Amazon Security Lake (securitylake)

2022-12-03

31 new actions

Additions

    Actions
  • CreateAwsLogSource
    • Description:  Grants permission to enable any source type in any region for accounts that are either part of a trusted organization or standalone accounts
    • Access:  Write
    • Dependents:
      • iam:CreateServiceLinkedRole
      • kms:CreateGrant
      • kms:DescribeKey
  • CreateCustomLogSource
    • Description:  Grants permission to add a custom source name
    • Access:  Write
    • Dependents:
      • glue:CreateCrawler
      • glue:CreateDatabase
      • glue:CreateTable
      • glue:StartCrawlerSchedule
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:PutRolePolicy
      • kms:CreateGrant
      • kms:DescribeKey
      • kms:GenerateDataKey
      • lakeformation:GrantPermissions
      • lakeformation:RegisterResource
      • s3:ListBucket
      • s3:PutObject
  • CreateDatalake
    • Description:  Grants permission to create a new Security Data Lake
    • Access:  Write
    • Dependents:
      • events:PutRule
      • events:PutTargets
      • iam:CreateServiceLinkedRole
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:PutRolePolicy
      • kms:CreateGrant
      • kms:DescribeKey
      • lakeformation:GetDataLakeSettings
      • lakeformation:PutDataLakeSettings
      • lambda:CreateEventSourceMapping
      • lambda:CreateFunction
      • organizations:DescribeOrganization
      • organizations:ListDelegatedServicesForAccount
      • s3:CreateBucket
      • s3:ListBucket
      • s3:PutBucketPolicy
      • s3:PutBucketPublicAccessBlock
      • s3:PutBucketVersioning
      • sqs:CreateQueue
      • sqs:GetQueueAttributes
      • sqs:SetQueueAttributes
  • CreateDatalakeAutoEnable
    • Description:  Grants permission to add to the configuration for automatically enabling Amazon Security Lake access for new organization accounts
    • Access:  Write
  • CreateDatalakeDelegatedAdmin
    • Description:  Grants permission to designate the Amazon Security Lake administrator account for the organization
    • Access:  Write
    • Dependents:
      • iam:CreateServiceLinkedRole
      • organizations:DescribeOrganization
      • organizations:EnableAWSServiceAccess
      • organizations:ListDelegatedAdministrators
      • organizations:ListDelegatedServicesForAccount
      • organizations:RegisterDelegatedAdministrator
  • CreateDatalakeExceptionsSubscription
    • Description:  Grants permission to get instant notifications about exceptions by subscribing to the SNS topics for exception notifications
    • Access:  Write
  • CreateSubscriber
    • Description:  Grants permission to create a subscription permission for accounts that are already enabled
    • Access:  Write
    • Dependents:
      • iam:CreateRole
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:PutRolePolicy
      • lakeformation:GrantPermissions
      • lakeformation:ListPermissions
      • lakeformation:RegisterResource
      • lakeformation:RevokePermissions
      • ram:GetResourceShareAssociations
      • ram:GetResourceShares
      • ram:UpdateResourceShare
      • s3:PutObject
  • CreateSubscriptionNotificationConfiguration
    • Description:  Grants permission to create a webhook invocation to notify a client when there is new data in the Data Lake
    • Access:  Write
    • Dependents:
      • events:CreateApiDestination
      • events:CreateConnection
      • events:DescribeRule
      • events:ListApiDestinations
      • events:ListConnections
      • events:PutRule
      • events:PutTargets
      • iam:DeleteRolePolicy
      • iam:GetRole
      • s3:GetBucketNotification
      • s3:PutBucketNotification
      • sqs:CreateQueue
      • sqs:DeleteQueue
      • sqs:GetQueueAttributes
      • sqs:GetQueueUrl
      • sqs:SetQueueAttributes
  • DeleteAwsLogSource
    • Description:  Grants permission to disable any source type in any region for accounts that are either part of a trusted organization or standalone accounts
    • Access:  Write
  • DeleteCustomLogSource
    • Description:  Grants permission to remove a custom source name
    • Access:  Write
    • Dependents:
      • glue:StopCrawlerSchedule
  • DeleteDatalake
    • Description:  Grants permission to delete all Security Data Lakes
    • Access:  Write
    • Dependents:
      • organizations:DescribeOrganization
      • organizations:ListDelegatedAdministrators
      • organizations:ListDelegatedServicesForAccount
  • DeleteDatalakeAutoEnable
    • Description:  Grants permission to remove from the existing configuration the automatic enabling of Amazon Security Lake access for new organization accounts
    • Access:  Write
  • DeleteDatalakeDelegatedAdmin
    • Description:  Grants permission to remove the Delegated Administrator account and disable Amazon Security Lake as a service for this organization
    • Access:  Write
    • Dependents:
      • organizations:DeregisterDelegatedAdministrator
      • organizations:DescribeOrganization
      • organizations:ListDelegatedServicesForAccount
  • DeleteDatalakeExceptionsSubscription
    • Description:  Grants permission to unsubscribe from SNS topics for exception notifications. Also, removes the SNS exception notifications topic
    • Access:  Write
  • DeleteSubscriber
    • Description:  Grants permission to delete the specified subscription permissions for accounts that are already enabled
