Amazon services that work with IAM - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon services that work with IAM

The Amazon services listed below are grouped alphabetically and include information about what IAM features they support:

  • Service – You can choose the name of a service to view the Amazon documentation about IAM authorization and access for that service.

  • Actions – You can specify individual actions in a policy. If the service does not support this feature, then All actions is selected in the visual editor. In a JSON policy document, you must use * in the Action element. For a list of actions in each service, see Actions, Resources, and Condition Keys for Amazon Services.

  • Resource-level permissions – You can use ARNs to specify individual resources in the policy. If the service does not support this feature, then All resources is chosen in the policy visual editor. In a JSON policy document, you must use * in the Resource element. Some actions, such as List* actions, do not support specifying an ARN because they are designed to return multiple resources. If a service supports this feature for some resources but not others, it is indicated by Partial in the table. See the documentation for that service for more information.

  • Resource-based policies – You can attach resource-based policies to a resource within the service. Resource-based policies include a Principal element to specify which IAM identities can access that resource. For more information, see Identity-based policies and resource-based policies.

  • ABAC (authorization based on tags) – To control access based on tags, you provide tag information in the condition element of a policy using the aws:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. If a service supports all three condition keys for every resource type, then the value is Yes for the service. If a service supports all three condition keys for only some resource types, then the value is Partial. For more information about defining permissions based on attributes such as tags, see Define permissions based on attributes with ABAC authorization. To view a tutorial with steps for setting up ABAC, see Use attribute-based access control (ABAC).

  • Temporary credentials – You can use short-term credentials that you obtain when you sign in using IAM Identity Center, switch roles in the console, or that you generate using Amazon STS in the Amazon CLI or Amazon API. You can access services with a No value only while using your long-term IAM user credentials. This includes a user name and password or your user access keys. For more information, see Temporary security credentials in IAM.

  • Service-linked roles – A service-linked role is a special type of service role that gives the service permission to access resources in other services on your behalf. Choose the Yes or Partial link to see the documentation for services that support these roles. This column does not indicate if the service uses standard service roles. For more information, see Service-linked roles.

  • More information – If a service doesn't fully support a feature, you can review the footnotes for an entry to view the limitations and links to related information.

Services that work with IAM

Service Actions Resource-level permissions Resource-based policies ABAC Temporary credentials Service-linked roles
Amazon Account Management Yes Yes No No Yes No
Amazon Activate Console Yes No No No Yes No
Amazon AI Operations Yes Yes No Yes Yes No
Amazon Amplify Admin Yes Yes No No Yes No
Amazon Amplify Yes Yes No Partial Yes No
Amazon Amplify UI Builder Yes Yes No Yes Yes No
Apache Kafka APIs for Amazon MSK clusters Yes Yes No No Yes No
Amazon API Gateway Yes Yes Yes No Yes Yes
Amazon API Gateway Management Yes Yes No Yes Yes No
Amazon API Gateway Management V2 Yes Yes No Yes Yes No
Amazon App Studio Yes No No No Yes No
Amazon App2Container Yes No No No Yes No
Amazon AppConfig Yes Yes No Yes Yes No
Amazon AppFabric Yes Yes No Yes Yes No
Amazon AppFlow Yes Yes No Yes Yes No
Amazon AppIntegrations Yes Yes No Yes Yes Yes
Application Auto Scaling Yes Yes No Yes Yes Yes
Amazon Application Cost Profiler Yes No No No Yes No
Amazon Application Discovery Arsenal Yes No No No Yes No
Amazon Application Discovery Service Yes No No No Yes Yes
Amazon Application Migration Service Yes Yes No Yes Yes Yes
Amazon Application Recovery Controller - Zonal Shift Yes Yes No No Yes No
Amazon Application Transformation Service Yes No No No Yes No

