Services and resource types that support enforcement - Amazon Organizations

Services and resource types that support enforcement

The following services and resource types support enforcement with tag policies:

Each entry below gives the service name, then its resource types, then the JSON syntax for each resource type, in the same order.

Amazon API Gateway

  • API keys

  • Domain names

  • REST API operations

  • Stages

  • "apigateway:apikeys"

  • "apigateway:domainnames"

  • "apigateway:restapis"

  • "apigateway:restapis/stages"

Amazon Amplify

  • Component

  • Theme

  • "amplifyuibuilder:app/environment/components"

  • "amplifyuibuilder:app/environment/themes"

Amazon AppConfig

  • Application

  • Configuration Profile

  • Deployment

  • Deployment Strategy

  • Environment

  • "appconfig:application"

  • "appconfig:application/configurationprofile"

  • "appconfig:application/environment/deployment"

  • "appconfig:deploymentstrategy"

  • "appconfig:application/environment"

Amazon App Mesh

  • All

  • Gateway route

  • Mesh

  • Route

  • Virtual gateway

  • Virtual node

  • Virtual router

  • Virtual service

  • "appmesh:*"

  • "appmesh:mesh/virtualGateway/gatewayRoute"

  • "appmesh:mesh"

  • "appmesh:mesh/virtualRouter/route"

  • "appmesh:mesh/virtualGateway"

  • "appmesh:mesh/virtualNode"

  • "appmesh:mesh/virtualRouter"

  • "appmesh:mesh/virtualService"

Amazon Athena

  • All

  • Workgroup

  • "athena:*"

  • "athena:workgroup"

Amazon Audit Manager
  • Assessment

  • Assessment Framework

  • Control

  • "auditmanager:assessment"

  • "auditmanager:assessmentFramework"

  • "auditmanager:control"

Amazon Backup
  • Backup plan

  • Vault

  • Gateway

  • Hypervisor

  • VM

  • "backup:backup-plan"

  • "backup:backup-vault"

  • "backup-gateway:gateway"

  • "backup-gateway:hypervisor"

  • "backup-gateway:vm"

Amazon Batch
  • Job

  • Job Definition

  • Job Queue

  • "batch:job"

  • "batch:job-definition"

  • "batch:job-queue"

Amazon BugBust
  • Event

  • "bugbust:event"

Amazon Certificate Manager

  • All

  • Certificates

  • Private Certificate Authority

  • "acm:*"

  • "acm:certificate"

  • "acm-pca:certificate-authority"

Amazon Chime

  • Application Instance

  • Channel

  • Media Pipeline

  • Meeting

  • SIP Media Applications

  • User Application Instance

  • Voice Connector

  • "chime:app-instance"

  • "chime:app-instance/channel"

  • "chime:media-pipeline"

  • "chime:meeting"

  • "chime:sma"

  • "chime:app-instance/user"

  • "chime:vc"

Amazon Clean Rooms

  • Collaboration

  • Configured Table

  • Membership

  • Configured Table Association

  • "cleanrooms:collaboration"

  • "cleanrooms:configuredtable"

  • "cleanrooms:membership"

  • "cleanrooms:membership/configuredtableassociation"

Amazon Cloud9
  • Environment

  • "cloud9:environment"

Amazon CloudFront

  • All

  • Distribution

  • Streaming distribution

  • "cloudfront:*"

  • "cloudfront:distribution"

  • "cloudfront:streaming-distribution"

Amazon CloudTrail

  • All

  • Trail

  • "cloudtrail:*"

  • "cloudtrail:trail"

Amazon CloudWatch

  • All

  • Alarm

  • Contributor Insights Rule

  • Metric Stream

  • "cloudwatch:*"

  • "cloudwatch:alarm"

  • "cloudwatch:insight-rule"

  • "cloudwatch:metric-stream"

Amazon CloudWatch Internet Monitor

  • Monitor

  • "internetmonitor:monitor"

Amazon CloudWatch Logs
  • Destination

  • Log group

  • "logs:destination"

  • "logs:log-group"

