Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon services that work with IAM

The Amazon services listed below are grouped by their Amazon product categories and include information about what IAM features they support:

Compute services

¹ Amazon EC2 service-linked roles can be used only for the following features: Spot Instance Requests, Spot Fleet Requests, Amazon EC2 Fleets, and Fast launching for Windows instances.

² Amazon Lambda supports attribute-based access control (ABAC) for API actions that use a Lambda function as the required resource. Layers, event source mappings, and code signing config resources are not supported.

³ Amazon Lambda doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.

⁴ Amazon Lightsail partially supports resource-level permissions and ABAC. For more information, see Actions, resources, and condition keys for Amazon Lightsail.

Containers services

¹ Only some Amazon ECS actions support resource-level permissions.

Storage services

¹ Amazon S3 supports tag-based authorization for only object resources.

² Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.

Database services

¹ Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. You can choose the Aurora MySQL or Aurora PostgreSQL as the DB engine option when setting up new database servers through Amazon RDS. For more information, see Identity and access management for Amazon Aurora in the Amazon Aurora User Guide.

Developer tools services

¹ CodeBuild supports cross-account resource sharing using Amazon RAM.

² CodeBuild supports ABAC for project-based actions.

³ X-Ray does not support resource-level permissions for all actions.

⁴ X-Ray supports tag-based access control for groups and sampling rules.

Security, identity, and compliance services

¹ IAM supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. For more information, see Granting a user permissions to switch roles.

² IAM supports tag-based access control for most IAM resources. For more information, see Tagging IAM resources.

³ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

⁴ Amazon STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.

⁵ Only some of the API operations for Amazon STS support calling with temporary credentials. For more information, see Comparing your API options.

Cryptography and PKI services

Machine learning services

¹ Service-linked roles are currently available for SageMaker Studio and SageMaker training jobs.

Management and governance services

¹ Amazon CloudTrail supports resource-based policies only on CloudTrail channels used for CloudTrail Lake integrations with event sources outside of Amazon.

² Amazon CloudWatch service-linked roles cannot be created using the Amazon Web Services Management Console, and support only the Alarm Actions feature.

³ Amazon Config supports resource-level permissions for multi-account multi-Region data aggregation and Amazon Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and Amazon Config Rules section of Amazon Config API Guide.

⁴ Users can assume a role with a policy that allows Amazon Resource Groups operations.

⁵ API access to Trusted Advisor is through the Amazon Web Services Support API and is controlled by Amazon Web Services Support IAM policies.

Migration and transfer services

¹ You can create and modify policies that are attached to Amazon KMS encryption keys you create to encrypt data migrated to supported target endpoints. The supported target endpoints include Amazon Redshift and Amazon S3. For more information, see Creating and Using Amazon KMS Keys to Encrypt Amazon Redshift Target Data and Creating Amazon KMS Keys to Encrypt Amazon S3 Target Objects in the Amazon Database Migration Service User Guide.

Mobile services

Networking and content delivery services

¹ Amazon CloudFront doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.

² Amazon Cloud WAN also supports service-linked roles. For more information, see Amazon Cloud WAN service-linked roles in the Amazon VPC Amazon Cloud WAN Guide.

³ In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify ""Resource": "*"". For more information, see Identity and access management for VPC endpoints and VPC endpoint services in the Amazon PrivateLink Guide.

⁴ Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.

⁵ Amazon VPC doesn't have service-linked roles, but Amazon Transit Gateway does. For more information, see Use service-linked roles for transit gateway in the Amazon VPC Amazon Transit Gateway Guide.

Media services

¹ MediaPackage supports service-linked roles for publishing customer access logs to CloudWatch but not for other API actions.

Analytics services

Application integration services

Business applications services

Satellite services

Internet of Things services

¹ Devices connected to Amazon IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach Amazon IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for Amazon IoT in the Amazon IoT Developer Guide.

Robotics services

Quantum Computing Services

Blockchain services

Game development services

AR & VR services

Customer enablement services

Customer engagement services

¹ You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as ses:SendEmail or ses:SendRawEmail. For policy statements that refer to any other actions, the Resource element can only contain *.

² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.

End user computing services

Billing and cost management services

Additional resources