Amazon App Mesh

Yes Yes No Yes Yes Yes

Amazon App Mesh Preview

Yes Yes No No Yes Yes
Amazon App Runner Yes Yes No Yes Yes Yes
Amazon AppStream 2.0 Yes Yes No Yes Yes No
Amazon AppSync Yes Yes No Yes Yes No
Amazon Artifact Yes Yes No No Yes No
Amazon Athena Yes Yes No Yes Yes No
Amazon Audit Manager Yes Yes No Yes Yes Yes
Amazon Aurora DSQL Yes Yes No Yes Yes Yes
Amazon Auto Scaling Yes No No No Yes Yes
Amazon B2B Data Interchange Yes Yes No Yes Yes No
Amazon Backup Yes Yes Yes Yes Yes Yes
Amazon Backup Gateway Yes Yes No Yes Yes No
Amazon Backup storage Yes No No No Yes No
Amazon Batch Yes Partial No Yes Yes Yes
Amazon Bedrock Yes Yes No Yes Yes No
Amazon Billing and Cost Management Yes No No No Yes Yes
Amazon Billing and Cost Management Data Exports Yes Yes No Yes Yes No
Amazon Billing and Cost Management Pricing Calculator Yes Yes No Yes Yes No
Amazon Billing Conductor Yes Yes No Yes Yes No
Amazon Braket Yes Yes No Yes Yes Yes
Amazon Budget Service Yes Yes No No No No
Amazon BugBust Yes Yes No Yes Yes Yes
Amazon Certificate Manager (ACM) Yes Yes No Yes Yes Yes
Amazon Chatbot Yes Yes No No Yes Yes
Amazon Chime Yes Yes No Yes Yes Yes
Amazon Clean Rooms Yes Yes No Yes Yes No
Amazon Clean Rooms ML Yes Yes No Yes Yes No
Amazon Client VPN Yes Yes No No Yes Yes
Amazon Cloud9 Yes Yes Yes Yes Yes Yes
Amazon Web Services Cloud Control API Yes No No No Yes No
Amazon Cloud Directory Yes Yes No No Yes No
Amazon CloudFormation Yes Yes No Yes Yes No

Amazon CloudFront

Yes Yes No Partial Yes Yes
Amazon CloudFront KeyValueStore Yes Yes No No Yes No
Amazon CloudHSM Yes Yes No Yes Yes Yes

