Amazon CodeGuru Security is in preview release and is subject to change.

Amazon CodeGuru Security permissions reference

You can use AWS condition keys in your Amazon CodeGuru Security policies to express conditions. For a list, see IAM JSON policy elements reference in the IAM User Guide.

You specify the actions in the policy's Action field. To specify an action, use the codeguru-security: prefix followed by the API operation name (for example, codeguru-security:CreateUploadUrl and codeguru-security:CreateScan). To specify multiple actions in a single statement, separate them with commas (for example, "Action": [ "codeguru-security:CreateUploadUrl", "codeguru-security:CreateScan" ]).

Using wildcard characters

You specify an Amazon Resource Name (ARN), with or without a wildcard character (*), as the resource value in the policy's Resource field. You can use a wildcard to specify multiple actions or resources. For example, codeguru-security:* specifies all Amazon CodeGuru Security actions and codeguru-security:Get* specifies all Amazon CodeGuru Security actions that begin with the word Get.

You can use the following table as a reference when you set up authentication with identities in Amazon CodeGuru Security and write permissions policies that you can attach to an IAM identity (identity-based policies).

Amazon CodeGuru Security API operations and required permissions for actions

| Amazon CodeGuru Security API operations | Required permissions (API actions) | Resources |
|---|---|---|
| BatchGetFindings | codeguru-security:BatchGetFindings. Required to get multiple findings. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName (multiple) |
| CreateScan | codeguru-security:CreateScan. Required to create a CodeGuru Security scan. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName |
| CreateUploadUrl | codeguru-security:CreateUploadUrl. Required to generate a URL used to upload code artifacts. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName |
| GetAccountConfiguration | codeguru-security:GetAccountConfiguration. Required to get account-level configuration. | * |
| GetMetricsSummary | codeguru-security:GetMetricsSummary. Required to get summary metrics for an account. | * |
| GetFindings | codeguru-security:GetFindings. Required to get findings generated by a scan. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName |
| GetScan | codeguru-security:GetScan. Required to get information about a scan. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName |
| ListFindingsMetrics | codeguru-security:ListFindingsMetrics. Required to list metrics about all findings in an account. | * |
| ListScans | codeguru-security:ListScans. Required to list all scans in an account. | * |
| ListTagsForResource | codeguru-security:ListTagsForResource. Required to list all tags associated with a scan. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName |
| TagResource | codeguru-security:TagResource. Required to add tags to a scan. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName |
| UntagResource | codeguru-security:UntagResource. Required to remove tags from a scan. | arn:aws:codeguru-security:region-ID:account-ID:scans/ScanName |
| UpdateAccountConfiguration | codeguru-security:UpdateAccountConfiguration. Required to update account-level configuration. | * |
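The following is an added example, not part of the AWS documentation: a least-privilege identity-based policy for a CI role that uploads code and reads the results of one scan, built from the actions and resource ARN formats in the table above, together with a simplified allow-check that shows how the `*` wildcard behaves in the Action and Resource fields. The region, account ID and scan name are constructed placeholders, and the evaluator deliberately ignores Deny statements and condition keys.

```python
"""Least-privilege CodeGuru Security policy for a CI scanning role, plus a small
allow-check mirroring how IAM matches '*' in Action and Resource. Added
illustration, not AWS code; region, account ID and scan name are placeholders."""
import fnmatch

# Constructed placeholder ARN; substitute your own region, account and scan name.
SCAN_ARN = "arn:aws:codeguru-security:us-east-1:111122223333:scans/ci-scan"

# Scan-level actions are scoped to one scan ARN; account-level actions take only "*".
CI_SCANNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["codeguru-security:CreateUploadUrl",
                    "codeguru-security:CreateScan",
                    "codeguru-security:GetScan",
                    "codeguru-security:GetFindings"],
         "Resource": SCAN_ARN},
        {"Effect": "Allow",
         "Action": ["codeguru-security:GetAccountConfiguration",
                    "codeguru-security:ListScans"],
         "Resource": "*"},
    ],
}

# The action wildcard from the text: Get* grants every Get action and nothing else.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "codeguru-security:Get*",
                   "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """True if some Allow statement matches both action and resource. Actions
    compare case-insensitively, as in IAM; ARNs compare exactly except for '*'.
    Simplification: Deny statements and condition keys are not evaluated."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                        for pat in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, pat)
                          for pat in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False
```

Note that a request against a different scan ARN, or for UpdateAccountConfiguration, is refused by CI_SCANNER_POLICY, while READ_ONLY_POLICY's `Get*` admits GetScan but not ListScans.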