Amazon CloudWatch Observability Access Manager
  • Link

  • Sink

  • "oam:link"

  • "oam:sink"

Amazon CodeBuild

  • All

  • Project

  • "codebuild:*"

  • "codebuild:project"

Amazon CodeCatalyst

  • Connections

  • "codecatalyst:connections"

Amazon CodeCommit

  • All

  • Repository

  • "codecommit:*"

  • "codecommit:repository"

Amazon CodePipeline

  • All

  • Action type

  • Pipeline

  • Webhook

  • "codepipeline:*"

  • "codepipeline:actiontype"

  • "codepipeline:pipeline"

  • "codepipeline:webhook"

Amazon Cognito Identity

  • All

  • Identity pool

  • "cognito-identity:*"

  • "cognito-identity:identitypool"

Amazon Cognito user pools

  • All

  • User pool

  • "cognito-idp:*"

  • "cognito-idp:userpool"

Amazon Comprehend

  • All

  • Document classifier

  • Entity recognizer

  • "comprehend:*"

  • "comprehend:document-classifier"

  • "comprehend:entity-recognizer"

Amazon Config

  • All

  • Aggregation authorization

  • Config aggregator

  • Config rule

  • "config:*"

  • "config:aggregation-authorization"

  • "config:config-aggregator"

  • "config:config-rule"

Amazon CodeGuru Reviewer
  • Association

  • "codeguru-reviewer:association"

Amazon CodeGuru Security
  • Scan

  • "codeguru-security:scans"

CodeConnections
  • Connection

  • Host

  • "codestar-connections:connection"

  • "codestar-connections:host"

Amazon Connect
  • Contact Flow

  • Integration Association

  • Queue

  • Quick Connect

  • Routing Profile

  • User

  • "connect:instance/contact-flow"

  • "connect:instance/integration-association"

  • "connect:instance/queue"

  • "connect:instance/transfer-destination"

  • "connect:instance/routing-profile"

  • "connect:instance/agent"

Amazon Connect Wisdom
  • Assistant

  • Association

  • Content

  • Knowledge Base

  • Session

  • "wisdom:assistant"

  • "wisdom:association"

  • "wisdom:content"

  • "wisdom:knowledge-base"

  • "wisdom:session"

Amazon Database Migration Service

  • All

  • Endpoint

  • ES

  • Rep

  • Subgrp

  • Task

  • "dms:*"

  • "dms:endpoint"

  • "dms:es"

  • "dms:rep"

  • "dms:subgrp"

  • "dms:task"

Amazon Data Lifecycle Manager
  • Policy

  • "dlm:policy"

Amazon Diode

  • Mapping

  • "diode-messaging:mapping"

Amazon Direct Connect

  • All

  • Dxcon

  • Dxlag

  • Dxvif

  • "directconnect:*"

  • "directconnect:dxcon"

  • "directconnect:dxlag"

  • "directconnect:dxvif"

Amazon DynamoDB

  • All

  • Table

  • "dynamodb:*"

  • "dynamodb:table"

Amazon EC2

  • Capacity reservation

  • Capacity reservation fleet

  • Carrier gateway

  • "ec2:capacity-reservation"

  • "ec2:capacity-reservation-fleet"

  • "ec2:carrier-gateway"

  • Client VPN endpoint

  • CoIP pool

  • Customer gateway

  • "ec2:client-vpn-endpoint"

  • "ec2:coip-pool"

  • "ec2:customer-gateway"

  • Dedicated host

  • DHCP options

  • Egress-only internet gateway

  • "ec2:dedicated-host"

  • "ec2:dhcp-options"

  • "ec2:egress-only-internet-gateway"

  • Elastic IP

  • Event window

  • Export Image Task

  • Export Instance Task

  • Fleet

  • "ec2:elastic-ip"

  • "ec2:instance-event-window"

  • "ec2:export-image-task"

  • "ec2:export-instance-task"

  • "ec2:fleet"

  • FPGA image

  • Host reservation

  • Image

  • "ec2:fpga-image"

  • "ec2:host-reservation"

