View a markdown version of this page

Actions, resources, and condition keys for AWS Security Agent - Service Authorization Reference

Actions, resources, and condition keys for AWS Security Agent

AWS Security Agent (service prefix: securityagent) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Security Agent

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AddArtifact

securityagent:AddArtifact

Write

BatchCreateSecurityRequirements

securityagent:BatchCreateSecurityRequirements

Write

BatchDeleteCodeReviews

securityagent:BatchDeleteCodeReviews

Write

BatchDeletePentests

securityagent:BatchDeletePentests

Write

BatchDeleteSecurityRequirements

securityagent:BatchDeleteSecurityRequirements

Write

BatchDeleteThreatModels

securityagent:BatchDeleteThreatModels

Write

BatchGetAgentSpaces

securityagent:BatchGetAgentSpaces

Read

BatchGetArtifactMetadata

securityagent:BatchGetArtifactMetadata

Read

BatchGetCodeReviewJobTasks

securityagent:BatchGetCodeReviewJobTasks

Read

BatchGetCodeReviewJobs

securityagent:BatchGetCodeReviewJobs

Read

BatchGetCodeReviews

securityagent:BatchGetCodeReviews

Read

BatchGetFindings

securityagent:BatchGetFindings

Read

BatchGetPentestJobTasks

securityagent:BatchGetPentestJobTasks

Read

BatchGetPentestJobs

securityagent:BatchGetPentestJobs

Read

BatchGetPentests

securityagent:BatchGetPentests

Read

BatchGetSecurityRequirements

securityagent:BatchGetSecurityRequirements

Read

BatchGetTargetDomains

securityagent:BatchGetTargetDomains

Read

BatchGetThreatModelJobTasks

securityagent:BatchGetThreatModelJobTasks

Read

BatchGetThreatModelJobs

securityagent:BatchGetThreatModelJobs

Read

BatchGetThreatModels

securityagent:BatchGetThreatModels

Read

BatchGetThreats

securityagent:BatchGetThreats

Read

BatchUpdateSecurityRequirements

securityagent:BatchUpdateSecurityRequirements

Write

CreateAgentSpace

securityagent:CreateAgentSpace

Write

securityagent:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

securityagent.amazonaws.com

Write

CreateApplication

securityagent:CreateApplication

Write

securityagent:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

securityagent.amazonaws.com

Write

CreateCodeReview

securityagent:CreateCodeReview

Write

CreateIntegration

securityagent:CreateIntegration

Write

securityagent:TagResource

Tagging, Write

CreateMembership

securityagent:CreateMembership

Write

CreatePentest

securityagent:CreatePentest

Write

CreatePrivateConnection

securityagent:CreatePrivateConnection

Write

securityagent:TagResource

Tagging, Write

CreateSecurityRequirementPack

securityagent:CreateSecurityRequirementPack

Write

securityagent:TagResource

Tagging, Write

CreateTargetDomain

securityagent:CreateTargetDomain

Write

securityagent:TagResource

Tagging, Write

CreateThreat

securityagent:CreateThreat

Write

CreateThreatModel

securityagent:CreateThreatModel

Write

DeleteAgentSpace

securityagent:DeleteAgentSpace

Write

DeleteApplication

securityagent:DeleteApplication

Write

DeleteArtifact

securityagent:DeleteArtifact

Write

DeleteIntegration

securityagent:DeleteIntegration

Write

DeleteMembership

securityagent:DeleteMembership

Write

DeletePrivateConnection

securityagent:DeletePrivateConnection

Write

DeleteSecurityRequirementPack

securityagent:DeleteSecurityRequirementPack

Write

DeleteTargetDomain

securityagent:DeleteTargetDomain

Write

DescribePrivateConnection

securityagent:DescribePrivateConnection

Read

GetApplication

securityagent:GetApplication

Read

GetArtifact

securityagent:GetArtifact

Read

GetIntegration

securityagent:GetIntegration

Read

GetSecurityRequirementPack

securityagent:GetSecurityRequirementPack

Read

ImportSecurityRequirements

securityagent:ImportSecurityRequirements

Write

InitiateProviderRegistration

securityagent:InitiateProviderRegistration

Write

ListAgentSpaces

securityagent:ListAgentSpaces

List

ListApplications

securityagent:ListApplications

List

ListArtifacts

securityagent:ListArtifacts

