39 actions in the shield service. Select an action to see its access level, resource ARNs, condition keys, and a copy-paste IAM policy.
Grants permission to authorize the DDoS Response team to access the specified Amazon S3 bucket containing your flow logs
Grants permission to authorize the DDoS Response team using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks
Grants permission to add health-based detection to the Shield Advanced protection for a resource
Grants permission to initialize proactive engagement and set the list of contacts for the DDoS Response Team (DRT) to use
Grants permission to activate DDoS protection service for a given resource ARN
Grants permission to create a grouping of protected resources so they can be handled as a collective
Grants permission to activate subscription
Grants permission to delete an existing protection
Grants permission to remove the specified protection group
Grants permission to deactivate subscription
Grants permission to get attack details. For getting attack details protected by AWS WAF anti-DDoS managed rule group, this action additionally calls wafv2:DescribeTopContributorsByEvent to retrieve application layer attack contributors, which requires to have wafv2:DescribeTopContributorsByEvent permission in IAM policy
Grants permission to get detailed information about the contributors to a specific DDoS attack
Grants permission to describe information about the number and type of attacks AWS Shield has detected in the last year
Grants permission to describe the current role and list of Amazon S3 log buckets used by the DDoS Response team to access your AWS account while assisting with attack mitigation
Grants permission to list the email addresses that the DRT can use to contact you during a suspected attack
Grants permission to get protection details
Grants permission to describe the specification for the specified protection group
Grants permission to get subscription details, such as start time
Grants permission to disable application layer automatic response for Shield Advanced protection for a resource
Grants permission to remove authorization from the DDoS Response Team (DRT) to notify contacts about escalations
Grants permission to remove the DDoS Response team's access to the specified Amazon S3 bucket containing your flow logs
Grants permission to remove the DDoS Response team's access to your AWS account
Grants permission to remove health-based detection from the Shield Advanced protection for a resource
Grants permission to enable application layer automatic response for Shield Advanced protection for a resource
Grants permission to authorize the DDoS Response Team (DRT) to use email and phone to notify contacts about escalations
Grants permission to retrieve global threat intelligence data and trends from AWS Shield's threat monitoring systems
Grants permission to get subscription state
Grants permission to list all existing attacks
Grants permission to retrieve a list of mitigation actions that have been applied during DDoS attacks
Grants permission to retrieve the protection groups for the account
Grants permission to list all existing protections
Grants permission to retrieve the resources that are included in the protection group
Grants permission to get information about AWS tags for a specified Amazon Resource Name (ARN) in AWS Shield
Grants permission to add or updates tags for a resource in AWS Shield
Grants permission to remove tags from a resource in AWS Shield
Grants permission to update application layer automatic response for Shield Advanced protection for a resource
Grants permission to update the details of the list of email addresses that the DRT can use to contact you during a suspected attack
Grants permission to update an existing protection group
Grants permission to update the details of an existing subscription