  • "ec2:image"

  • Import Image Task

  • Import Snapshot Task

  • Instance

  • Internet gateway

  • IP Address Manager

  • "ec2:import-image-task"

  • "ec2:import-snapshot-task"

  • "ec2:instance"

  • "ec2:internet-gateway"

  • "ec2:ipam"

  • IP Address Manager Pool

  • IP Address Manager Scope

  • IPv4 Pool

  • "ec2:ipam-pool"

  • "ec2:ipam-scope"

  • "ec2:ipv4pool-ec2"

  • Key Pair

  • Launch template

  • Local Gateway Route Table

  • "ec2:key-pair"

  • "ec2:launch-template"

  • "ec2:local-gateway-route-table"

  • Local Gateway Route Table Virtual Interface Group Association

  • Local Gateway Route Table VPC Association

  • NAT gateway

  • "ec2:local-gateway-route-table-virtual-interface-group-association"

  • "ec2:local-gateway-route-table-vpc-association"

  • "ec2:natgateway"

  • Network ACL

  • Network interface

  • Network Insights Access Scope

  • "ec2:network-acl"

  • "ec2:network-interface"

  • "ec2:network-insights-access-scope"

  • Network Insights Access Scope Analysis

  • Network Insights Analysis

  • Network Insights Path

  • "ec2:network-insights-access-scope-analysis"

  • "ec2:network-insights-analysis"

  • "ec2:network-insights-path"

  • Placement Group

  • Prefix List

  • Replace Root Volume Task

  • "ec2:placement-group"

  • "ec2:prefix-list"

  • "ec2:replace-root-volume-task"

  • Reserved Instances

  • Route table

  • Security group

  • "ec2:reserved-instances"

  • "ec2:route-table"

  • "ec2:security-group"

  • Snapshot

  • Spot Fleet Request

  • Spot Instances request

  • Subnet

  • "ec2:snapshot"

  • "ec2:spot-fleet-request"

  • "ec2:spot-instances-request"

  • "ec2:subnet"

  • Subnet CIDR Reservation

  • Traffic mirror filter

  • Traffic mirror session

  • "ec2:subnet-cidr-reservation"

  • "ec2:traffic-mirror-filter"

  • "ec2:traffic-mirror-session"

  • Traffic mirror target

  • Transit Gateway

  • Transit Gateway Attachment

  • "ec2:traffic-mirror-target"

  • "ec2:transit-gateway"

  • "ec2:transit-gateway-attachment"

  • Transit Gateway Connect Peer

  • Transit Gateway Multicast Domain

  • Transit Gateway Policy Table

  • "ec2:transit-gateway-connect-peer"

  • "ec2:transit-gateway-multicast-domain"

  • "ec2:transit-gateway-policy-table"

  • Transit Gateway Route Table

  • Transit Gateway Route Table Announcement

  • Verified Access Endpoint

  • Verified Access Group

  • "ec2:transit-gateway-route-table"

  • "ec2:transit-gateway-route-table-announcement"

  • "ec2:verified-access-endpoint"

  • "ec2:verified-access-group"

  • Verified Access Instance

  • Verified Access Trust Provider

  • Volume

  • "ec2:verified-access-instance"

  • "ec2:verified-access-trust-provider"

  • "ec2:volume"

  • VPC Flow Log

  • VPC

  • VPC endpoint

  • "ec2:vpc-flow-log"

  • "ec2:vpc"

  • "ec2:vpc-endpoint"

  • VPC endpoint service

  • VPC peering connection

  • VPN connection

  • VPN gateway

  • "ec2:vpc-endpoint-service"

  • "ec2:vpc-peering-connection"

  • "ec2:vpn-connection"

  • "ec2:vpn-gateway"

Amazon EC2 Recycle Bin
  • Rule

  • "rbin:rule"

Amazon Elastic Beanstalk

  • Application

  • Application version

  • Configuration template

  • Platform

  • "elasticbeanstalk:application"

  • "elasticbeanstalk:applicationversion"

  • "elasticbeanstalk:configurationtemplate"