Amazon Cloud Map

Yes Yes No Yes Yes No
Amazon CloudSearch Yes Yes No No Yes No
Amazon CloudShell Yes Yes No No Yes No
Amazon CloudTrail Yes Yes Partial (Info) Yes Yes Yes
Amazon CloudTrail Data Yes Yes No Yes Yes No
Amazon CloudWatch Yes Yes No Yes Yes Partial (Info)
Amazon CloudWatch Application Insights Yes No No No Yes No
Amazon CloudWatch Application Signals Yes Yes No Yes Yes No
Amazon CloudWatch Evidently Yes Yes No Yes Yes No
Amazon CloudWatch Internet Monitor Yes Yes No Yes Yes No
Amazon CloudWatch Logs Yes Yes Yes Partial Yes Yes
Amazon CloudWatch Network Monitor Yes Yes No Yes Yes No
Amazon CloudWatch Observability Access Manager Yes Yes No Yes Yes No
Amazon CloudWatch RUM Yes Yes No Yes Yes No
Amazon CloudWatch Synthetics Yes Yes No Yes Yes No
Amazon CodeArtifact Yes Yes Yes Yes Yes No
Amazon CodeBuild Yes Yes Yes (Info) Partial (Info) Yes No
Amazon CodeCatalyst Yes Yes No Yes Yes Yes
Amazon CodeCommit Yes Yes No Yes Yes No
Amazon CodeConnections Yes Yes No Yes Yes No
Amazon CodeDeploy Yes Yes No Yes Yes No
Amazon CodeDeploy secure host commands service Yes No No No Yes No
Amazon CodeGuru Profiler Yes Yes No Yes Yes Yes
Amazon CodeGuru Reviewer Yes Yes No Yes Yes Yes
Amazon CodeGuru Security Yes Yes No Yes Yes No
Amazon CodePipeline Yes Partial No Yes Yes No
AWS CodeStar Yes Partial No Yes Yes No
AWS CodeStar Connections Yes Yes No Yes Yes Yes
AWS CodeStar Notifications Yes Yes No Yes Yes Yes
Amazon CodeWhisperer Yes Yes No Yes Yes Yes
Amazon Cognito Yes Yes No Yes Yes Yes
Amazon Cognito Sync Yes Yes No No Yes Yes
Amazon Cognito user pools Yes Yes No Yes Yes Yes
Amazon Comprehend Yes Yes No Yes Yes No
Amazon Comprehend Medical Yes No No No Yes No
Amazon Compute Optimizer Yes No No No Yes Yes
Amazon Config Yes Partial (Info) No Yes Yes Yes
Amazon Connect Yes Yes No Yes Yes Yes
Amazon Connect Cases Yes Yes No Yes Yes No
Amazon Connect Customer Profiles Yes Yes No Yes Yes Yes
Amazon Connect Outbound Compaigns Yes Yes No Yes Yes No
Amazon Connect Voice ID Yes Yes No Yes Yes No
Amazon Console Mobile Application Yes Yes No No Yes No
Amazon Consolidated Billing Yes No No No Yes No
Amazon Control Catalog Yes Yes No No Yes No
Amazon Control Tower Yes Yes No No Yes No
Amazon Cost and Usage Report Yes Yes No No Yes No
Amazon Cost Explorer Yes Yes No Yes Yes No
Amazon Cost Optimization Hub Yes No No No Yes No
Amazon Customer Verification Service Yes No No No Yes No
Amazon Database Migration Service Yes Yes No (Info) Yes Yes Yes
Database Query Metadata Service Yes No No No Yes No
Amazon Web Services Data Exchange Yes Yes No Yes Yes Yes
Amazon Data Lifecycle Manager Yes Yes No Yes Yes No
Amazon Data Pipeline Yes Yes No Partial Yes No
Amazon DataSync Yes Yes No Yes Yes Yes
Amazon DataZone Yes No No No Yes No
Amazon Deadline Cloud Yes Yes No Yes Yes No
Amazon DeepComposer Yes Yes No Yes Yes No
Amazon DeepRacer Yes Yes No Yes Yes Yes
Amazon Detective Yes Yes No Yes Yes No
Amazon Device Farm Yes Yes No Yes Yes Yes
Amazon DevOps Guru Yes Yes No No Yes Yes
Amazon Diagnostic tools Yes Yes No Yes Yes No
Amazon Direct Connect Yes Yes No Yes Yes Yes
Amazon Directory Service Yes Yes No Yes Yes No
Amazon Directory Service Data Yes Yes No Yes Yes No
Amazon DocumentDB Elastic Clusters Yes Yes No Yes Yes Yes
Amazon DynamoDB Accelerator (DAX) Yes Yes No No Yes Yes
Amazon DynamoDB Yes Yes Yes Yes Yes No
Amazon Elastic Compute Cloud (Amazon EC2) Yes Partial No Yes Yes Partial (Info)
Amazon EC2 Auto Scaling Yes Yes No Yes Yes Yes
EC2 Image Builder Yes Yes No Yes Yes Yes
Amazon EC2 Instance Connect Yes Yes No Yes Yes Yes
Amazon ElastiCache Yes Yes No Yes Yes Yes
Amazon Elastic Beanstalk Yes Partial No Yes Yes Yes
Amazon Elastic Block Store (Amazon EBS) Yes Partial No Yes Yes No
Amazon Elastic Container Registry (Amazon ECR) Yes Yes Yes Yes Yes Yes