List

ListCodeReviewJobTasks

securityagent:ListCodeReviewJobTasks

List

ListCodeReviewJobsForCodeReview

securityagent:ListCodeReviewJobsForCodeReview

List

ListCodeReviews

securityagent:ListCodeReviews

List

ListDiscoveredEndpoints

securityagent:ListDiscoveredEndpoints

List

ListFindings

securityagent:ListFindings

List

ListIntegratedResources

securityagent:ListIntegratedResources

List

ListIntegrations

securityagent:ListIntegrations

List

ListMemberships

securityagent:ListMemberships

List

ListPentestJobTasks

securityagent:ListPentestJobTasks

List

ListPentestJobsForPentest

securityagent:ListPentestJobsForPentest

List

ListPentests

securityagent:ListPentests

List

ListPrivateConnections

securityagent:ListPrivateConnections

List

ListSecurityRequirementPacks

securityagent:ListSecurityRequirementPacks

List

ListSecurityRequirements

securityagent:ListSecurityRequirements

List

ListTagsForResource

securityagent:ListTagsForResource

Read

ListTargetDomains

securityagent:ListTargetDomains

List

ListThreatModelJobTasks

securityagent:ListThreatModelJobTasks

List

ListThreatModelJobs

securityagent:ListThreatModelJobs

List

ListThreatModels

securityagent:ListThreatModels

List

ListThreats

securityagent:ListThreats

List

StartCodeRemediation

securityagent:StartCodeRemediation

Write

StartCodeReviewJob

securityagent:StartCodeReviewJob

Write

StartPentestJob

securityagent:StartPentestJob

Write

StartThreatModelJob

securityagent:StartThreatModelJob

Write

StopCodeReviewJob

securityagent:StopCodeReviewJob

Write

StopPentestJob

securityagent:StopPentestJob

Write

StopThreatModelJob

securityagent:StopThreatModelJob

Write

TagResource

securityagent:TagResource

Tagging, Write

UntagResource

securityagent:UntagResource

Tagging, Write

UpdateAgentSpace

securityagent:UpdateAgentSpace

Write

iam:PassRole

iam:PassedToService

securityagent.amazonaws.com

Write

UpdateApplication

securityagent:UpdateApplication

Write

iam:PassRole

iam:PassedToService

securityagent.amazonaws.com

Write

UpdateCodeReview

securityagent:UpdateCodeReview

Write

UpdateFinding

securityagent:UpdateFinding

Write

UpdateIntegratedResources

securityagent:UpdateIntegratedResources

Write

UpdatePentest

securityagent:UpdatePentest

Write

UpdatePrivateConnectionCertificate

securityagent:UpdatePrivateConnectionCertificate

Write

UpdateSecurityRequirementPack

securityagent:UpdateSecurityRequirementPack

Write

UpdateTargetDomain

securityagent:UpdateTargetDomain

Write

UpdateThreat

securityagent:UpdateThreat

Write

UpdateThreatModel

securityagent:UpdateThreatModel

Write

VerifyTargetDomain

securityagent:VerifyTargetDomain

Write

Actions defined by AWS Security Agent

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AddArtifact

Grants permission to add an Artifact for the given Agent Space

AgentSpace*

aws:ResourceTag/${TagKey}

Write

BatchCreateSecurityRequirements

Grants permission to batch create security requirements in a customer managed pack

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

BatchDeleteCodeReviews

Grants permission to delete multiple code reviews in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Write

BatchDeletePentests

Grants permission to delete multiple penetration tests in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Write

BatchDeleteSecurityRequirements

Grants permission to batch delete security requirements from a customer managed pack

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

BatchDeleteThreatModels

Grants permission to delete multiple threat models in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Write

BatchDeleteThreats

Grants permission to delete multiple threats

AgentSpace*

aws:ResourceTag/${TagKey}

Write

BatchGetAgentSpaces

Grants permission to retrieve multiple agent spaces in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetArtifactMetadata

Grants permission to retrieve one or more Artifact Metadata records for the given Agent Space