  • "elasticbeanstalk:platform"

Amazon Elastic Container Registry
  • Repository

  • "ecr:repository"

Amazon Elastic Container Service

  • Capacity Provider

  • Cluster

  • Service

  • Task Definition

  • Task set

  • "ecs:capacity-provider"

  • "ecs:cluster"

  • "ecs:service"

  • "ecs:task-definition"

  • "ecs:task-set"

Amazon Elastic File System

  • All

  • File system

  • "elasticfilesystem:*"

  • "elasticfilesystem:file-system"

Amazon Elastic Inference
  • Accelerator

  • "elastic-inference:elastic-inference-accelerator"

Amazon Elastic Kubernetes Service
  • Cluster

  • "eks:cluster"

Amazon Elastic Search
  • Domain

  • "es:domain"

Amazon EMR
  • Cluster

  • Editor

  • "elasticmapreduce:cluster"

  • "elasticmapreduce:editor"

Amazon EMR Serverless
  • Application

  • "emr-serverless:applications"

Amazon Entity Resolution
  • Matching Workflow

  • Schema Mapping

  • "entityresolution:matchingworkflow"

  • "entityresolution:schemamapping"

Amazon ElastiCache

  • Cluster

  • "elasticache:cluster"

Amazon EventBridge

  • All

  • Event bus

  • Rule

  • "events:*"

  • "events:event-bus"

  • "events:rule"

Amazon EventBridge Pipes

  • Pipe

  • "pipes:pipe"

Amazon EventBridge Scheduler

  • Schedule Group

  • "scheduler:schedule-group"

Amazon Fraud Detector
  • Detector

  • Detector version

  • Model

  • Rule

  • Variable

  • "frauddetector:detector"

  • "frauddetector:detector-version"

  • "frauddetector:model"

  • "frauddetector:rule"

  • "frauddetector:variable"

Amazon Global Accelerator
  • Accelerator

  • "globalaccelerator:accelerator"

Elastic Load Balancing

  • All

  • Listener

  • Listener Rule

  • Load balancer

  • Target group

  • "elasticloadbalancing:*"

  • "elasticloadbalancing:listener"

  • "elasticloadbalancing:listener-rule"

  • "elasticloadbalancing:loadbalancer"

  • "elasticloadbalancing:targetgroup"

Amazon FSx

  • All

  • Backup

  • File system

  • "fsx:*"

  • "fsx:backup"

  • "fsx:file-system"

Amazon GuardDuty
  • Detector

  • Filter

  • IP Set

  • Threat Intel Set

  • "guardduty:detector"

  • "guardduty:detector/filter"

  • "guardduty:detector/ipset"

  • "guardduty:detector/threatintelset"

Amazon HealthLake
  • Datastore

  • "healthlake:datastore"

Amazon HealthOmics

  • Annotation Store

  • Annotation Store Version

  • Reference Store

  • Reference

  • Run

  • Run Group

  • Sequence Store

  • Read Set

  • Variant Store

  • Workflow

  • "omics:annotationStore"

  • "omics:annotationStore/version"

  • "omics:referenceStore"

  • "omics:referenceStore/reference"

  • "omics:run"

  • "omics:runGroup"

  • "omics:sequenceStore"

  • "omics:sequenceStore/readSet"

  • "omics:variantStore"

  • "omics:workflow"

Amazon Inspector
  • Filter

  • "inspector2:filter"

Amazon Identity and Access Management

  • Instance Profile

  • MFA

  • OIDC Provider

  • Policy

  • SAML Provider

  • Server Certificate

  • "iam:instance-profile"

  • "iam:mfa"

  • "iam:oidc-provider"

  • "iam:policy"

  • "iam:saml-provider"

  • "iam:server-certificate"

Amazon IoT Analytics

  • All

  • Channel

  • Dataset

  • Datastore

  • Pipeline

  • "iotanalytics:*"

  • "iotanalytics:channel"

  • "iotanalytics:dataset"

  • "iotanalytics:datastore"

  • "iotanalytics:pipeline"

