Amazon services that work with IAM
The Amazon services listed below are grouped by their Amazon product categories and include information about which IAM features they support:

- Service – You can choose the name of a service to view the Amazon documentation about IAM authorization and access for that service.
- Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use `*` in the `Action` element. For a list of actions in each service, see Actions, Resources, and Condition Keys for Amazon Services.
- Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use `*` in the `Resource` element. Some actions, such as `List*` actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources but not others, it is indicated by Partial in the table. See the documentation for that service for more information.
- Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a `Principal` element to specify which IAM identities can access that resource. For more information, see Identity-based policies and resource-based policies.
- ABAC (authorization based on tags) – To control access based on tags, you provide tag information in the condition element of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. If a service supports all three condition keys for every resource type, then the value is Yes for the service. If a service supports all three condition keys for only some resource types, then the value is Partial. For more information about defining permissions based on attributes such as tags, see What is ABAC for Amazon?. To view a tutorial with steps for setting up ABAC, see Use attribute-based access control (ABAC).
- Temporary credentials – You can use short-term credentials that you obtain when you sign in using IAM Identity Center, switch roles in the console, or that you generate using Amazon STS in the Amazon CLI or Amazon API. You can access services with a No value only while using your long-term IAM user credentials. This includes a user name and password or your user access keys. For more information, see Temporary security credentials in IAM.
- Service-linked roles – A service-linked role is a special type of service role that gives the service permission to access resources in other services on your behalf. Choose the Yes link to see the documentation for services that support these roles. This column does not indicate if the service uses standard service roles. For more information, see Using service-linked roles.
- More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.
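The following identity-based policy is an added example, not part of this page, that exercises the Actions, Resource-level permissions and ABAC features described above against Amazon EC2. It assumes a placeholder account ID (123456789012), a tag key named `team`, and the `aws:PrincipalTag` global condition key (not listed on this page) to compare the caller's tag with the resource's tag; `Sid` values label each statement because IAM JSON policies cannot carry comments.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeActionsDoNotSupportArnsSoResourceMustBeWildcard",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ResourceLevelArnPlusResourceTagCondition",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "TaggingRestrictedByRequestTagAndTagKeys",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    }
  ]
}
```

The first statement shows why a service with No under Resource-level permissions for an action forces `"Resource": "*"`; the second and third show the three ABAC condition keys that decide a Yes or Partial in the ABAC column.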
Compute services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon App Runner | ||||||
Amazon Batch | ||||||
Amazon Elastic Compute Cloud (Amazon EC2) | ||||||
Amazon EC2 Auto Scaling | ||||||
EC2 Image Builder | ||||||
Amazon EC2 Instance Connect | ||||||
Amazon Elastic Beanstalk | ||||||
Amazon Elastic Inference | ||||||
Amazon Elastic Load Balancing | ||||||
Amazon Lambda | ||||||
Amazon Lightsail | ||||||
Amazon Outposts | ||||||
Amazon Recycle Bin | ||||||
Amazon Serverless Application Repository | ||||||
Amazon SimSpace Weaver | ||||||
¹ Amazon EC2 service-linked roles can be used only for the following features: Spot Instance Requests, Spot Fleet Requests, Amazon EC2 Fleets, and Fast launching for Windows instances.
² Amazon Lambda supports attribute-based access control (ABAC) for API actions that use a Lambda function as the required resource. Layers, event source mappings, and code signing config resources are not supported.
³ Amazon Lambda doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.
⁴ Amazon Lightsail partially supports resource-level permissions and ABAC. For more information, see Actions, resources, and condition keys for Amazon Lightsail.
Containers services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon App2Container | ||||||
Amazon App Runner | ||||||
Amazon Elastic Container Registry (Amazon ECR) | ||||||
Amazon Elastic Container Registry Public (Amazon ECR Public) | ||||||
Amazon Elastic Container Service (Amazon ECS) | ||||||
Amazon Elastic Kubernetes Service (Amazon EKS) | ||||||
¹ Only some Amazon ECS actions support resource-level permissions.
Storage services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Backup | ||||||
Amazon Backup Gateway | ||||||
Amazon Backup storage | ||||||
Amazon Elastic Block Store (Amazon EBS) | ||||||
Amazon Elastic Disaster Recovery | ||||||
Amazon Elastic File System (Amazon EFS) | ||||||
Amazon FSx | ||||||
Amazon Import/Export | ||||||
Amazon S3 Glacier | ||||||
Amazon Simple Storage Service (Amazon S3) | ||||||
Amazon Simple Storage Service (Amazon S3) on Amazon Outposts | ||||||
Amazon Simple Storage Service (Amazon S3) Object Lambda | ||||||
Amazon Snow Device Management | ||||||
Amazon Snowball | ||||||
Amazon Snowball Edge | ||||||
Amazon Storage Gateway | ||||||
¹ Amazon S3 supports tag-based authorization for only object resources.
² Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.
Database services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Database Query Metadata Service | ||||||
Amazon DocumentDB Elastic Clusters | ||||||
Amazon DynamoDB | ||||||
Amazon DynamoDB Accelerator (DAX) | ||||||
Amazon ElastiCache | ||||||
Amazon Keyspaces (for Apache Cassandra) | ||||||
Amazon MediaImport | ||||||
Amazon MemoryDB for Redis | ||||||
Amazon Neptune | ||||||
Amazon Performance Insights | ||||||
Amazon Quantum Ledger Database (Amazon QLDB) | ||||||
Amazon Redshift | ||||||
Amazon Redshift Data API | ||||||
Amazon Redshift Serverless | ||||||
Amazon Relational Database Service (Amazon RDS)¹ | ||||||
Amazon RDS Data API | ||||||
Amazon RDS IAM Authentication | ||||||
Amazon SimpleDB | ||||||
Amazon SQL Workbench | ||||||
Amazon Timestream | ||||||
¹ Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. You can choose the Aurora MySQL or Aurora PostgreSQL as the DB engine option when setting up new database servers through Amazon RDS. For more information, see Identity and access management for Amazon Aurora in the Amazon Aurora User Guide.
Developer tools services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Cloud9 | ||||||
Amazon Web Services Cloud Control API | ||||||
Amazon CloudShell | ||||||
Amazon CodeArtifact | ||||||
Amazon CodeBuild | ||||||
Amazon CodeCatalyst | ||||||
Amazon CodeCommit | ||||||
Amazon CodeDeploy | ||||||
Amazon CodeDeploy secure host commands service | ||||||
Amazon CodePipeline | ||||||
AWS CodeStar | ||||||
AWS CodeStar Connections | ||||||
AWS CodeStar Notifications | ||||||
Amazon CodeWhisperer | ||||||
Amazon Fault Injection Simulator | ||||||
Amazon Microservice Extractor for .NET | ||||||
Amazon X-Ray | ||||||
¹ CodeBuild supports cross-account resource sharing using Amazon RAM.
² CodeBuild supports ABAC for project-based actions.
³ X-Ray does not support resource-level permissions for all actions.
⁴ X-Ray supports tag-based access control for groups and sampling rules.
Security, identity, and compliance services
¹ IAM supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. For more information, see Granting a user permissions to switch roles.
² IAM supports tag-based access control for most IAM resources. For more information, see Tagging IAM resources.
³ Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.
⁴ Amazon STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.
⁵ Only some of the API operations for Amazon STS support calling with temporary credentials. For more information, see Comparing your API options.
Cryptography and PKI services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Certificate Manager (ACM) | ||||||
Amazon Private Certificate Authority (Amazon Private CA) | ||||||
Amazon CloudHSM | ||||||
Amazon Key Management Service (Amazon KMS) | ||||||
Amazon Signer | ||||||
Machine learning services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon BugBust | ||||||
Amazon CodeGuru Profiler | ||||||
Amazon CodeGuru Reviewer | ||||||
Amazon Comprehend | ||||||
Amazon Comprehend Medical | ||||||
Amazon DeepComposer | ||||||
Amazon DeepLens | ||||||
Amazon DeepRacer | ||||||
Amazon DevOps Guru | ||||||
Amazon Forecast | ||||||
Amazon Fraud Detector | ||||||
Ground Truth Labeling | ||||||
Amazon HealthLake | ||||||
Amazon Kendra | ||||||
Amazon Kendra Intelligent Ranking | ||||||
Amazon Lex | ||||||
Amazon Lex V2 | ||||||
Amazon Lookout for Equipment | ||||||
Amazon Lookout for Metrics | ||||||
Amazon Lookout for Vision | ||||||
Amazon Machine Learning | ||||||
Amazon Monitron | ||||||
Amazon Omics | ||||||
Amazon Panorama | ||||||
Amazon Personalize | ||||||
Amazon Polly | ||||||
Amazon Rekognition | ||||||
Amazon SageMaker | ||||||
Amazon SageMaker geospatial capabilities | ||||||
Amazon SageMaker Ground Truth Synthetic | ||||||
Amazon Textract | ||||||
Amazon Transcribe | ||||||
Amazon Translate | ||||||
¹ Service-linked roles are currently available for SageMaker Studio and SageMaker training jobs.
Management and governance services
¹ Amazon CloudTrail supports resource-based policies only on CloudTrail channels used for CloudTrail Lake integrations with event sources outside of Amazon.
² Amazon CloudWatch service-linked roles cannot be created using the Amazon Web Services Management Console, and support only the Alarm Actions feature.
³ Amazon Config supports resource-level permissions for multi-account multi-Region data aggregation and Amazon Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and Amazon Config Rules section of Amazon Config API Guide.
⁴ Users can assume a role with a policy that allows Amazon Resource Groups operations.
⁵ API access to Trusted Advisor is through the Amazon Web Services Support API and is controlled by Amazon Web Services Support IAM policies.
Migration and transfer services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Application Discovery Service | ||||||
Amazon Application Discovery Arsenal | ||||||
Amazon Application Migration Service | ||||||
Amazon Connector Service | ||||||
Amazon Transfer Family | ||||||
Amazon Database Migration Service | ||||||
Amazon DataSync | ||||||
Amazon Mainframe Modernization | ||||||
Amazon Migration Hub | ||||||
Amazon Migration Hub Orchestrator | ||||||
Amazon Migration Hub Refactor Spaces | ||||||
Amazon Migration Hub Strategy Recommendations | ||||||
Amazon Server Migration Service | ||||||
¹ You can create and modify policies that are attached to Amazon KMS encryption keys you create to encrypt data migrated to supported target endpoints. The supported target endpoints include Amazon Redshift and Amazon S3. For more information, see Creating and Using Amazon KMS Keys to Encrypt Amazon Redshift Target Data and Creating Amazon KMS Keys to Encrypt Amazon S3 Target Objects in the Amazon Database Migration Service User Guide.
Mobile services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Amplify | ||||||
Amazon Amplify Admin | ||||||
Amazon Amplify UI Builder | ||||||
Amazon AppSync | ||||||
Amazon Device Farm | ||||||
Amazon Location Service | ||||||
Networking and content delivery services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon API Gateway | ||||||
Amazon API Gateway Management | ||||||
Amazon API Gateway Management V2 | ||||||
Amazon Client VPN | ||||||
Amazon Direct Connect | ||||||
Amazon Global Accelerator | ||||||
Amazon Network Manager | ||||||
Amazon Private 5G | ||||||
Amazon Route 53 | ||||||
Amazon Route 53 Application Recovery Controller - Zonal Shift | ||||||
Amazon Route 53 Domains | ||||||
Amazon Route 53 Recovery Cluster | ||||||
Amazon Route 53 Recovery Control Config | ||||||
Amazon Route 53 Recovery Readiness | ||||||
Amazon Route 53 Resolver | ||||||
Amazon Site-to-Site VPN | ||||||
Amazon Tiros API (for Reachability Analyzer) | ||||||
Amazon Virtual Private Cloud (Amazon VPC) | ||||||
Amazon VPC Lattice | ||||||
Amazon VPC Lattice Services | ||||||
¹ Amazon CloudFront doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.
² Amazon Cloud WAN also supports service-linked roles. For more information, see Amazon Cloud WAN service-linked roles in the Amazon VPC Amazon Cloud WAN Guide.
³ In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any `Action` element that includes the `ec2:*VpcEndpoint*` or `ec2:DescribePrefixLists` API actions must specify `"Resource": "*"`. For more information, see Identity and access management for VPC endpoints and VPC endpoint services in the Amazon PrivateLink Guide.
⁴ Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.
⁵ Amazon VPC doesn't have service-linked roles, but Amazon Transit Gateway does. For more information, see Use service-linked roles for transit gateway in the Amazon VPC Amazon Transit Gateway Guide.
Media services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Elastic Transcoder | ||||||
Amazon Elemental Appliances and Software | ||||||
Amazon Elemental Appliances and Software Activation Service | ||||||
AWS Elemental MediaConnect | ||||||
AWS Elemental MediaConvert | ||||||
AWS Elemental MediaLive | ||||||
AWS Elemental MediaPackage | ||||||
AWS Elemental MediaPackage VOD | ||||||
AWS Elemental MediaStore | ||||||
AWS Elemental MediaTailor | ||||||
Amazon Elemental Support Cases | ||||||
Amazon Elemental Support Content | ||||||
Amazon Interactive Video Service | ||||||
Amazon Interactive Video Service Chat | ||||||
Amazon Kinesis Video Streams | ||||||
Amazon Nimble Studio | ||||||
¹ MediaPackage supports service-linked roles for publishing customer access logs to CloudWatch but not for other API actions.
Analytics services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Athena | ||||||
Amazon Clean Rooms | ||||||
Amazon CloudSearch | ||||||
Amazon Data Exchange | ||||||
Amazon Data Pipeline | ||||||
Amazon DataZone | ||||||
Amazon DataZone Control | ||||||
Amazon OpenSearch Service | ||||||
Amazon OpenSearch Serverless | ||||||
Amazon EMR | ||||||
Amazon EMR on EKS | ||||||
Amazon EMR Serverless | ||||||
Amazon FinSpace | ||||||
Amazon FinSpace API | ||||||
Amazon Glue | ||||||
Amazon Glue DataBrew | ||||||
Amazon Kinesis Data Analytics | ||||||
Amazon Kinesis Data Analytics V2 | ||||||
Amazon Kinesis Data Firehose | ||||||
Amazon Kinesis Data Streams | ||||||
Amazon Lake Formation | ||||||
Amazon Managed Streaming for Apache Kafka (MSK) | ||||||
Amazon Managed Streaming for Kafka Connect | ||||||
Apache Kafka APIs for Amazon MSK clusters | ||||||
Amazon Managed Workflows for Apache Airflow | ||||||
Amazon QuickSight | ||||||
Application integration services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon AppFlow | ||||||
Amazon EventBridge | ||||||
Amazon EventBridge Pipes | ||||||
Amazon EventBridge Scheduler | ||||||
Amazon EventBridge Schemas | ||||||
Amazon MQ | ||||||
Amazon Simple Notification Service (Amazon SNS) | ||||||
Amazon Simple Queue Service (Amazon SQS) | ||||||
Amazon Step Functions | ||||||
Amazon Simple Workflow Service (Amazon SWF) | ||||||
Business applications services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Alexa for Business | ||||||
Amazon Chime | ||||||
Amazon Honeycode | ||||||
Amazon Supply Chain | ||||||
Amazon WorkMail | ||||||
Amazon WorkMail Message Flow | ||||||
Satellite services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Ground Station | ||||||
Internet of Things services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
FreeRTOS | ||||||
Amazon IoT | ||||||
Amazon IoT 1-Click | ||||||
Amazon IoT Analytics | ||||||
Amazon IoT Core Device Advisor | ||||||
Amazon IoT Device Tester | ||||||
Amazon IoT Events | ||||||
Fleet Hub for Amazon IoT Device Management | ||||||
Amazon IoT FleetWise | ||||||
Amazon IoT Greengrass | ||||||
Amazon IoT Greengrass V2 | ||||||
Amazon IoT Jobs DataPlane | ||||||
Amazon IoT RoboRunner | ||||||
Amazon IoT SiteWise | ||||||
Amazon IoT TwinMaker | ||||||
Amazon IoT Wireless | ||||||
¹ Devices connected to Amazon IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach Amazon IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for Amazon IoT in the Amazon IoT Developer Guide.
Robotics services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon RoboMaker | ||||||
Quantum Computing Services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Braket | ||||||
Blockchain services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Managed Blockchain | ||||||
Game development services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon GameLift | ||||||
Amazon GameSparks | ||||||
AR & VR services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Sumerian | ||||||
Customer enablement services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon IQ | ||||||
Amazon IQ Permissions | ||||||
Amazon Web Services Support | ||||||
Amazon Web Services Support App in Slack | ||||||
Amazon Web Services Support Plans | ||||||
Customer engagement services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon AppIntegrations | ||||||
Amazon Connect | ||||||
Amazon Connect Cases | ||||||
Amazon Connect Customer Profiles | ||||||
Amazon Connect High-volume outbound communications | ||||||
Amazon Connect Voice ID | ||||||
Amazon Connect Wisdom | ||||||
Amazon Pinpoint | ||||||
Amazon Pinpoint Email Service | ||||||
Amazon Pinpoint SMS and Voice Service | ||||||
Amazon Pinpoint SMS and Voice Service v2 | ||||||
Amazon Simple Email Service (Amazon SES) v2 | ||||||
¹ You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as `ses:SendEmail` or `ses:SendRawEmail`. For policy statements that refer to any other actions, the `Resource` element can only contain `*`.
² Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.
End user computing services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon AppStream 2.0 | ||||||
Amazon WAM | ||||||
Amazon Wickr | ||||||
Amazon WorkDocs | ||||||
Amazon WorkSpaces | ||||||
Amazon WorkSpaces Application Manager | ||||||
Amazon WorkSpaces Web | ||||||
Billing and cost management services
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Application Cost Profiler Service | ||||||
Amazon Billing and Cost Management | ||||||
Amazon Billing Conductor | ||||||
Amazon CloudAssist service read write permissions | ||||||
Amazon Consolidated Billing | ||||||
Amazon Cost and Usage Report | ||||||
Amazon Cost Explorer | ||||||
Amazon Fapiao Management | ||||||
Amazon Free Tier | ||||||
Amazon Invoicing Service | ||||||
Amazon Payments | ||||||
Amazon Price List | ||||||
Amazon Purchase Orders Console | ||||||
Amazon Savings Plans | ||||||
Amazon Sustainability | ||||||
Amazon Tax Settings | ||||||
Additional resources
Service | Actions | Resource-level permissions | Resource-based policies | ABAC | Temporary credentials | Service-linked roles |
---|---|---|---|---|---|---|
Amazon Activate | ||||||
Amazon Budget Service | ||||||
Amazon Web Services Marketplace | ||||||
Amazon Web Services Marketplace Catalog | ||||||
Amazon Marketplace Commerce Analytics | ||||||
Amazon Web Services Marketplace Discovery | ||||||
Amazon Web Services Marketplace Management Portal | ||||||
Amazon Marketplace Metering Service | ||||||
Amazon Web Services Marketplace Private Marketplace | ||||||
Amazon Web Services Marketplace Seller Reporting | ||||||
Amazon Web Services Marketplace Vendor Insights | ||||||
Amazon Mechanical Turk | ||||||