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetCodeReviewJobTasks

Grants permission to retrieve multiple code review job tasks in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetCodeReviewJobs

Grants permission to retrieve multiple code review jobs in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetCodeReviews

Grants permission to retrieve multiple code reviews in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetFindings

Grants permission to retrieve multiple security testing findings in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetPentestJobContentMetadata

Grants permission to retrieve multiple pentest job contents metadata in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetPentestJobTasks

Grants permission to retrieve multiple pentest job tasks in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetPentestJobs

Grants permission to retrieve multiple security testing jobs in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetPentests

Grants permission to retrieve multiple penetration tests in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetSecurityRequirements

Grants permission to retrieve multiple security requirements in a single request

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Read

BatchGetTargetDomains

Grants permission to retrieve multiple target domains in a single request

TargetDomain*

aws:ResourceTag/${TagKey}

Read

BatchGetThreatModelJobTasks

Grants permission to retrieve multiple tasks for a threat model job in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetThreatModelJobs

Grants permission to retrieve details for one or more threat model jobs

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetThreatModels

Grants permission to retrieve multiple threat models in a single request

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchGetThreats

Grants permission to retrieve details for one or more threats

AgentSpace*

aws:ResourceTag/${TagKey}

Read

BatchUpdateSecurityRequirements

Grants permission to batch update security requirements within a customer managed pack

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

CreateAgentSpace

Grants permission to create an agent space record

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateApplication

Grants permission to create a new application

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateCodeReview

Grants permission to create a new code review configuration

AgentSpace*

aws:ResourceTag/${TagKey}

Write

CreateDesignReview

Grants permission to create a design review

AgentSpace*

aws:ResourceTag/${TagKey}

Write

CreateIntegration

Grants permission to create a security testing integration

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateMembership

Grants permission to add a single member to a agent space with specified role

AgentSpace*

aws:ResourceTag/${TagKey}

Write

CreateOneTimeLoginSession

Grants permission to create a one time login session

AgentSpace*

aws:ResourceTag/${TagKey}

Write

CreatePentest

Grants permission to create a new penetration test configuration

AgentSpace*

aws:ResourceTag/${TagKey}

Write

CreatePrivateConnection

Grants permission to create a private connection for VPC Lattice integration

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateSecurityRequirement

Grants permission to add a customer managed Security Requirement

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

CreateSecurityRequirementPack

Grants permission to create a customer managed security requirement pack

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateTargetDomain

Grants permission to create a target domain record

Write

CreateThreat

Grants permission to create a threat in a threat model

AgentSpace*

aws:ResourceTag/${TagKey}

Write

CreateThreatModel

Grants permission to create a new threat model configuration

AgentSpace*

aws:ResourceTag/${TagKey}

Write

DeleteAgentSpace

Grants permission to delete an agent space record

AgentSpace*

aws:ResourceTag/${TagKey}

Write

DeleteApplication

Grants permission to delete application

Application*

aws:ResourceTag/${TagKey}

Write

DeleteArtifact

Grants permission to delete an Artifact

AgentSpace*

aws:ResourceTag/${TagKey}

Write

DeleteDesignReview

Grants permission to delete a design review

AgentSpace*

aws:ResourceTag/${TagKey}

Write

DeleteIntegration

Grants permission to delete the integration of an application

Integration*

aws:ResourceTag/${TagKey}

Write

DeleteMembership

Grants permission to remove a single member associated to an agent space

AgentSpace*

aws:ResourceTag/${TagKey}

Write

DeletePrivateConnection

Grants permission to delete a private connection

PrivateConnection*

aws:ResourceTag/${TagKey}

Write

DeleteSecurityRequirement

Grants permission to delete a customer managed Security Requirement

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

DeleteSecurityRequirementPack

Grants permission to delete a customer managed security requirement pack and all its associated security requirements

