Simplified Amazon Web Services service information for programmatic access - Service Authorization Reference


Amazon provides service reference information in JSON format to streamline the automation of policy management workflows. These machine-readable files list the available actions, resources, and condition keys for each Amazon Web Services service. Security administrators can use this metadata to establish guardrails, and developers can use it to ensure appropriate access to applications, by incorporating it into their policy management workflows.

For an inventory of actions, resources, and condition keys for use in IAM policies, see the Service Authorization Reference page for the Amazon Web Services service.

Actions, resources, and condition keys for services that share a service prefix may be split across multiple pages in the Service Authorization Reference.

Note

Changes to the service reference information may take up to 24 hours to be reflected in the list of metadata for the service.

Accessing Amazon Web Services service reference information
  1. Navigate to the service reference information to access the list of Amazon Web Services services for which reference information is available.

    The following example shows a partial list of services and URLs for their respective reference information:

    [
      {
        "service": "s3",
        "url": "https://servicereference.us-east-1.amazonaws.com/v1/s3/s3.json"
      },
      {
        "service": "dynamodb",
        "url": "https://servicereference.us-east-1.amazonaws.com/v1/dynamodb/dynamodb.json"
      },
      …
    ]
  2. Choose a service and navigate to the service information page in the url field for the service to view a list of actions, resources, and condition keys for the service.

    The following example shows a partial list of service reference information for Amazon S3:

    {
      "Name": "s3",
      "Actions": [
        {
          "Name": "GetObject",
          "ActionConditionKeys": [
            "s3:AccessGrantsInstanceArn",
            "s3:AccessPointNetworkOrigin",
            "s3:DataAccessPointAccount",
            "s3:DataAccessPointArn",
            "s3:ExistingObjectTag/key",
            "s3:ResourceAccount",
            "s3:TlsVersion",
            "s3:authType",
            "s3:if-match",
            "s3:if-none-match",
            "s3:signatureAge",
            "s3:signatureversion",
            "s3:x-amz-content-sha256"
          ],
          "Resources": [
            { "Name": "object" }
          ]
        },
        {
          "Name": "ListBucket",
          "ActionConditionKeys": [
            "s3:AccessGrantsInstanceArn",
            "s3:AccessPointNetworkOrigin",
            "s3:DataAccessPointAccount",
            "s3:DataAccessPointArn",
            "s3:ResourceAccount",
            "s3:TlsVersion",
            "s3:authType",
            "s3:delimiter",
            "s3:max-keys",
            "s3:prefix",
            "s3:signatureAge",
            "s3:signatureversion",
            "s3:x-amz-content-sha256"
          ],
          "Resources": [
            { "Name": "bucket" }
          ]
        },
        ...
      ],
      "ConditionKeys": [
        {
          "Name": "s3:TlsVersion",
          "Types": [ "Numeric" ]
        },
        {
          "Name": "s3:authType",
          "Types": [ "String" ]
        },
        ...
      ],
      "Resources": [
        {
          "Name": "accesspoint",
          "ARNFormats": [
            "arn:${Partition}:s3:${Region}:${Account}:accesspoint/${AccessPointName}"
          ]
        },
        {
          "Name": "bucket",
          "ARNFormats": [
            "arn:${Partition}:s3:::${BucketName}"
          ]
        }
        ...
      ],
      "Version": "v1.1"
    }
  3. Download the JSON file from the service URL to use in your policy authoring workflows.
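
One way to use a downloaded file as a policy guardrail, shown as an added example that is not part of the original documentation: a small linter that flags IAM statement actions and service condition keys that do not appear in the service reference. The helper names (`base_key`, `index_actions`, `lint_statement`) are hypothetical, and the embedded JSON is a trimmed, constructed copy of the S3 excerpt above, so in practice you would load the full downloaded file instead.

```python
import json

# Trimmed copy of the S3 excerpt shown on this page (constructed sample, not the full file).
S3_REFERENCE = json.loads("""
{"Name": "s3", "Version": "v1.1", "Actions": [
  {"Name": "GetObject", "Resources": [{"Name": "object"}],
   "ActionConditionKeys": ["s3:ExistingObjectTag/key", "s3:TlsVersion", "s3:authType"]},
  {"Name": "ListBucket", "Resources": [{"Name": "bucket"}],
   "ActionConditionKeys": ["s3:TlsVersion", "s3:authType", "s3:prefix", "s3:max-keys"]}
]}
""")

def base_key(key):
    """Lowercase a condition key and drop any '/tag-key' suffix."""
    return key.lower().split("/", 1)[0]

def index_actions(ref):
    """Map lowercased 'prefix:Action' to the set of condition keys it supports."""
    return {
        f"{ref['Name']}:{a['Name']}".lower():
            {base_key(k) for k in a.get("ActionConditionKeys", [])}
        for a in ref["Actions"]
    }

def lint_statement(statement, ref):
    """Return findings for actions and service condition keys absent from the reference."""
    known, findings = index_actions(ref), []
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    # Condition block shape is {operator: {key: value}}; collect the keys.
    cond_keys = [k for op in statement.get("Condition", {}).values() for k in op]
    for action in actions:
        if not action.lower().startswith(ref["Name"] + ":") or "*" in action or "?" in action:
            findings.append(f"not checked (other service or wildcard): {action}")
            continue
        if action.lower() not in known:
            findings.append(f"unknown action: {action}")
            continue
        for key in cond_keys:
            # Only service-prefixed keys are checked; global aws: keys are skipped.
            if key.lower().startswith(ref["Name"] + ":") and base_key(key) not in known[action.lower()]:
                findings.append(f"condition key {key} not supported by {action}")
    return findings

if __name__ == "__main__":
    stmt = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBuckets"],
            "Resource": "*", "Condition": {"StringLike": {"s3:prefix": "home/*"}}}
    print(lint_statement(stmt, S3_REFERENCE))
```

Because the embedded sample lists only two actions, any other real S3 action is reported as unknown until the full file is loaded.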