Permissions for @turbot/aws-shield
Taking a look at permissions and associated grant levels for each permission for Shield:
| Permission | Grant Level | Help |
|---|---|---|
| iam:GetRole | Metadata | |
| iam:ListAttachedRolePolicies | Metadata | |
| iam:PassRole | Admin | |
| s3:GetBucketPolicy | Metadata | |
| shield:AssociateDRTLogBucket | Admin | "Admins can authorize the DDoS Response team to access the specified Amazon S3 bucket containing user's flow logs." |
| shield:AssociateDRTRole | Admin | "Admins can authorize the DDoS Response team using the specified role to access user's AWS account to assist with DDoS attack mitigation during potential attacks." |
| shield:CreateProtection | Admin | |
| shield:CreateSubscription | Admin | |
| shield:DeleteProtection | Admin | |
| shield:DeleteSubscription | Admin | |
| shield:DescribeAttack | Metadata | |
| shield:DescribeDRTAccess | Metadata | |
| shield:DescribeEmergencyContactSettings | Metadata | |
| shield:DescribeProtection | Metadata | |
| shield:DescribeSubscription | Metadata | |
| shield:DisassociateDRTLogBucket | Admin | |
| shield:DisassociateDRTRole | Admin | |
| shield:GetSubscriptionState | Metadata | |
| shield:ListAttacks | Metadata | |
| shield:ListProtections | Metadata | |
| shield:UpdateEmergencyContactSettings | Admin | Admins can update the details of the list of email addresses that the DRT can use to contact you during a suspected attack. |
| shield:UpdateSubscription | Admin |