Change log of AWS IAM permissions

2022-12-03

31 new actions

Additions

Actions

CreateAwsLogSource
- Description: Grants permission to enable any source type in any region for accounts that are either part of a trusted organization or standalone accounts
- Access: Write
- Dependents:
  iam:CreateServiceLinkedRole
  
  kms:CreateGrant
  
  kms:DescribeKey
CreateCustomLogSource
- Description: Grants permission to add a custom source name
- Access: Write
- Dependents:
  glue:CreateCrawler
  
  glue:CreateDatabase
  
  glue:CreateTable
  
  glue:StartCrawlerSchedule
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:PutRolePolicy
  
  kms:CreateGrant
  
  kms:DescribeKey
  
  kms:GenerateDataKey
  
  lakeformation:GrantPermissions
  
  lakeformation:RegisterResource
  
  s3:ListBucket
  
  s3:PutObject
CreateDatalake
- Description: Grants permission to create a new Security Data Lake
- Access: Write
- Dependents:
  events:PutRule
  
  events:PutTargets
  
  iam:CreateServiceLinkedRole
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:PutRolePolicy
  
  kms:CreateGrant
  
  kms:DescribeKey
  
  lakeformation:GetDataLakeSettings
  
  lakeformation:PutDataLakeSettings
  
  lambda:CreateEventSourceMapping
  
  lambda:CreateFunction
  
  organizations:DescribeOrganization
  
  organizations:ListDelegatedServicesForAccount
  
  s3:CreateBucket
  
  s3:ListBucket
  
  s3:PutBucketPolicy
  
  s3:PutBucketPublicAccessBlock
  
  s3:PutBucketVersioning
  
  sqs:CreateQueue
  
  sqs:GetQueueAttributes
  
  sqs:SetQueueAttributes
CreateDatalakeAutoEnable
- Description: Grants permission to add to the configuration for automatically enabling Amazon Security Lake access for new organization accounts
- Access: Write
CreateDatalakeDelegatedAdmin
- Description: Grants permission to designate the Amazon Security Lake administrator account for the organization
- Access: Write
- Dependents:
  iam:CreateServiceLinkedRole
  
  organizations:DescribeOrganization
  
  organizations:EnableAWSServiceAccess
  
  organizations:ListDelegatedAdministrators
  
  organizations:ListDelegatedServicesForAccount
  
  organizations:RegisterDelegatedAdministrator
CreateDatalakeExceptionsSubscription
- Description: Grants permission to get instant notifications about exceptions by subscribing to the SNS topics for exception notifications
- Access: Write
CreateSubscriber
- Description: Grants permission to create a subscription permission for accounts that are already enabled
- Access: Write
- Dependents:
  iam:CreateRole
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:PutRolePolicy
  
  lakeformation:GrantPermissions
  
  lakeformation:ListPermissions
  
  lakeformation:RegisterResource
  
  lakeformation:RevokePermissions
  
  ram:GetResourceShareAssociations
  
  ram:GetResourceShares
  
  ram:UpdateResourceShare
  
  s3:PutObject
CreateSubscriptionNotificationConfiguration
- Description: Grants permission to create a webhook invocation to notify a client when there is new data in the Data Lake
- Access: Write
- Dependents:
  events:CreateApiDestination
  
  events:CreateConnection
  
  events:DescribeRule
  
  events:ListApiDestinations
  
  events:ListConnections
  
  events:PutRule
  
  events:PutTargets
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  s3:GetBucketNotification
  
  s3:PutBucketNotification
  
  sqs:CreateQueue
  
  sqs:DeleteQueue
  
  sqs:GetQueueAttributes
  
  sqs:GetQueueUrl
  
  sqs:SetQueueAttributes
DeleteAwsLogSource
- Description: Grants permission to disable any source type in any region for accounts that are either part of a trusted organization or standalone accounts
- Access: Write
DeleteCustomLogSource
- Description: Grants permission to remove a custom source name
- Access: Write
- Dependents:
  glue:StopCrawlerSchedule
DeleteDatalake
- Description: Grants permission to delete all Security Data Lakes
- Access: Write
- Dependents:
  organizations:DescribeOrganization
  
  organizations:ListDelegatedAdministrators
  
  organizations:ListDelegatedServicesForAccount
DeleteDatalakeAutoEnable
- Description: Grants permission to remove from the existing configuration the automatic enabling of Amazon Security Lake access for new organization accounts
- Access: Write
DeleteDatalakeDelegatedAdmin
- Description: Grants permission to remove the Delegated Administrator account and disable Amazon Security Lake as a service for this organization
- Access: Write
- Dependents:
  organizations:DeregisterDelegatedAdministrator
  
  organizations:DescribeOrganization
  
  organizations:ListDelegatedServicesForAccount
DeleteDatalakeExceptionsSubscription
- Description: Grants permission to unsubscribe from SNS topics for exception notifications. Also, removes the SNS exception notifications topic
- Access: Write
DeleteSubscriber
- Description: Grants permission to delete the specified subscription permissions for accounts that are already enabled
- Access: Write
- Dependents:
  events:DeleteApiDestination
  
