MemoryDB API permissions: Actions, resources, and conditions reference

When you set up access control and write permissions policies to attach to an IAM policy (either identity-based or resource-based), use the following table as a reference. The table lists each MemoryDB API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field, and you specify a resource value in the policy's Resource field. Unless indicated otherwise, the resource is required. Some fields include both a required resource and optional resources. When there is no resource ARN, the resource in the policy is a wildcard (*).

Note

To specify an action, use the memorydb: prefix followed by the API operation name (for example, memorydb:DescribeClusters).

If you see an expand arrow (↗) in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

MemoryDB API and required permissions for actions
MemoryDB API operations	Required permissions (API actions)	Resources
BatchUpdateCluster	`memorydb:BatchUpdateCluster`	Cluster
CopySnapshot	`memorydb:CopySnapshot` `memorydb:TagResource` `s3:GetBucketLocation` `s3:ListAllMyBuckets`	Snapshot (Source, Target) * *
CreateCluster	`memorydb:CreateCluster` `memorydb:TagResource` `s3:GetObject` Note If you use the `SnapshotArns` parameter, each member of the `SnapshotArns` list requires its own `s3:GetObject` permission with the `s3` ARN as its resource.	Parameter group. (Optional) cluster, snapshot, security group Ids and subnet group `arn:aws:s3:::my_bucket/snapshot1.rdb` Where `my_bucket`/`snapshot1` is an S3 bucket and snapshot that you want to create the cluster from.
CreateParameterGroup	`memorydb:CreateParameterGroup` `memorydb:TagResource`	Parameter group
CreateSubnetGroup	`memorydb:CreateSubnetGroup` `memorydb:TagResource`	Subnet group	*
CreateSnapshot	`memorydb:CreateSnapshot` `memorydb:TagResource`	Snapshot, cluster
CreateUser	`memorydb:CreateUser` `memorydb:TagResource`	User
CreateACL	`memorydb:CreateACL` `memorydb:TagResource`	Access Control List (ACL)
UpdateCluster	`memorydb:UpdateCluster`	Cluster
DeleteCluster	`memorydb:DeleteCluster`	Cluster. (Optional) Snapshot
DeleteParameterGroup	`memorydb:DeleteParameterGroup`	Parameter group
DeleteSubnetGroup	`memorydb:DeleteSubnetGroup`	Subnet group
DeleteSnapshot	`memorydb:DeleteSnapshot`	Snapshot
DeleteUser	`memorydb:DeleteUser`	User
DeleteACL	`memorydb:DeleteACL`	ACL
DescribeClusters	`memorydb:DescribeClusters`	Cluster
DescribeEngineVersions	`memorydb:DescribeEngineVersions`	No Resource ARN: *
DescribeParameterGroups	`memorydb:DescribeParameterGroups`	Parameter group
DescribeParameters	`memorydb:DescribeParameters`	Parameter group
DescribeSubnetGroups	`memorydb:DescribeSubnetGroups`	Subnet group	*
DescribeEvents	`memorydb:DescribeEvents`	No Resource ARN: *
DescribeClusters	`memorydb:DescribeClusters`	Cluster
DescribeServiceUpdates	`memorydb:DescribeServiceUpdates`	No Resource ARN: *
DescribeSnapshots	`memorydb:DescribeSnapshots`	Snapshot
DescribeUsers	`memorydb:DescribeUsers`	User
DescribeACLs	`memorydb:DescribeACLs`	ACLs
ListAllowedNodeTypeUpdates	`memorydb:ListAllowedNodeTypeUpdates`	Cluster
ListTags	`memorydb:ListTags`	(Optional) cluster, snapshot
UpdateParameterGroup	`memorydb:UpdateParameterGroup`	Parameter group
UpdateSubnetGroup	`memorydb:UpdateSubnetGroup`	Subnet group
UpdateCluster	`memorydb:UpdateCluster`	cluster. (Optional) Parameter group, Security group
UpdateUser	`memorydb:UpdateUser`	User
UpdateACL	`memorydb:UpdateACL`	ACL
UntagResource	`memorydb:UntagResource`	(Optional) Cluster, snapshot
ResetParameterGroup	`memorydb:ResetParameterGroup`	Parameter group
FailoverShard	`memorydb:FailoverShard`	cluster, shard

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Amazon managed policies

Logging and monitoring