    • Access:  Write
    • Dependents:
      • events:DeleteApiDestination
      • events:DeleteConnection
      • events:DeleteRule
      • events:DescribeRule
      • events:ListApiDestinations
      • events:ListTargetsByRule
      • events:RemoveTargets
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:ListRolePolicies
      • lakeformation:ListPermissions
      • lakeformation:RevokePermissions
      • sqs:DeleteQueue
      • sqs:GetQueueUrl
  • DeleteSubscriptionNotificationConfiguration
    • Description:  Grants permission to remove a webhook invocation to notify a client when there is new data in the Data Lake
    • Access:  Write
    • Dependents:
      • events:DeleteApiDestination
      • events:DeleteConnection
      • events:DeleteRule
      • events:DescribeRule
      • events:ListApiDestinations
      • events:ListTargetsByRule
      • events:RemoveTargets
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:ListRolePolicies
      • lakeformation:RevokePermissions
      • sqs:DeleteQueue
      • sqs:GetQueueUrl
  • GetDatalake
    • Description:  Grants permission to get information on the Security Data Lake
    • Access:  Read
  • GetDatalakeAutoEnable
    • Description:  Grants permission to get an organization’s configuration setting for the automatic enabling of Amazon Security Lake access for new organization accounts
    • Access:  Read
    • Dependents:
      • organizations:DescribeOrganization
  • GetDatalakeExceptionsExpiry
    • Description:  Grants permission to allow a user to query what was set as the expiration period for the exception message
    • Access:  Read
  • GetDatalakeExceptionsSubscription
    • Description:  Grants permission to query the protocol and endpoint that were supplied when subscribing to the SNS topics for exception notifications
    • Access:  Read
  • GetDatalakeStatus
    • Description:  Grants permission to get a static snapshot of the Security Data Lake in the current region, including enabled accounts and log sources
    • Access:  Read
  • GetSubscriber
    • Description:  Grants permission to get subscription information for a subscription permission for accounts that are already enabled
    • Access:  Read
  • GetSubscriptionNotificationConfiguration
    • Description:  Grants permission to get information for a webhook invocation to notify a client when there is new data in the Data Lake
    • Access:  Read
  • ListDatalakeExceptions
    • Description:  Grants permission to get the list of all non-retryable failures
    • Access:  List
  • ListLogSources
    • Description:  Grants permission to show the estate view of enabled accounts with the enabled sources in the enabled regions
    • Access:  List
  • ListSubscribers
    • Description:  Grants permission to list all subscription permissions for accounts that are already enabled
    • Access:  List
  • UpdateDatalake
    • Description:  Grants permission to update a Security Data Lake
    • Access:  Write
    • Dependents:
      • events:PutRule
      • events:PutTargets
      • iam:CreateServiceLinkedRole
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:PutRolePolicy
      • kms:CreateGrant
      • kms:DescribeKey
      • lakeformation:GetDataLakeSettings
      • lakeformation:PutDataLakeSettings
      • lambda:CreateEventSourceMapping
      • lambda:CreateFunction
      • organizations:DescribeOrganization
      • organizations:ListDelegatedServicesForAccount
      • s3:CreateBucket
      • s3:ListBucket
      • s3:PutBucketPolicy
      • s3:PutBucketPublicAccessBlock
      • s3:PutBucketVersioning
      • sqs:CreateQueue
      • sqs:GetQueueAttributes
      • sqs:SetQueueAttributes
  • UpdateDatalakeExceptionsExpiry
    • Description:  Grants permission to control the time-to-live (TTL) for the exception message to remain in service cache
    • Access:  Write
  • UpdateDatalakeExceptionsSubscription
    • Description:  Grants permission to update subscriptions to the SNS topics for exception notifications
    • Access:  Write
  • UpdateSubscriber
    • Description:  Grants permission to update subscription information for a subscription permission for accounts that are already enabled
    • Access:  Write
    • Dependents:
      • events:CreateApiDestination
      • events:CreateConnection
      • events:DescribeRule
      • events:ListApiDestinations
      • events:ListConnections
      • events:PutRule
      • events:PutTargets
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:PutRolePolicy
  • UpdateSubscriptionNotificationConfiguration
    • Description:  Grants permission to update a webhook invocation to notify a client when there is new data in the Data Lake
    • Access:  Write
    • Dependents:
      • events:CreateApiDestination
      • events:CreateConnection
      • events:DescribeRule
      • events:ListApiDestinations
      • events:ListConnections
      • events:PutRule
      • events:PutTargets
      • iam:CreateServiceLinkedRole
      • iam:DeleteRolePolicy
      • iam:GetRole
      • iam:PutRolePolicy
      • s3:CreateBucket
      • s3:GetBucketNotification
      • s3:ListBucket
      • s3:PutBucketNotification
      • s3:PutBucketPolicy
      • s3:PutBucketPublicAccessBlock
      • s3:PutBucketVersioning
      • sqs:CreateQueue
      • sqs:DeleteQueue
      • sqs:GetQueueAttributes
      • sqs:GetQueueUrl
      • sqs:SetQueueAttributes