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

DeleteTargetDomain

Grants permission to delete a target domain record

TargetDomain*

aws:ResourceTag/${TagKey}

Write

DescribePrivateConnection

Grants permission to describe a private connection

PrivateConnection*

aws:ResourceTag/${TagKey}

Read

GetApplication

Grants permission to get application details by application ID

Application*

aws:ResourceTag/${TagKey}

Read

GetArtifact

Grants permission to retrieve an Artifact for the given Agent Space

AgentSpace*

aws:ResourceTag/${TagKey}

Read

GetDesignReview

Grants permission to get the status of the associated agent space design review

AgentSpace*

aws:ResourceTag/${TagKey}

Read

GetDesignReviewArtifact

Grants permission to get design review artifact for a specific document

AgentSpace*

aws:ResourceTag/${TagKey}

Read

GetDesignReviewFeedback

Grants permission to get feedback for a design review comment

AgentSpace*

aws:ResourceTag/${TagKey}

Read

GetIntegration

Grants permission to get the integration metadata by ID

Integration*

aws:ResourceTag/${TagKey}

Read

GetProviderRegistrationManifest

Grants permission to retrieve the provider registration manifest used for browser-based integration registration

Read

GetSecurityRequirement

Grants permission to retrieve a Security Requirement

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Read

GetSecurityRequirementPack

Grants permission to retrieve a security requirement pack

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Read

HandleProviderRegistrationCallback

Grants permission to handle the provider OAuth registration callback that completes integration setup

Write

ImportSecurityRequirements

Grants permission to import security requirements from uploaded documents for a customer managed security requirement pack

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

InitiateProviderRegistration

Grants permission to initiate the registration of Security Agent App for the given provider (eg: GitHub)

Write

ListAgentSpaces

Grants permission to list agent spaces

List

ListApplications

Grants permission to list all applications in the account

List

ListArtifacts

Grants permission to list all artifacts for the given agent space

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListCodeReviewJobTasks

Grants permission to list tasks associated with a code review job

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListCodeReviewJobsForCodeReview

Grants permission to list code review jobs associated with a code review

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListCodeReviews

Grants permission to list code reviews with optional filtering by status

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListDesignReviewComments

Grants permission to list design review comments

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListDesignReviews

Grants permission to list all design reviews for the given agent space

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListDiscoveredEndpoints

Grants permission to list discovered endpoints associated with a pentest job with optional URI prefix filtering

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListFindings

Grants permission to list findings with filtering and pagination support

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListIntegratedResources

Grants permission to list integrated resources for an agent space

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListIntegrations

Grants permission to get the integrations owned by the caller's AWS account

List

ListMemberships

Grants permission to list all members associated to an agent space with pagination support

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListPentestJobTasks

Grants permission to list pentest job tasks associated with a pentest job

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListPentestJobsForPentest

Grants permission to list penetration test jobs associated with a penetration test

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListPentests

Grants permission to list penetration tests with optional filtering by status

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListPrivateConnections

Grants permission to list private connections in the account

List

ListResourcesFromIntegration

Grants permission to list resources from Integration

Integration*

aws:ResourceTag/${TagKey}

List

ListSecurityRequirementPacks

Grants permission to list all security requirement packs in the account

List

ListSecurityRequirements

Grants permission to list all Security Requirements

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

List

ListTagsForResource

Grants permission to list the tags for a resource

AgentSpace

aws:ResourceTag/${TagKey}

Read

Application

aws:ResourceTag/${TagKey}

Integration

aws:ResourceTag/${TagKey}

PrivateConnection

aws:ResourceTag/${TagKey}

SecurityRequirementPack

aws:ResourceTag/${TagKey}

TargetDomain

aws:ResourceTag/${TagKey}

ListTargetDomains

Grants permission to list target domains

List

ListThreatModelJobTasks

Grants permission to list tasks associated with a specific threat model job

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListThreatModelJobs

Grants permission to list threat model jobs for a threat model

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListThreatModels

Grants permission to list threat models for an agent space

AgentSpace*

aws:ResourceTag/${TagKey}

List

ListThreats

Grants permission to list threats for a threat model job with filtering and pagination support