Amazon Elastic Container Registry Public (Amazon ECR Public) Yes Yes No Yes Yes No
Amazon Elastic Container Service (Amazon ECS) Yes Partial (Info) No Yes Yes Yes
Amazon Elastic Disaster Recovery Yes Yes No Yes Yes Yes
Amazon Elastic File System (Amazon EFS) Yes Yes Yes Partial Yes Yes
Amazon Elastic Inference Yes Yes No No Yes No
Amazon Elastic Kubernetes Service (Amazon EKS) Yes Yes No Yes Yes Yes
Amazon Elastic Kubernetes Service (Amazon EKS) Auth Yes Yes No No Yes No
Amazon Elastic Load Balancing Yes Partial No Partial Yes Yes
Amazon Elastic Transcoder Yes Yes No No Yes No
Amazon Elemental Appliances and Software Activation Service Yes Yes No Yes Yes No
Amazon Elemental Appliances and Software Yes Yes No Yes Yes No
AWS Elemental MediaConnect Yes Yes No No Yes Yes
AWS Elemental MediaConvert Yes Yes No Yes Yes No
AWS Elemental MediaLive Yes Yes No Yes Yes No
AWS Elemental MediaPackage Yes Yes No Yes Yes Partial (Info)
AWS Elemental MediaPackage V2 Yes Yes No Yes Yes No
AWS Elemental MediaPackage VOD Yes Yes No Yes Yes Partial (Info)
AWS Elemental MediaStore Yes Yes Yes Yes Yes No
AWS Elemental MediaTailor Yes Yes No Yes Yes Yes
Amazon Elemental Support Cases Yes No No No Yes No
Amazon Elemental Support Content Yes No No No Yes No
Amazon EMR Yes Yes No Yes Yes Yes
Amazon EMR on EKS Yes Yes No Yes Yes Yes
Amazon EMR Serverless Yes Yes No Yes Yes Yes
Amazon End User Messaging SMS and Voice V2 Yes Yes No Yes Yes Yes
Amazon End User Messaging Social Yes Yes No Yes Yes Yes
Amazon Entity Resolution Yes Yes No Yes Yes No
Amazon EventBridge Yes Yes Yes Yes Yes No
Amazon EventBridge Pipes Yes Yes No Yes Yes No
Amazon EventBridge Scheduler Yes Yes No Yes Yes No
Amazon EventBridge Schemas Yes Yes Yes Yes Yes No
Amazon Fapiao Management Yes No No No Yes No
Amazon Fault Injection Service Yes Yes No Yes Yes Yes
Amazon FinSpace Yes Yes No Yes Yes Yes
Amazon FinSpace API Yes Yes No No Yes No
Amazon Firewall Manager Yes Yes No Yes Yes Partial
Fleet Hub for Amazon IoT Device Management Yes Yes No Yes Yes No
Amazon Forecast Yes Yes No Yes Yes No
Amazon Fraud Detector Yes Yes No Yes Yes No
FreeRTOS Yes Yes No Yes Yes No
Amazon Free Tier Yes No No No Yes No
Amazon FSx Yes Yes No Yes Yes Yes
Amazon GameLift Yes Yes No Yes Yes No
Amazon Global Accelerator Yes Yes No Yes Yes Yes
Amazon Glue Yes Yes Yes Partial Yes No
Amazon Glue DataBrew Yes Yes No Yes Yes No
Amazon Ground Station Yes Yes No Yes Yes Yes
Amazon Ground Truth Labeling Yes No No No Yes No
Amazon GuardDuty Yes Yes No Yes Yes Yes
Amazon Health APIs And Notifications Yes Yes No No Yes No
Amazon HealthImaging Yes Yes No Yes Yes No
Amazon HealthLake Yes Yes No Yes Yes No
Amazon HealthOmics Yes Yes No Yes Yes No
Amazon IAM Identity Center Yes Yes No Partial Yes Yes
IAM Identity Center Directory Yes No No No Yes No
IAM Identity Center Identity Store Yes Yes No No Yes No
IAM Identity Center OIDC service Yes Yes No No Yes No
Amazon Identity and Access Management (IAM) Yes Yes Partial (Info) Partial (Info) Partial (Info) No
Amazon Identity and Access Management and Access Analyzer Yes Yes No Yes Yes Partial
Amazon Identity and Access Management Roles Anywhere Yes Yes No Yes Yes Yes
Amazon Identity Store Auth Yes No No No Yes No
Amazon Identity Sync Yes Yes No No Yes No
Amazon Import/Export Yes No No No Yes No
Amazon Inspector Yes Yes No Yes Yes Yes
Amazon Inspector Classic Yes No No No Yes Yes
Amazon InspectorScan Yes No No No Yes No
Amazon Interactive Video Service Yes Yes No Yes Yes Yes
Amazon Interactive Video Service Chat Yes Yes No Yes Yes No
Amazon Web Services Invoicing Yes Yes No Yes Yes No
Amazon IoT 1-Click Yes Yes No Yes Yes No
Amazon IoT Analytics Yes Yes No Yes Yes No
Amazon IoT Yes Yes Partial (Info) Yes Yes No
