Permissions for @turbot/aws-config
The permissions for Config and the grant level associated with each:
Permission | Grant Level | Help |
---|---|---|
config:BatchGetAggregateResourceConfig | Metadata | |
config:BatchGetResourceConfig | Metadata | |
config:DeleteAggregationAuthorization | Admin | It deletes the authorization granted to the specified configuration aggregator account in a specified region. It is a cross-account permission. |
config:DeleteConfigRule | Admin | Admin can delete the specified AWS Config rule and all of its evaluation results. |
config:DeleteConfigurationAggregator | Admin | |
config:DeleteConfigurationRecorder | Admin | Admins manage configuration recorder settings. |
config:DeleteConformancePack | Admin | |
config:DeleteDeliveryChannel | Admin | Admins manage delivery channel settings. |
config:DeleteEvaluationResults | Admin | |
config:DeleteOrganizationConfigRule | Admin | |
config:DeleteOrganizationConformancePack | Admin | |
config:DeletePendingAggregationRequest | Admin | |
config:DeleteRemediationConfiguration | Admin | |
config:DeleteRemediationExceptions | Admin | |
config:DeleteResourceConfig | Admin | |
config:DeleteRetentionConfiguration | Admin | |
config:DeliverConfigSnapshot | Operator | Operators can schedule config snapshot deliveries to S3. |
config:DescribeAggregateComplianceByConfigRules | Metadata | |
config:DescribeAggregationAuthorizations | Metadata | |
config:DescribeComplianceByConfigRule | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
config:DescribeComplianceByResource | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
config:DescribeConfigRuleEvaluationStatus | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
config:DescribeConfigRules | Metadata | Metadata about config rules and resources; allow Metadata to Describe rules. |
config:DescribeConfigurationAggregatorSourcesStatus | Metadata | |
config:DescribeConfigurationAggregators | Metadata | |
config:DescribeConfigurationRecorderStatus | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
config:DescribeConfigurationRecorders | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
config:DescribeConformancePackCompliance | Metadata | |
config:DescribeConformancePackStatus | Metadata | |
config:DescribeConformancePacks | Metadata | |
config:DescribeDeliveryChannelStatus | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
config:DescribeDeliveryChannels | Metadata | Metadata about config settings; allow Metadata to Describe these settings. |
config:DescribeOrganizationConfigRuleStatuses | Metadata | |
config:DescribeOrganizationConfigRules | Metadata | |
config:DescribeOrganizationConformancePackStatuses | Metadata | |
config:DescribeOrganizationConformancePacks | Metadata | |
config:DescribePendingAggregationRequests | Metadata | |
config:DescribeRemediationConfigurations | Metadata | |
config:DescribeRemediationExceptions | Metadata | |
config:DescribeRemediationExecutionStatus | Metadata | |
config:DescribeRetentionConfigurations | Metadata | |
config:GetAggregateComplianceDetailsByConfigRule | Metadata | |
config:GetAggregateConfigRuleComplianceSummary | Metadata | |
config:GetAggregateDiscoveredResourceCounts | Metadata | |
config:GetAggregateResourceConfig | Metadata | |
config:GetComplianceDetailsByConfigRule | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
config:GetComplianceDetailsByResource | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
config:GetComplianceSummaryByConfigRule | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
config:GetComplianceSummaryByResourceType | Metadata | Metadata about config rules and resources; allow Metadata to Get rules. |
config:GetConformancePackComplianceDetails | Metadata | |
config:GetConformancePackComplianceSummary | Metadata | |
config:GetDiscoveredResourceCounts | Metadata | Metadata about the number of each resource type and the total number of resources that AWS Config is recording in this region for your AWS account. |
config:GetOrganizationConfigRuleDetailedStatus | Metadata | |
config:GetOrganizationConformancePackDetailedStatus | Metadata | |
config:GetResourceConfigHistory | Metadata | AWS Config is only metadata about resources; allow Metadata to Get data. |
config:GetResources | Metadata | AWS Config is only metadata about resources; allow Metadata to Get data. |
config:GetTagKeys | Metadata | AWS Config is only metadata about resources; allow Metadata to Get data. |
config:ListAggregateDiscoveredResources | Metadata | |
config:ListDiscoveredResources | Metadata | AWS Config is only metadata about resources; allow Metadata to Get data. |
config:ListTagsForResource | Metadata | |
config:PutAggregationAuthorization | Admin | It authorizes the aggregator account and region to collect data from the source account and region. |
config:PutConfigRule | Admin | Admin can add or update an AWS Config rule for evaluating whether your AWS resources comply with desired configurations. |
config:PutConfigurationAggregator | Admin | |
config:PutConfigurationRecorder | Admin | Admins manage config recorder settings. |
config:PutConformancePack | Admin | |
config:PutDeliveryChannel | Admin | Admins manage delivery channel settings. |
config:PutEvaluations | Operator | |
config:PutOrganizationConfigRule | Admin | |
config:PutOrganizationConformancePack | Admin | |
config:PutRemediationConfigurations | Admin | |
config:PutRemediationExceptions | Admin | |
config:PutResourceConfig | Admin | |
config:PutRetentionConfiguration | Admin | Creates and updates the retention configuration with details about the retention period for which AWS Config stores your historical information. |
config:SelectResourceConfig | Metadata | |
config:StartConfigRulesEvaluation | Operator | Operator can run an on-demand evaluation for the specified Config rules against the last known configuration state of the resources. |
config:StartConfigurationRecorder | Operator | Operators can start config recorders across regions. |
config:StartRemediationExecution | Admin | |
config:StopConfigurationRecorder | Operator | Operators can stop config recorders across regions. |
config:TagResource | Operator | |
config:UntagResource | Operator | |
iam:ListRoles | Metadata | |
iam:PassRole | Admin | Admins need 'iam:PassRole' to attach the applicable service role for Config settings. |