  events:DeleteConnection
  
  events:DeleteRule
  
  events:DescribeRule
  
  events:ListApiDestinations
  
  events:ListTargetsByRule
  
  events:RemoveTargets
  
  iam:DeleteRole
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:ListRolePolicies
  
  lakeformation:ListPermissions
  
  lakeformation:RevokePermissions
  
  sqs:DeleteQueue
  
  sqs:GetQueueUrl
DeleteSubscriptionNotificationConfiguration
- Description: Grants permission to remove a webhook invocation to notify a client when there is new data in the Data Lake
- Access: Write
- Dependents:
  events:DeleteApiDestination
  
  events:DeleteConnection
  
  events:DeleteRule
  
  events:DescribeRule
  
  events:ListApiDestinations
  
  events:ListTargetsByRule
  
  events:RemoveTargets
  
  iam:DeleteRole
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:ListRolePolicies
  
  lakeformation:RevokePermissions
  
  sqs:DeleteQueue
  
  sqs:GetQueueUrl
GetDatalake
- Description: Grants permission to get information on the Security Data Lake
- Access: Read
GetDatalakeAutoEnable
- Description: Grants permission to get an organization’s configuration setting for the automatic enabling of Amazon Security Lake access for new organization accounts
- Access: Read
- Dependents:
  organizations:DescribeOrganization
GetDatalakeExceptionsExpiry
- Description: Grants permission to allow user to query what was set as the expiration period for the exception message
- Access: Read
GetDatalakeExceptionsSubscription
- Description: Grants permission to query the protocol and endpoint that were supplied when subscribing to the SNS topics for exception notifications
- Access: Read
GetDatalakeStatus
- Description: Grants permission to get a static snapshot of the Security Data Lake in the current region, including enabled accounts and log sources
- Access: Read
GetSubscriber
- Description: Grants permission to get subscription information for a subscription permission for accounts that are already enabled
- Access: Read
GetSubscriptionNotificationConfiguration
- Description: Grants permission to get information for a webhook invocation to notify a client when there is new data in the Data Lake
- Access: Read
ListDatalakeExceptions
- Description: Grants permission to get the list of all non-retry-able failures
- Access: List
ListLogSources
- Description: Grants permission to show the estate view of enabled accounts with the enabled sources in the enabled regions
- Access: List
ListSubscribers
- Description: Grants permission to list all subscription permissions for accounts that are already enabled
- Access: List
UpdateDatalake
- Description: Grants permission to update a Security Data Lake
- Access: Write
- Dependents:
  events:PutRule
  
  events:PutTargets
  
  iam:CreateServiceLinkedRole
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:PutRolePolicy
  
  kms:CreateGrant
  
  kms:DescribeKey
  
  lakeformation:GetDataLakeSettings
  
  lakeformation:PutDataLakeSettings
  
  lambda:CreateEventSourceMapping
  
  lambda:CreateFunction
  
  organizations:DescribeOrganization
  
  organizations:ListDelegatedServicesForAccount
  
  s3:CreateBucket
  
  s3:ListBucket
  
  s3:PutBucketPolicy
  
  s3:PutBucketPublicAccessBlock
  
  s3:PutBucketVersioning
  
  sqs:CreateQueue
  
  sqs:GetQueueAttributes
  
  sqs:SetQueueAttributes
UpdateDatalakeExceptionsExpiry
- Description: Grants permission to control the time-to-live (TTL) for the exception message to remain in service cache
- Access: Write
UpdateDatalakeExceptionsSubscription
- Description: Grants permission to update subscriptions to the SNS topics for exception notifications
- Access: Write
UpdateSubscriber
- Description: Grants permission to update subscription information for a subscription permission for accounts that are already enabled
- Access: Write
- Dependents:
  events:CreateApiDestination
  
  events:CreateConnection
  
  events:DescribeRule
  
  events:ListApiDestinations
  
  events:ListConnections
  
  events:PutRule
  
  events:PutTargets
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:PutRolePolicy
UpdateSubscriptionNotificationConfiguration
- Description: Grants permission to update a webhook invocation to notify a client when there is new data in the Data Lake
- Access: Write
- Dependents:
  events:CreateApiDestination
  
  events:CreateConnection
  
  events:DescribeRule
  
  events:ListApiDestinations
  
  events:ListConnections
  
  events:PutRule
  
  events:PutTargets
  
  iam:CreateServiceLinkedRole
  
  iam:DeleteRolePolicy
  
  iam:GetRole
  
  iam:PutRolePolicy
  
  s3:CreateBucket
  
  s3:GetBucketNotification
  
  s3:ListBucket
  
  s3:PutBucketNotification
  
  s3:PutBucketPolicy
  
  s3:PutBucketPublicAccessBlock
  
  s3:PutBucketVersioning
  
  sqs:CreateQueue
  
  sqs:DeleteQueue
  
  sqs:GetQueueAttributes
  
  sqs:GetQueueUrl
  
  sqs:SetQueueAttributes

Amazon Security Lake (securitylake)

Additions