Actions, resources, and condition keys for Amazon services
Each Amazon service can define actions, resources, and condition context keys for use in IAM policies. This topic describes how the elements provided for each service are documented.
Each topic consists of tables that provide the list of available actions, resources, and condition keys.
The actions table
The Actions table lists all the actions that you can use in an IAM policy statement's Action element. Not all API operations that are defined by a service can be used as an action in an IAM policy. Some services include permission-only actions that don't directly correspond to an API operation. These actions are indicated with [permission only]. Use this list to determine which actions you can use in an IAM policy. For more information about the Action, Resource, or Condition elements, see IAM JSON policy elements reference. The Actions and Description table columns are self-descriptive.
- The Access level column describes how the action is classified (List, Read, Write, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Understanding access level summaries within policy summaries.
- The Resource types column indicates whether the action supports resource-level permissions. If the column is empty, then the action does not support resource-level permissions and you must specify all resources ("*") in your policy. If the column includes a resource type, then you can specify the resource ARN in the Resource element of your policy. For more information about that resource, refer to that row in the Resource types table. All actions and resources that are included in one statement must be compatible with each other. If you specify a resource that is not valid for the action, any request to use that action fails, and the statement's Effect does not apply. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
- The Condition keys column includes keys that you can specify in a policy statement's Condition element. Condition keys might be supported with an action, or with an action and a specific resource. Pay close attention to whether the key is in the same row as a specific resource type. This table does not include global condition keys that are available for any action or under unrelated circumstances. For more information about global condition keys, see Amazon global condition context keys.
- The Dependent actions column includes any additional permissions that you should have, in addition to the permission for the action itself, to successfully call the action. This can be required if the action accesses more than one resource. Dependent actions are not required in all scenarios. Refer to the individual service's documentation for more information about providing granular permissions to users.
The resource types table
The Resource types table lists all the resource types that you can specify as an ARN in the Resource policy element. Not every resource type can be specified with every action. Some resource types work with only certain actions. If you specify a resource type in a statement with an action that does not support that resource type, then the statement doesn't allow access. For more information about the Resource element, see IAM JSON policy elements: Resource.
- The ARN column specifies the Amazon Resource Name (ARN) format that you must use to reference resources of this type. The portions that are preceded by a $ must be replaced by the actual values for your scenario. For example, if you see $user-name in an ARN, you must replace that string with either the actual user's name or a policy variable that contains a user's name. For more information about ARNs, see IAM ARNs.
- The Condition keys column specifies condition context keys that you can include in an IAM policy statement only when both this resource and a supporting action from the table above are included in the statement.
The condition keys table
The condition keys table lists all of the condition context keys that you can use in an IAM policy statement's Condition element. Not every key can be specified with every action or resource. Certain keys only work with certain types of actions and resources. For more information about the Condition element, see IAM JSON policy elements: Condition.
- The Type column specifies the data type of the condition key. This data type determines which condition operators you can use to compare values in the request with the values in the policy statement. You must use an operator that is appropriate for the data type. If you use an incorrect operator, then the match always fails and the policy statement never applies. If the Type column specifies "List of …" followed by one of the simple types, then you can use multiple keys and values in your policies. Do this using condition set prefixes with your operators. Use the ForAllValues prefix to specify that all values in the request must match a value in the policy statement. Use the ForAnyValue prefix to specify that at least one value in the request matches one of the values in the policy statement.
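The set-prefix semantics just described, as an added example that is not part of the Amazon documentation: a small evaluator for ForAllValues and ForAnyValue over a multivalued request key. It assumes StringEquals as the base operator, uses the real global key aws:TagKeys with constructed tag names, and also shows the Null operator pairing that prevents ForAllValues from matching when the key is absent from the request.

```python
# Added example (not from the Amazon documentation): evaluate IAM condition set
# prefixes against a request context. Supports StringEquals with an optional
# ForAllValues / ForAnyValue prefix, plus the Null operator.
from typing import Any

# Constructed Condition blocks. aws:TagKeys is a real multivalued global key;
# "Project" and "Owner" are constructed sample tag names.
ALLOW_ONLY_KNOWN_TAGS = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Project", "Owner"]},
}
REQUIRE_A_KNOWN_TAG = {
    "ForAnyValue:StringEquals": {"aws:TagKeys": ["Project", "Owner"]},
}
# ForAllValues is vacuously true when the request carries no aws:TagKeys at all,
# so an Allow statement should pair it with Null=false to require the key.
ALLOW_ONLY_KNOWN_TAGS_PRESENT = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Project", "Owner"]},
    "Null": {"aws:TagKeys": "false"},
}


def _as_list(value: Any) -> list:
    """IAM lets a single value stand for a one-element list; None means absent."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def _operator_matches(operator: str, policy_values: list, request_values: list) -> bool:
    """Evaluate one (optionally prefixed) StringEquals operator for one key."""
    prefix, _, base = operator.rpartition(":")
    if base != "StringEquals":
        raise ValueError(f"unsupported operator {operator}")
    allowed = set(policy_values)
    if prefix == "ForAllValues":
        return all(v in allowed for v in request_values)  # empty set -> True
    if prefix == "ForAnyValue":
        return any(v in allowed for v in request_values)  # empty set -> False
    if prefix == "":  # unprefixed: single-valued comparison
        return len(request_values) == 1 and request_values[0] in allowed
    raise ValueError(f"unknown set prefix {prefix}")


def condition_applies(condition: dict, request_context: dict) -> bool:
    """Every operator block and every key within it must hold (logical AND)."""
    for operator, key_values in condition.items():
        for key, policy_value in key_values.items():
            request_values = _as_list(request_context.get(key))
            if operator == "Null":
                # "false" requires the key to be present, "true" requires it absent.
                if (policy_value == "false") != bool(request_values):
                    return False
                continue
            if not _operator_matches(operator, _as_list(policy_value), request_values):
                return False
    return True
```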
Topics
- Amazon Account Management
- Apache Kafka APIs for Amazon MSK clusters
- Amazon API Gateway
- Amazon API Gateway Management
- Amazon API Gateway Management V2
- Amazon App Mesh
- Amazon AppConfig
- Amazon Application Auto Scaling
- Amazon Application Recovery Controller - Zonal Shift
- Amazon AppSync
- Amazon Athena
- Amazon Backup
- Amazon Backup Gateway
- Amazon Backup storage
- Amazon Batch
- Amazon Billing
- Amazon Billing Console
- Amazon Budget Service
- Amazon Certificate Manager
- Amazon Web Services Cloud Map
- Amazon CloudAssist service read write permissions
- Amazon CloudFormation
- Amazon CloudFront
- Amazon CloudTrail
- Amazon CloudWatch
- Amazon CloudWatch Application Insights
- Amazon CloudWatch Logs
- Amazon CloudWatch Observability Access Manager
- Amazon CloudWatch Synthetics
- Amazon CodeBuild
- Amazon CodeCommit
- Amazon CodeDeploy
- Amazon CodeDeploy secure host commands service
- Amazon Cognito Identity
- Amazon Compute Optimizer
- Amazon Config
- Amazon Connector Service
- Amazon Consolidated Billing
- Amazon Cost and Usage Report
- Amazon Cost Explorer Service
- Amazon Data Lifecycle Manager
- Amazon Database Migration Service
- Amazon Direct Connect
- Amazon Directory Service
- Amazon DynamoDB
- Amazon DynamoDB Accelerator (DAX)
- Amazon EC2
- Amazon EC2 Auto Scaling
- Amazon EC2 Image Builder
- Amazon EC2 Instance Connect
- Amazon EKS Auth
- Amazon Elastic Beanstalk
- Amazon Elastic Block Store
- Amazon Elastic Container Registry
- Amazon Elastic Container Service
- Amazon Elastic File System
- Amazon Elastic Kubernetes Service
- Amazon Elastic Load Balancing
- Amazon Elastic Load Balancing V2
- Amazon Elastic MapReduce
- Amazon ElastiCache
- Amazon Elemental MediaConvert
- Amazon EMR Serverless
- Amazon EventBridge
- Amazon Fapiao Management
- Amazon Free Tier
- Amazon FreeRTOS
- Amazon FSx
- Amazon GameLift
- Amazon Glue
- Amazon Glue DataBrew
- Amazon GuardDuty
- Amazon Health APIs and Notifications
- Amazon IAM Access Analyzer
- Amazon IAM Identity Center (successor to Amazon Single Sign-On)
- Amazon IAM Identity Center (successor to Amazon Single Sign-On) directory
- Amazon IAM Identity Center OIDC service
- Amazon Identity and Access Management (IAM)
- Amazon Identity and Access Management Roles Anywhere
- Amazon Identity Store
- Amazon Identity Store Auth
- Amazon Identity Sync
- Amazon Inspector2
- Amazon Invoicing Service
- Amazon IoT
- Amazon IoT Analytics
- Amazon IoT Events
- Amazon IoT Greengrass
- Amazon IoT Greengrass V2
- Amazon IoT Jobs DataPlane
- Amazon IoT SiteWise
- Amazon IoT TwinMaker
- Amazon Key Management Service
- Amazon Kinesis Analytics
- Amazon Kinesis Analytics V2
- Amazon Kinesis Data Streams
- Amazon Kinesis Firehose
- Amazon Kinesis Video Streams
- Amazon Lambda
- Amazon Launch Wizard
- Amazon License Manager
- Amazon License Manager Linux Subscriptions Manager
- Amazon Managed Streaming for Apache Kafka
- Amazon Managed Workflows for Apache Airflow
- Amazon Web Services Marketplace
- Amazon Web Services Marketplace Entitlement Service
- Amazon Web Services Marketplace Management Portal
- Amazon Web Services Marketplace Metering Service
- Amazon MemoryDB
- Amazon Message Delivery Service
- Amazon Message Gateway Service
- Amazon MQ
- Amazon Neptune
- Amazon Network Firewall
- Amazon OpenSearch Service
- Amazon Organizations
- Amazon Payments
- Amazon Performance Insights
- Amazon Personalize
- Amazon Polly
- Amazon Price List
- Amazon Private Certificate Authority
- Amazon Purchase Orders Console
- Amazon QuickSight
- Amazon RDS
- Amazon RDS IAM Authentication
- Amazon Recycle Bin
- Amazon Redshift
- Amazon Redshift Data API
- Amazon Redshift Serverless
- Amazon Resource Access Manager (RAM)
- Amazon Resource Group Tagging API
- Amazon Resource Groups
- Amazon Route 53
- Amazon Route 53 Resolver
- Amazon S3
- Amazon S3 Glacier
- Amazon S3 Object Lambda
- Amazon SageMaker
- Amazon Savings Plans
- Amazon Secrets Manager
- Amazon Security Hub
- Amazon Security Token Service
- Amazon Server Migration Service
- Amazon Serverless Application Repository
- Service Quotas
- Amazon Signer
- Amazon Simple Workflow Service
- Amazon SimpleDB
- Amazon Snowball
- Amazon SNS
- Amazon SQL Workbench
- Amazon SQS
- Amazon Step Functions
- Amazon Storage Gateway
- Amazon Web Services Support
- Amazon Systems Manager
- Amazon Systems Manager GUI Connect
- Amazon Timestream InfluxDB
- Amazon Transcribe
- Amazon Transfer Family
- Amazon Trusted Advisor
- Amazon WAF Regional
- Amazon WAF V2
- Amazon WorkSpaces
- Amazon X-Ray