Amazon IoT Core Device Advisor Yes Yes No Yes Yes No
Amazon IoT Device Tester Yes No No No Yes No
Amazon IoT Events Yes Yes No Yes Yes No
Amazon IoT FleetWise Yes Yes No Yes Yes No
Amazon IoT Greengrass Yes Yes No Yes Yes No
Amazon IoT Greengrass V2 Yes Yes No Partial Yes No
Amazon IoT Jobs DataPlane Yes Yes No No Yes No
Amazon IoT SiteWise Yes Yes No Yes Yes Yes
Amazon IoT TwinMaker Yes Yes No Yes Yes Yes
Amazon IoT Wireless Yes Yes No Yes Yes No
Amazon IQ Yes Yes No No Yes Yes
Amazon IQ Permissions Yes Yes No No Yes No
Amazon Kendra Yes Yes No Yes Yes No
Amazon Kendra Intelligent Ranking Yes Yes No Yes Yes No
Amazon Key Management Service (Amazon KMS) Yes Yes Yes Yes Yes Yes
Amazon Keyspaces (for Apache Cassandra) Yes Yes No Yes Yes Yes
Amazon Managed Service for Apache Flink Yes Yes No Yes Yes No
Amazon Managed Service for Apache Flink V2 Yes Yes No Yes Yes No
Amazon Data Firehose Yes Yes No Yes Yes No
Amazon Kinesis Data Streams Yes Yes Yes Yes Yes No
Amazon Kinesis Video Streams Yes Yes No Yes Yes No
Amazon Lake Formation Yes No No No Yes Yes
Amazon Lambda Yes Yes Yes Partial (Info) Yes Partial (Info)
Amazon Launch Wizard Yes No No No Yes No
Amazon Lex Yes Yes No Yes Yes Yes
Amazon Lex V2 Yes Yes Yes Yes Yes Yes
Amazon License Manager Yes Yes No Yes Yes Yes
Amazon License Manager Linux Subscriptions Manager Yes No No No Yes No
Amazon License Manager User Subscriptions Yes No No No Yes Yes
Amazon Lightsail Yes Partial (Info) No Partial (Info) Yes Yes
Amazon Location Service Yes Yes No Yes Yes No
Amazon Location Service Maps Yes Yes No No Yes No
Amazon Location Service Places Yes Yes No No Yes No
Amazon Location Service Routes Yes Yes No No Yes No
Amazon Lookout for Equipment Yes Yes No Yes Yes No
Amazon Lookout for Metrics Yes Yes No Yes Yes No
Amazon Lookout for Vision Yes Yes No Yes Yes No
Amazon Machine Learning Yes Yes No No Yes No
Amazon Macie Yes Yes No Yes Yes Yes
Amazon Mainframe Modernization Yes Yes No Yes Yes Yes
Amazon Mainframe Modernization Application Testing Yes Yes No Yes Yes No
Amazon Managed Blockchain Yes Yes No Yes Yes No
Amazon Managed Blockchain Query Yes No No No Yes No
Amazon Managed Grafana Yes Yes No Yes Yes Yes
Amazon Managed Service for Prometheus Yes Yes No Yes Yes No
Amazon Managed Streaming for Apache Kafka (MSK) Yes Yes Partial (Info) Yes Yes Yes
Amazon Managed Streaming for Kafka Connect Yes Yes No No Yes Yes
Amazon Managed Workflows for Apache Airflow Yes Yes No Yes Yes No
Amazon Web Services Marketplace Yes No No No Yes Yes
Amazon Web Services Marketplace Catalog Yes Yes No Yes Yes No
Amazon Marketplace Commerce Analytics Yes No No No No No
Amazon Web Services Marketplace Deployment Service Yes Yes No Yes Yes No
Amazon Web Services Marketplace Discovery Yes No No No Yes No
Amazon Marketplace Entitlement Service Yes No No No Yes No
Amazon Web Services Marketplace Image Building Service Yes No No No Yes No
Amazon Web Services Marketplace Management Portal Yes No No No Yes No
Amazon Marketplace Metering Service Yes No No No Yes No
Amazon Web Services Marketplace Private Marketplace Yes No No No Yes No
Amazon Web Services Marketplace Procurement Systems Integration Yes No No No Yes No
Amazon Web Services Marketplace Reporting Yes Yes No No Yes No
Amazon Web Services Marketplace Seller Reporting Yes Yes No No Yes No
Amazon Web Services Marketplace Vendor Insights Yes Yes No Yes Yes No
Amazon Mechanical Turk Yes No No No Yes No
Amazon MediaImport Yes No No No No No
Amazon MemoryDB Yes Yes No Yes Yes Yes
Amazon Message Delivery Service Yes No No No Yes No
Amazon Message Gateway Service Yes No No No Yes No
Amazon Microservice Extractor for .NET Yes No No No Yes No
Amazon Migration Acceleration Program Credits Yes Yes No No Yes No
Amazon Migration Hub Yes Yes No No Yes Yes
Amazon Migration Hub Orchestrator Yes Yes No Yes Yes Yes
Amazon Migration Hub Refactor Spaces Yes Yes Yes Yes Yes Yes
Amazon Migration Hub Strategy Recommendations Yes No No No Yes Yes
Amazon Monitron Yes Yes No Yes Yes Yes
Amazon MQ Yes Yes No Yes Yes Yes
Amazon Neptune Yes Yes No No Yes Yes
Amazon Neptune Analytics Yes Yes No Yes Yes No
Amazon Network Firewall Yes Yes No Yes Yes Yes
Network Flow Monitor Yes Yes No Yes Yes No
Amazon Network Manager Yes Yes No Yes Yes Yes (Info)
Amazon Network Manager Chat Yes No No No Yes No
Amazon Nimble Studio Yes Yes No Yes Yes No
Amazon One Enterprise Yes Yes No Yes Yes No
Amazon OpenSearch Service Yes Yes No No Yes No
Amazon OpenSearch Ingestion Yes Yes No Yes Yes Yes
Amazon OpenSearch Serverless Yes Yes No Yes Yes Yes
Amazon OpenSearch Service Yes Yes Yes Yes Yes Yes
Amazon OpsWorks Yes Yes No No Yes No
Amazon OpsWorks Configuration Management Yes Yes No No Yes No
Amazon Organizations Yes Yes Yes Yes No Yes
Amazon Outposts Yes Yes No Yes Yes Yes
Amazon Panorama Yes Yes No Yes Yes Yes
Amazon Parallel Computing Service Yes Yes No Yes Yes Yes
Amazon Partner Central account management Yes No No No Yes No
Amazon Partner Central Selling Yes Yes No No Yes No
Amazon Payment Cryptography Yes Yes No Yes Yes No
Amazon Payments Yes No No No Yes No
Amazon Performance Insights Yes Yes No No Yes No
Amazon Personalize Yes Yes No No Yes No
Amazon Pinpoint Yes Yes No Yes Yes No
Amazon Pinpoint Email Service Yes Yes No Yes Yes No
Amazon Pinpoint SMS and Voice Service Yes No No No Yes No
Amazon Polly Yes Yes No No Yes No
Amazon Price List Yes No No No Yes No
Amazon Private 5G Yes Yes No Yes Yes No
Amazon Private CA Connector for Active Directory Yes Yes No Yes Yes No
Amazon Private CA Connector for SCEP Yes Yes No Yes Yes No
Amazon Private Certificate Authority (Amazon Private CA) Yes Yes Yes Yes Yes No
Amazon PrivateLink Yes No No No Yes No
Amazon Proton Yes Yes No Yes Yes Yes
Amazon Purchase Orders Console Yes Yes No Yes Yes No
Amazon Q Business Yes Yes No Yes Yes Yes
Amazon Q Business Q Apps Yes Yes No No Yes Yes
Amazon Q Developer Yes No No No Yes Yes
Amazon Q in Connect Yes Yes No Yes Yes No
Amazon Quantum Ledger Database (Amazon QLDB) Yes Yes No Yes Yes No
Amazon QuickSight Yes Yes No Yes Yes No
Amazon RDS Data API Yes Yes No No Yes No
Amazon RDS IAM Authentication Yes Yes No No Yes No
Amazon Recycle Bin Yes Yes No Yes Yes No
Amazon Redshift Yes Yes No Yes Yes Yes
Amazon Redshift Data API Yes Yes No No Yes No
Amazon Redshift Serverless Yes Yes Yes Yes Yes No
Amazon Rekognition Yes Yes Partial (Info) Yes Yes No
Amazon Relational Database Service (Amazon RDS) (Info) Yes Yes No Yes Yes Yes
Amazon Web Services re:Post Private Yes Yes No Yes Yes Yes
Amazon Resilience Hub Yes Yes No Yes Yes No
Amazon Resource Access Manager (Amazon RAM) Yes Yes No Yes Yes Yes
Amazon Resource Explorer Yes Yes No Yes Yes Yes
Amazon Resource Groups Yes Yes No Yes Partial (Info) Yes
Amazon Resource Groups Tagging API Yes No No No Yes No
Amazon RHEL Knowledgebase Portal Yes No No No Yes No
Amazon RoboMaker Yes Yes No Yes Yes Yes
Amazon Route 53 Yes Yes No No Yes No
Amazon Route 53 Domains Yes No No No No No
Amazon Route 53 Profiles Yes Yes No Yes Yes No
Amazon Route 53 Recovery Cluster Yes Yes No No Yes No
Amazon Route 53 Recovery Control Config Yes Yes No Yes Yes No
Amazon Route 53 Recovery Readiness Yes Yes No Yes Yes Yes
Amazon Route 53 Resolver Yes Yes No Yes Yes Yes
Amazon S3 Express Yes Yes No No Yes No
Amazon S3 Glacier Yes Yes Yes Yes Yes Partial
Amazon S3 Tables Yes Yes No No Yes No
Amazon SageMaker Yes Yes No Yes Yes Partial (Info)
Amazon SageMaker data science assistant Yes No No No Yes No
Amazon SageMaker geospatial capabilities Yes Yes No Yes Yes No
Amazon SageMaker Ground Truth Synthetic Yes No No No Yes No
