg-ug.html) | Yes | Yes | No | Yes | Yes | No | | [AWS IoT Things Graph](https://docs.aws.amazon.com/thingsgraph/latest/ug/iot-tg-security.html) | Yes | No | No | No | Yes | No | +| [AWS IoT SiteWise](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/set-up-aws-account.html) | Yes | Yes | No | No | Yes | No | ¹ Devices connected to AWS IoT are authenticated by using X\.509 certificates or using Amazon Cognito Identities\. You can attach AWS IoT policies to an X\.509 certificate or Amazon Cognito Identity to control what the device is authorized to do\. For more information, see [Security and Identity for AWS IoT](https://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html) in the *AWS IoT Developer Guide*\. diff --git a/doc_source/reference_policies_actions-resources-contextkeys.md b/doc_source/reference_policies_actions-resources-contextkeys.md index 35e011d8..a3d860ff 100644 --- a/doc_source/reference_policies_actions-resources-contextkeys.md +++ b/doc_source/reference_policies_actions-resources-contextkeys.md @@ -77,6 +77,7 @@ The **Condition Keys** table lists all of the condition context keys that you ca + [Amazon Cognito User Pools](list_amazoncognitouserpools.md) + [Amazon Comprehend](list_amazoncomprehend.md) + [Comprehend Medical](list_comprehendmedical.md) ++ [Compute Optimizer](list_computeoptimizer.md) + [AWS Config](list_awsconfig.md) + [Amazon Connect](list_amazonconnect.md) + [AWS Cost and Usage Report](list_awscostandusagereport.md) 
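Review bot: in the `@@ -297` hunk, the new **AWS IoT SiteWise** row links to `set-up-aws-account.html`, an onboarding page, rather than an identity and access topic as the IoT Events and Things Graph rows do (`security-iam.html`, `iot-tg-security.html`); confirm the target.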
@@ -96,6 +97,7 @@ The **Condition Keys** table lists all of the condition context keys that you ca + [Amazon DynamoDB Accelerator \(DAX\)](list_amazondynamodbacceleratordax.md) + [Amazon EC2](list_amazonec2.md) + [Amazon EC2 Auto Scaling](list_amazonec2autoscaling.md) ++ [Amazon EC2 Image Builder](list_amazonec2imagebuilder.md) + [Amazon EC2 Instance Connect](list_amazonec2instanceconnect.md) + [AWS Elastic Beanstalk](list_awselasticbeanstalk.md) + [Amazon Elastic Container Registry](list_amazonelasticcontainerregistry.md) @@ -117,8 +119,10 @@ The **Condition Keys** table lists all of the condition context keys that you ca + [AWS Elemental MediaStore](list_awselementalmediastore.md) + [AWS Elemental MediaTailor](list_awselementalmediatailor.md) + [Amazon EventBridge](list_amazoneventbridge.md) ++ [Amazon EventBridge Schemas](list_amazoneventbridgeschemas.md) + [AWS Firewall Manager](list_awsfirewallmanager.md) + [Amazon Forecast](list_amazonforecast.md) ++ [Amazon Fraud Detector](list_amazonfrauddetector.md) + [Amazon FreeRTOS](list_amazonfreertos.md) + [Amazon FSx](list_amazonfsx.md) + [Amazon GameLift](list_amazongamelift.md) @@ -129,6 +133,7 @@ The **Condition Keys** table lists all of the condition context keys that you ca + [Amazon GroundTruth Labeling](list_amazongroundtruthlabeling.md) + [Amazon GuardDuty](list_amazonguardduty.md) + [AWS Health APIs and Notifications](list_awshealthapisandnotifications.md) ++ [IAM Access Analyzer](list_iamaccessanalyzer.md) + [Identity And Access Management](list_identityandaccessmanagement.md) + [AWS Import Export Disk Service](list_awsimportexportdiskservice.md) + [Amazon Inspector](list_amazoninspector.md) 
@@ -141,6 +146,7 @@ The **Condition Keys** table lists all of the condition context keys that you ca + [AWS IoT Things Graph](list_awsiotthingsgraph.md) + [AWS IQ](list_awsiq.md) + [AWS IQ Permissions](list_awsiqpermissions.md) ++ [Amazon Kendra](list_amazonkendra.md) + [AWS Key Management Service](list_awskeymanagementservice.md) + [Amazon Kinesis](list_amazonkinesis.md) + [Amazon Kinesis Analytics](list_amazonkinesisanalytics.md) @@ -156,6 +162,7 @@ The **Condition Keys** table lists all of the condition context keys that you ca + [Amazon Machine Learning](list_amazonmachinelearning.md) + [Amazon Macie](list_amazonmacie.md) + [Manage Amazon API Gateway](list_manageamazonapigateway.md) ++ [AWS Managed Apache Cassandra Service](list_awsmanagedapachecassandraservice.md) + [Amazon Managed Blockchain](list_amazonmanagedblockchain.md) + [Amazon Managed Streaming for Kafka](list_amazonmanagedstreamingforkafka.md) + [AWS Marketplace](list_awsmarketplace.md) @@ -172,6 +179,7 @@ The **Condition Keys** table lists all of the condition context keys that you ca + [AWS Mobile Hub](list_awsmobilehub.md) + [Amazon MQ](list_amazonmq.md) + [Amazon Neptune](list_amazonneptune.md) ++ [Network Manager](list_networkmanager.md) + [AWS OpsWorks](list_awsopsworks.md) + [AWS OpsWorks Configuration Management](list_awsopsworksconfigurationmanagement.md) + [AWS Organizations](list_awsorganizations.md) diff --git a/doc_source/reference_policies_condition-keys.md b/doc_source/reference_policies_condition-keys.md index 5641e5b9..21e28ca4 100644 --- a/doc_source/reference_policies_condition-keys.md +++ b/doc_source/reference_policies_condition-keys.md 
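Review bot: the entries added in the `@@ -156` and `@@ -172` hunks link to `list_awsmanagedapachecassandraservice.md` and `list_networkmanager.md`; confirm each target page is part of the same change, since these generated file names are derived from the display name and a dangling link here is the first thing readers hit when looking up a new service's actions and condition keys.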
@@ -159,7 +159,7 @@ Organization IDs are globally unique but OU IDs and root IDs are unique only wit For example, the following condition returns `true` for principals in accounts that are attached directly to the `ou-jkl0-awsddddd` OU, but not in its child OUs\. ``` -"Condition" : { "ForAnyValues:StringEquals" : { +"Condition" : { "ForAnyValue:StringEquals" : { "aws:PrincipalOrgPaths":["o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/"] }} ``` @@ -167,7 +167,7 @@ For example, the following condition returns `true` for principals in accounts t The following condition returns `true` for principals in an account that is attached directly to the OU or any of its child OUs\. When you include a wildcard, you must use the `StringLike` condition operator\. ``` -"Condition" : { "ForAnyValues:StringLike" : { +"Condition" : { "ForAnyValue:StringLike" : { "aws:PrincipalOrgPaths":["o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd*"] }} ``` @@ -175,7 +175,7 @@ The following condition returns `true` for principals in an account that is atta The following condition returns `true` for principals in an account that is attached directly to the OU or any of its child OUs\. ``` -"Condition" : { "ForAnyValues:StringLike" : { +"Condition" : { "ForAnyValue:StringLike" : { "aws:PrincipalOrgPaths":["o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/*"] }} ``` 
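Review bot: the rename from `ForAnyValues:` to `ForAnyValue:` across these three hunks is correct, since the IAM set operators are `ForAnyValue:` and `ForAllValues:` and the plural form is rejected by policy validation; because the same typo recurs in the `@@ -183` hunk, grep the whole guide for `ForAnyValues` so no stale copy is left for readers to paste into a policy.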
@@ -183,16 +183,16 @@ The following condition returns `true` for principals in an account that is atta The following condition allows access for every principal in the `o-a1b2c3d4e5` organization, regardless of their parent OU\. ``` -"Condition" : { "ForAnyValues:StringLike" : { +"Condition" : { "ForAnyValue:StringLike" : { "aws:PrincipalOrgPaths":["o-a1b2c3d4e5/*"] }} ``` -`aws:PrincipalOrgPaths` is a multivalued condition key\. Multivalued keys include one or more values in a list format\. The result is a logical `OR`\. When you use multiple values with the `ForAnyValues` condition operator, the principal's path must match one of the paths listed in the policy\. For policies that include multiple values for a single key, you must enclose the conditions within brackets like an array \("Key":\["Value1", "Value2"\]\)\. You should also include these brackets when there is a single value\. For more information about multivalued condition keys, see [Creating a Condition with Multiple Keys or Values](reference_policies_multi-value-conditions.md)\. +`aws:PrincipalOrgPaths` is a multivalued condition key\. Multivalued keys include one or more values in a list format\. The result is a logical `OR`\. When you use multiple values with the `ForAnyValue` condition operator, the principal's path must match one of the paths listed in the policy\. For policies that include multiple values for a single key, you must enclose the conditions within brackets like an array \("Key":\["Value1", "Value2"\]\)\. You should also include these brackets when there is a single value\. For more information about multivalued condition keys, see [Creating a Condition with Multiple Keys or Values](reference_policies_multi-value-conditions.md)\. ``` "Condition": { - "ForAnyValues:StringLike": { + "ForAnyValue:StringLike": { "aws:PrincipalOrgPaths": [ "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-def0-awsbbbbb/*", "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-jkl0-awsddddd/*" 
@@ -319,7 +319,7 @@ Because you can include multiple tag key\-value pairs in a request, the request Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. Use this key to compare the tag key\-value pair that you specify in the policy with the key\-value pair that is attached to the resource\. For example, you could require that access to a resource is allowed only if the resource has the attached tag key `"Dept"` with the value `"Marketing"`\. For more information, see [Controlling Access to AWS Resources](access_tags.md#access_tags_control-resources)\. -+ **Availability** – This key is included in the request context when the requested resource already has attached tags\. There is one context key for each tag key\-value pair\. ++ **Availability** – This key is included in the request context when the requested resource already has attached tags\. This key is returned only for resources that [support authorization based on tags](reference_aws-services-that-work-with-iam.md)\. There is one context key for each tag key\-value pair\. This context key is formatted `"aws:ResourceTag/tag-key":"tag-value"` where *tag\-key* and *tag\-value* are a tag key and value pair\. diff --git a/doc_source/reference_policies_elements_principal.md b/doc_source/reference_policies_elements_principal.md index 8903399e..5b0c3705 100644 --- a/doc_source/reference_policies_elements_principal.md +++ b/doc_source/reference_policies_elements_principal.md 
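Review bot: the added sentence says `aws:ResourceTag` "is returned only for resources that support authorization based on tags"; the key is not returned to anyone, it is present or absent in the request context, so keep the bullet's own wording ("is included in the request context"). Since the hunk now documents a case where the key is absent, state what a condition on it evaluates to then (an absent key makes a `StringEquals` test false but a `StringNotEquals` test true), because that decides whether a policy relying on it fails closed or open, especially in `Deny` statements.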
@@ -12,7 +12,7 @@ You can specify any of the following principals in a policy: + Anonymous users \(not recommended\) Use the `Principal` element in these ways: -+ In IAM roles, use the `Principal` element in the role's trust policy to specify who can assume the role\. For cross\-account access, you must specify the 12\-digit identifier of the trusted account\. ++ In IAM roles, use the `Principal` element in the role's trust policy to specify who can assume the role\. For cross\-account access, you must specify the 12\-digit identifier of the trusted account\. To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. **Note** After you create the role, you can change the account to "\*" to allow everyone to assume the role\. If you do this, we strongly recommend that you limit who can access the role through other means, such as a `Condition` element that limits access to only certain IP addresses\. Do not leave your role accessible to everyone\! + In resource\-based policies, use the `Principal` element to specify the accounts or users who are allowed to access the resource\. diff --git a/doc_source/reference_policies_iam-condition-keys.md b/doc_source/reference_policies_iam-condition-keys.md index e9db1eab..416222f6 100644 --- a/doc_source/reference_policies_iam-condition-keys.md +++ b/doc_source/reference_policies_iam-condition-keys.md 
@@ -135,7 +135,7 @@ If you are working with [SAML\-based federation](https://docs.aws.amazon.com/STS ### SAML Role Trust Policies -In the trust policy of a role, you can include the following keys, which help you establish whether the caller is allowed to assume the role\. Except for `saml:doc`, all the values are derived from the SAML assertion\. Items in the list that are marked with an asterisk \(\*\) are available in the console UI to create conditions\. Items marked with **\[\]** *can* have a value that is a list of the specified type\. +In the trust policy of a role, you can include the following keys, which help you establish whether the caller is allowed to assume the role\. Except for `saml:doc`, all the values are derived from the SAML assertion\. All items in the list are available in the IAM console visual editor when you create or edit a policy with conditions\. Items marked with **\[\]** *can* have a value that is a list of the specified type\. **saml:aud** Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. @@ -149,7 +149,7 @@ This is a `commonName` attribute\. Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is an `eduOrg` attribute\. -**saml:doc**\* +**saml:doc** Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This represents the principal that was used to assume the role\. The format is *account\-ID*/*provider\-friendly\-name*, such as `123456789012/SAMLProviderName`\. The *account\-ID* value refers to the account that owns the [SAML provider](id_roles_providers_create_saml.md)\. 
@@ -161,7 +161,7 @@ This is an `eduPerson` attribute\. Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is an `eduPerson` attribute\. -**saml:edupersonentitlement**\[\]\* +**saml:edupersonentitlement**\[\] Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is an `eduPerson` attribute\. @@ -169,7 +169,7 @@ This is an `eduPerson` attribute\. Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is an `eduPerson` attribute\. -**saml:edupersonorgdn**\* +**saml:edupersonorgdn** Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is an `eduPerson` attribute\. @@ -221,7 +221,7 @@ This is an `eduOrg` attribute\. Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is a `givenName` attribute\. -**saml:iss**\* +**saml:iss** Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. The issuer, which is represented by a URN\. @@ -233,7 +233,7 @@ This is a `mail` attribute\. Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is a `name` attribute\. -**saml:namequalifier**\* +**saml:namequalifier** Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. A hash value based on the friendly name of the SAML provider\. The value is the concatenation of the following values, in order and separated by a '/' character: 
@@ -252,11 +252,11 @@ This is an `organizationStatus` attribute\. Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is a `primaryGroupSID` attribute\. -**saml:sub**\* +**saml:sub** Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This is the subject of the claim, which includes a value that uniquely identifies an individual user within an organization \(for example, `_cbb88bf52c2510eabe00c1642d4643f41430fe25e3`\)\. -**saml:sub\_type**\* +**saml:sub\_type** Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String)\. This key can have the value `persistent`, `transient`, or consist of the full `Format` URI from the `Subject` and `NameID` elements used in your SAML assertion\. A value of `persistent` indicates that the value in `saml:sub` is the same for a user between sessions\. If the value is `transient`, the user has a different `saml:sub` value for each session\. For information about the `NameID` element's `Format` attribute, see [Configuring SAML Assertions for the Authentication Response](id_roles_providers_create_saml_assertions.md)\. diff --git a/doc_source/roles-managingrole-editing-api.md b/doc_source/roles-managingrole-editing-api.md new file mode 100644 index 00000000..ee949227 --- /dev/null +++ b/doc_source/roles-managingrole-editing-api.md 
@@ -0,0 +1,143 @@ +# Modifying a Role \(AWS API\) + +You can use the AWS API to modify a role\. To change the set of tags on a role, see [Managing Tags on IAM Entities \(Console\)](id_tags.md#id_tags_procs-console)\. + +**Topics** ++ [Modifying a Role Trust Policy \(AWS API\)](#roles-managingrole_edit-trust-policy-api) ++ [Modifying a Role Permissions Policy \(AWS API\)](#roles-modify_permissions-policy-api) ++ [Modifying a Role Description \(AWS API\)](#roles-modify_description-api) ++ [Modifying a Role Maximum Session Duration \(AWS API\)](#roles-modify_max-session-duration-api) ++ [Modifying a Role Permissions Boundary \(AWS API\)](#roles-modify_permissions-boundary-api) + +## Modifying a Role Trust Policy \(AWS API\) + +To change who can assume a role, you must modify the role's trust policy\. You cannot modify the trust policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)*\. + +**Note** +If a user is listed as the principal in a role's trust policy but cannot assume the role, check the user's [permissions boundary](access_policies_boundaries.md)\. If a permissions boundary is set for the user, then it must allow the `sts:AssumeRole` action\. + +**To modify a role trust policy \(AWS API\)** + +1. \(Optional\) If you don't know the name of the role that you want to modify, call the following operation to list the roles in your account: + + [ListRoles](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRoles.html) + +1. \(Optional\) To view the current trust policy for a role, call the following operation: + + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) + +1. To modify the trusted principals that can access the role, create a text file with the updated trust policy\. You can use any text editor to construct the policy\. + + For example, the following trust policy shows how to reference two AWS accounts in the `Principal` element\. 
This allows users within two separate AWS accounts to assume this role\. + + ``` + { + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Principal": {"AWS": [ + "arn:aws:iam::111122223333:root", + "arn:aws:iam::444455556666:root" + ]}, + "Action": "sts:AssumeRole" + } + } + ``` + + If you specify a principal in another account, adding an account to the trust policy of a role is only half of establishing the cross\-account trust relationship\. By default, no users in the trusted accounts can assume the role\. The administrator for the newly trusted account must grant the users the permission to assume the role\. To do that, the administrator must create or edit a policy that is attached to the user to allow the user access to the `sts:AssumeRole` action\. For more information, see the following procedure or [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. + +1. To use the file that you just created to update the trust policy, call the following operation: + + [UpdateAssumeRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAssumeRolePolicy.html) + +**To allow users in a trusted external account to use the role \(AWS API\)** + +For more information and detail about this procedure, see [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. + +1. Create a JSON file that contains a permissions policy that grants permissions to assume the role\. For example, the following policy contains the minimum necessary permissions: + + ``` + { + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::ACCOUNT-ID-THAT-CONTAINS-ROLE:role/ROLE-NAME" + } + } + ``` + + Replace the ARN in the statement with the ARN of the role that the user can assume\. + +1. 
Call the following operation to upload the JSON file that contains the trust policy to IAM: + + [CreatePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html) + + The output of this operation includes the ARN of the policy\. Make a note of this ARN because you will need it in a later step\. + +1. Decide which user or group to attach the policy to\. If you don't know the name of the intended user or group, call one of the following operations to list the users or groups in your account: + + [ListUsers](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html) + + [ListGroups](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroups.html) + +1. Call one of the following operations to attach the policy that you created in the previous step to the user or group: + + API: [AttachUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html) + + [AttachGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html) + +## Modifying a Role Permissions Policy \(AWS API\) + +To change the permissions allowed by the role, modify the role's permissions policy \(or policies\)\. You cannot modify the permissions policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)* in IAM\. You might be able to modify the permissions policy within the service that depends on the role\. To check whether a service supports this feature, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes **in the **Service\-linked roles** column\. Choose a **Yes** with a link to view the service\-linked role documentation for that service\. + +**To change the permissions allowed by a role \(AWS API\)** + +1. \(Optional\) To view the current permissions associated with a role, call the following operations: + + 1. 
[ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html) to list inline policies + + 1. [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html) to list managed policies + +1. The operation to update permissions for the role differs depending on whether you are updating a managed policy or an inline policy\. + + To update a managed policy, call the following operation to create a new version of the managed policy: + + [CreatePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html) + + To update an inline policy, call the following operation: + + [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html) + +## Modifying a Role Description \(AWS API\) + +To change the description of the role, modify the description text\. + +**To change the description of a role \(AWS API\)** + +1. \(Optional\) To view the current description for a role, call the following operation: + + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) + +1. To update a role's description, call the following operation with the description parameter: + + [UpdateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRole.html) + +## Modifying a Role Maximum Session Duration \(AWS API\) + +To specify the maximum session duration setting for roles that are assumed using the AWS CLI or API, modify the maximum session duration setting's value\. This setting can have a value from 1 hour to 12 hours\. If you do not specify a value, the default maximum of 1 hour is applied\. This setting does not limit sessions assumed by AWS services\. + +**Note** +Anyone who assumes the role from the AWS CLI or API can use the `duration-seconds` CLI parameter or the `DurationSeconds` API parameter to request a longer session\. 
The `MaxSessionDuration` setting determines the maximum duration of the role session that can be requested using the `DurationSeconds` parameter\. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour\. + +**To change the maximum session duration setting for roles that are assumed using the API \(AWS API\)** + +1. \(Optional\) To view the current maximum session duration setting for a role, call the following operation: + + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) + +1. To update a role's maximum session duration setting, call the following operation with the `max-sessionduration` CLI parameter or the `MaxSessionDuration` API parameter: + + [UpdateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRole.html) + + Your changes don't take effect until the next time someone assumes this role\. To learn how to revoke existing sessions for this role, see [Revoking IAM Role Temporary Security Credentials](id_roles_use_revoke-sessions.md)\. + +## Modifying a Role Permissions Boundary \(AWS API\) + +To change the maximum permissions allowed for a role, modify the role's [permissions boundary](access_policies_boundaries.md)\. + +**To change the managed policy used to set the permissions boundary for a role \(AWS API\)** + +1. \(Optional\) To view the current [permissions boundary](access_policies_boundaries.md) for a role, call the following operation: + + [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) + +1. To use a different managed policy to update the permissions boundary for a role, call the following operation: + + [PutRolePermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePermissionsBoundary.html) + + A role can have only one managed policy set as a permissions boundary\. If you change the permissions boundary, you change the maximum permissions allowed for a role\. 
\ No newline at end of file diff --git a/doc_source/roles-managingrole-editing-cli.md b/doc_source/roles-managingrole-editing-cli.md new file mode 100644 index 00000000..62409121 --- /dev/null +++ b/doc_source/roles-managingrole-editing-cli.md 
@@ -0,0 +1,143 @@ +# Modifying a Role \(AWS CLI\) + +You can use the AWS Command Line Interface to modify a role\. To change the set of tags on a role, see [Managing Tags on IAM Entities \(Console\)](id_tags.md#id_tags_procs-console)\. + +**Topics** ++ [Modifying a Role Trust Policy \(AWS CLI\)](#roles-managingrole_edit-trust-policy-cli) ++ [Modifying a Role Permissions Policy \(AWS CLI\)](#roles-modify_permissions-policy-cli) ++ [Modifying a Role Description \(AWS CLI\)](#roles-modify_description-cli) ++ [Modifying a Role Maximum Session Duration \(AWS CLI\)](#roles-modify_max-session-duration-cli) ++ [Modifying a Role Permissions Boundary \(AWS CLI\)](#roles-modify_permissions-boundary-cli) + +## Modifying a Role Trust Policy \(AWS CLI\) + +To change who can assume a role, you must modify the role's trust policy\. You cannot modify the trust policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)*\. + +**Note** +If a user is listed as the principal in a role's trust policy but cannot assume the role, check the user's [permissions boundary](access_policies_boundaries.md)\. If a permissions boundary is set for the user, then it must allow the `sts:AssumeRole` action\. + +**To modify a role trust policy \(AWS CLI\)** + +1. \(Optional\) If you don't know the name of the role that you want to modify, run the following command to list the roles in your account: + + [aws iam list\-roles](https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html) + +1. \(Optional\) To view the current trust policy for a role, run the following command: + + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) + +1. To modify the trusted principals that can access the role, create a text file with the updated trust policy\. You can use any text editor to construct the policy\. + + For example, the following trust policy shows how to reference two AWS accounts in the `Principal` element\. 
This allows users within two separate AWS accounts to assume this role\. + + ``` + { + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Principal": {"AWS": [ + "arn:aws:iam::111122223333:root", + "arn:aws:iam::444455556666:root" + ]}, + "Action": "sts:AssumeRole" + } + } + ``` + + If you specify a principal in another account, adding an account to the trust policy of a role is only half of establishing the cross\-account trust relationship\. By default, no users in the trusted accounts can assume the role\. The administrator for the newly trusted account must grant the users the permission to assume the role\. To do that, the administrator must create or edit a policy that is attached to the user to allow the user access to the `sts:AssumeRole` action\. For more information, see the following procedure or [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. + +1. To use the file that you just created to update the trust policy, run the following command: + + [aws iam update\-assume\-role\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/update-assume-role-policy.html) + +**To allow users in a trusted external account to use the role \(AWS CLI\)** + +For more information and detail about this procedure, see [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. + +1. Create a JSON file that contains a permissions policy that grants permissions to assume the role\. For example, the following policy contains the minimum necessary permissions: + + ``` + { + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::ACCOUNT-ID-THAT-CONTAINS-ROLE:role/ROLE-NAME" + } + } + ``` + + Replace the ARN in the statement with the ARN of the role that the user can assume\. + +1. 
Run the following command to upload the JSON file that contains the trust policy to IAM: + + [aws iam create\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html) + + The output of this command includes the ARN of the policy\. Make a note of this ARN because you will need it in a later step\. + +1. Decide which user or group to attach the policy to\. If you don't know the name of the intended user or group, use one of the following commands to list the users or groups in your account: + + [aws iam list\-users](https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html) + + [aws iam list\-groups](https://docs.aws.amazon.com/cli/latest/reference/iam/list-groups.html) + +1. Use one of the following commands to attach the policy that you created in the previous step to the user or group: + + [aws iam attach\-user\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-user-policy.html) + + [aws iam attach\-group\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html) + +## Modifying a Role Permissions Policy \(AWS CLI\) + +To change the permissions allowed by the role, modify the role's permissions policy \(or policies\)\. You cannot modify the permissions policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)* in IAM\. You might be able to modify the permissions policy within the service that depends on the role\. To check whether a service supports this feature, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes **in the **Service\-linked roles** column\. Choose a **Yes** with a link to view the service\-linked role documentation for that service\. + +**To change the permissions allowed by a role \(AWS CLI\)** + +1. \(Optional\) To view the current permissions associated with a role, run the following commands: + + 1. 
[aws iam list\-role\-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html) to list inline policies + + 1. [aws iam list\-attached\-role\-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html) to list managed policies + +1. The command to update permissions for the role differs depending on whether you are updating a managed policy or an inline policy\. + + To update a managed policy, run the following command to create a new version of the managed policy: + + [aws iam create\-policy\-version](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy-version.html) + + To update an inline policy, run the following command: + + [aws iam put\-role\-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html) + +## Modifying a Role Description \(AWS CLI\) + +To change the description of the role, modify the description text\. + +**To change the description of a role \(AWS CLI\)** + +1. \(Optional\) To view the current description for a role, run the following command: + + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) + +1. To update a role's description, run the following command with the description parameter: + + [aws iam update\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/update-role.html) + +## Modifying a Role Maximum Session Duration \(AWS CLI\) + +To specify the maximum session duration setting for roles that are assumed using the AWS CLI or API, modify the maximum session duration setting's value\. This setting can have a value from 1 hour to 12 hours\. If you do not specify a value, the default maximum of 1 hour is applied\. This setting does not limit sessions assumed by AWS services\. + +**Note** +Anyone who assumes the role from the AWS CLI or API can use the `duration-seconds` CLI parameter or the `DurationSeconds` API parameter to request a longer session\. 
The `MaxSessionDuration` setting determines the maximum duration of the role session that can be requested using the `DurationSeconds` parameter\. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour\. + +**To change the maximum session duration setting for roles that are assumed using the AWS CLI \(AWS CLI\)** + +1. \(Optional\) To view the current maximum session duration setting for a role, run the following command: + + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) + +1. To update a role's maximum session duration setting, run the following command with the `max-sessionduration` CLI parameter or the `MaxSessionDuration` API parameter: + + [aws iam update\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/update-role.html) + + Your changes don't take effect until the next time someone assumes this role\. To learn how to revoke existing sessions for this role, see [Revoking IAM Role Temporary Security Credentials](id_roles_use_revoke-sessions.md)\. + +## Modifying a Role Permissions Boundary \(AWS CLI\) + +To change the maximum permissions allowed for a role, modify the role's [permissions boundary](access_policies_boundaries.md)\. + +**To change the managed policy used to set the permissions boundary for a role \(AWS CLI\)** + +1. \(Optional\) To view the current [permissions boundary](access_policies_boundaries.md) for a role, run the following command: + + [aws iam get\-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) + +1. To use a different managed policy to update the permissions boundary for a role, run the following command: + + [aws iam put\-role\-permissions\-boundary](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-permissions-boundary.html) + + A role can have only one managed policy set as a permissions boundary\. 
If you change the permissions boundary, you change the maximum permissions allowed for a role\. \ No newline at end of file diff --git a/doc_source/roles-managingrole-editing-console.md b/doc_source/roles-managingrole-editing-console.md new file mode 100644 index 00000000..8489f96e --- /dev/null +++ b/doc_source/roles-managingrole-editing-console.md 
@@ -0,0 +1,160 @@ +# Modifying a Role \(Console\) + +You can use the AWS Management Console to modify a role\. To change the set of tags on a role, see [Managing Tags on IAM Entities \(Console\)](id_tags.md#id_tags_procs-console)\. + +**Topics** ++ [Modifying a Role Trust Policy \(Console\)](#roles-managingrole_edit-trust-policy) ++ [Modifying a Role Permissions Policy \(Console\)](#roles-modify_permissions-policy) ++ [Modifying a Role Description \(Console\)](#roles-modify_description) ++ [Modifying a Role Maximum Session Duration \(Console\)](#roles-modify_max-session-duration) ++ [Modifying a Role Permissions Boundary \(Console\)](#roles-modify_permissions-boundary) + +## Modifying a Role Trust Policy \(Console\) + +To change who can assume a role, you must modify the role's trust policy\. You cannot modify the trust policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)*\. + +**Note** +If a user is listed as the principal in a role's trust policy but cannot assume the role, check the user's [permissions boundary](access_policies_boundaries.md)\. If a permissions boundary is set for the user, then it must allow the `sts:AssumeRole` action\. + +**To modify a role trust policy \(console\)** + +1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. In the navigation pane of the IAM console, choose **Roles**\. + +1. In the list of roles in your account, choose the name of the role that you want to modify\. + +1. Choose the **Trust relationships** tab, and then choose **Edit trust relationship**\. + +1. Edit the trust policy as needed\. To add additional principals that can assume the role, specify them in the `Principal` element\. 
For example, the following policy snippet shows how to reference two AWS accounts in the `Principal` element: + + ``` + "Principal": { + "AWS": [ + "arn:aws:iam::111122223333:root", + "arn:aws:iam::444455556666:root" + ] + }, + ``` + + If you specify a principal in another account, adding an account to the trust policy of a role is only half of establishing the cross\-account trust relationship\. By default, no users in the trusted accounts can assume the role\. The administrator for the newly trusted account must grant the users the permission to assume the role\. To do that, the administrator must create or edit a policy that is attached to the user to allow the user access to the `sts:AssumeRole` action\. For more information, see the following procedure or [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. + + The following policy snippet shows how to reference two AWSservices in the `Principal` element: + + ``` + "Principal": { + "Service": [ + "opsworks.amazonaws.com", + "ec2.amazonaws.com" + ] + }, + ``` + +1. When you are finished editing your trust policy, choose **Update Trust Policy** to save your changes\. + + For more information about policy structure and syntax, see [Policies and Permissions](access_policies.md) and the [IAM JSON Policy Elements Reference](reference_policies_elements.md)\. + +**To allow users in a trusted external account to use the role \(console\)** + +For more information and detail about this procedure, see [Granting a User Permissions to Switch Roles](id_roles_use_permissions-to-switch.md)\. + +1. Sign in to the trusted external AWS account\. + +1. Decide whether to attach the permissions to a user or to a group\. In the navigation pane of the IAM console, choose **Users** or **Groups** accordingly\. + +1. Choose the name of the user or group to which you want to grant access, and then choose the **Permissions** tab\. + +1. 
Do one of the following: + + To edit a customer managed policy, choose the name of the policy, choose **Edit policy**, and then choose the **JSON** tab\. You cannot edit an AWS managed policy\. AWS managed policies appear with the AWS icon \(![\[Image NOT FOUND\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_icon.png)\)\. For more information about the difference between AWS managed policies and customer managed policies, see [Managed Policies and Inline Policies](access_policies_managed-vs-inline.md)\. + + To edit an inline policy, choose the arrow next to the name of the policy and choose **Edit policy**\. + +1. In the policy editor, add a new `Statement` element that specifies the following: + + ``` + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::ACCOUNT-ID:role/ROLE-NAME" + } + ``` + + Replace the ARN in the statement with the ARN of the role that the user can assume\. + +1. Follow the prompts on screen to finish editing the policy\. + +## Modifying a Role Permissions Policy \(Console\) + +To change the permissions allowed by the role, modify the role's permissions policy \(or policies\)\. You cannot modify the permissions policy for a *[service\-linked role](id_roles_terms-and-concepts.md#iam-term-service-linked-role)* in IAM\. You might be able to modify the permissions policy within the service that depends on the role\. To check whether a service supports this feature, see [AWS Services That Work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes **in the **Service\-linked roles** column\. Choose a **Yes** with a link to view the service\-linked role documentation for that service\. + +**To change the permissions allowed by a role \(console\)** + +1. Open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. In the navigation pane of the IAM console, choose **Roles**\. + +1. 
Choose the name of the role that you want to modify, and then choose the **Permissions** tab\. + +1. Do one of the following: + + To edit an existing customer managed policy, choose the name of the policy and then choose **Edit policy**\. +**Note** +You cannot edit an AWS managed policy\. AWS managed policy appear with the AWS icon \(![\[Image NOT FOUND\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_icon.png)\)\. For more information about the difference between AWS managed policies and customer managed policies, see [Managed Policies and Inline Policies](access_policies_managed-vs-inline.md)\. + + To attach an existing managed policy to the role, choose **Add permissions**\. + + To edit an existing inline policy, choose the arrow next to the name of the policy and choose **Edit Policy**\. + + To embed a new inline policy, choose **Add inline policy**\. + +## Modifying a Role Description \(Console\) + +To change the description of the role, modify the description text\. + +**To change the description of a role \(console\)** + +1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. In the navigation pane of the IAM console, choose **Roles**\. + +1. Choose the name of the role to modify\. + +1. Next to **Role description** and on the far right, choose **Edit**\. + +1. Type a new description in the box and choose **Save**\. + +## Modifying a Role Maximum Session Duration \(Console\) + +To specify the maximum session duration setting for roles that are assumed using the AWS CLI or API, modify the maximum session duration setting's value\. This setting can have a value from 1 hour to 12 hours\. If you do not specify a value, the default maximum of 1 hour is applied\. This setting does not limit sessions assumed by AWS services\. 
+ +**Note** +Anyone who assumes the role from the AWS CLI or API can use the `duration-seconds` CLI parameter or the `DurationSeconds` API parameter to request a longer session\. The `MaxSessionDuration` setting determines the maximum duration of the role session that can be requested using the `DurationSeconds` parameter\. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour\. + +**To change the maximum session duration setting for roles that are assumed using the AWS CLI or API \(console\)** + +1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. In the navigation pane of the IAM console, choose **Roles**\. + +1. Choose the name of the role to modify\. + +1. Next to **Maximum CLI/API session duration** choose a value\. Or choose **Custom duration** and type a value \(in seconds\)\. + +1. Choose **Save**\. + + Your changes don't take effect until the next time someone assumes this role\. To learn how to revoke existing sessions for this role, see [Revoking IAM Role Temporary Security Credentials](id_roles_use_revoke-sessions.md)\. + +## Modifying a Role Permissions Boundary \(Console\) + +To change the maximum permissions allowed for a role, modify the role's [permissions boundary](access_policies_boundaries.md)\. + +**To change the policy used to set the permissions boundary for a role** + +1. Sign in to the AWS Management Console and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. + +1. In the navigation pane, choose **Roles**\. + +1. Choose the name of the role whose [permissions boundary](access_policies_boundaries.md) you want to change\. + +1. Choose the **Permissions** tab\. If necessary, open the **Permissions boundary** section and then choose **Change boundary**\. + +1. 
Select the policy that you want to use for the permissions boundary\. + +1. Choose **Change boundary**\. + + Your changes don't take effect until the next time someone assumes this role\. \ No newline at end of file diff --git a/doc_source/troubleshoot_iam-ec2.md b/doc_source/troubleshoot_iam-ec2.md index 226f7b47..4ff0721d 100644 --- a/doc_source/troubleshoot_iam-ec2.md +++ b/doc_source/troubleshoot_iam-ec2.md @@ -45,13 +45,15 @@ For more information about the permissions necessary to work with roles, see "Ho ## I Can't Access the Temporary Security Credentials on My EC2 Instance -Check the following: +To access temporary security credentials on your EC2 instance, you must first use the IAM console to create a role\. Then you launch an EC2 instance that uses that role and examine the running instance\. For more information, see **How Do I Get Started?** in [Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances](id_roles_use_switch-role-ec2.md)\. + +If you still can't access your temporary security credentials on your EC2 instance, check the following: + Can you access another part of the instance metadata service \(IMDS\)? If not, check that you have no firewall rules blocking access to requests to the IMDS\. ``` [ec2-user@domU-12-31-39-0A-8D-DE ~]$ GET http://169.254.169.254/latest/meta-data/hostname; echo ``` -+ Does the `iam` subtree of the IMDS exist? If not, verify that your instance has an IAM instance profile associated with it by calling `ec2:DescribeInstances`\. ++ Does the `iam` subtree of the IMDS exist? If not, verify that your instance has an IAM instance profile associated with it by calling the EC2 `DescribeInstances` API operation or using the aws ec2 `describe-instances` CLI command\. ``` [ec2-user@domU-12-31-39-0A-8D-DE ~]$ GET http://169.254.169.254/latest/meta-data/iam; echo 
@@ -64,7 +66,7 @@ Check the following: ## What Do the Errors from the `info` Document in the IAM Subtree Mean? -### The `iam/info` Document Iindicates `"Code":"InstanceProfileNotFound"` +### The `iam/info` Document Iindicates `"Code":"InstanceProfileNotFound"` Your IAM instance profile has been deleted and Amazon EC2 can no longer provide credentials to your instance\. You must attach a valid instance profile to your Amazon EC2 instance\. @@ -78,11 +80,11 @@ If an instance profile with that name exists, check that the instance profile wa If the IDs are different, then the instance profile attached to your instances is no longer valid\. You must attach a valid instance profile to the instance\. -### The `iam/info` Document Indicates a Success but Indicates `"Message":"Instance Profile does not contain a role..."` +### The `iam/info` Document Indicates a Success but Indicates `"Message":"Instance Profile does not contain a role..."` The role has been removed from the instance profile by the IAM `RemoveRoleFromInstanceProfile` action\. You can use the IAM `AddRoleToInstanceProfile` action to attach a role to the instance profile\. Your application will need to wait until the next scheduled refresh to access the credentials for the role\. -### The `iam/security-credentials/[role-name]` Document Indicates `"Code":"AssumeRoleUnauthorizedAccess"` +### The `iam/security-credentials/[role-name]` Document Indicates `"Code":"AssumeRoleUnauthorizedAccess"` Amazon EC2 does not have permission to assume the role\. Permission to assume the role is controlled by the trust policy attached to the role, like the example that follows\. Use the IAM `UpdateAssumeRolePolicy` API to update the trust policy\. diff --git a/doc_source/tutorial_abac-saml.md b/doc_source/tutorial_abac-saml.md index 2e2d2bfc..5cbbcecf 100644 --- a/doc_source/tutorial_abac-saml.md +++ b/doc_source/tutorial_abac-saml.md 
@@ -32,7 +32,7 @@ When you use the ABAC tutorial for SAML, you must perform additional steps to cr Create a single role that trusts your SAML identity provider and the `test-session-tags` user that you created in step 1\. The ABAC tutorial uses separate roles with different role tags\. Because you are passing session tags from your SAML IdP, you need only one role\. To learn how to create a SAML\-based role, see [Creating a Role for SAML 2\.0 Federation \(Console\)](id_roles_create_for-idp_saml.md)\. -Name the role `access-session-tags`\. Attach the `access-same-project-team` permissions policy to the role\. Edit the role trust policy to use the following policy\. For detailed instructions on how to edit the trust relationship of a role, see [Modifying a Role \(Console\)](id_roles_manage_modify.md#roles-managingrole-editing-console)\. +Name the role `access-session-tags`\. Attach the `access-same-project-team` permissions policy to the role\. Edit the role trust policy to use the following policy\. For detailed instructions on how to edit the trust relationship of a role, see [Modifying a Role \(Console\)](roles-managingrole-editing-console.md)\. The following role trust policy allows your SAML identity provider and the `test-session-tags` user to assume the role\. When they assume the role, they must pass the three specified session tags\. The `sts:TagSession` action is required to allow passing session tags\. diff --git a/doc_source/tutorial_cross-account-with-roles.md b/doc_source/tutorial_cross-account-with-roles.md index 3e139b20..44103c59 100644 --- a/doc_source/tutorial_cross-account-with-roles.md +++ b/doc_source/tutorial_cross-account-with-roles.md 
@@ -46,7 +46,7 @@ Before you can create a role, you need the account ID of the Development AWS acc 1. Sign in to the AWS Management Console as an administrator of the Development account, and open the IAM console at [https://console\.aws\.amazon\.com/iam/](https://console.aws.amazon.com/iam/)\. -1. In navigation bar, choose **Support**, and then **Support Center**\. The **Account Number** is in the upper right corner immediately below the **Support** menu\. The account ID is a 12\-digit number\. For this scenario, we pretend the Development account ID is 111111111111\. However, you should use a valid account ID if you are reconstructing the scenario in your test environment\. +1. In the navigation bar, choose **Support**, and then **Support Center**\. Your currently signed\-in 12\-digit account number \(ID\) appears in the **Support Center** title bar\. For this scenario, we pretend the Development account ID is 111111111111\. However, you should use a valid account ID if you are reconstructing the scenario in your test environment\. **To create a role in the Production account that can be used by the Development account** @@ -337,6 +337,7 @@ For a code example \(using Python\), see [Switching to an IAM Role \(AWS API\)]( ## Related Resources + For more information about IAM users and groups, see [Identities \(Users, Groups, and Roles\)](id.md) \. + For more information about Amazon S3 buckets, see [Create a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html) in the *Amazon Simple Storage Service Getting Started Guide*\. ++ To learn whether principals in accounts outside of your zone of trust \(trusted organization, OU, or account\) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)\. ## Summary diff --git a/doc_source/what-is-access-analyzer.md b/doc_source/what-is-access-analyzer.md new file mode 100644 index 00000000..2971e68c --- /dev/null 
+++ b/doc_source/what-is-access-analyzer.md 
@@ -0,0 +1,19 @@ +# What Is IAM Access Analyzer? + +IAM Access Analyzer informs you which resources in your account that you are sharing with external principals\. It does this by using logic\-based reasoning to analyze resource\-based policies in your AWS environment\. An external entity can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, an anonymous user, or other entity that you can use to [create a filter](access-analyzer-findings-filter.md)\. For more information, see [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)\. + +When you enable Access Analyzer, you create an analyzer for your account\. Your account is the zone of trust for the analyzer\. The analyzer monitors all of the supported resources within your zone of trust\. Any access to resources by principals that are within your zone of trust is considered trusted\. Once enabled, Access Analyzer analyzes the policies applied to all of the supported resources in your account\. After the first analysis, Access Analyzer analyzes these policies once every 24 hours\. If a new policy is added, or an existing policy is changed, Access Analyzer analyzes the new or updated policy within about 30 minutes\. + +When analyzing the policies, if Access Analyzer identifies one that grants access to an external principal that isn't within your zone of trust, it generates a finding\. Each finding includes details about the resource, the external entity that has access to it, and the permissions granted so that you can take appropriate action\. You can view the details included in the finding to determine whether the resource access is intentional or a potential risk that you should resolve\. When you add a policy to a resource, or update an existing policy, Access Analyzer analyzes the policy\. Access Analyzer also analyzes all resource\-based policies every 24 hours\. 
+ +On rare occasions under certain conditions, Access Analyzer is not notified that a policy was added or updated\. When this happens, Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours\. If you want to confirm that a change you make to a policy resolves an access issue reported in a finding, you can rescan the resource reported in a finding\. To learn more, see [Resolving Findings](access-analyzer-findings-remediate.md)\. + +**Important** +Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in\. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources\. + +Access Analyzer analyzes the following resource types: ++ [Amazon Simple Storage Service Buckets](access-analyzer-resources.md#access-analyzer-s3) ++ [AWS Identity and Access Management Roles](access-analyzer-resources.md#access-analyzer-iam-role) ++ [AWS Key Management Service Keys](access-analyzer-resources.md#access-analyzer-kms-key) ++ [AWS Lambda Functions and Layers](access-analyzer-resources.md#access-analyzer-lambda) ++ [Amazon Simple Queue Service Queues](access-analyzer-resources.md#access-analyzer-sqs) \ No newline at end of file
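Review bot: In the `Modifying a Role Permissions Policy (Console)` section of the id_roles_manage_modify.md hunk, the Note reads "AWS managed policy appear with the AWS icon"; it should be "AWS managed policies appear with the AWS icon", matching the wording used a few lines earlier in the trust-policy procedure. The same section labels the inline-policy button **Edit Policy** while every other occurrence in the hunk uses **Edit policy**; pick one capitalization. The icon reference also renders as "Image NOT FOUND" with an absolute docs.aws.amazon.com URL, so the image will not display for readers of the markdown source unless it is vendored into the repo or the reference is dropped.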
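Review bot: In the second bullet of the troubleshoot_iam-ec2.md hunk at `@@ -45,13 +45,15 @@`, the CLI command is only half code-formatted: "using the aws ec2 `describe-instances` CLI command" should be "using the `aws ec2 describe-instances` CLI command" so the whole invocation is in code font. The new lead-in paragraph also says "you must first use the IAM console to create a role" although this topic otherwise covers API and CLI troubleshooting; "use IAM to create a role" would not tell readers who created the role with the CLI or CloudFormation that they did it wrong.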
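Review bot: The heading typo "Iindicates" in ``### The `iam/info` Document Iindicates `"Code":"InstanceProfileNotFound"` `` survives the troubleshoot_iam-ec2.md hunk at `@@ -64,7 +66,7 @@` unchanged; since the line is already being rewritten (the `-` and `+` versions differ only in whitespace), fix it to "Indicates" here rather than in a later commit. The other two heading rewrites in the same hunk likewise show no visible change; if the intent is trailing-whitespace cleanup, the commit message should say so.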
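Review bot: The cross-reference in the tutorial_abac-saml.md hunk changes from an anchor inside an existing topic, `id_roles_manage_modify.md#roles-managingrole-editing-console`, to a standalone file `roles-managingrole-editing-console.md`. That file is not added anywhere in the visible patch, and the diffstat shows id_roles_manage_modify.md losing most of its content rather than a new topic appearing, so the link may be dangling; either add the new topic in this commit or keep the anchor form. The link text still reads "Modifying a Role (Console)", whereas the section headings in this patch are per-attribute (for example "Modifying a Role Permissions Policy (Console)"); check that the text matches the target heading.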
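Review bot: The new Related Resources bullet in the tutorial_cross-account-with-roles.md hunk at `@@ -337,6 +337,7 @@` links to `https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html`, while the two sibling bullets use relative links (`id.md`) and this same commit adds `doc_source/what-is-access-analyzer.md`; use `what-is-access-analyzer.md` so the link resolves inside the repo and does not depend on the hosted site.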
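Review bot: In the opening paragraph of the new what-is-access-analyzer.md, "informs you which resources in your account that you are sharing with external principals" has a stray "that"; read "informs you which resources in your account you are sharing with external principals". The same paragraph switches between "external principals" and "external entity" for one concept; since the findings filter documentation is linked from here, pick one term or state that the finding field is called "external entity". The last two sentences of the third paragraph ("When you add a policy to a resource, or update an existing policy, Access Analyzer analyzes the policy. Access Analyzer also analyzes all resource-based policies every 24 hours.") restate the on-change and 24-hour scan cadence already given in the second paragraph and again in the fourth; consolidate to a single statement of the cadence. The file also ends without a trailing newline (`\ No newline at end of file`); add one.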