AWS Security Agent
(securityagent)
IAM Changes
2025-12-06
62 new actions, 9 new resources
Additions
Actions
AddArtifact
Description:
Grants permission to add an Artifact for the given Agent Instance
Access:
Write
AddControl
Description:
Grants permission to add a customer managed Control
Access:
Write
BatchDeletePentests
Description:
Grants permission to delete multiple penetration tests in a single request
Access:
Write
BatchGetAgentInstances
Description:
Grants permission to retrieve multiple agent instances in a single request
Access:
Read
BatchGetArtifactMetadata
Description:
Grants permission to retrieve one or more Artifact Metadata records for the given Agent Instance
Access:
Read
BatchGetFindings
Description:
Grants permission to retrieve multiple security testing findings in a single request
Access:
Read
BatchGetPentestJobs
Description:
Grants permission to retrieve multiple security testing jobs in a single request
Access:
Read
BatchGetPentests
Description:
Grants permission to retrieve multiple penetration tests in a single request
Access:
Read
BatchGetSecurityTestContentMetadata
Description:
Grants permission to retrieve multiple security testing contents metadata in a single request
Access:
Read
BatchGetTasks
Description:
Grants permission to retrieve multiple security testing tasks in a single request
Access:
Read
CreateAgentInstance
Description:
Grants permission to create an agent instance record
Access:
Write
CreateApplication
Description:
Grants permission to create a new application
Access:
Write
Dependents:
iam:PassRole
sso:CreateApplication
CreateDocumentReview
Description:
Grants permission to create a document review
Access:
Write
CreateIntegration
Description:
Grants permission to create a security testing integration
Access:
Write
CreateMembership
Description:
Grants permission to add a single member to an agent instance with the specified role
Access:
Write
CreateOneTimeLoginSession
Description:
Grants permission to create a one time login session
Access:
Write
CreatePentest
Description:
Grants permission to create a new penetration test configuration
Access:
Write
DeleteAgentInstance
Description:
Grants permission to delete an agent instance record
Access:
Write
DeleteApplication
Description:
Grants permission to delete an application
Access:
Write
DeleteArtifact
Description:
Grants permission to delete an Artifact
Access:
Write
DeleteControl
Description:
Grants permission to delete a customer managed Control
Access:
Write
DeleteIntegration
Description:
Grants permission to delete the integration of an application
Access:
Write
DeleteMembership
Description:
Grants permission to remove a single member associated with an agent instance
Access:
Write
DescribeFindings
Description:
Grants permission to retrieve security findings for a penetration test or security testing tasks in a penetration test
Access:
Read
GetApplication
Description:
Grants permission to get application details by application ID
Access:
Read
GetArtifact
Description:
Grants permission to retrieve an Artifact for the given Agent Instance
Access:
Read
GetCodeReviewTask
Description:
Grants permission to retrieve a Code Review Task
Access:
Read
GetControl
Description:
Grants permission to retrieve a Control
Access:
Read
GetDocReviewTask
Description:
Grants permission to retrieve a document review task
Access:
Read
GetDocumentReview
Description:
Grants permission to get the status of the associated agent instance document review
Access:
Read
GetDocumentReviewArtifact
Description:
Grants permission to get document review artifact for a specific document
Access:
Read
GetIntegration
Description:
Grants permission to get the integration metadata by ID
Access:
Read
GetLoginSessionCredentials
Description:
Grants permission to retrieve credentials for a one time login session
Access:
Read
HandleOneTimeLoginSession
Description:
Grants permission to process and invalidate a one time login session
Access:
Write
InitiateProviderRegistration
Description:
Grants permission to initiate the registration of the Security Agent App for the given provider (e.g., GitHub)
Access:
Write
ListAgentInstanceTasks
Description:
Grants permission to list tasks for a specific agent instance
Access:
List
ListAgentInstances
Description:
Grants permission to list agent instances
Access:
List
ListApplications
Description:
Grants permission to list all applications in the account
Access:
List
ListArtifacts
Description:
Grants permission to list all artifacts for the given project
Access:
List
ListControls
Description:
Grants permission to list all Controls
Access:
List
ListDiscoveredEndpoints
Description:
Grants permission to list discovered endpoints associated with a pentest job with optional URI prefix filtering
Access:
List
ListDocumentReviewComments
Description:
Grants permission to list document review comments
Access:
List
ListDocumentReviews
Description:
Grants permission to list all document reviews for the given project
Access:
List
ListFindings
Description:
Grants permission to list findings with filtering and pagination support
Access:
List
ListIntegratedResources
Description:
Grants permission to list integrated resources for an agent instance
Access:
List
ListIntegrations
Description:
Grants permission to get the integrations owned by the caller's AWS account
Access:
List
ListMemberships
Description:
Grants permission to list all members associated with an agent instance with pagination support
Access:
List
ListPentestJobsForPentest
Description:
Grants permission to list penetration test jobs associated with a penetration test
Access:
List
ListPentests
Description:
Grants permission to list penetration tests with optional filtering by status
Access:
List
ListResourcesFromIntegration
Description:
Grants permission to list resources from Integration
Access:
List
ListTasks
Description:
Grants permission to list security testing tasks associated with a pentest job
Access:
List
StartCodeRemediation
Description:
Grants permission to start code remediation for the findings
Access:
Write
StartPentestExecution
Description:
Grants permission to initiate the execution of a penetration test
Access:
Write
StopPentestExecution
Description:
Grants permission to stop the execution of a running penetration test
Access:
Write
ToggleManagedControl
Description:
Grants permission to toggle the status
Access:
Write
UpdateAgentInstance
Description:
Grants permission to update an agent instance record
Access:
Write
UpdateApplication
Description:
Grants permission to update application configuration
Access:
Write
Dependents:
iam:PassRole
UpdateControl
Description:
Grants permission to update a customer managed Control
Access:
Write
UpdateFinding
Description:
Grants permission to update an existing security finding with new details or status
Access:
Write
UpdateIntegratedResources
Description:
Grants permission to update integrated resources for an agent instance
Access:
Write
UpdatePentest
Description:
Grants permission to update an existing penetration test with new configuration or settings
Access:
Write
VerifyTargetDomain
Description:
Grants permission to verify ownership for a registered target domain in an agent instance
Access:
Write
Resources
Application
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:application/${ApplicationId}
Control
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:control/${ControlId}
Integration
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:integration/${IntegrationId}
AgentInstance
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:agent-instance/${AgentId}
Artifact
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:agent-instance/${AgentId}/artifact/${ArtifactId}
Pentest
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:agent-instance/${AgentId}/pentest/${PentestId}
PentestJob
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:agent-instance/${AgentId}/pentest-job/${JobId}
PentestTask
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:agent-instance/${AgentId}/pentest-task/${TaskId}
Finding
Arn:
arn:${Partition}:securityagent:${Region}:${Account}:agent-instance/${AgentId}/finding/${FindingId}