AgentSpace*

aws:ResourceTag/${TagKey}

List

PutDesignReviewFeedback

Grants permission to submit feedback for a design review comment

AgentSpace*

aws:ResourceTag/${TagKey}

Write

StartCodeRemediation

Grants permission to start code remediation for the findings

AgentSpace*

aws:ResourceTag/${TagKey}

Write

StartCodeReviewJob

Grants permission to initiate the execution of a code review

AgentSpace*

aws:ResourceTag/${TagKey}

Write

StartPentestJob

Grants permission to initiate the execution of a penetration test

AgentSpace*

aws:ResourceTag/${TagKey}

Write

StartThreatModelJob

Grants permission to initiate the execution of a threat model job

AgentSpace*

aws:ResourceTag/${TagKey}

Write

StopCodeReviewJob

Grants permission to stop the execution of a running code review

AgentSpace*

aws:ResourceTag/${TagKey}

Write

StopPentestJob

Grants permission to stop the execution of a running penetration test

AgentSpace*

aws:ResourceTag/${TagKey}

Write

StopThreatModelJob

Grants permission to stop a running threat model job

AgentSpace*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to add tags to a resource

AgentSpace

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Application

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Integration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

PrivateConnection

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

SecurityRequirementPack

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

TargetDomain

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

ToggleManagedSecurityRequirement

Grants permission to toggle the status of a managed Security Requirement

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

UntagResource

Grants permission to remove tags from a resource

AgentSpace

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Application

aws:ResourceTag/${TagKey}

aws:TagKeys

Integration

aws:ResourceTag/${TagKey}

aws:TagKeys

PrivateConnection

aws:ResourceTag/${TagKey}

aws:TagKeys

SecurityRequirementPack

aws:ResourceTag/${TagKey}

aws:TagKeys

TargetDomain

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateAgentSpace

Grants permission to update an agent space record

AgentSpace*

aws:ResourceTag/${TagKey}

Write

UpdateApplication

Grants permission to update application configuration

Application*

aws:ResourceTag/${TagKey}

Write

UpdateCodeReview

Grants permission to update an existing code review with new configuration or settings

AgentSpace*

aws:ResourceTag/${TagKey}

Write

UpdateFinding

Grants permission to update an existing security finding with new details or status

AgentSpace*

aws:ResourceTag/${TagKey}

Write

UpdateIntegratedResources

Grants permission to update integrated resources for an agent space

AgentSpace*

aws:ResourceTag/${TagKey}

Write

UpdatePentest

Grants permission to update an existing penetration test with new configuration or settings

AgentSpace*

aws:ResourceTag/${TagKey}

Write

UpdatePrivateConnectionCertificate

Grants permission to update the certificate associated with a private connection

PrivateConnection*

aws:ResourceTag/${TagKey}

Write

UpdateSecurityRequirement

Grants permission to update a customer managed Security Requirement

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

UpdateSecurityRequirementPack

Grants permission to update a security requirement pack

SecurityRequirementPack*

aws:ResourceTag/${TagKey}

Write

UpdateTargetDomain

Grants permission to update a target domain record

TargetDomain*

aws:ResourceTag/${TagKey}

Write

UpdateThreat

Grants permission to update a threat

AgentSpace*

aws:ResourceTag/${TagKey}

Write

UpdateThreatModel

Grants permission to update an existing threat model with new configuration

AgentSpace*

aws:ResourceTag/${TagKey}

Write

VerifyTargetDomain

Grants permission to verify ownership for a registered target domain

TargetDomain*

aws:ResourceTag/${TagKey}

Write

Resource types defined by AWS Security Agent

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

AgentSpace

arn:${Partition}:securityagent:${Region}:${Account}:agent-space/${AgentId}

aws:ResourceTag/${TagKey}

Application

arn:${Partition}:securityagent:${Region}:${Account}:application/${ApplicationId}

aws:ResourceTag/${TagKey}

Integration

arn:${Partition}:securityagent:${Region}:${Account}:integration/${IntegrationId}

aws:ResourceTag/${TagKey}

PrivateConnection

arn:${Partition}:securityagent:${Region}:${Account}:private-connection/${PrivateConnectionName}

aws:ResourceTag/${TagKey}

SecurityRequirementPack

arn:${Partition}:securityagent:${Region}:${Account}:security-requirement-pack/${SecurityRequirementPackId}

aws:ResourceTag/${TagKey}

TargetDomain

arn:${Partition}:securityagent:${Region}:${Account}:target-domain/${TargetDomainId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Security Agent

AWS Security Agent defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString