Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon AppSync

To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions that they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Amazon managed policy: AWSAppSyncInvokeFullAccess

Use the AWSAppSyncInvokeFullAccess Amazon managed policy to allow an IAM identity to run GraphQL operations against your Amazon AppSync APIs and to discover those APIs and their API keys, whether through the console or directly against a GraphQL endpoint. Despite the name, it does not grant permission to create, modify, or delete APIs.

You can attach the AWSAppSyncInvokeFullAccess policy to your IAM identities.

Permissions details

This policy includes the following permissions.

  • Amazon AppSync – Allows appsync:GraphQL (queries, mutations, and subscriptions) on every API in the account, plus the read-only actions appsync:GetGraphqlApi, appsync:ListGraphqlApis, and appsync:ListApiKeys. Note that appsync:ListApiKeys returns the API key values themselves, which are bearer credentials for any API that uses API key authorization, so this policy is more than "invoke only". Resource is "*"; if you need to limit which APIs (or which types and fields) an identity can call, put the appsync:GraphQL grant in a customer managed policy scoped to specific API ARNs instead.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:GraphQL",
        "appsync:GetGraphqlApi",
        "appsync:ListGraphqlApis",
        "appsync:ListApiKeys"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSAppSyncSchemaAuthor

Use the AWSAppSyncSchemaAuthor Amazon managed policy to allow IAM identities to create, update, and query GraphQL schemas, along with the types, resolvers, and functions that make up an API. For information about what users can do with these permissions, see Designing GraphQL APIs.

You can attach the AWSAppSyncSchemaAuthor policy to your IAM identities.

Permissions details

This policy includes the following permissions.

  • Amazon AppSync – Allows the following actions:

    • Creating GraphQL schemas

    • Allowing the creation, modification, and deletion of GraphQL types, resolvers, and functions

    • Evaluating request and response template logic

    • Evaluating code with a runtime and context

    • Sending GraphQL queries to GraphQL APIs

    • Retrieving GraphQL data

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:GraphQL",
        "appsync:CreateResolver",
        "appsync:CreateType",
        "appsync:DeleteResolver",
        "appsync:DeleteType",
        "appsync:GetResolver",
        "appsync:GetType",
        "appsync:GetDataSource",
        "appsync:GetSchemaCreationStatus",
        "appsync:GetIntrospectionSchema",
        "appsync:GetGraphqlApi",
        "appsync:ListTypes",
        "appsync:ListApiKeys",
        "appsync:ListResolvers",
        "appsync:ListDataSources",
        "appsync:ListGraphqlApis",
        "appsync:StartSchemaCreation",
        "appsync:UpdateResolver",
        "appsync:UpdateType",
        "appsync:TagResource",
        "appsync:UntagResource",
        "appsync:ListTagsForResource",
        "appsync:CreateFunction",
        "appsync:UpdateFunction",
        "appsync:GetFunction",
        "appsync:DeleteFunction",
        "appsync:ListFunctions",
        "appsync:ListResolversByFunction",
        "appsync:EvaluateMappingTemplate",
        "appsync:EvaluateCode"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSAppSyncPushToCloudWatchLogs

Amazon AppSync uses Amazon CloudWatch to monitor the performance of your application by generating logs that you can use to troubleshoot and optimize your GraphQL requests. For more information, see Monitoring and logging.

Use the AWSAppSyncPushToCloudWatchLogs Amazon managed policy to allow Amazon AppSync to push logs to CloudWatch Logs in your account.

You can attach the AWSAppSyncPushToCloudWatchLogs policy to your IAM entities. In practice it belongs on the IAM role that you specify as the CloudWatch Logs role when you enable logging for an API; Amazon AppSync assumes that role to write the logs, so the role's trust policy must allow the appsync.amazonaws.com service principal to assume it.

Permissions details

This policy includes the following permissions.

  • CloudWatch Logs – Allows Amazon AppSync to create log groups and log streams and to put log events into them. Resource is "*", so a role carrying this policy can write to any log group in the account, not only to the /aws/appsync/apis/<apiId> group that Amazon AppSync creates for an API; if you want a tighter grant, write a customer managed policy that lists that log group ARN instead.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSAppSyncAdministrator

Use the AWSAppSyncAdministrator Amazon managed policy to allow your administrators to perform every Amazon AppSync API action. It does not include the permissions on other services that the Amazon console may need, for example to browse the resources you attach as data sources.

You can attach AWSAppSyncAdministrator to your IAM entities. Amazon AppSync also attaches this policy to a service role that allows it to perform actions on your behalf.

Permissions details

This policy includes the following permissions.

  • Amazon AppSync – Allows full administrative access to all resources in Amazon AppSync

  • IAM – Allows the following actions:

    • Creating service-linked roles to allow Amazon AppSync to analyze resources in other services on your behalf

    • Deleting service-linked roles

    • Passing IAM roles to Amazon AppSync (for example data source roles or the CloudWatch Logs role) so that the service can assume them and act on your behalf. The iam:PassedToService condition limits this to roles passed to appsync.amazonaws.com, which stops the permission from being used to hand roles to other services. Resource is still "*", so any role in the account that trusts Amazon AppSync can be passed; keep that in mind when deciding who holds this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "appsync.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "appsync.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteServiceLinkedRole",
        "iam:GetServiceLinkedRoleDeletionStatus"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/appsync.amazonaws.com/AWSServiceRoleForAppSync*"
    }
  ]
}
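The following is an added example, not code from the Amazon AppSync documentation or from the IAM service: a deliberately simplified policy evaluator that models only the features the AWSAppSyncInvokeFullAccess and AWSAppSyncAdministrator documents above actually use (Allow and Deny effects, "*" and "?" wildcards in Action and Resource, and StringEquals conditions). Running it shows two things the prose states: AWSAppSyncInvokeFullAccess cannot create an API, and the iam:PassedToService condition is what stops the administrator policy from passing roles to any service other than Amazon AppSync. The account ID 111122223333, the API ID, and the role names are constructed placeholders. The real IAM engine also evaluates SCPs, permissions boundaries, resource and session policies, and many more condition operators, none of which are modelled here.

```python
"""Simplified IAM policy evaluator for the AppSync managed policies above.

Added example, not AWS code and not the real IAM evaluation engine: only the
features these two policies use are modelled (Allow/Deny, '*' and '?' wildcards,
StringEquals conditions). Explicit Deny wins over Allow; no match is an implicit deny.
"""
import re

# Policy documents copied from the page.
INVOKE_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["appsync:GraphQL", "appsync:GetGraphqlApi",
                   "appsync:ListGraphqlApis", "appsync:ListApiKeys"],
        "Resource": "*",
    }],
}

ADMINISTRATOR = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["appsync:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": ["appsync.amazonaws.com"]}}},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": "appsync.amazonaws.com"}}},
        {"Effect": "Allow",
         "Action": ["iam:DeleteServiceLinkedRole", "iam:GetServiceLinkedRoleDeletionStatus"],
         "Resource": "arn:aws:iam::*:role/aws-service-role/appsync.amazonaws.com/AWSServiceRoleForAppSync*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list of strings in Action, Resource and condition values."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern, value, ignore_case=False):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Only StringEquals is modelled. A key missing from the request context fails the test,
    which is how IAM treats a single-valued StringEquals on an absent key."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if `policy` grants `action` on `resource` given the request `context`."""
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        action_hit = any(_glob_match(p, action, ignore_case=True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        decision = True
    return decision


if __name__ == "__main__":
    api = "arn:aws:appsync:us-east-1:111122223333:apis/abcdefghij"  # constructed ARN
    role = "arn:aws:iam::111122223333:role/AppSyncDataSourceRole"   # constructed ARN
    print("InvokeFullAccess can list API keys:", is_allowed(INVOKE_FULL_ACCESS, "appsync:ListApiKeys", api))
    print("InvokeFullAccess can create an API:", is_allowed(INVOKE_FULL_ACCESS, "appsync:CreateGraphqlApi", "*"))
    print("Admin can pass a role to AppSync:",
          is_allowed(ADMINISTRATOR, "iam:PassRole", role, {"iam:PassedToService": "appsync.amazonaws.com"}))
    print("Admin can pass a role to Lambda:",
          is_allowed(ADMINISTRATOR, "iam:PassRole", role, {"iam:PassedToService": "lambda.amazonaws.com"}))
```

To check a customer managed policy you are drafting, paste its document in place of one of the constants and call is_allowed with the action and ARN you care about; for anything beyond StringEquals, or to account for SCPs and boundaries, use the IAM policy simulator rather than extending this model.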

Amazon managed policy: AWSAppSyncServiceRolePolicy

Use the AWSAppSyncServiceRolePolicy Amazon managed policy to allow access to Amazon services and resources that Amazon AppSync uses or manages.

You can't attach AWSAppSyncServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon AppSync to perform actions on your behalf. For more information, see Service-linked roles for Amazon AppSync.

Permissions details

This policy includes the following permissions.

  • X-Ray – Amazon AppSync uses Amazon X-Ray to collect data about requests made within your application. For more information, see Tracing with Amazon X-Ray.

    This policy allows the following actions:

    • Retrieving sampling rules and their results

    • Sending trace data to the X-Ray daemon

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords",
        "xray:GetSamplingTargets",
        "xray:GetSamplingRules",
        "xray:GetSamplingStatisticSummaries"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Amazon AppSync updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon AppSync since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon AppSync Document history page.

Change: AWSAppSyncSchemaAuthor - Update to an existing policy
Description: Added an EvaluateCode policy action to allow users to evaluate code with a runtime and context.
Date: February 7, 2023

Change: AWSAppSyncSchemaAuthor - Update to an existing policy
Description: Added policy actions to allow the list, get, create, update, and delete functions for an API. Added an EvaluateMappingTemplate policy action to allow users to evaluate request and response resolver mapping template logic. Added policy actions to allow resource tagging.
Date: August 25, 2022

Change: Amazon AppSync started tracking changes
Description: Amazon AppSync started tracking changes for its Amazon managed policies.
Date: August 25, 2022