Permissions for @turbot/aws-shield
The table below lists each IAM permission used by the @turbot/aws-shield mod, the Turbot grant level it maps to, and, where available, a short description of what the permission allows:
Permission | Grant Level | Help
---|---|---
iam:GetRole | Metadata |
iam:ListAttachedRolePolicies | Metadata |
iam:PassRole | Admin |
s3:GetBucketPolicy | Metadata |
shield:AssociateDRTLogBucket | Admin | Admins can authorize the DDoS Response Team (DRT) to access the specified Amazon S3 bucket containing the user's flow logs.
shield:AssociateDRTRole | Admin | Admins can authorize the DDoS Response Team (DRT), using the specified role, to access the user's AWS account to assist with DDoS attack mitigation during potential attacks.
shield:CreateProtection | Admin |
shield:CreateSubscription | Admin |
shield:DeleteProtection | Admin |
shield:DeleteSubscription | Admin |
shield:DescribeAttack | Metadata |
shield:DescribeDRTAccess | Metadata |
shield:DescribeEmergencyContactSettings | Metadata |
shield:DescribeProtection | Metadata |
shield:DescribeSubscription | Metadata |
shield:DisassociateDRTLogBucket | Admin |
shield:DisassociateDRTRole | Admin |
shield:GetSubscriptionState | Metadata |
shield:ListAttacks | Metadata |
shield:ListProtections | Metadata |
shield:UpdateEmergencyContactSettings | Admin | Admins can update the list of email addresses that the DRT can use to contact you during a suspected attack.
shield:UpdateSubscription | Admin |