Permissions for @turbot/aws-config
Taking a look at permissions and associated grant levels for each permission for Config:
| Permission | Grant Level | Help |
|---|---|---|
| config:BatchGetAggregateResourceConfig | Metadata | |
| config:BatchGetResourceConfig | Metadata | |
| config:DeleteAggregationAuthorization | Admin | It deletes the authorization granted to the specified configuration aggregator account in a specified region. It is a cross-account permission. |
| config:DeleteConfigRule | Admin | Admin can delete the specified AWS Config rule and all of its evaluation results. |
| config:DeleteConfigurationAggregator | Admin | |
| config:DeleteConfigurationRecorder | Admin | Admins manage configuration recorder settings. |
| config:DeleteConformancePack | Admin | |
| config:DeleteDeliveryChannel | Admin | Admins manage delivery channel settings. |
| config:DeleteEvaluationResults | Admin | |
| config:DeleteOrganizationConfigRule | Admin | |
| config:DeleteOrganizationConformancePack | Admin | |
| config:DeletePendingAggregationRequest | Admin | |
| config:DeleteRemediationConfiguration | Admin | |
| config:DeleteRemediationExceptions | Admin | |
| config:DeleteResourceConfig | Admin | |
| config:DeleteRetentionConfiguration | Admin | |
| config:DeliverConfigSnapshot | Operator | Operators can schedule config snapshot deliveries to S3. |
| config:DescribeAggregateComplianceByConfigRules | Metadata | |
| config:DescribeAggregationAuthorizations | Metadata | |
| config:DescribeComplianceByConfigRule | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
| config:DescribeComplianceByResource | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
| config:DescribeConfigRuleEvaluationStatus | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
| config:DescribeConfigRules | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
| config:DescribeConfigurationAggregatorSourcesStatus | Metadata | |
| config:DescribeConfigurationAggregators | Metadata | |
| config:DescribeConfigurationRecorderStatus | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
| config:DescribeConfigurationRecorders | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
| config:DescribeConformancePackCompliance | Metadata | |
| config:DescribeConformancePackStatus | Metadata | |
| config:DescribeConformancePacks | Metadata | |
| config:DescribeDeliveryChannelStatus | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
| config:DescribeDeliveryChannels | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
| config:DescribeOrganizationConfigRuleStatuses | Metadata | |
| config:DescribeOrganizationConfigRules | Metadata | |
| config:DescribeOrganizationConformancePackStatuses | Metadata | |
| config:DescribeOrganizationConformancePacks | Metadata | |
| config:DescribePendingAggregationRequests | Metadata | |
| config:DescribeRemediationConfigurations | Metadata | |
| config:DescribeRemediationExceptions | Metadata | |
| config:DescribeRemediationExecutionStatus | Metadata | |
| config:DescribeRetentionConfigurations | Metadata | |
| config:GetAggregateComplianceDetailsByConfigRule | Metadata | |
| config:GetAggregateConfigRuleComplianceSummary | Metadata | |
| config:GetAggregateDiscoveredResourceCounts | Metadata | |
| config:GetAggregateResourceConfig | Metadata | |
| config:GetComplianceDetailsByConfigRule | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
| config:GetComplianceDetailsByResource | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
| config:GetComplianceSummaryByConfigRule | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
| config:GetComplianceSummaryByResourceType | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
| config:GetConformancePackComplianceDetails | Metadata | |
| config:GetConformancePackComplianceSummary | Metadata | |
| config:GetDiscoveredResourceCounts | Metadata | Metadata about the number of each resource type and the total number of resources that AWS Config is recording in this region for your AWS account. |
| config:GetOrganizationConfigRuleDetailedStatus | Metadata | |
| config:GetOrganizationConformancePackDetailedStatus | Metadata | |
| config:GetResourceConfigHistory | Metadata | AWS config is only metadata about resources; allow Metadata to Get data. |
| config:GetResources | Metadata | AWS config is only metadata about resources; allow Metadata to Get data. |
| config:GetTagKeys | Metadata | AWS config is only metadata about resources; allow Metadata to Get data. |
| config:ListAggregateDiscoveredResources | Metadata | |
| config:ListDiscoveredResources | Metadata | AWS config is only metadata about resources; allow Metadata to Get data. |
| config:ListTagsForResource | Metadata | |
| config:PutAggregationAuthorization | Admin | It authorizes the aggregator account and region to collect data from the source account and region. |
| config:PutConfigRule | Admin | Admin can add or update an AWS Config rule for evaluating whether your AWS resources comply with desired configurations. |
| config:PutConfigurationAggregator | Admin | |
| config:PutConfigurationRecorder | Admin | Admins manage config recorder settings. |
| config:PutConformancePack | Admin | |
| config:PutDeliveryChannel | Admin | Admins manage delivery channel settings. |
| config:PutEvaluations | Operator | |
| config:PutOrganizationConfigRule | Admin | |
| config:PutOrganizationConformancePack | Admin | |
| config:PutRemediationConfigurations | Admin | |
| config:PutRemediationExceptions | Admin | |
| config:PutResourceConfig | Admin | |
| config:PutRetentionConfiguration | Admin | Creates and updates the retention configuration with details about retention period that AWS Config stores your historical information. |
| config:SelectResourceConfig | Metadata | |
| config:StartConfigRulesEvaluation | Operator | Operator can run an on-demand evaluation for the specified Config rules against the last known configuration state of the resources. |
| config:StartConfigurationRecorder | Operator | Operators can start config recorders across regions. |
| config:StartRemediationExecution | Admin | |
| config:StopConfigurationRecorder | Operator | Operators can stop config recorders across regions. |
| config:TagResource | Operator | |
| config:UntagResource | Operator | |
| iam:ListRoles | Metadata | |
| iam:PassRole | Admin | "Admins need 'iam:PassRole' to attach the applicable service role for Config settings." |