Amazon SageMaker with MLflow Yes Yes No No Yes No
Amazon Savings Plans Yes Yes No Yes Yes No
Amazon Secrets Manager Yes Yes Yes Yes Yes No
Amazon Security Hub Yes Yes No Yes Yes Yes
Amazon Security Incident Response Yes Yes No Yes Yes Yes
Amazon Security Lake Yes Yes No No Yes Yes
Amazon Security Token Service (Amazon STS) Yes Partial (Info) No Yes Partial (Info) No
Amazon Serverless Application Repository Yes Yes Yes No Yes No
Amazon Service Catalog Yes Yes No Yes Yes Yes
Service Quotas Yes Yes No Yes Yes No
Amazon Shield Yes Yes No Yes Yes Yes
Amazon Signer Yes Yes Yes Yes Yes No
Amazon Signin Yes No No No Yes No
Amazon SimpleDB Yes Yes No No Yes No
Amazon Simple Email Service ‐ Mail Manager Yes Yes No Yes Yes Yes
Amazon Simple Email Service (Amazon SES) v2 Yes Partial (Info) Yes Yes Partial (Info) Yes
Amazon Simple Notification Service (Amazon SNS) Yes Yes Yes Yes Yes No
Amazon Simple Queue Service (Amazon SQS) Yes Yes Yes Partial Yes No
Amazon Simple Storage Service (Amazon S3) Yes Yes Yes Partial (Info) Yes Partial (Info)
Amazon Simple Storage Service (Amazon S3) Object Lambda Yes Yes No No Yes No
Amazon Simple Storage Service (Amazon S3) on Amazon Outposts Yes Yes Yes No Yes Yes
Amazon Simple Workflow Service (Amazon SWF) Yes Yes No Yes Yes No
Amazon SimSpace Weaver Yes Yes No Yes Yes No
Amazon Site-to-Site VPN Yes Yes No No Yes Yes
Amazon Snowball Yes No No No Yes No
Amazon Snowball Edge Yes No No No Yes No
Amazon Snow Device Management Yes Yes No Yes Yes No
Amazon SQL Workbench Yes Yes No Yes Yes No
Amazon Step Functions Yes Yes No Yes Yes No
Amazon Storage Gateway Yes Yes No Yes Yes No
Amazon Supply Chain Yes Yes No Yes Yes No
Amazon Web Services Support App in Slack Yes No No No Yes No
Amazon Web Services Support Yes No No No Yes Yes
Amazon Web Services Support Plans Yes No No No Yes No
Amazon Web Services Support Recommendations Yes No No No Yes No
Amazon Sustainability Yes No No No Yes No
Amazon Systems Manager Yes Yes Partial Yes Yes Yes
Amazon Systems Manager for SAP Yes Yes No Yes Yes No
Amazon Systems Manager GUI Connect Yes No No No Yes No
Amazon Systems Manager Incident Manager Yes Yes Yes Yes Yes Yes
Amazon Systems Manager Incident Manager Contacts Yes Yes Yes No Yes No
Amazon Systems Manager Quick Setup Yes Yes No Yes Yes No
Tag Editor Yes No No No Yes No
Amazon Tax Settings Yes No No No Yes No
Amazon Telco Network Builder Yes Yes No Yes Yes No
Amazon Textract Yes No No No Yes No
Amazon Timestream Yes Yes No Yes Yes No
Amazon Timestream Influxdb Yes Yes No Yes Yes Yes
Amazon Tiros API (for Reachability Analyzer) Yes No No No No No
Amazon Transcribe Yes Yes No Yes Yes No
Amazon Transfer Family Yes Yes No Yes Yes No
Amazon Translate Yes Yes No Yes Yes No
Amazon Trusted Advisor Partial (Info) Yes No No Partial Yes
Amazon User Notifications Yes Yes No Yes Yes Yes
Amazon User Notifications Contacts Yes Yes No Yes Yes No
Amazon User Subscriptions Yes No No No Yes No
Amazon Verified Access Yes No No No Yes No
Amazon Verified Permissions Yes Yes No No Yes No
Amazon Virtual Private Cloud (Amazon VPC) Yes Partial (Info) Partial (Info) Yes Yes Partial (Info)
Amazon VPC Lattice Yes Yes No Yes Yes No
Amazon VPC Lattice Services Yes Yes No No Yes No
Amazon WAF Yes Yes No Yes Yes Yes
Amazon WAF Classic Yes Yes No Yes Yes Yes
Amazon WAF Regional Yes Yes No Yes Yes Yes
Amazon Well-Architected Tool Yes Yes No Yes Yes No
Amazon Wickr Yes Yes No Yes Yes No
Amazon WorkDocs Yes No No No Yes No
Amazon WorkMail Yes Yes No Yes Yes Yes
Amazon WorkMail Message Flow Yes Yes No No Yes No
Amazon WorkSpaces Yes Yes No Yes Yes No
Amazon WorkSpaces Secure Browser Yes Yes No Yes Yes Yes
Amazon WorkSpaces Thin Client Yes Yes No Yes Yes No
Amazon X-Ray Yes Partial (Info) No Partial (Info) Yes No

