Amazon GuardDuty (guardduty)

2025-08-19

10 new actions, 2 new resources | 3 updated actions

Additions

    Actions
  • CreateThreatEntitySet
    • Description: Grants permission to create GuardDuty ThreatEntitySets, where a ThreatEntitySet consists of known malicious IP addresses and/or domains used by GuardDuty to generate findings
    • Access: Write
    • Conditions:
      aws:RequestTag/${TagKey}
      aws:TagKeys
    • Dependents:
      s3:GetObject
  • CreateTrustedEntitySet
    • Description: Grants permission to create a TrustedEntitySet
    • Access: Write
    • Conditions:
      aws:RequestTag/${TagKey}
      aws:ResourceTag/${TagKey}
      aws:TagKeys
    • Dependents:
      s3:GetObject
  • DeleteThreatEntitySet
    • Description: Grants permission to delete GuardDuty ThreatEntitySets
    • Access: Write
    • Resources:
      Name: threatentityset
      Required: Yes
  • DeleteTrustedEntitySet
    • Description: Grants permission to delete GuardDuty TrustedEntitySets
    • Access: Write
    • Resources:
      Name: trustedentityset
      Required: Yes
  • GetThreatEntitySet
    • Description: Grants permission to retrieve GuardDuty ThreatEntitySets
    • Access: Read
    • Resources:
      Name: threatentityset
      Required: Yes
  • GetTrustedEntitySet
    • Description: Grants permission to retrieve GuardDuty TrustedEntitySets
    • Access: Read
    • Resources:
      Name: trustedentityset
      Required: Yes
  • ListThreatEntitySets
    • Description: Grants permission to retrieve a list of GuardDuty ThreatEntitySets
    • Access: List
  • ListTrustedEntitySets
    • Description: Grants permission to retrieve a list of GuardDuty TrustedEntitySets
    • Access: List
  • UpdateThreatEntitySet
    • Description: Grants permission to update GuardDuty ThreatEntitySets
    • Access: Write
    • Resources:
      Name: threatentityset
      Required: Yes
    • Dependents:
      s3:GetObject
  • UpdateTrustedEntitySet
    • Description: Grants permission to update GuardDuty TrustedEntitySets
    • Access: Write
    • Resources:
      Name: trustedentityset
      Required: Yes
    • Dependents:
      s3:GetObject

    Resources
  • trustedentityset
    • Arn: arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/trustedentityset/${TrustedEntitySetId}
    • Conditions:
      aws:ResourceTag/${TagKey}
  • threatentityset
    • Arn: arn:${Partition}:guardduty:${Region}:${Account}:detector/${DetectorId}/threatentityset/${ThreatEntitySetId}
    • Conditions:
      aws:ResourceTag/${TagKey}

Updates