Amazon IoT Events

  • All

  • Detector model

  • Input

  • "iotevents:*"

  • "iotevents:detectorModel"

  • "iotevents:input"

Amazon IoT Fleet Hub
  • Application

  • "iotfleethub:application"

Amazon IoT SiteWise
  • Asset

  • Asset Model

  • "iotsitewise:asset"

  • "iotsitewise:asset-model"

Amazon IoT Greengrass
  • Bulk Deployment

  • Connector Definition

  • Core Definition

  • Device Definition

  • Function Definition

  • Logger Definition

  • Resource Definition

  • Subscription Definition

  • "greengrass:bulk"

  • "greengrass:connectorsDefinition"

  • "greengrass:coresDefinition"

  • "greengrass:devicesDefinition"

  • "greengrass:functionsDefinition"

  • "greengrass:loggersDefinition"

  • "greengrass:resourcesDefinition"

  • "greengrass:subscriptionsDefinition"

Amazon Key Management Service

  • All

  • Key

  • "kms:*"

  • "kms:key"

Amazon Kinesis

  • All

  • Application

  • "kinesisanalytics:*"

  • "kinesisanalytics:application"

Amazon Data Firehose

  • All

  • Delivery stream

  • "firehose:*"

  • "firehose:deliverystream"

Amazon Lambda

  • All

  • Function

  • "lambda:*"

  • "lambda:function"

Amazon Macie
  • Custom Data Identifier

  • "macie2:custom-data-identifier"

Amazon MediaStore
  • Container

  • "mediastore:container"

Amazon MQ
  • Broker

  • Configuration

  • "mq:broker"

  • "mq:configuration"

Amazon Network Firewall
  • Firewall

  • Firewall Policy

  • Stateful Rule Group

  • Stateless Rule Group

  • "network-firewall:firewall"

  • "network-firewall:firewall-policy"

  • "network-firewall:stateful-rulegroup"

  • "network-firewall:stateless-rulegroup"

Amazon OpenSearch Serverless
  • Collection

  • "aoss:collection"

Amazon Organizations
  • Account

  • Organizational Unit

  • Policy

  • Root

  • "organizations:account"

  • "organizations:ou"

  • "organizations:policy"

  • "organizations:root"

Amazon Pinpoint SMS Voice V2
  • Configuration Set

  • Opt Out List

  • Phone Number

  • Pool

  • Sender Id

  • "sms-voice:configuration-set"

  • "sms-voice:opt-out-list"

  • "sms-voice:phone-number"

  • "sms-voice:pool"

  • "sms-voice:sender-id"

Amazon RDS

  • Cluster parameter group

  • Cluster endpoint

  • Event subscription

  • DB option group

  • DB parameter group

  • DB proxy

  • DB proxy endpoint

  • Reserved DB instance

  • DB security group

  • DB subnet group

  • Target group

  • "rds:cluster-pg"

  • "rds:cluster-endpoint"

  • "rds:es"

  • "rds:og"

  • "rds:pg"

  • "rds:db-proxy"

  • "rds:db-proxy-endpoint"

  • "rds:ri"

  • "rds:secgrp"

  • "rds:subgrp"

  • "rds:target-group"

Amazon Redshift

  • All

  • Cluster

  • DB group

  • DB name

  • DB user

  • Event subscription

  • HSM client certificate

  • HSM configuration

  • Parameter group

  • Snapshot

  • Snapshot copy grant

  • Snapshot schedule

  • Subnet group

  • "redshift:*"

  • "redshift:cluster"

  • "redshift:dbgroup"

  • "redshift:dbname"

  • "redshift:dbuser"

  • "redshift:eventsubscription"

  • "redshift:hsmclientcertificate"

  • "redshift:hsmconfiguration"

  • "redshift:parametergroup"

  • "redshift:snapshot"

  • "redshift:snapshotcopygrant"

  • "redshift:snapshotschedule"

  • "redshift:subnetgroup"

Amazon Redshift Serverless

  • Namespace

  • Workgroup

  • "redshift-serverless:namespace"