More information

Amazon CloudTrail

CloudTrail supports resource-based policies on CloudTrail Lake event data stores, dashboards, and channels used for integrations with event sources outside of Amazon.

Amazon CloudWatch

CloudWatch service-linked roles cannot be created using the Amazon Web Services Management Console, and support only the Alarm Actions feature.

Amazon CodeBuild

CodeBuild supports cross-account resource sharing using Amazon RAM.

CodeBuild supports ABAC for project-based actions.

Amazon Config

Amazon Config supports resource-level permissions for multi-account multi-Region data aggregation and Amazon Config Rules. For a list of supported resources, see the Multi-Account Multi-Region Data Aggregation section and Amazon Config Rules section of the Amazon Config API Guide.

Amazon Database Migration Service

You can create and modify policies that are attached to Amazon KMS encryption keys you create to encrypt data migrated to supported target endpoints. The supported target endpoints include Amazon Redshift and Amazon S3. For more information, see Creating and Using Amazon KMS Keys to Encrypt Amazon Redshift Target Data and Creating Amazon KMS Keys to Encrypt Amazon S3 Target Objects in the Amazon Database Migration Service User Guide.

Amazon Elastic Compute Cloud

Amazon EC2 service-linked roles can be used only for the following features: Spot Instance Requests, Spot Fleet Requests, Amazon EC2 Fleets, and Fast launching for Windows instances.

Amazon Elastic Container Service

Only some Amazon ECS actions support resource-level permissions.

AWS Elemental MediaPackage

MediaPackage supports service-linked roles for publishing customer access logs to CloudWatch but not for other API actions.

Amazon Identity and Access Management

IAM supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role. For more information, see Grant a user permissions to switch roles.

IAM supports tag-based access control for most IAM resources. For more information, see Tags for Amazon Identity and Access Management resources.

Only some of the API actions for IAM can be called with temporary credentials. For more information, see Comparing your API options.

Amazon IoT

Devices connected to Amazon IoT are authenticated by using X.509 certificates or using Amazon Cognito Identities. You can attach Amazon IoT policies to an X.509 certificate or Amazon Cognito Identity to control what the device is authorized to do. For more information, see Security and Identity for Amazon IoT in the Amazon IoT Developer Guide.

Amazon Lambda

Lambda supports attribute-based access control (ABAC) for API actions that use a Lambda function as the required resource. Layers, event source mappings, and code signing config resources are not supported.

Lambda doesn't have service-linked roles, but Lambda@Edge does. For more information, see Service-Linked Roles for Lambda@Edge in the Amazon CloudFront Developer Guide.

Amazon Lightsail

Lightsail partially supports resource-level permissions and ABAC. For more information, see Actions, resources, and condition keys for Amazon Lightsail.

Amazon Managed Streaming for Apache Kafka (MSK)

You can attach a cluster policy to an Amazon MSK cluster that has been configured for multi-VPC connectivity.

Amazon Network Manager

Amazon Cloud WAN also supports service-linked roles. For more information, see Amazon Cloud WAN service-linked roles in the Amazon VPC Amazon Cloud WAN Guide.

Amazon Relational Database Service

Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. You can choose the Aurora MySQL or Aurora PostgreSQL as the DB engine option when setting up new database servers through Amazon RDS. For more information, see Identity and access management for Amazon Aurora in the Amazon Aurora User Guide.

Amazon Rekognition

Resource-based policies are only supported for copying Amazon Rekognition Custom Labels models.

Amazon Resource Groups

Users can assume a role with a policy that allows Resource Groups operations.

Amazon SageMaker

Service-linked roles are currently available for SageMaker Studio and SageMaker training jobs.

Amazon Security Token Service

Amazon STS does not have "resources," but does allow restricting access in a similar way to users. For more information, see Denying Access to Temporary Security Credentials by Name.

Only some of the API operations for Amazon STS support calling with temporary credentials. For more information, see Comparing your API options.

Amazon Simple Email Service

You can only use resource-level permissions in policy statements that refer to actions related to sending email, such as ses:SendEmail or ses:SendRawEmail. For policy statements that refer to any other actions, the Resource element can only contain *.

Only the Amazon SES API supports temporary security credentials. The Amazon SES SMTP interface does not support SMTP credentials that are derived from temporary security credentials.

Amazon Simple Storage Service

Amazon S3 supports tag-based authorization for only object resources.

Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.

Amazon Trusted Advisor

API access to Trusted Advisor is through the Amazon Web Services Support API and is controlled by Amazon Web Services Support IAM policies.

Amazon Virtual Private Cloud

In an IAM user policy, you cannot restrict permissions to a specific Amazon VPC endpoint. Any Action element that includes the ec2:*VpcEndpoint* or ec2:DescribePrefixLists API actions must specify ""Resource": "*"". For more information, see Identity and access management for VPC endpoints and VPC endpoint services in the Amazon PrivateLink Guide.

Amazon VPC supports attaching a single resource policy to a VPC endpoint to restrict what can be accessed through that endpoint. For more information about using resource-based policies to control access to resources from specific Amazon VPC endpoints, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.

Amazon VPC doesn't have service-linked roles, but Amazon Transit Gateway does. For more information, see Use service-linked roles for transit gateway in the Amazon VPC Amazon Transit Gateway Guide.

Amazon X-Ray

X-Ray does not support resource-level permissions for all actions.

X-Ray supports tag-based access control for groups and sampling rules.