  • "redshift-serverless:workgroup"

Amazon Resource Access Manager

  • All

  • Resource share

  • "ram:*"

  • "ram:resource-share"

Amazon Resource Groups

  • All

  • Group

  • "resource-groups:*"

  • "resource-groups:group"

Amazon Route 53

  • Hosted zone

  • "route53:hostedzone"

Amazon Route 53 Resolver

  • All

  • Resolver endpoint

  • Resolver rule

  • "route53resolver:*"

  • "route53resolver:resolver-endpoint"

  • "route53resolver:resolver-rule"

Amazon S3

  • Bucket

  • Storage Lens

  • Storage Lens Group

  • "s3:bucket"

  • "s3:storage-lens"

  • "s3:storage-lens-group"

Amazon SageMaker
  • App Image Config

  • Artifact

  • Context

  • Training job

  • Processing job

  • Model package group

  • Human task UI

  • Model Package

  • Action

  • Pipeline

  • Experiment

  • Flow Definition

  • Project

  • "sagemaker:app-image-config"

  • "sagemaker:artifact"

  • "sagemaker:context"

  • "sagemaker:training-job"

  • "sagemaker:processing-job"

  • "sagemaker:model-package-group"

  • "sagemaker:human-task-ui"

  • "sagemaker:model-package"

  • "sagemaker:action"

  • "sagemaker:pipeline"

  • "sagemaker:experiment"

  • "sagemaker:flow-definition"

  • "sagemaker:project"

Amazon Secrets Manager

  • All

  • Secret

  • "secretsmanager:*"

  • "secretsmanager:secret"

Amazon Security Lake

  • Data Lake

  • Subscriber

  • "securitylake:data-lake"

  • "securitylake:subscriber"

Amazon Service Catalog
  • Application

  • Attribute Group

  • Portfolio

  • Product

  • "servicecatalog:applications"

  • "servicecatalog:attribute-groups"

  • "catalog:portfolio"

  • "catalog:product"

Amazon Simple Notification Service (SNS)
  • Topic

  • "sns:topic"

Amazon Simple Queue Service (SQS)

  • Queue

  • "sqs:queue"

Amazon States Language
  • All

  • Activity

  • State Machine

  • "states:*"

  • "states:activity"

  • "states:stateMachine"

Amazon Step Functions

  • Activity

  • "states:activity"

Amazon Storage Gateway

  • All

  • Gateway

  • Share

  • Tape

  • Volume

  • "storagegateway:*"

  • "storagegateway:gateway"

  • "storagegateway:share"

  • "storagegateway:tape"

  • "storagegateway:gateway/volume"

Amazon Systems Manager

  • Association

  • Automation execution

  • Document

  • Maintenance Window

  • Managed instance

  • Ops item

  • Patch baseline

  • Session

  • Contacts

  • "ssm:association"

  • "ssm:automation-execution"

  • "ssm:document"

  • "ssm:maintenancewindow"

  • "ssm:managed-instance"

  • "ssm:opsitem"

  • "ssm:patchbaseline"

  • "ssm:session"

  • "ssm-contacts:contact"

Amazon Textract

  • Adapters

  • Versions

  • "textract:adapters"

  • "textract:adapters/versions"

Amazon Transfer Family

  • Server

  • User

  • Workflow

  • "transfer:server"

  • "transfer:user"

  • "transfer:workflow"

Amazon Well-Architected

  • Workload

  • "wellarchitected:workload"

Amazon Wickr

  • Network

  • "wickr:network"

Amazon WorkSpaces

  • All

  • Connection Alias

  • Directory

  • WorkSpace

  • WorkSpaces bundle

  • WorkSpaces image

  • WorkSpaces IP group

  • "workspaces:*"

  • "workspaces:connectionalias"

  • "workspaces:directory"

  • "workspaces:workspace"

  • "workspaces:workspacebundle"

  • "workspaces:workspaceimage"

  • "workspaces:workspaceipgroup"

Amazon WorkLink
  • Fleet

  • "worklink:fleet"